Information Systems & Communications Flashcards
1
Q
Define “field”.
A
A group of characters (bytes) that identify a characteristic of an entity. A data value is a specific value found in a field. Fields can consist of a single character (Y, N) but usually consist of a group of characters. Each field is defined as a specific data type. Date, Text and Number are common data types.
2
Q
Define “application software”.
A
The diverse group of end-user programs that accomplish specific user objectives. Can be general purpose (word processors, spreadsheets, databases) or custom-developed for a specific application (ex.: a marketing information system for a clothing designer). May be purchased “off the shelf” or developed internally.
3
Q
Define a “bit” (binary digit).
A
An individual zero or one; the smallest piece of information that can be represented.
4
Q
Define “byte”.
A
A group of (usually) eight bits that are used to represent alphabetic and numeric characters and other symbols (3, g, X, ?, etc.). Several coding systems are used to assign specific bytes to characters. ASCII and EBCIDIC are the two most commonly used coding systems. Each system defines the sequence of zeros and ones that represent each character.
5
Q
Define “operating system”.
A
The interface between the user and the computer hardware.
6
Q
Define “systems software”.
A
The programs that run the computer and support system management operations.
7
Q
Define “record”.
A
A group of related fields (or attributes) that describe an individual instance of an entity (a specific invoice, a particular customer, an individual product).
8
Q
Define “file”.
A
A collection of records for one specific entity (an Invoice File, a Customer File, a Product File). In a relational database environment, files are also known as tables.
9
Q
Define “programming languages”.
A
All software is created using programming languages. They consist of sets of instructions and a syntax that determine how the instructions can be put together.
10
Q
Define “supercomputers”.
A
Computers at the leading edge of processing capacity. Their definition is constantly changing as the supercomputer of today often becomes the personal computer of tomorrow. They are generally used for calculation-intensive scientific applications, for example, weather forecasting and climate research.
11
Q
What are input devices?
A
These devices instruct the CPU and supply data to be processed. For example: keyboard, mouse, trackball, touch-screen technology, point of sale (POS) scanners.
12
Q
What are “microcomputers” or “personal computers (PCs)”?
A
These computers comprise an extremely diverse group of devices ranging from handheld personal digital assistants (PDAs) through desktop machines that can serve as components in large, networked environments. Some of the more common classifications include fat or thin clients and workstations. In addition, servers are computers that have been configured to provide resources to the network.
13
Q
What are output devices?
A
These devices transfer data from the processing unit to other formats. For example: printers, plotters, monitors, flat panel displays, CRT (Cathode Ray Tube) displays.
14
Q
What is the purpose of secondary storage devices?
A
Provide permanent storage for programs and data. Depending on the way the devices are set up, they can either be online (the data on the device is available for immediate access by the CPU) or offline (the device is stored in an area where the data is not accessible to the CPU).
15
Q
What are magnetic disks?
A
These are random access devices. Data can be stored on, and retrieved from, the disk in any order. This is the most efficient way to store and retrieve individual records. Magnetic disks are the most commonly used form of secondary storage.
16
Q
What is a magnetic tape?
A
This is a sequential access device. Data is stored in order of the primary record key (i.e. document number, customer number, inventory number, etc.) and must also be retrieved sequentially. Although once used for transaction processing, this medium is now used mostly for archiving data.
17
Q
How is read-only memory (ROM) used?
A
Used to permanently store the data needed to power on the computer; includes portions of the operating system.
18
Q
What are flash drives (also known as jump drives or thumb drives)?
A
These are very small, portable devices that can store anywhere from 500 M of data to over several gigabytes of data. The term “drive” is a bit of a misnomer as there are no moving parts to the “drive.” Rather, the memory in a flash drive is similar to the RAM used as primary storage for your CPU.
19
Q
Define “central processing unit (CPU)”.
A
The CPU is the control center of the computer system. It has three principal components.
20
Q
What is the purpose of the Arithmetic Logic Unit (ALU)?
A
To performs arithmetic calculations.
21
Q
What is the purpose of primary storage (main memory)?
A
To store programs and data until they are ready to be used by the computer’s processor. Primary storage is divided into two main parts - random access memory (RAM) and read-only memory (ROM).
22
Q
Define “mainframe computers”.
A
Computers used by commercial organizations to support mission critical tasks such as sales and order processing, inventory management, and e-commerce applications. Unlike supercomputers, which tend to support processor-intensive activities (i.e., a small number of highly complex calculations), mainframe computers tend to be input/output (I/O) intensive (i.e., a very large numbers of simple transactions). Mainframes frequently support thousands of users at a single point in time.
23
Q
What does a control unit do?
A
Interprets program instructions.
24
Q
What does random access memory (RAM) store?
A
It stores data temporarily while it is being processed.
25
What is an optical disk?
These use laser technology to "burn" data on the disk (although some rewritable disks use magnetic technology to record data). In general, read-only and write-once optical disks are a more stable storage medium than magnetic disks. Optical disks, like magnetic disks are random access devices. There are several different types of optical disks.
26
Define "peripherals".
Devices that transfer data to or from the CPU but do not take part in processing data. Peripherals are commonly known as input and output devices (I/O devices).
27
What constitutes computer hardware?
This includes the physical equipment in your computer and the equipment that your computer uses to connect to other computers or computer networks. Computer hardware falls into four principal classifications.
28
Define "batch processing".
