IT Flashcards

Question 1

Q

Elements of Accounting Systems

Answer

A

People
Procedures
Hardware
Software
Data

Question 2

Q

Risks in Computer-Based Systems

Answer

A

Systems, programs and people (FUNI)
•Reliance on FAULTY systems or programs
•UNAUTHORIZED changes in master files, systems, or programs
•Failure to make NEEDED changes
•Inappropriate INTERVENTION (by people)

Question 3

Q

COBIT purpose

Answer

A

Align IT and business goals/strategies

Link business risks, control needs and IT

Common language for users, auditors, management, and business process owners in identifying risks and structuring controls.

Determine how much to invest in IT control

Question 4

Q

COBIT Framework Defined

Answer

A

To provide the information that the organization needs to achieve its objectives, IT resources needed to be managed by a set of naturally grouped processes.

Process orientation to exercise responsibilities, achieve goals and manage risks.

CIRCLE (a) IT processes (b) Business requirements (c) IT resources

Question 5

Q

COBIT Information Attributes

Answer

A

Effective
Efficient
Confidential
Integrity
Available
Compliant
Reliable

Question 6

Q

COBIT and COSO

Answer

A

Both concerned with monitoring of organizational processes

FOCUS:
•COSO: organizational control and processes
•COBIT: IT controls and processes

Question 7

Q

According to the COBIT model, identify 5 physical resources that, together, comprise an IT system

Answer

A

People
Applications
Technology
Facilities
Data

Question 8

Q

According to the COBIT model, what are the four IT domains?

Answer

A

Planning and organization
Acquisition and implementation
•the process of identifying automated solutions.
Delivery and support
•the process of ensuring security and continuous service.
Monitoring

Question 9

Q

What are the three major components of the COBIT model?

Answer

A

Domains and processes
Information criteria
IT resources

Question 10

Q

ERP Goals

Answer

A

Integration (goal visibility): Integrate all data into 1 data base with user-Defined views
Cost Savings: decrease system maintenance costs (only one system to maintain)
Employee Empowerment: Improves Communication and decision making by increasing information availability
“Best Practices”: include most successful business processes of an industry.

Question 11

Q

Enterprise Architecture Defined

Answer

A

An organizations enterprise architecture is its efforts to understand, manage, and plan for IT assets. An organizations IT security governance plan must articulate with, and be informed by, the organizations enterprise architecture plan.

Question 12

Q

Enterprise-Wide or Enterprise Resource Planning (ERP) Systems Defined

Answer

A

ERPS provide transaction processing, management support, and decision-making support in a single, integrated, organization-wide package. By integrating all data and processes of an organization into a unified system, ERPs attempt to manage and eliminate the organizational problem of consolidating information across departments, regions, or divisions.

Question 13

Q

Online Transaction Processing (OLTP) System

Answer

A

The modules comprising the core business functions: sales, production, purchasing, payroll, financial reporting, etc. These functions collect the operational day for the organization and provide the fundamental motivation for the purchase of an ERP.

Question 14

Q

Online analytical Processing (OLAP) System

Answer

A

Incorporates data warehouse and data mining capabilities within the ERP.

*provides an integrated view of transactions in all parts of the system.

•primarily concerned with collecting data (not analyzing it) across the organization.

Question 15

Q

PaaS Defined

Answer

A

The use of the cloud to CREATE (not access) software.

Question 16

Q

SaaS Defined

Answer

A

The use of the cloud to ACCESS software.

Question 17

Q

Three important functions (segregate) of IT department rolls

Answer

A

Application Development: SAFEGUARD ASSETS (applications in development)
Systems Administration and Programming: Grant AUTHORIZATION (access)
Computer Operations: EXECUTE events, safeguard archived IP

Question 18

Q

Segregation of Duties: Data Control (Clerk)

Answer

A

Control document flows, schedule batches for data entry and editing, reconcile control totals (reconciling + authorizing function)

Question 19

Q

Segregation of Duties: Computer Operators

Answer

A

Operate the (mainframe) computer, load program and data files, run programs (execute transactions)

Question 20

Q

Segregation of Duties: File Librarian

Answer

A

Maintain files and data that are not online in file library, check files in and out to support scheduled jobs. Should not have access to operating equipment or data outside of library.

Question 21

Q

Inadequate Scope and Agility

Answer

A

IT investments in business units, inadequately scaled to meet changing business needs

Question 22

Q

Digitization Defined

Answer

A

Moving data to electronic form.

Question 23

Q

Governance Defined

Answer

A

The processes and structures, to oversee the activities of the organization in pursuit of organizational objectives.

Question 24

Q

Oversight Defined

Answer

A

Process of managing and monitoring an organizations operations to achieve internal control and effectively manage risk.

