INFOS SUMMARY Flashcards
what is data?
facts collected, recorded and stored in the system
what is information?
meaningful and organized data
uses for IT?
helps decision makers more effectively filter and condense info
when is info valuable?
when benefits exceed costs of gathering, storing, maintaining
what makes info useful?
- relevant
- reliable
- complete
- timely
- understandable
- verifiable
- accessible
what are business processes?
activities and tasks performed to achieve specific organisational goals
what is a business transaction?
an agreement between two entities to exchange g/s/other that can be measured in economic terms by the entity
what is transaction processing?
processing transactional data (capturing, recording, summarising it) so it can be used to create financial statements (FS) and other reports
what is a basic bus process?
transactions betw the bus and third parties:
- revenue cycle (give g/s = get cash)
- expenditure cycle (get g/s = give cash)
what is an AIS?
a system that collects, records, stores and processes data to produce info for decision makers
components of an AIS?
- people who use it
- processes
- technology
- controls to safeguard info
how does an AIS add value to an org?
- improving quality and reduce service costs
- improves efficiency
- improves decision making
what is a strategy?
the overall goal the org hopes to achieve
what does a value chain do?
it links together diff activities within an org that provide value to the customer
primary value chain activities?
provide direct value to the customer
value chain support activities?
enable primary activities to be efficient and effective
what is a data processing cycle?
demonstrates the operations performed on data to make the info meaningful for decisions
what triggers data processing?
a business activity
four components of data processing cycle
(1) data input > (2) data processing > (4) info output
(3) data storage sits alongside all three stages: each stage writes to and reads from stored data
what forms part of (1) data input?
data collection/preparation
what forms part of (2) data processing?
- editing
- correction
- manipulation
what data must be collected when a bus activity is initiated?
- activity type
- resources affected by the activity
- people who took part in it
what is data collection?
process which ensures that data are both defined and accurate so that decisions can be valid
what is data preparation?
manipulation of data into a form more suitable for analysis
what happens during data input?
verified data is conv into machine-readable form so that it can be processed. time consuming and requires speed and accuracy.
what is a turnaround document?
(source document)
a document produced as company output (e.g. a bill) and sent to an external party, who returns it with added data (e.g. payment details) so that it re-enters the company's system as input
what is a transaction processing system?
IS that processes data generated from bus transactions
what are the objectives of a TPS?
- carries out day-to-day transactions
- supplies necessary info to orgs that enables business functions
- supplies data to other IS
what is a transaction?
a business event that modifies/generates data stored in an IS
TPS characteristics?
- rapid processing (info available when needed speedily)
- processing reliability
- controlled access
- must be efficient and meet ACID requirements
what are the ACID requirements?
Atomicity (all or nothing: every step of the transaction is applied, or none of it is)
Consistency (the database moves from one valid state to another, according to its rules/constraints)
Isolation (concurrent transactions do not see each other's partial results)
Durability (once committed, the transaction survives crashes and power loss)
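Worked example of the ACID requirements, added to these notes (it is not from the original flashcards or any textbook): a two-account transfer in Python's standard sqlite3 module. The account names, balances and the "no negative balance" rule are constructed for the example. Atomicity shows up when the second UPDATE fails and the first is rolled back; consistency is the CHECK constraint; durability is the COMMIT.

```python
import sqlite3

# Constructed sample ledger: two accounts with a consistency rule (CHECK)
# that no balance may go negative.
SCHEMA = """
CREATE TABLE accounts (
    id      TEXT PRIMARY KEY,
    balance INTEGER NOT NULL CHECK (balance >= 0)
);
"""


def open_ledger():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("cash", 100), ("ar", 50)])
    conn.commit()          # durability: committed rows persist
    return conn


def transfer(conn, src, dst, amount):
    """Move `amount` from src to dst as one atomic unit of work.

    Returns True on commit, False if the whole transfer was rolled back.
    """
    try:
        # `with conn:` opens a transaction and COMMITs on success, or
        # ROLLBACKs if the block raises, so both updates apply or neither.
        with conn:
            cur = conn.execute(
                "UPDATE accounts SET balance = balance + ? WHERE id = ?",
                (amount, dst))
            if cur.rowcount != 1:
                raise ValueError("unknown destination account")
            cur = conn.execute(
                "UPDATE accounts SET balance = balance - ? WHERE id = ?",
                (amount, src))
            if cur.rowcount != 1:
                raise ValueError("unknown source account")
        return True
    except (sqlite3.IntegrityError, ValueError):
        # IntegrityError: the CHECK constraint rejected an overdraft
        # (consistency). ValueError: missing data was detected. Either way
        # the credit already applied to dst has been undone (atomicity).
        return False


def balances(conn):
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id"))


if __name__ == "__main__":
    ledger = open_ledger()
    print(balances(ledger))                      # {'ar': 50, 'cash': 100}
    print(transfer(ledger, "cash", "ar", 30))    # True
    print(transfer(ledger, "ar", "cash", 500))   # False: overdraft, rolled back
    print(balances(ledger))                      # {'ar': 80, 'cash': 70}
```

Isolation is not shown explicitly: SQLite enforces it by serialising writers with a database lock, so a second connection would never observe the half-finished transfer.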
what is the design of a TPS based on?
- data content and format
- execution details of transactions
- rules to be enforced
what are TPSs capable of?
- enforcing rules and work procedures
- detecting errors/missing data
- automating certain dec-mak functions
what are the four types of data processing?
Create new records
Read existing data
Update previous records / data
Delete data
(CRUD)
methods of data processing?
batch processing
online real-time processing
online batch processing
adv of batch processing?
- cheaper
- can manage large repeated work easily
- sharing of batch system for multiple users
disadv of batch processing?
- time delays (data is collected, then processed later as a batch, so stored info is out of date between runs)
- difficult to debug
how does real-time processing work?
comp sys processes data immediately after capture and provides updated info to users on a timely basis
adv of real-time processing?
- accessible
- cost savings
- service improves dramatically
disadv of real-time processing?
- servers must always be online (expensive bc of resources and processing time)
what is data storage?
an important stage in the cycle where data are held for future usage. allows for quicker access to processed info so that it can be passed on to the next stage.
what is CBS?
computer-based storage
what are attributes (CBS)?
facts/properties about an entity
what are data values (CBS)?
actual value stored in a field, describing a particular attribute of an entity
what are records (CBS)?
a group of fields whose data values describe entity attributes
what are fields (CBS)?
this is where attributes of an entity are stored
what is the info output stage?
the stage where processed info is transmitted to the user (can be viewed online) to be interpreted and given meaning to guide decisions
what do IS produce output for?
- planning
- recording/processing transactions
- monitoring performance
- controlling
- dec-mak
what is a file?
a group of related records about one type of entity
what is a masterfile?
stores the cumulative, relatively permanent data about an entity (e.g. customers, accounts); it is updated from the transaction file
what does the transaction file consist of?
all bus transactions that occurred during a specific time
what does an enterprise resource planning system do?
integrates activities from the entire org (revenue, exp, production)
adv of ERPSs?
(help MONITOR, CONTROL, AUTOMATE)
- greater monitoring capabilities for mgmt
- improved access of control of data
- increases productivity thru automation
disadv of ERPSs?
- costly
- complex
- lots of time to implement
what are some threats to an AIS?
- natural/political disasters
- software errors/malfunctions of equ
- un/intentional acts
what is fraud?
any means a person uses to gain an unfair advantage over another
- false statement, material facts which induces victim to act, intends to deceive
what are the two main categories of fraud?
- misappropriation of assets (theft of comp assets)
- fraudulent financial reporting
elements of misappropriation of assets?
- an org’s assets taken through trickery/deceit not force
- the act of asset theft, concealment and conversion must be present
when can misappropriation of assets occur?
- before they are recorded in the books (skimming)
- while A are being held by the org (larceny)
- during purchasing process
examples of misappropriation of assets?
skimming, larceny, misuse of equ/inv/cash
what are the three conditions for fraud?
- pressure
- opportunity
- rationalization
how to prevent and detect fraud?
- make it less likely to occur
- make it harder to commit
- improve detection
- reduce fraud losses
how to make fraud less likely to occur?
- create a culture of integrity
- develop and communicate the security policy
- assign authority for bus obj and hold them accountable for achieving those goals
how to make fraud difficult to commit?
- strong int controls
- require independent checks
- restrict access
- use encryption / sys authentication
how to improve fraud detection?
- ext/int audits
- audit trails of sys transactions
- install fraud detection software
how to reduce fraud losses?
- insurance
- monitor sys activity
- store backup copies of data files in secure location
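Worked example for the detection side of the four steps above (audit trails, independent checks, monitoring sys activity). This is added here and is not from the original flashcards: a scan over a constructed audit trail of an expenditure cycle that flags after-hours activity, duplicate invoice numbers, duplicate approvals, a creator approving their own invoice (segregation of duties) and an approval above a single-approver limit. The event fields, the 08:00-17:59 business hours and the 5000 limit are assumed policy values for the example.

```python
from collections import Counter
from datetime import datetime

# Constructed sample audit trail (invoice creation and approval events).
# Field names and values are made up for the example.
AUDIT_TRAIL = [
    {"id": 1, "ts": "2024-03-04T10:12:00", "user": "bob",   "action": "create_invoice",  "vendor": "ACME", "invoice": "INV-1001", "amount": 4200.00},
    {"id": 2, "ts": "2024-03-04T10:15:00", "user": "alice", "action": "approve_invoice", "vendor": "ACME", "invoice": "INV-1001", "amount": 4200.00},
    {"id": 3, "ts": "2024-03-04T23:40:00", "user": "bob",   "action": "create_invoice",  "vendor": "ACME", "invoice": "INV-1001", "amount": 4200.00},
    {"id": 4, "ts": "2024-03-04T23:41:00", "user": "bob",   "action": "approve_invoice", "vendor": "ACME", "invoice": "INV-1001", "amount": 4200.00},
    {"id": 5, "ts": "2024-03-05T09:00:00", "user": "carol", "action": "create_invoice",  "vendor": "ZETA", "invoice": "INV-2002", "amount": 9800.00},
    {"id": 6, "ts": "2024-03-05T09:30:00", "user": "dave",  "action": "approve_invoice", "vendor": "ZETA", "invoice": "INV-2002", "amount": 9800.00},
]

APPROVAL_LIMIT = 5000.00        # single-approver authority limit (assumed policy)
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 (assumed policy)


def find_red_flags(log, approval_limit=APPROVAL_LIMIT, business_hours=BUSINESS_HOURS):
    """Return (event id, reason) pairs for events that break a control rule."""
    flags = []
    creators = {}            # (vendor, invoice) -> set of users who created it
    approvals = Counter()    # (vendor, invoice) -> number of approvals seen
    for event in log:
        key = (event["vendor"], event["invoice"])
        # Activity outside business hours is a monitoring red flag, not proof.
        if datetime.fromisoformat(event["ts"]).hour not in business_hours:
            flags.append((event["id"], "after-hours activity"))
        if event["action"] == "create_invoice":
            if key in creators:
                flags.append((event["id"], "duplicate invoice number"))
            creators.setdefault(key, set()).add(event["user"])
        elif event["action"] == "approve_invoice":
            approvals[key] += 1
            if approvals[key] > 1:
                flags.append((event["id"], "duplicate approval of same invoice"))
            # Independent check: the approver must not be the creator.
            if event["user"] in creators.get(key, set()):
                flags.append((event["id"], "segregation of duties: creator approved own invoice"))
            if event["amount"] > approval_limit:
                flags.append((event["id"], "amount exceeds single-approver limit"))
    return flags


if __name__ == "__main__":
    for event_id, reason in find_red_flags(AUDIT_TRAIL):
        print(event_id, reason)
```

Each rule maps to a control on the list: the duplicate checks catch a double payment, the segregation-of-duties check is the "independent checks" item, and the hour check is plain monitoring of system activity for a human to follow up.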
why do many orgs experience major control failure?
- increased no. of IS = more people accessing info
- decentralized networks are harder to control than cen
- wide area networks give cust and supp access to each other’s sys and data
what are some common business exposures?
- erroneous bookkeeping
- fraud, cybercrime
- excessive costs
- loss of resources
what is a cryptocurrency?
a digital/virtual currency secured by cryptography so that it cannot be counterfeited. many run on decentralised networks based on blockchain tech and are not issued or controlled by a government (though governments can still regulate their use).
what is a blockchain used for in cryptocurrency?
ensuring the integrity of transactional data
uses for cryptocurrency
- prevent fraud
- verify transaction correctness
- ensure security
what is a blockchain?
a type of database that stores data in blocks chained together in chronological order. each new block holds the hash of the previous block: new data is entered into a fresh block which is chained to the previous one, so any change to an earlier block breaks the chain.
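Worked example of a hash-chained blockchain and of how it ensures the integrity of transactional data (the two cards above). It is added to these notes and is not from the original flashcards or any real cryptocurrency's code; the transactions are constructed sample data and there is no mining or consensus, only the chaining.

```python
import hashlib
import json
import time


def block_hash(block):
    """SHA-256 over the block's contents, including the previous block's hash."""
    payload = {k: block[k] for k in ("index", "prev_hash", "timestamp", "data")}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


class Chain:
    def __init__(self):
        genesis = {"index": 0, "prev_hash": "0" * 64, "timestamp": 0, "data": "genesis"}
        genesis["hash"] = block_hash(genesis)
        self.blocks = [genesis]

    def add(self, data, timestamp=None):
        """Append a new block chained to the current last block."""
        prev = self.blocks[-1]
        block = {
            "index": prev["index"] + 1,
            "prev_hash": prev["hash"],
            "timestamp": time.time() if timestamp is None else timestamp,
            "data": data,
        }
        block["hash"] = block_hash(block)
        self.blocks.append(block)
        return block

    def verify(self):
        """Return the index of the first inconsistent block, or -1 if intact."""
        for i, block in enumerate(self.blocks):
            if block["hash"] != block_hash(block):
                return i                      # contents changed after hashing
            if i and block["prev_hash"] != self.blocks[i - 1]["hash"]:
                return i                      # link to the predecessor is broken
        return -1


if __name__ == "__main__":
    chain = Chain()
    chain.add({"from": "A", "to": "B", "amount": 5}, timestamp=1)
    chain.add({"from": "B", "to": "C", "amount": 2}, timestamp=2)
    print(chain.verify())                                    # -1: intact
    chain.blocks[1]["data"]["amount"] = 500                  # tamper with a recorded transaction
    print(chain.verify())                                    # 1: block 1 no longer matches its hash
    chain.blocks[1]["hash"] = block_hash(chain.blocks[1])    # attacker re-hashes block 1...
    print(chain.verify())                                    # 2: ...but block 2 still points at the old hash
```

On a single copy an attacker could keep re-hashing every later block too; what makes that impractical in a cryptocurrency is that many decentralised copies must agree, which is the "decentralised network" point on the card.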
business risk of cryptocurrency?
- not backed by a central party and their value is determined by what market participants place on them. loss in confidence = collapse of trading activities = drop in value
cyber risk of cryptocurrency?
- criminals can break into exchanges and drain crypto wallets and infect computers with malware that steals cc
- cc is highly reliant on unregulated companies that may lack proper int control – more susceptible to fraud and theft
- can’t recover keys if lost/stolen
operational risk of cryptocurrency?
access to money in account cannot be restored if keys are lost / stolen
regulatory/compliance risk of cryptocurrency?
some countries do not allow the use of cc
market risk of cryptocurrency?
there are liquidity concerns and market may be easily manipulated
accounting risks of cryptocurrency?
- not cash/backed by a gov and are thus volatile and have a significant risk of changes in value
- do not give owners a contractual right/obl to receive cash / financial asset (cannot be considered a financial instrument)
why do we need controls?
- to provide assurance that the goals of each bus process are being achieved
- to mitigate the risk that the entity is exposed to
- to provide assurance that the comp is in compliance with gov regulations
name some basic control concepts?
- input / output
- processing
- standard
- sensor
- comparator
- effector
- feedback/forward
- ctrl objectives
what do feedback loops do?
they gather info on the past performance from the output of a system which is then used to govern future performance by adjusting the input
what does a negative feedback aim to do?
attempt to change the direction of the actual movement of the system to bring it back in line with the plan
what does a positive feedback aim to do?
will cause a system to repeat or amplify a certain action
how does a feedforward ctrl system work?
if forecast costs start to rise above budget then action may be prompted on a feedforward principle to prevent such a deviation from ever actually occurring
what do int controls aim to do?
provide reasonable assurance of:
- efficient, effective operations
- reliable FR
- compliance with laws
what are controls framed by?
- what is to be attained
- the means to attain those goals
main objectives of controls?
- to safeguard assets
- to check accuracy & reliability of accounting data
- promote operation efficiency
what is the primary objective of an AIS?
to control the org so that it can achieve its objectives
functions of internal controls?
prevent
detect
correct
what are general controls?
these are designed to ensure an org’s control environment is stable and well-managed
- security mgmt
- IS mgmt
- IT infrastructure controls
what are application controls?
prevent, detect and correct (PDC) transaction errors and fraud. concerned with data validity, accuracy and completeness (VAC) and with authorization.
what are some general ctrls within IT environments?
- org-level controls
- personnel controls
- file security controls
- computer facility controls
what are the five interrelated components of int control?
1) control environment
2) risk assessment
3) control activities
4) info and communication
5) monitoring
what is IT governance concerned with?
- IT’s value delivery to the business
- mitigating IT risks
what does IT governance involve?
- strategic IT alignment
- value delivery
- risk, resource, performance mgmt
how does a framework address the issue of control?
five key principles:
1) meeting stakeholder needs: customise bus processes and IT so the IS adds value
2) covering the enterprise end-to-end: integrate IT with the bus processes
3) applying a single integrated framework
4) enabling a holistic approach that results in effective gov and mgmt of IT functions
5) separating governance from management
what is the COSO?
a private sector group that issued the framework which defines internal controls and provides guidance for evaluating and enhancing control systems
what does ERM stand for?
enterprise risk management
what does the BoD and mgmt use ERM for?
to set strategy
identify events that may affect the entity
manage risk
provide assurance the comp achieves its objectives
what are the basic principles of ERM?
- comps are formed to create value for owners
- mgmt must decide how much uncertainty it will accept
- uncertainty = risk (negatively affects the ability to create value) or opportunity (positive effects)
- ERM manages uncertainty = can create/preserve value
what are the kinds of objectives of ERM?
- strategic
- operational
- reporting
- compliance
strategic obj of ERM?
should provide assurance that the board is informed of the progress on the achievement of bus goals
operational obj of ERM?
provide a guide for org to reach operational goals = effective use of resources
reporting obj of ERM?
ensures reliable int/ext reporting, which supports the continued flow of capital to meet strategic obj
what does the internal environment consist of?
- mgmt philosophy, operating style, risk appetite
- commitment to integrity, ethical values
- organizing structure
- methods of assigning authority
- HR standards
how does ERM ensure objective setting?
it ensures there is a plan in place to formulate objectives that support the comp mission and are consistent with its risk tolerance
what is event identification?
identify risks or factors that prevent an org from achieving goals
what is risk severity = to?
risk prob x risk impact
how do we assess risk?
in terms of potential impact and probability
monitoring in ERM?
can recommend any changes to the ERM
aims to ensure ERM program functions as designed
five components of the COSO ERM frmwrk?
- gov and culture
- strategy/obj setting
- performance
- review and revision
- info, comm, reporting
governance and culture in COSO ERM?
forms the basis of the other components by providing board oversight responsibilities, operating structure and leadership tone
strategy/obj setting in COSO ERM?
focuses on strategic planning and how the org can assess risk. provides guidance on risk appetite and forming obj
performance in COSO ERM?
guides how the org identifies and assesses risk after developing a strategy, and how it responds to risk
review and revision in COSO ERM?
opportunity to see how the ERM can be improved
info, comm, reporting in COSO ERM?
sharing info from int/ext sources throughout the org. systems are used to process, capture and report business risk, culture and performance
what are the components of risk culture?
risk appetite/ tolerance
resp and accountability for IT risk mgmt
awareness and comm
risk culture
what does risk governance do?
provides policies, controls and op guidelines that enable IT leaders to manage risk and weigh bus value
types of risk?
capacity (amount able to take)
universe (all possible risks)
tolerance (capacity minus appetite)
appetite (willing to take)
what is the risk profile?
something that will outline the number/type of risks and the effects thereof. allows the org to anticipate additional costs and disruptions to ops.
controls for info security / trust services framework?
- sys reliability (the overall goal), achieved through five principles:
- security
- confidentiality
- privacy
- processing integrity
- availability
security in trust services framework?
access to the system and its data is controlled and restricted to legitimate users
confidentiality in trust services framework?
implies a relationship between two or more persons in which the info com betw them is kept in confidence. sensitive org data is protected
privacy in trust services framework?
personal info held by the org must be protected from being accessed by unauthorised third parties
processing integrity in trust services framework?
data are processed accurately, completely, timely and with proper auth
security life cycle?
1) assess threats, select risk response
2) develop and comm policy
3) acquire and implement systems
4) monitor performance
repeat
risks can change and threats can inc so policy may need to be revisited
defense in depth security approach?
multiple layers of control (prevent and detect) so that there is no single point of failure
security is effective if?
P > D + C
P = time it takes an attacker to break through the Preventive ctrls
D = time it takes to Detect the attack
C = time it takes to respond to the attack and Correct
steps used by criminals to attack IS?
- reconnaissance
- attempting social engineering (spear phishing)
- scan and map target
- research
- execute attack
- cover tracks (e.g. clearing logs) and leave back doors for re-entry
what is confidentiality?
implies a relationship between persons in which the info comm betw them is to be kept in confidence
(org intellectual property, plans, secrets)
what is data/info privacy?
the necessity to protect any personal info collected by an org from being accessed by a third party
(personal info of employees, vendors, cust)
how to protect the priv/conf of sensitive info?
- identify/classify the info to protect (location, access)
- encrypt the info by protecting it in transit/storage (only accessed by auth people)
- add access controls
- training users of the info
what is data masking?
concealing/encrypting selected info (such as when third parties access reports but aren’t authorized to see certain info)
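Worked example of data masking as described on the card: the same report rendered for viewers with different authorizations. This is added here and is not from the original flashcards; the roles, the sensitive fields and the sample rows are constructed for the example. Card numbers keep their last four digits (so records can still be matched), emails keep the domain, salaries are hidden completely.

```python
import re

# Which fields each role may see in clear; any other role gets the masked
# form. Roles and field names are assumptions for the example.
CLEAR_FIELDS = {
    "finance": {"card_number", "email", "salary"},
    "auditor": {"card_number", "salary"},
    "external_vendor": set(),
}
SENSITIVE = {"card_number", "email", "salary"}


def mask_value(field, value):
    """Field-specific masking that keeps just enough to stay useful."""
    if field == "card_number":
        digits = re.sub(r"\D", "", value)
        return "*" * (len(digits) - 4) + digits[-4:]   # keep last 4 for matching
    if field == "email":
        local, _, domain = value.partition("@")
        return local[:1] + "***@" + domain             # keep the domain, hide the user
    if field == "salary":
        return "[REDACTED]"                             # nothing useful to leak
    return value


def mask_report(rows, role):
    """Return copies of `rows` with every sensitive field the role may not see masked."""
    allowed = CLEAR_FIELDS.get(role, set())     # unknown role -> see nothing in clear
    out = []
    for row in rows:
        masked = dict(row)                      # never mutate the source records
        for field in SENSITIVE:
            if field in row and field not in allowed:
                masked[field] = mask_value(field, row[field])
        out.append(masked)
    return out


# Constructed sample report rows (not real people).
REPORT = [
    {"name": "Ann", "card_number": "4111 1111 1111 1234",
     "email": "ann@example.com", "salary": 52000},
]

if __name__ == "__main__":
    print(mask_report(REPORT, "external_vendor"))
    # [{'name': 'Ann', 'card_number': '************1234',
    #   'email': 'a***@example.com', 'salary': '[REDACTED]'}]
```

Masking is applied when the report is produced, not in the stored data, so the same records serve every role; the stored copy still needs the access controls and encryption from the previous card.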
what is data exfiltration?
unauthorised transfer of data out of a computer/network (data theft), e.g. by malware or by an insider
what are the gen accepted privacy principles?
(sets out how an org may collect, store, use and disclose personal info)
- mgmt (policies with assigned with resp)
- notice (tell people about policies)
- choice and consent (opt-in/out)
- collection (only needed info)
- quality
- use and retention (for bus purposes)
- disclosure to third parties
- access (cust should be able to access/review data)
- security (protect from loss, unauth access)
- monitoring and enforcement (compliance)
what influences encryption strength?
- key length
- algorithm
- key mgmt policy (how keys are generated, stored, rotated and revoked)
what is an encryption key?
a randomly generated string of bits that the algorithm uses to scramble data; the matching key reverses the process to make the info readable again.
what is cipher text?
encrypted text
what happens in pub/priv encryption?
anyone can obtain the public key, which encrypts messages to its owner
only the owner holds the private key, which decrypts them
what creates a hash?
a hashing algorithm
what is cryptography?
the science of de/coding messages to keep them secure
what is a hash?
a fixed-length number generated from data of any size, in a way that makes it computationally infeasible to find two different inputs with the same hash (collision resistance) or to recover the input from the hash.
what are hashes used for?
used to validate content integrity, by detecting mods, and changes to a hash output. reflects every bit in a doc.
what does encryption do?
encodes data for the primary purpose of maintaining data conf and security
hashing vs encryption diff
encryption is two way function that incl encryption and decryption (reversible). hashing is a one way function that changes plain text to a unique irreversible digest.
hashing vs encryption sim
- both are used to protect data, messages and info
- both change data into a diff format
what is a digest?
is a cryptographic hash
how is a hash encrypted
with the private key of the person who created it
encryption/decryption for a message?
sender encrypts using receiver’s public key, receiver decrypts using their private key
encryption/decryption for a digital signature?
created by encrypting the hash using sender’s private key. it is decrypted with the sender’s public key
what is key escrow?
a data security measure in which a cryptographic key is entrusted to a third party
what is a cryptographic key used for?
encrypts and decrypts data
symmetric system vs asymmetric
same key encrypts and decrypts
vs
encrypt with public key, decrypt with private
if symmetric system key is stolen?
the attacker can decrypt any info encrypted with that key, and can also encrypt forged messages that look like they came from a legitimate holder
if asymmetric system key is stolen?
the public key is widely distributed and the private key is stored securely. if the private key is compromised, the attacker can decrypt all info sent to you that was encrypted with your public key, and can also impersonate you with your private key (create digital signatures)
what is a digital signature?
a way to ensure that an electronic doc is authentic (not modified, who created it). relies on encryption.
what is authentication?
verifying that info/a message really comes from the source it claims to come from (a trusted party)
creating a digital signature?
- the document creator creates a hash (algorithm) of the og document
- they use their private key to encrypt the hash; the result is the digital signature (DS), which many jurisdictions treat as legally binding
what is non-repudiation?
the assurance that someone cannot deny the validity of something. provides proof of data origin and integrity. digital signatures (combined w other measures, e.g. trusted timestamps) can offer this.
what can digital signatures assure?
that someone cannot enter into a digital transaction and deny that they have done so and refuse to fulfil their side of the contract
if hashes are identical?
the docs are identical (for practical purposes: a secure hash makes finding two different docs with the same hash infeasible)
if something can be decrypted with someone’s public key?
it must have been enc with their private key
symmetric encryption?
- one key to dec and enc
- both parties need to know the key and must exchange it securely. one shared key serves one pair of communicating parties, so a separate key is needed for each party you communicate with
- encrypting large amts of info
adv and disadv of symmetric enc?
- speed
- requires sep key for everyone who wishes to comm
- must find a secure way to share keys
risks of both asymm and symm enc?
protecting shared key from loss / theft
adv of asym enc?
- everyone can use ur public key to comm w u
- no need to store keys for each party
disadv of asym enc?
- slow
- requires PKI to validate ownership of public keys
primary use of asym enc?
- creating digital signatures
- securely exchanging the sym session keys that then encrypt the bulk data (e.g. a key sent via email)
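Worked example covering the hashing, digital signature and key exchange cards above ("what is a hash", "creating a digital signature", "if something can be decrypted with someone's public key", "primary use of asym enc"). It is added to these notes and is not from the original flashcards. It uses the notes' own model (sign = encrypt the SHA-256 hash with the private key, verify = decrypt with the public key) on a toy textbook RSA with two small Mersenne primes so that it runs on the standard library alone; the primes, the 8-byte session key and the digest-reduction step are assumptions for the example, and real systems use 2048+ bit keys with padding (PKCS#1 v1.5 or PSS).

```python
import hashlib
import secrets

# Toy RSA parameters (assumption for the example): two Mersenne primes give a
# modulus of about 92 bits. Mechanics only, NOT a secure implementation.
P = 2**31 - 1
Q = 2**61 - 1
E = 65537


def modinv(a, m):
    """Modular inverse of a mod m via the extended Euclidean algorithm."""
    r0, r1, t0, t1 = a, m, 1, 0
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
    if r0 != 1:
        raise ValueError("no modular inverse")
    return t0 % m


def keygen():
    """Return (public_key, private_key) as (n, e), (n, d)."""
    n = P * Q
    d = modinv(E, (P - 1) * (Q - 1))
    return (n, E), (n, d)


def digest_int(data, n):
    # Hash the whole document to a fixed-length digest, then reduce it to a
    # number below n. Real schemes pad the digest to the key size instead.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def changed_bits(a, b):
    """Count differing bits between two digests (the avalanche effect)."""
    return bin(int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).count("1")


def sign(private_key, data):
    n, d = private_key
    return pow(digest_int(data, n), d, n)          # "encrypt the hash with the private key"


def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == digest_int(data, n)   # "decrypt with the public key", compare hashes


def wrap_key(public_key, sym_key):
    """Encrypt a short symmetric key so only the private-key holder can read it."""
    n, e = public_key
    k = int.from_bytes(sym_key, "big")
    if k >= n:
        raise ValueError("symmetric key too long for this toy modulus")
    return pow(k, e, n)


def unwrap_key(private_key, wrapped, length):
    n, d = private_key
    return pow(wrapped, d, n).to_bytes(length, "big")


if __name__ == "__main__":
    pub, priv = keygen()
    doc = b"Pay 100 to Alice"
    sig = sign(priv, doc)
    print(verify(pub, doc, sig))                   # True
    print(verify(pub, b"Pay 900 to Alice", sig))   # False: the hash changed, so the signature no longer matches
    h1 = hashlib.sha256(doc).digest()
    h2 = hashlib.sha256(b"Pay 100 to Alicf").digest()   # one character changed
    print(changed_bits(h1, h2))                    # many bits differ for a one-character change
    session_key = secrets.token_bytes(8)           # toy-sized; real keys are 16-32 bytes
    print(unwrap_key(priv, wrap_key(pub, session_key), 8) == session_key)   # True
```

The last two lines are the hybrid pattern from the "primary use of asym enc" card: the slow public-key operation protects only a short symmetric key, and that key then encrypts the bulk data.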
what is a PKI?
(public key infrastructure)
a set of roles, policies and procedures needed to create, manage, distribute, store and revoke digital certificates (which bind public keys to identities) and to manage public key encryption
what does a VPN do?
- extends a private network across a public network and allows users to send and receive data across public networks as if their devices were directly connected in a private network
- securely transmits encrypted data between two endpoints that hold the appropriate enc/dec keys
what is a hash code/value?
a numeric value of fixed length that (for practical purposes) uniquely identifies data of any size. represents large amounts of data. used when creating and verifying a DS.