Periodic transaction processing method in which transactions are processed in groups.
29
What are "time lags"?
This is an inherent part of batch processing. There is always a time delay between the time the transaction occurs, the time that the transaction is recorded, and the time that the master file is updated.
30
Define "master files".
Computerized data files equivalent to the ledgers found in manual accounting system.
31
Define "online, real-time (OLRT) processing".
Continuous, immediate transaction processing method in which transactions are processed individually as they occur.
32
What is the Accounts Receivable (A/R) sub-ledger?
This ledger classifies A/R transactions (credit sales and customer payments) by Customer.
33
Define "general ledger".
The collection of the organization's accounts.
34
What are point-of-sale (POS) systems?
These systems are one of the most commonly encountered data capture systems in the marketplace today. POS systems combine on-line, real-time processing with automated data capture technology, resulting in a system that is highly accurate, reliable, and timely.
35
Define "transaction files".
Computerized data files equivalent to the journals found in a manual accounting system.
36
What are subsidiary ledgers (sub-ledgers)?
These ledgers classify transactions by alternative accounts (e.g., customer accounts, vendor accounts, product accounts).
37
What is the inventory sub-ledger?
This ledger stores the costs and quantities of the each item in inventory.
38
What are distributed database systems?
These systems are so named because rather than maintaining a centralized or master database at a central location, the database is distributed across the locations according to their needs.
39
What are centralized systems?
These systems maintain all data and perform all data processing at a central location; remote users may access the centralized data files via a telecommunications channel, but all of the processing is still performed at the central location.
40
Define "fiber optic cable."
A wired transmission medium. Extremely fast and secure. Uses light pulses instead of electrical impulses. Less electrical interference and signal degradation over long distances; more expensive to purchase and to install.
41
Define "server."
Computer or other device on a network which only provides resources to the network and is not available (normally) to individual users; examples include print servers, file servers, and communications servers. Contrast with a workstation.
42
Define "microwave transmission."
Wireless communications medium. Often used in a combination with satellite transmission; used primarily by WANs.
43
What are hierarchical operating systems?
A centralized control point, generally referred to as the host computer, manages communications and access to resources, and performs most data processing. Nodes connected to these systems often function as "dumb" (low capability) terminals used by WANs.
44
Define "Wi-Fi" or "spread-spectrum radio transmission."
A wireless transmission medium. Depending on power levels, may be used for relatively large networks serving hundreds of users or for small home networks. It is found in Local Area Network (LAN) environments but frequently used to provide access to Wide Area Networks (WANs). Wi-Fi connections are generally slower than wired systems using coaxial (Ethernet) cable or fiber optic cable.
45
Define "file server."
In a local area network, a computer that provides centralized access to program and data files.
46
Define "coaxial cable."
A wired transmission medium. Similar to the cable used for television, coaxial cable is faster, more secure and less subject to interference than twisted pair, but has a slightly higher cost
47
Define" local area networks (LANs)."
Originally confined to very limited geographic areas (a floor of a building, a building, or possibly a couple of buildings in very close proximity to each other). Inexpensive fiber optic cable now enables local area networks to extend many miles.
48
Define "transmissions medium."
The communication link between nodes on the network. One of several types of wired or wireless media.
49
Define "client/server system."
A central machine (the server) mediates communication on the network and grants access to network resources. Client machines use of network resources and also perform data processing functions; used by LANs.
50
Describe wide area networks (WANs).
These networks vary dramatically in geographic coverage. Most WANs are national or international in scope.
51
Define "Bluetooth."
Wireless transmission medium. It uses the same radio frequencies as Wi-Fi, but with lower power consumption resulting in a weaker connection. It is used to provide a direct communications link between two devices (e.g., a cell phone and ear piece, computer and a printer).
52
Define a "client."
A node, usually a microcomputer, which is used by end users; uses but usually does not supply network resources.
53
Define "computer network."
Two or more computing devices connected by a communication channel on which the devices exchange data.
54
Define "digital cellular" ("cellular digital packet data or CDPD").
Wireless transmission medium. It allows transmission of data over the cell phone network; used by WANs.
55
Define "twisted pair."
A wired transmission medium. Traditionally used for phone connections, slowest, least secure (e.g., easy to tap) and most subject to interference of all the wired media. Recent modifications have improved performance. The lowest cost media.
56
What are communication devices?
These devices link networks to other networks and to remote access. Examples include modems, multiplexers, concentrators, bridges, routers and gateways.
57
Define "peer-to-peer system."
A network system in which all nodes share in communications management. No central controller (server) is required. These systems are relatively simple and inexpensive to implement; used by LANs.
58
What is a network operating system?
This system controls communication over the network and access to network resources.
59
Define a "node."
Any device connected to a computer network.
60
Define "hypertext markup language (HTML)".
Core "markup" language (a way of tagging text) for web pages. The basic building-block protocol for constructing webpages.
61
Define "internet".
A "network of networks:" a global network of millions of interconnected computers and computer networks.
62
What is extensible business reporting language (XBRL)?
XML-based protocol for encoding and tagging business information. A means to consistently and efficiently identify the content of business and accounting information in electronic form.
63
What is extensible markup language (XML)?
Protocol for encoding (tagging) documents in machine-readable form.
64
What is "instant messaging (IM)"?
A protocol for instant messaging.
65
Describe extensible.
