Information Technology (15-25%) Flashcards

1
Q

What is the COBIT Model?

A

Control Objectives for Information and Related Technologies (COBIT)

provides a framework for implementing IT into the control system and understanding the risks of doing so - a guide for managers and users to adopt best IT practices

aimed at figuring out 3 main things (PRO):
1 - OBJECTIVES - what are our business requirements of IT system?
2 - RESOURCES - what IT resources would be necessary to implement such system?
3 - PROCESSES - what IT processes do we need to figure out how to implement such system?

2
Q

What are the 4 main domains of the COBIT Model?

A

DAMP
1 - PLANNING & ORGANIZATION - how the IT system helps accomplish objectives
2 - ACQUISITION & IMPLEMENTATION - how the organization acquires and develops IT solutions and automated solutions that address objectives
3 - DELIVERY & SUPPORT - how the organization can best deliver required IT services, including operations, security, continuous service, and training
4 - MONITORING - how the organization can periodically assess IT processes for quality and control

3
Q

What are the 7 attributes of desired information from COBIT Model?

A
ICCAREE
1 - effective
2 - efficient
3 - confidential
4 - integrity
5 - available
6 - compliant
7 - reliable
4
Q

What is an IT Risk Assessment?

A

3 main risk management components:
1 - EVALUATION - to identify and evaluate properties and characteristics
2 - ASSESSMENT - to discover threats and vulnerabilities that pose risk to assets
3 - MITIGATION - to address risk by transferring, eliminating, or accepting it

5
Q

What is Change Management?

A

policies and procedures governing change within organization

follows basic logical steps of implementing change:

  • identify need for change
  • create plan outlining objectives of change
  • obtain approval from management, create budget, map out general timeline
  • identify risks of implementing change
  • test change
  • implement change
  • review and monitor
6
Q

What are the 3 Risks associated with Change Management?

A

1 - ACQUISITION RISKS:
inability to consider all effects of implementing new system/software - could be incompatibilities with existing systems or with organizational objectives
2 - INTEGRATION RISKS:
EEs resisting adoption of new system/software, lack of adequate resources to correctly implement change, possibility of unforeseen incompatibility
3 - OUTSOURCING RISKS:
outside organization does not have same understanding/knowledge of objectives, security of sensitive information

7
Q

What are the 7 stages of Systems Development Lifecycle (SDLC)?

A

PADDTIM
1 - PLANNING & FEASIBILITY
- technical feasibility - is it possible with the current IT system?
- economic feasibility - do the benefits outweigh the costs?
- operational feasibility - will the system work?
2 - ANALYSIS - identifies what system must accomplish
3 - DESIGN - interactions among systems/users-flowcharted
4 - DEVELOPMENT
5 - TESTING
6 - IMPLEMENTATION
- parallel implementation - old system and new system run side by side, until clear new system works
- cold turkey - old system dropped, new system implemented all at once
- phased implementation - new system implemented in phases
- pilot implementation - users divided into small groups and one group at a time implements new system
7 - MAINTENANCE - user groups/help desks used to monitor issues as time goes on

8
Q

What is involved in the documentation of an IT system? What are the 4 levels of documentation?

A

documentation required in order to:

  • evaluate system
  • train EEs on using system
  • re-create or re-deploy system after crisis
  • for auditors to use during audits
  • can be in many different forms - questionnaires, narrative description, flow charts, diagrams, decision tables, etc.

SOUP
1 - SYSTEM documentation - gives overview of programs/data and how system works together
2 - PROGRAM documentation - is record of programming logic - mainly used for programmers
3 - OPERATOR documentation - run manual is necessary information to run programs - used by computer operators
4 - USER documentation - helps untrained user to understand and use system

9
Q

What are the types of IT system access controls?

A

2 types of control:
1 - LOGICAL controls:
within computer systems - prevent unauthorized access - user authentication, read/write permissions, firewalls, etc.
2 - PHYSICAL ACCESS controls:
physical measures taken to protect the organization's information - keycards to open certain doors, fingerprint scanners, etc.

10
Q

What are the IT Segregation of Duties and Roles?

A

segregation of: PADDO

  • planning
  • design
  • development
  • administration
  • operating of IT system

SAAP-SASP-O

  • SYSTEMS ANALYST - designs and analyzes - usually leads a team of programmers
  • APPLICATION PROGRAMMER - writes the programs
  • SYSTEM ADMINISTRATOR - grants access to system resources and manages activities within
  • SYSTEM PROGRAMMER - maintains and updates systems and hardware
  • OPERATOR - actual users of system/software
11
Q

What are 3 main areas regarding sensitive information risk in IT?

A

1 - critical information
2 - confidentiality
3 - privacy

*numerous ways this information can be stolen, exposed, misused, accessed without authorization

12
Q

What are the 6 categories of General IT Controls?

A

1 - PREVENTIVE controls - prevent an error before it occurs
2 - DETECTIVE controls - detect an error after it occurs
3 - CORRECTIVE controls - reverse the effects of an error
4 - FEEDBACK controls - results evaluated/adjusted
5 - GENERAL controls - apply to all parts
6 - APPLICATION controls - apply to specific parts

13
Q

What are the 3 types of Application IT Controls?

A

1 - INPUT controls - ensure transactions are Valid, Complete, and Accurate (ACV)
2 - PROCESSING controls - ensure updates and processes work accurately, completely, and detect unauthorized transactions
3 - OUTPUT controls - ensure reports generated are accurate and only distributed to authorized individuals

14
Q

What are a few examples of Input Controls under the Application IT Controls?