Question 25

Q

Product Differentiation Defined

Answer

A

Setting your product apart from your competitors’

Question 26

Q

Common Problems with IT Investments

Answer

A

Lack of IT strategic focus - many IT investments are “bottom up”.
Lack of strategic investment - over-investment in existing businesses and inadequate investment in “transformative” technologies.
Inadequate scope and agility - IT investments in business units, inadequately scaled to meet changing business needs.

Question 27

Q

Governance is primarily the responsibility of

Answer

A

THE BOARD

Question 28

Q

Operational, Transaction Processing, Systems (TPS)

Answer

A

Support large volume, day-to-day activities of business.
•purchasing of goods/svcs, mfg activities, sales to customers, cash collections, payroll.
Transaction types
•Non-financial (placing orders for goods, accepting orders from customers)
•Financial (billing a customer, receiving pmt, paying employees)

GENERATE DEBIT AND CREDIT ENTRIES INTO ACCOUNTS.

Question 29

Q

Knowledge Management Systems (KM)

Answer

A

Components:

Knowledge base, knowledge database, provides means to collect, organize, and develop relations among information.

Question 30

Q

Management Information System (MIS)

Answer

A

Support routine, lower to mid level management.

Primarily synthesize (analyze) data from TPSs (internal data)
Tasks: structured problems

Ex: compare planning info (budgets, forecasts) data with outcomes. , AR Aging

Question 31

Q

Accounting Information System (AIS) is a subset of:

Answer

A

Management Information Systems (MIS)

•AIS generated debits and credits (ex: A/R transactions – aging)

Question 32

Q

Decision Support Systems (DSS)

Answer

A

Support mid and upper level management.

Tasks: manage non-routine problems and long-range planning.

Often integrate external (market-level) with TPS data.

Include significant analytical and statistical capabilities.

Question 33

Q

Two types of DSS (decision support systems)

Answer

A

DATA DRIVEN: process large amounts of data to find relations and patterns. Ex: data warehousing and data mining.

MODEL DRIVEN: use models to forecast outcomes, model-driven analytics.

Question 34

Q

DSS Examples Used by Audit Firms

Answer

A

Client risk Assessment

Client acceptance and retention

Internal control documentation and testing

Compute audit sample sizes

Question 35

Q

Group Support Systems (GSS)

Answer

A

Facilitate group collaboration

May include functions such as calendars, meeting scheduling, and document sharing.

Question 36

Q

Executive Support Systems (ESS) or Strategic Support Systems (SSS)

Answer

A

Similar to DSS
•Support forecasting and long-range, strategic decisions
•Greater use of external data
•primarily to support top management.
•DSS for dummies

•can be for a specific purpose (monitoring competitive price)

Question 37

Q

Flat File Systems

Answer

A

Early IT Systems
Separate programs and data sheets

Each application has separate data and programs (think going into multiple places to change the same thing)
•Data sharing across applications through separate programs
•Select data records from one application and reformat for other application.
•data redundancies.

Question 38

Q

Database Systems

Answer

A

Pool data into logically related files (the database).

MIS always implemented into a database environment.

Question 39

Q

Data Warehouses and Mining

Answer

A

System to collect, organize, integrate, and store entity-wide data.

Easy access to large quantities of varied data from across the organization.

Question 40

Q

Data Mining

Answer

A

Exploration, aggregation, and analysis of data in the data warehouse using analytical tools and exploratory techniques.

Question 41

Q

Data Warehousing

Answer

A

Relational data of archived operational transactions and other data.

Often incorporated in a data-driven DSS

May include external data.

Question 42

Q

Drill Down

Answer

A

Move from summary to detailed information.

Associated with data warehouses
Ability to move from summary to granular information.

Question 43

Q

Slicing and Dicing

Answer

A

View data in multiple ways.

Question 44

Q

A specialized version of a data warehouse

Answer

A

A data mart

Question 45

Q

Bit

Answer

A

Binary digit

Zero or one

Question 46

Q

Byte

Answer

A

Logical grouping of bits

Must be to the power of 2 (2^n)

Question 47

Q

Field (attribute)

Answer

A

logical group of bytes
identify a characteristic or attribute of an entity (invoice, customer, product, etc)
in databases, fields are also known as “attributes”

Question 48

Q

Record

Answer

A

a group of related fields (attributes)

* describe an example of an entirety (a specific invoice, a particular customer)

Question 49

Q

File (Table)

Answer

A

•collection of related records for one specific entity ( an invoice file, a customer file, a product file)

Question 50

Q

Database

Answer

A

A set of logically related files.

Question 51

Q

Systems Software

Answer

A

Programs that run computer and support system management (operating system is more important)

Question 52

Q

Programming Languages

Answer

A

Used to create applications.
Now, most are “third” or “fourth generation” languages, many are object-oriented programming languages (OOPL) (Ex: Java)
All must be converted to “first generation” language (Ex: 0s and 1s) (from source to object code)

Question 53

Q

Application Software

Answer

A

End-user programs that you know and love.