Users can create taxonomies for specific environments, for example for the purpose of taxation reporting, environmental regulation reporting, or automobile manufacturing.
66
What is "File Transfer Protocol (FTP)"?
A protocol used for file transfer applications.
67
Describe intranets.
Available only to members of the organization (business, school, association); often used to connect geographically separate LANs within a company.
68
Describe extranets.
Open to an organization's associates (company suppliers, customers, business partners, etc.) to access data that is relevant to them.
69
Define "Transmission Control Protocol / Internet Protocol (TCP/IP)".
The core protocol transmission of the internet.
70
What does business-to-consumer (B2C) e-commerce involve?
This involves selling goods and services directly to consumers, almost always using the Internet and web-based technology. B2C e-commerce relies heavily on intermediaries or brokers to facilitate the sales transaction.
71
Define "e-commerce."
Transactions between the organization and its trading partners.
72
Define "supply chain management (SCM)."
The process of planning, implementing, and controlling the operations of the supply chain: the process of transforming raw materials into a finished product and delivering that product to the consumer. Supply chain management incorporates all activities from the purchase and storage of raw materials, through the production process, into finished goods through to the point-of-consumption.
73
Define "e-business."
Any business process that relies on electronic dissemination of information or on automated transaction processing.
74
Define "electronic funds transfer (EFT)."
A technology for transferring money from one bank account directly to another without the use of paper money or checks. It substantially reduces the time and expense required to process checks and credit transactions.
75
What are customer relationship management (CRM) systems?
Technologies used to manage relationships with clients. Both biographic and transaction information about existing and potential customers is collected and stored in a database. The CRM provides tools to analyze the information and develop personalized marketing plans for individual customers.
76
Define "electronic data interchange (EDI)."
This is computer-to-computer exchange of business data (e.g., purchase orders, confirmations, invoices, etc.) in structured formats that allow direct processing of the data by the receiving system. It reduces handling costs and speeds transaction processing compared to traditional paper-based processing.
77
Describe business-to-business (B2B) e-commerce.
This involves electronic processing of transactions between businesses and includes electronic data interchange (EDI), supply chain management (SCM) and electronic funds transfer (EFT).
78
Define "token-based payment systems."
Electronic cash, smart cards (cash cards), and online payment systems (e.g., PayPal); similar to electronic fund transfer (EFT), but governed by different laws.
79
Define "electronic wallets."
Software programs that allow the user to manage credit cards, user names, passwords, and address information in an easy-to-use, centralized location (e.g., Roboform).
80
What are operational systems?
These systems support the day-to-day activities of the business (purchasing of goods and services, manufacturing activities, sales to customers, cash collections, payroll, etc.) Also known as transaction processing systems (TPS).
81
Define data warehousing.
Data warehousing is a database that supports organizational decision making. Data from the live databases are copied to the warehouse so that data can queried without reducing the performance (i.e., speed) or stability (i.e., reliability) of the live systems.
82
Define data mining.
Data mining is searching the data warehouse to discover patterns and relationships in historical data.
83
What are accounting information systems (AIS)?
These systems take the financial data from transaction processing systems and use it to produce financial statements and control reports for management (e.g. accounts receivable aging analysis, product cost reports, etc.). AIS are a subset of MISs.
84
What is the purpose of executive support systems (ESS) or strategic support systems (SSS)?
A subset of decision support systems (DSS) especially designed for forecasting and making long-range, strategic decisions. As such, they have a greater emphasis on external data. Sometimes called "DSS for dummies."
85
What is an Office automation system (OAS)?
An office automation system (OAS) is similar to a knowledge work system but supports clerical-level employees. For example, an OAS system might support the clerical staff in a public accounting firm.
86
Define management information systems.
Systems designed to support routine management problems based primarily on data from transaction processing systems.
87
What are decision support systems (DSS)?
These systems provide information to mid- and upper-level management to assist them in managing nonroutine problems and in long-range planning. Unlike MISs, DSSs frequently include external data in addition to summarized information from the TPS and include significant analytical and statistical capabilities.
88
What are data-driven decision support systems (data-driven DSS)?
These systems process large amounts of data to find relationships and patterns.
89
What is a Knowledge work system?
Knowledge work systems facilitate the work activities of professional-level employees (engineers, accountants, attorneys, etc.) by providing information relevant to their day-to-day activities (e.g., how the company has handled specific types of audit exceptions) and/or by automating some of their routine functions (e.g., computer-aided systems engineering [CASE] packages used by programmers to automated some programming functions).
90
What is an online analytical processing system (OLAP)?
This system incorporates data warehouse and data mining capabilities into an ERP system.
91
Define Platform as a Service (PaaS).
Creating cloud-based software and programs Salesforce.com's Force.com is an example of PaaS.
92
What are enterprise resource planning systems (ERPs) used for?
These systems provide transaction processing, management support, and decision-making support in a single, integrated package. By integrating all data and processes of an organization into a unified system, ERPs attempt to eliminate many of the problems faced by organizations when they attempt to consolidate information from operations in multiple departments, regions, or divisions.
93
What is a cloud-based system?
A cloud-based system is a virtual data pool that is created by contracting with a third-party data storage provider.
94
Define Software as a Service (SaaS).
Remote access to software. Office 365, a suite of office productivity programs, is an example of SaaS.
95
Define online transaction processing system (OLTP).