A

ACV - accurate, complete, valid

  • DEFAULT VALUES - help reduce mistakes, such as the date on an order page being auto-filled with the current day's date
  • AUTOMATED DATA CAPTURE - barcode allows fast data entry and reduces mistakes
  • REASONABLENESS CHECK - compares 2 fields, such as hours worked with paycheck total, makes sure values are reasonable
  • CLOSED LOOP VERIFICATION - reduces data entry errors - retrieves related information; if it comes up wrong, the user knows they typed it wrong
  • SEQUENCE CHECK - verifies all numbers in a sequence are accounted for, such as check numbers
  • HASH TOTAL - total for a field with no actual meaning, can prevent errors, such as adding up customer account numbers
15
Q

What are a few examples of Processing Controls under the Application IT Controls?

A

REI

  • ELECTRONIC AUDIT TRAIL - list of transactions written to a log, provides a trail
  • RUN TO RUN - counts that monitor the number of units in a batch as they move from one procedure to another
  • INTERNAL LABELS - tell the program it is using the correct files for the update process
16
Q

What are a few examples of Output Controls under the Application IT Controls?

A

SAD

  • SPOOLING CONTROLS - jobs sent to printer, held in queue, access to queue is restricted
  • ABORTED PRINT JOBS - control to dispose of partial printouts or aborted print jobs - can contain sensitive data
  • DISTRIBUTION LOGS - record of who receives what reports, make sure only those authorized receive
17
Q

What is Encryption? and what are the 2 types?

A

process of converting regular text to code that can only be deciphered by the intended recipient (ideally) - usually a system/software converts the message

  • SYMMETRIC encryption - simple, easy to use - less secure - single algorithm
  • ASYMMETRIC encryption - more complicated to use - more secure - 2 algorithms used
18
Q

What is a peer-to-peer network (P2P)?

A

when different nodes all share communications management - no central controlling server (2 or more PCs share files and access to devices) - how Bitcoin (BTC) operates

19
Q

What is a local area network (LAN)? What is a wide area network (WAN)?

A

LAN - confined to small geographic area such as one office or even just one floor

WAN - cover large geographic areas, such as national network

20
Q

What is a node?

A

electronic device that is attached to a network, and is capable of creating, receiving, or transmitting information over a communication channel

21
Q

What is extensible markup language (XML)?
What is hypertext markup language (HTML)?
What is extensible business reporting language (XBRL)?

A

XML - protocol for encoding documents in a machine-readable form

HTML - language for web pages

XBRL - protocol for encoding and tagging business and accounting/financial specific information in electronic form

22
Q

What is transmission control protocol (TCP)/internet protocol (IP)?
What is file transfer protocol (FTP)?

A

TCP/IP - transmission protocol of internet

FTP - protocol used to transfer files from client to server

23
Q

What is social engineering?

A

set of techniques used by a fraudster to get sensitive information from EEs - getting information from people instead of actually hacking computer systems

24
Q

What are the 4 electrical systems risks?

A

1 - failure/outage
2 - reduced voltage (brownout)
3 - spike/surges
4 - electromagnetic interference

25
Q

What are the 2 main security protocols that make secure internet transactions possible?

A

1 - SSL - secure sockets layer

2 - S-HTTP - secure hypertext transport protocol

26
Q

What is a denial of service attack?

A

prevents legitimate users from accessing system by flooding system with requests - attack is meant to only disable system, not gain access to it

27
Q

What is a backdoor?

A

program that lets a hacker bypass the regular security process, such as a password

28
Q

What are the 3 main categories for planning, identifying and prioritizing in business continuity management (BCM)?

A

MBT
1 - MISSION CRITICAL (highest level) - serving customers and manufacturing products
2 - BUSINESS CRITICAL - IT systems and processes necessary for business to run
3 - TASK CRITICAL (lowest level) - services required to carry out individual tasks

29
Q

What is a Disaster Recovery Plan (DRP)?

What are the different types of sites for a DRP?

A

allows organization to make plan for disasters and recover from them

  • COLD SITE - offsite location that has all physical requirements for data processing, but does not have the actual equipment/data
  • WARM SITE - place the business can relocate to after a disaster, contains hardware but no copies of backed-up data
  • HOT SITE - offsite location completely ready to take over data processing
  • MIRRORED SITE - fully redundant facility - has the highest cost
30
Q

What is an IT steering committee?

A

members selected from different areas across organization - oversees development of system being built or resources being acquired for data processing needs

31
Q

What is an Enterprise-wide Resource Planning system (ERP)?

A

software system that processes transactions, supports management, aids decision making throughout entire organization in one single package - integrates all data maintained by organization into one database - improves flexibility and decision-making process by having all information in one place

advantage - increased efficiency
disadvantage - very expensive

32
Q

What is the online analytical processing system (OLAP) within an ERP system?
What is the online transaction processing system (OLTP) within an ERP system?

A

OLAP - provides data warehouse and data mining capabilities - EEs can go into the system and run queries/generate reports from the firm's data (OLAP refers to analyzing data)

OLTP - records day-to-day transactions, such as sales, production, purchasing (OLTP refers to collecting data)

33
Q

What are 3 main advantages of a cloud-based system?

What are 3 main risks associated with using a cloud-based system?

A

advantages:
1 - enhanced access as long as someone has internet
2 - lower maintenance costs
3 - scalability

risks:
1 - risk of data loss
2 - increased risk of data being breached by hackers
3 - overall risk relying on service provider instead of housing data internally

34
Q

What is the Extract, Transform, Load (ETL) data process?

A

using data to perform analytics of some kind

EXTRACT - extracting data from its source (database)
TRANSFORM - cleaning and normalizing data before it is analyzed
LOAD - loading transformed data into the software where analytics will be performed