Categories:
General (word processors, spreadsheets, databases)
Specific (a marketing IS for a clothing designer)

Runs on a specific operating system and hardware environment.

Question 54

Q

Operating System

Answer

A

Interface between user and hardware.
Defined what commands can be issued and how (typing in a command, pointing and clicking) Ex: Microsoft, Mac.
Controls all input and output in computer systems.

Question 55

Q

Database Management System (DBMS)

Answer

A

“Middleware” program (between the Software and hardware, or application software and operating system)

Manages the database.

Question 56

Q

Data Definition Language (DDL)

Answer

A

User can define tables and fields and relations among the tables
Uses meta-data (data about data) to define the database elements
Example commands: create, drop, alter (of fields and tables)

Question 57

Q

Data Manipulation Language (DML)

Answer

A

User can add, delete or update records

* Example commands: update, insert, delete (of records)

Question 58

Q

Data Query Language (DQL)

Answer

A

User can extract information.
Most relational databases use structured query language (SQL) to extract fat (text approach)
Query-By-Example (QBE): graphic interface with “drag and drop” fields to create query (graphic approach)

Question 59

Q

Database Controls - DBMS includes:

Answer

A

No collisions - concurrent access management (only one person in at a time)
No hackers or creepers - Access controls
Data definition standards, data element standards
Backup and recovery procedures
Update privileges
Data elements and relationship controls

Question 60

Q

Inputs and Output terminology

Answer

A

Peripherals = input and output devices = I/O devices

Question 61

Q

Input devices

Answer

A

Input devices instruct the CPU and supply data to be processes.

Ex: keyboard, mouse, trackball, touch-screen technology, microphones and voice recognition technology, point of sale (POS) scanners.

Question 62

Q

Output devices

Answer

A

Transfer data from the processing unit to other formats.

printers,plotters–paper output
monitors, flat panel displays, CRT (cathode ray tube) displays–visual output
speakers, voice output communication aids (VOCAs)–auditory output

Question 63

Q

Central Processing Unit (CPU)

Answer

A

CONTROL UNIT: interprets program instructions

ARITHMETIC LOGIC UNIT (ALU): performs arithmetic calculations

Question 64

Q

Primary storage (main memory)

Answer

A

Stores programs and data when in use.

Random Access Memory (RAM)– stores data temporarily (information in process in computer system)
Read-Only Memory (ROM)– permanently stores data needed by computer

Answer 65

A

Form of secondary storage.

Flash drives, USB, jump, thumb drives

No moving parts. Similar to the RAM.

Answer 66

A

A computer that provides resource on a computer network.

Answer 67

A

Physical equipment of the computer system.

Answer 68

A

Batch: group transactions for processing (then are sorted into item number sequence)
On-line, real-time (OLRT): Continuous, immediate Processing.

Answer 69

A

Transaction and mater files must be sorted on a common key
•Low volume, periodic transactions. Transactions are independent or unimportant.
•Called “sequential-access files” because the records are in sequence.
•Alternative is “random-access files” (ex: hardware storage devices)

Answer 70

A

Continuous, immediate transaction processing.

Near simultaneous transaction entry and master files updating.

Requirements: random access storage devices, networked computer system or internet.

•single transaction, random processing technology, immediate update.

Answer 71

A

Scanners capture data from product bar codes (fast, accurate, cheap)

Computer system connected to, or integrated with, electronic cash register.

POS Systems or terminals networked to central computer.

Answer 72

A

Creation, analysis, storage and dissemination of extremely large data sets.

•Feasible due to advances in computer storage technologies (ex: the cloud), advanced data analytics, and massive computing power.

Gartner definition: “high volume, velocity, and/or variety Information assets that demand new, innovative forms of processing for enhanced decision making, business insights or process optimization.”

Answer 73

A

Data from business activities that may be reused in analytics, business relationships, or directly monetized (sold).

Activity, operational or social media data that is unused or underused.

Sometimes a synonym for “meta-data” (data about data)

Answer 74

A

Use of the cloud to access HARDWARE

Answer 75

A

Designing systems, prepares specifications for programmers, and serves as intermediary between users and programmers.

•should not have access to an entity’s data in a large firm. (Violation of segregation of duties)

Answer 76

A

Responsible for establishing user names and authorizing access to specific data files and fields

Answer 77

A

Security
Availability (is the system operational and useable as specified in commitments and agreements? Do I/Cs support system availability?)
Processing integrity (concerns the completeness, validity, accuracy timeliness and authorization of system processing)
Confidentiality (is the information protected consistent with the orgs commitment in agreements?)
Privacy (does the Systems collection, use, retention, disclosure, etc followed)

Answer 78

A

Management (accountability)
Notice (tell others of policies and procedures)
Choice and consent (US= users can opt out of collection of personal info)
Collection (only for identified purposes)
Use and retention (consistent with statements about use - retain only as long as needed or by law)
Access (people can access, review and update their info)
Disclosure to third parties (according to policy)
Security for privacy (protect against unauthorized access)
Quality (personal info is accurate, complete and relevant)
Monitoring and enforcement (monitors the entities compliance)

Answer 79

A

A top management issue.