Enterprise resource planning (ERP) modules that comprise the core business functions: sales, production, purchasing, payroll, financial reporting, etc. These functions collect the operational data for the organization and provide the fundamental motivation for the purchase of an ERP.
96
Define Scalability.
It is the capacity of a system to grow with an organization.
97
Define Infrastructure as a Service (IaaS).
Use of the cloud to access virtual hardware, such as computers and storage. Examples include Amazon Web Services and Carbonite.
98
Describe the concept of knowledge management (KM).
Attempts to ensure that the right information is available at the right time to the right user. A variety of practices attempt to electronically capture and disseminate information throughout the organization. Knowledge management practices seek specific outcomes, including shared intelligence, improved performance, competitive advantage, and more innovation.
99
Define "data warehouse".
A database designed to archive an organization's operational transactions (sales, purchases, production, payroll, etc.) over a period of years. External data that might be correlated with these transactions such as economic indicators, stock prices, exchange rates, market share, political issues, weather conditions, etc. can also be incorporated into the data warehouse. Data mining techniques can then be used to identify patterns and relationships among the data elements.
100
Define "expert system (knowledge-based system)".
A computer program that contains subject-specific knowledge derived from experts. The system consists of a set of rules that are used to analyze information provided by the user of the system. Based on the information provided, the system recommends a course of action.
101
Define "data mart".
A specialized version of a data warehouse that contains data that is pre-configured to meet the needs of specific departments. Companies often support multiple data marts within their organization.
102
Describe a flat file system.
Early information technology systems used flat file technology. Flat files are characterized by independent programs and data sets, high degrees of data redundancy, and difficulty in achieving cross functional reporting.
103
Define "drill down".
Concept associated with data warehouses. The ability to move from summary information to more granular information (i.e. viewing an accounts receivable customer balance and drilling down to the invoices and payments which resulted in that balance).
104
Define "knowledge base (or knowledgebase)".
A component of a knowledge management system. A special type of database designed for retrieval of knowledge. It provides the means to collect and organize the information and develop relationships among information components.
105
Define "slicing and dicing" as it relates to data warehouses.
The ability to view a single data item in multiple dimensions; for example, the sale of VCRs might be viewed by product, by region, by time period, by company, etc.
106
Describe the parallel implementation method for new systems.
Implementation of a new systems where the new system and the old system are run concurrently until it is clear that the new system is working properly.
107
Describe the testing step of the systems development lifecycle (SDCLC) process.
Stage 5 of the systems development lifecycle (SDLC) process. The system is evaluated to determine whether it meets the specifications identified in the requirements definition.
108
Describe the phased implementation method for new systems.
Implementation of a new system where the system is divided into modules that are brought online one or two at a time.
109
Describe the planning and feasibility study step of the systems development lifecycle (SDCLC) process.
Stage 1 of the systems development lifecycle (SDLC) process. When an application proposal is submitted for consideration, it is evaluated from three respects: Technical, Economic, and Operational feasibility.
110
Define "lead systems analyst".
The manager of the programming team: Usually responsible for all direct contact with the end user; Often responsible for developing the overall programming logic and functionality.
111
Define "application programmers".
The team of programmers who, under direction of the lead analyst are responsible for writing and testing the program.
112
Describe the implementation step of the systems development lifecycle (SDCLC) process.
Stage 6 of the systems development lifecycle (SDLC) process. Before the new system is moved into production, existing data must be often be converted to the new system format and users must be trained on the new system; implementation of the new system may occur in one of four ways.
113
Define "end user".
In relation to systems development, the employees who will use the program to accomplish their tasks. Responsible for identifying the problem to be addressed and approving the proposed solution to the problem.
114
Describe the analysis step of the systems development lifecycle (SDCLC) process.
Stage 2 of the systems development lifecycle (SDLC) process. During this phase the systems analysts work with end users to understand the business process and document the requirements of the system; the collaboration of IT personnel and end users to define the system is known as joint application development (JAD).
115
Describe the maintenance step of the systems development lifecycle (SDCLC) process.
Stage 7 of the systems development lifecycle (SDLC) process. Monitoring the system to ensure that it is working properly and updating the programs and/or procedures to reflect changing needs and requirements.
116
Describe the composition of the information technology steering committee.
Members of the committee are selected from functional areas across the organization, including the IT department; the committee's principal duty is to approve and prioritize systems proposals for development.
117
Describe the development step of the systems development lifecycle (SDCLC) process.
Stage 4 of the systems development lifecycle (SDLC) process. During this phase, programmers use the systems design specifications to develop the program and data files.
118
Describe the "cold turkey" (also called the "plunge" or "big bang") implementation method for new systems.
Implementation of a new system where the old system is dropped and the new system put in place all at once.
119
Describe the design step of the systems development lifecycle (SDCLC) process.
Stage 3 of the systems development lifecycle (SDLC) process. In the design phase, the technical specifications of the system are established; the design specification has two primary components: Technical architecture specification, creation of a systems model.
120
Describe the pilot implementation method for new systems.
Implementation of a new system similar to phased implementation, except rather than dividing the system into modules, the users are divided into smaller groups and are trained on the new system one group at a time.
121
Describe the control objectives for information and related technology (COBIT) framework.
Widely used international standard for identifying best practices in IT security and control. Provides management with an information technology (IT) governance model that helps in delivering value from IT processes and in understanding and managing the risks associated with IT.
122
What personnel in an organization should have access to computer operations ("live data")?
Computer operators (and systems programmers, though their access should be limited to times when they need to update systems hardware or software).
123
Describe the responsibilities of the computer operators.
Responsible for operating the computer: loading program and data files, running the programs, and producing output. Computer operators should not enter data into the system or reconcile control totals for the data they process. (That job belongs to Data Control.)
124
Define" file librarian."
Files and data that are not online are usually stored in a secure environment called the File Library. The File Librarian is responsible for maintaining control over the files, checking them in and out only as necessary to support scheduled jobs. The file librarian should not have access to any of the operating equipment or data (unless it has been checked into the library).
125
Which information technology staff is responsible for designing and developing new programs and maintaining existing programs?
Systems analysts and application programmers.
126
Describe the responsibilities of system administrators.
Database administrator, network administrator, and web administrators are responsible for management activities associated with the system they control. For example, they grant access to their system resources, usually by means of user names and passwords. System administrators, by virtue of the influence they wield, must not be permitted to participate directly in operations of these systems.
127
Describe the responsibilities of the computer operations department.
This department is responsible for the day-to-day operations of the computer system including receipt of batch input to the system, conversion of the data to electronic media, scheduling computer activities, running programs, etc.
128
Describe the firing (termination) personnel policy.
A personnel policy. Clear procedures should guide employee departures, regardless of whether the departure is voluntary or involuntary; it is especially important to be careful and thorough when dealing with involuntary terminations of IT personnel. In involuntary terminations, the employee's username and keycard should be disabled prior to notification of the termination in order to prevent any attempt to destroy company property. After notification of termination, the terminated employee should be accompanied at all times until escorted out of the building.
129
Describe the responsibilities of system programmers.
Maintain the various operating systems and related hardware. For example, they are responsible for updating the system for new software releases and installing new hardware. Because their jobs require that they be in direct contact with the production programs and data, it is imperative that they are not permitted to have access to information about application programs or data files.
130
Describe the responsibilities of application programmers.
They work under the direction of the systems analyst to write the actual programs that process data and produce reports.
131
Describe the recommended hiring practices that an organization should employ.
A personnel policy. Applicants should complete detailed employment applications and formal, in-depth employment interviews prior to hiring. When appropriate, specific education and experience standards should be imposed. All applicants should undergo thorough background checks and verification of academic degrees, work experience, and professional certifications, as well as searches for any criminal records.
132
Describe the responsibilities of the data entry clerk (also referred to the data conversion operator).
For systems that still use manual data entry (which is becoming rare), this function keys (enters) handwritten or printed records to convert them into electronic media. The data entry clerk should not be responsible for reconciling batch totals, and should not be able to run programs, or access system output, or having any involvement in application development and programming.
133
Describe the personnel evaluation policy.
A personnel policy. Employees should be evaluated on a regular basis. The evaluation process should provide clear feedback on the employee's overall performance as well as specific strengths and weaknesses. To the extent that there are weaknesses, it is important to provide guidance on how performance can be improved.
134
Describe the responsibilities of the data control position in an organization.
This IT position controls the flow of documents into and out of Computer Operations; for batch processing, schedules batches through data entry and editing, monitors processing, and ensures that batch totals are reconciled. Data control should not access the data, equipment, or programs. This position is called "quality assurance" in some organizations.
135
List the three main functional areas within an information technology department.
1. Applications Development 2. Systems Administration and Programming 3. Computer Operations
136
Define "social engineering".
A set of techniques used by attackers to fool employees into giving them access to information resources.
137
What purpose does setting file attributes serve?
This logically restricts the ability of the user to read, write, update, and/or delete records in a file.
138
What considerations should be given by an organization regarding fire-suppression systems?
Such systems are required in IT operations. Need to be appropriate for electrical fires (halon or a similar chemical suppressor - not water!). Should be periodically inspected.
139
What purpose do file protection rings or locks serve?
Physically prevent the media from being overwritten.
140
Define "internal labels" (header and trailer labels).
Descriptive information stored at the beginning and end of a file that identifies the file, the number of records in the file, and provides data enabling detection of processing errors.
141
Define "external labels".
A tag placed on data storage media (floppy disks, magnetic tape, CDs, etc.) designed to prevent inadvertent use of the wrong file.
142
Define "grandfather-father-son file security control".
A technique used to maintain redundant backup copies (three "generations") of data files; backup files are used to recover from systems failures in which data files are destroyed.
143
Define "mirroring".
A method of backup consisting of the maintenance of an exact copy of a data set to provide multiple sources of the same information. Mirrored sites are most frequently used in e-commerce for load balancing - distributing excess demand from the primary site to the mirrored.
144
Define "remote backup service".
A service that provides users with an online system for backing up and storing computer files. Remote backup has several advantages over traditional backup methodologies: the task of creating and maintaining backup files is removed from the IT department's responsibilities; the backups are maintained off site; some services can operate continuously, backing up each transaction as it occurs.
145
Define "storage area networks (SANs)".
A method of backup that can be used to replicate data from multiple sites. Data stored on a SAN is immediately available without the need to recover it. This enables a more effective disaster recovery process.
146
Describe the rollback and recovery backup and recovery system methodology.
A backup and recovery system methodology that is common to online, real-time processing. All transactions are written to a transaction log when they are processed. Periodic "snapshots" are taken of the master file. when a problem is detected, the recovery manager program starts with the snapshot of the master file and reprocesses all transactions that have occurred since the snapshot was taken.
147
Describe the checkpoint and restart backup and recovery system methodology.
Common to batch processing, a checkpoint is a point in data processing where the accuracy of the processing can be verified. Backups are maintained during the update process so that, if a problem is detected, it is only necessary to return to the backup at the previous checkpoint instead of returning to the beginning of transaction processing.
148
Define "biometric controls."
A physical characteristic is used to gain access instead of a password. Common choices for biometric controls include fingerprint or thumbprint, retina patterns, and voice print patterns. Biometric controls can be very reliable, but generally require special input equipment.
149
What purpose do read-after-write checks serve?
They verify that data was written correctly to disk by reading what was just written and comparing it to the source.
150
Define "hardware controls."
Controls built into the computer equipment to ensure that data is transmitted and processed accurately.
151
List some examples of security tokens.
Includes (1) devices which provide "one-time" passwords that must be input by the user and (2) "smart cards" that contain additional user identification information and must be read by an input device.
152
Define "phishing."
Deceptive requests for information delivered via email.
153
Describe boundary protection.
When multiple programs and/or users are running simultaneously and sharing the same resource (usually the primary memory of a CPU), boundary protection protects program instructions and data from one program from being overwritten by program instructions and/or data from another program.
154
What purpose do echo checks serve?
They verify that transmission between devices is accurate by "echoing back" the received transmission from the receiving device to the sending unit.
155
Why are "one-time" passwords used by an organization and how do these passwords work?
Used to strengthen the standard password by requiring access to a physical device which displays a new "one-time password" every 30-60 seconds. The "one time" password is derived from an algorithm which usually involves the date and time. The user enters this password along with the traditional user name and password. Once received, the computer independently recalculates the "password." If the entered value and computed value are the same, the computer then recognizes the individual.
156
Define "parity check (parity bit)."
An example of a check digit. A 0 or 1 included in a byte of information which makes the sum of bits either odd or even.
157
Why do some organizations require multi-factor authentication?
Since all authentication techniques are individually subject to failure, many organizations require multi-factor authentication procedures - the use of several separate authentication procedures at one time (e.g., user name, password, one-time password and fingerprint). Redundant authentication procedures significantly enhance the authentication process.
158
Describe smart cards and identification badges.
These have identification information embedded on a magnetic strip on the card and require the use of additional hardware (a card reader) to read the data into the system. Depending on the system, the user may only need to swipe the card to log onto the system, or may need to key in other information in order to log on.
159
What purpose do logical access controls serve?
Control electronic access to data via internal and external networks.
160
Describe elements of a strong password.
At least eight characters long; uses both upper and lower case letters; uses at least one numeral; uses at least one special character; is subject to a policy that requires changing at least once a year.
161
Define "diagnostic routines."
Program utilities that check the internal operations of hardware components.
162
List the characteristics of system documentation.
Overviews the program and data files, processing logic and interactions with other programs and systems; often includes narrative descriptions, flowcharts and data flow diagrams; used primarily by systems developers; can be useful to auditors.
163
What purpose does operator documentation (also called a "run manual") serve?
In large computer systems, operator documentation provides information necessary to execute the program such as the required equipment, data files and computer supplies, execution commands, error messages, verification procedures and expected output. It is used exclusively by the computer operators.
164
Define "decision tables."
A type of documentation that depicts logical relationships of a processing system by identifying the decision points and processing alternatives.
165
Define "source program library."
Library of source code computer programs.
166
Define "program documentation."
A detailed analysis of the input data, the program logic, and the data output. It consists of program flowcharts, source code listings, record layouts, etc. It is used primarily by programmers. Program documentation is an important resource if the original programmer is not available and there are questions about the program.
167
Define "source program library management system (SPLMS)."
System for managing process of moving programs from development to production and the reverse.
168
Define "user documentation."
This describes the system from the point of view of the end user. It provides instructions on how and when to submit data and request reports, procedures for verifying the accuracy of the data, and correcting errors.
169
Define "hash totals".
Totals of a field, usually an account code field, for which the total has no logical meaning, such as a total of customer account numbers in a batch of invoices.
170
What purpose do range tests serve?
Validate both upper and lower limits; for example, the price per gallon cannot be less than $4.00 or greater than $10.00.
171
What purpose does a reasonableness check serve (also called a logic test)?
Checks to see that data in two or more fields is consistent. For example, a Rate of Pay value of "$3,500" and a Pay Period value of "Hourly" may both be valid values for the fields when the fields are viewed independently. However, the combination (an hourly pay rate of $3,500) is not valid.
172
Define "completeness".
A control objective. All transactions have been captured; there are no missing transactions.
173
Define "record counts".
Count of the number of documents in a batch or the number of lines on the documents in a batch.
174
Define "default values".
Pre-supplied data values for a field when that value can be reasonably predicted. For example, when entering sales data, the sales order date is usually the current date;. Fields using default values generate fewer errors than other fields.
175
What purpose do input controls serve (also used interchangeably with programmed controls, edit checks, or automated controls)?
Ensure that the transactions entered into the system meet the control objectives of validity, completeness, and accuracy.
176
Define "automated data capture".
Use of automated equipment, such as bar code scanners, to reduce the amount of manual data entry . Reducing human involvement reduces the number of errors in the system.
177
What purpose do sequence checks serve?
Verifies that all items in a numerical sequence (check numbers, invoice numbers, etc.) are present. It is the most commonly used control for processing completeness.
178
Define "financial totals".
Totals of a currency field that result in meaningful totals, such as the dollar amounts of checks. (Note that the total of the hourly rates of pay for all employees is not a financial total because the summation is not meaningful.)
179
Define "missing data check".
The simplest type of test available: checks only to see that something has been entered into the field.
180
Define "limit test check".
Check to see that a numeric field does not exceed a specified value; for example, the number of hours worked per week isn't greater than 60. There are several variations of limit tests.
181
What purpose do sign tests serve?
Verify that numeric data has the appropriate sign (positive or negative); for example, the quantity purchased cannot be negative.
182
Define "key verification".
The re-keying of critical data in the transaction, followed by a comparison of the two keyings. For example, in a batch environment, one operator keys in all of the data for the transactions and a second operator re-keys all of the account codes and amounts. The computer compares the results and reports any differences. Key verification is generally found in batch systems, but can be used in online real-time environments as well. (Consider the process required to change a password: enter the old password, enter the new password, and then re-enter the new password.)
183
What purpose does a field check (data type/ data format check) serve?
Verifies that the data entered is of an acceptable type - alphabetic, numeric, a certain number of characters, etc.
184
Define "batch control totals".
Manually calculated totals of various fields of the documents in a batch. Batch totals are compared to computer-calculated totals and are used to ensure the accuracy and completeness of data entry. Batch control totals are available, of course, only for batch processing systems.
185
Define "validity".
A control objective. All transactions are appropriately authorized; no fictitious transactions are present; no duplicate transactions are included.
186
Define "accuracy".
A control objective. All data has been correctly transcribed, all account codes are valid; all data fields are present; all data values are appropriate.
187
What purpose do preprinted forms and preformatted screens serve?
These reduce the likelihood of data entry errors by organizing input data in a logical manner. When the position and alignment of data fields on a data entry screens matches the organization of the fields on the source document, data entry is faster and there are fewer errors.
188
What purpose do check digit tests serve?
Designed to ensure that each account code entered into the system is both valid and correct. The check digit is a number that is created by applying an arithmetic algorithm to the digits of a number, for example, a customer's account number. The algorithm yields a single digit that is appended to the end of the code. Whenever the account code (including check digit) is entered, the computer recalculates the check digit and compares the calculated check digit to the digit entered. If the digits fail to match, there is an error in the code and processing is halted.
189
What purpose does closed loop verification serve.
This helps ensure that a valid and correct account code has been entered. After the code is entered, this system looks up and displays additional information about the selected code. For example, the operator enters a customer code and the system displays the customer's name and address. This technique is only available in online real-time systems.
190
What purpose does a valid code test (validity test) serve?
Checks to make sure that each account code entered into the system is a valid (existing) code. This control does not ensure that the code is correct, merely that it exists.
191
What purpose do output controls serve?
These controls ensure that computer reports are accurate and are distributed only as authorized.
192
Define "processing controls".
Controls that are designed to ensure that master file updates are completed accurately and completely. They also serve to detect unauthorized transactions entered into the system and maintain data integrity.
193
What should an organization consider regarding distributions of reports?
Data control is responsible for ensuring that reports are maintained in a secure environment prior to distribution and that only authorized recipients receive the reports. A Distribution Log is generally maintained to record transfer of the reports to the recipients.
194
Define "spooling (print queue) controls".
Jobs sent to a printer that cannot be printed immediately are spooled - stored temporarily on disk - while waiting to be printed. Access to this temporary storage must be controlled in order to prevent unauthorized access to the files.
195
What purpose does disposal of aborted print jobs serve?
Reports are sometimes damaged during the printing or bursting (separation of continuous feed paper along perforation lines) process. Since the damaged reports may contain sensitive data, they should be disposed of using secure disposal techniques.
196
Describe audit trail controls.
Each transaction is written to a transaction log as it is processed. The transaction logs become an electronic audit trail that allows the transaction to be traced through each stage of processing. Electronic transaction logs constitute the principal audit trail for online, real-time systems.
197
What purpose do run-to-run controls serve?
These use batch figures to monitor the batch as it moves from one programmed procedure (run) to another. Totals of processed transactions are reconciled to batch totals - any difference indicates an error.
198
What purpose do end user controls serve?
These controls supplement the Information Systems department controls by independently performing checks of processing totals and reconciling report totals to separately maintained records.
199
Define "control totals".
Manually calculated totals of significant data fields in the documents of a batch; counts of the number of lines and/or documents in a batch. Control totals are reconciled to computer calculated totals and are used to ensure accuracy and completeness of data entry.
200
Define "masquerading".
Masquerading occurs when an attacker identifies an IP address (usually through packet sniffing) and then attempts to use that address to gain access to the network. If the masquerade is successful, the hacker has hijacked the session: gained access to the session under the guise of another user.
201
Define "password strength".
The capacity of a password to resist attempts to learn or "crack" it, typically by the use of nefarious automated password cracking software.
202
Define "malicious software (malware)".
Programs that exploit system and user vulnerabilities to gain access to the computer. There are many types of malware.
203
Define "worm".
Similar to viruses except that worms attempt to replicate themselves across multiple computer systems. They generally try to accomplish this by activating the system's email client and sending multiple emails.
204
Define "trojan horse".
A malicious program that is hidden inside a seemingly benign file.
205
Define "password crackers".
Once a user name has been identified, password cracking software can be used to generate a large number of potential passwords and use them to try to gain access.
206
Define "logic bomb".
An unauthorized program which is planted in the system. The logic bomb lies dormant until the occurrence of a specified event or time (e.g., a specific date, the elimination of an employee from "active employee" status, etc.).
207
Define "packet sniffers".
Programs called packet sniffers capture packets of data as they move across a computer network. Packet sniffing has legitimate uses to monitor network performance or troubleshoot problems with network communications. However, it is often used by hackers to capture user names and passwords, IP addresses, and other information that can help the hacker break into the network. Packet sniffing a computer network is similar to wire tapping a phone line.
208
Define "back door".
A software program that allows an unauthorized user to gain access to the system by side-stepping the normal logon procedures;. Back doors were once commonly used by programmers to facilitate access to systems under development.
209
Describe the components of a firewall.
A firewall consists of hardware, or software, or both, that help detect security problems and enforce security policies on a computer system. A firewall is like a door with a lock for a computer system. There are multiple types, and levels, of firewalls.
210
Define "virus".
An unauthorized program, usually introduced through an email attachment, which copies itself to files in the users system. These programs may actively damage data, or they may be benign.
211
Define "denial of service attacks".
Some attackers threaten the system by attempting to prevent legitimate users from gaining access to the system. These attacks, called denial of service attacks, are perpetrated by flooding the server with incomplete access requests.
212
Describe the use of secure Internet transmissions protocols.
Sensitive data sent via the internet is usually secured by one of two encryption protocols: SSL (Secure Sockets Layer) or S-HTTP (Secure Hypertext Transport Protocol).
213
Define "encryption".
The process of coding data so that it cannot be understood without the correct decryption algorithm.
214
Describe symmetric encryption (also called single-key encryption or private-key encryption).
This method uses a single algorithm to encrypt and decrypt the text. The sender uses the encryption algorithm to create the ciphertext and sends the encrypted text to the recipient. The sender must let the recipient know which algorithm was used to encrypt the text. The recipient then uses the same algorithm (essentially running it in reverse) to decrypt the text.
215
Describe the use of digital signatures.
This method uses public/private key pair technology to provide authentication of the sender and verification of the content of the message. The authentication process is based on the private key: because the private key is known only to the user, it can be used as a means of identifying the sender. The weakness in digital signatures is that the public/private key pair can be acquired without verifying the identity of the applicant/sender.
216
Describe the use of secure electronic transactions (SET) protocols.
This protocol is used by the merchant intermediary to securely transmit the payment information and to authenticate the identities of the trading partners.
217
Describe asymmetric encryption (also called public/private-key encryption and private-key encryption).
This method uses two paired encryption algorithms to encrypt and decrypt the text: if the public key is used to encrypt the text, the private key must be used to decrypt the text. Conversely, if the private key is used to encrypt the text, the public key must be used to decrypt the text.
218
Define "cleartext (or plaintext)".
Text that can be read and understood.
219
Describe the use of digital certificates.
For transactions that require a high degree of assurance, a digital certificate provides legally recognized electronic identification of the sender, and verifies the integrity of message content. The certificate is based on public/private key technology just like the digital signature. The difference is that the holder of the certificate must submit identification when requesting the certificate and the certificate authority completes a background check to verify the identity before issuing the certificate.
220
Define "ciphertext".
Text that has been mathematically scrambled so that its meaning cannot be determined.
221
Define BIA.
A business impact analysis (BIA) identifies the maximum tolerable interruption periods of an organization by function and activity as a part of assessing risk importance and consequences.
222
Define warm site.
A location to which the business can relocate after a disaster. The location is already stocked with computer hardware similar to that of the original site, but does not contain backed up copies of data and information.
223
Define cold site (empty shell).
An off-site location that has all the electrical connections and other physical requirements for data processing, but does not have the actual equipment or files. Cold sites often require one to three days to be made operational. A cold site is the least expensive type of alternative processing facility available to the organization.
224
Define BCP/BCM.
Business (or organizational) continuity management (sometimes abbreviated BCM) is the process of planning for disasters and embedding this plan in an organization's culture. This is sometimes also called business continuity planning.
225
Define hot site.
An off-site location that is completely equipped to immediately take over the company's data processing. All equipment plus backup copies of essential data files and programs are also usually maintained at this location. It enables the business to relocate with minimal losses to normal operations - typically within a few hours. A hot site is one of the most expensive facilities to maintain.
226
Define incident response team?
A carefully selected team that responds quickly and follows an established protocol for identifying, investigating, and recovering from a disaster.
227
Define DRP.
DRPs enable organizations to recover from disasters in order to enable continuing operations. DRP processes include maintaining program and data files, and enabling transaction processing facilities. In addition to backup data files, DRPs must identify mission-critical tasks and ensure that processing for these tasks can continue with virtually no interruptions.
228
Define view-only access.
Permitting a user to view, but not change, a file.
229
Define mobile computing.
Transportable computing devices. That is, computing devices that can be carried from place to place.
230
Identify items that should be included in user training in mobile applications.
Organizational policies, password maintenance and protection, when and how to use mobile devices, procedures for lost or stolen devices.
231
Define malicious app.
An app that collects and transmits user data to a third party.