Answer 80

A

Organization and management
Communications
Risk management and design implementation of controls
Monitoring of controls
Logical and physical access controls
System operations
Change management

Answer 81

A

Given enough time and resources, preventive control can be circumvented.

Accordingly, detection and correction must be timely.

P=time it takes an intruder to break through the organizations preventive controls
D=time it takes to detect that Ana track is in progress
C=time to respond to the attack

If P > (D+C), then security procedures are effective

Answer 82

A

The strategy of implementing multiple layers of controls to avoid having System break down

Answer 83

A

Organization specifies objectives with sufficient clarity to enable identification and assessment of risks relating to objectives.

Assessing cyber risks begins with understanding the value of information systems to an organization.

Answer 84

A

Principle 7: Organization identifies, analyzes and manages risks.

Principle 8: Organization considers fraud risks.

Assess likelihood and severity of cyber risk impact.

Consider industry-specific attack.

*initiative should be lead by senior management.

Answer 85

A

Organization identifies and assesses changes that could impact internal control.

Risks; Rapidly changing technologies and amber criminals’ quick adaption to changes yield new methods of exploiting vulnerabilities.

Answer 86

A

10: Organization selects and develops control activities that contribute to mitigate risks.
11: Organization selects and develops general control activities over technology to support the achievement of objectives.
12: Organization deploys control activities through policies that establish expectations and procedures that implement policies.
* control activities related to cyber risks should relate to the organizations’ objectives and cyber risk profile. (Ex: defense-in-depth Approach. Manage cyber risks through careful design and implementation of controls)

Answer 87

A

Organization obtains, generated and uses relevant, quality information to support internal control.
•Information needs follow from cyber risk Assessment and control design processes.
•Formally document information requirements to support processes and controls.
•Availability of “big data” can create information overload problems.
•Transform control system data into actionable, high-quality information to support cyber-related controls.

Answer 88

A

Organization internally communicates information, including objectives and responsibilities for internal control, necessary to support internal control functioning.

•Communication about cyber risks should include all personnel, personnel responsible for managing and monitoring cyber risks and controls, and the Board of Directors.

Answer 89

A

Organization communicates with external parties regarding internal control.

Answer 90

A

Illegal activity that used a computer as its means of communication, or in which a computer is the target of the crime.

Answer 91

A

The likelihood of a financial loss, a disruption or damage to an organization form failure of, or an attack on, it’s IT Systems.

Answer 92

A

Link to entity’s strategy and objectives.

Need a process for evolving with change.

Answer 93

A

Policies central to internal control
Reflect managements intentions regarding actions
Procedures are actions to implement policies

Answer 94

A

Values and Service Culture: what is expected of IT function personnel in interactions with clients and others?
Contractors, Employees and Sourcing: why, when and how entity selects IT Human Resources from employees vs. outside contractors.
Electronic Communications Use: policy related to employee use of the internal, intranet, email, blogs, chat rooms and telephones.
Use and Connection Policy: Entity’s position on the use of personal devices and applications in workplace and connection to the entity’s systems.
Procurement: policy on procurement processes for obtaining IT services.
Quality: statement of IT performance standards
Regulatory Compliance: statement of regulatory requirements for IT systems.
Security: policy related to guarding against physical or electronic threats to IT. May include disaster recovery preparation policies.
Service management and operational service problem solving: policies for ensuring quality of live IT services.

Answer 95

A

Marketing, buying, and selling of products and services via the internet

Narrower -> Transactions between organization and trading partners.
Business-to-business (B2B) ecommerce: the electronic processing of transactions between businesses. (ex: Processing of business transactions, electronic data interchange (EDI), supply chain management (SCM) and EFT

•Business-to-consumer (B2C) ecommerce: selling goods and services to consumers, usually on Internet and web-based technology.
•Relies on intermediaries or brothers to
facilitate the sales transaction (eBay)

Answer 96

A

Used internet to improve business performance through connectivity.

Business process that relies on electronic dissemination of information or automated transaction processing.
can be within or between organizations.
Most via the Internet using web-based technology’s

Answer 97

A

Business-to-employee e-commerce: sharing information and interacting with employees.

Answer 98

A

Business-to-government e-commerce: contract bidding, property disposal, audit procurement.

Answer 99

A

availability/downtime
privacy, security and confidentiality
authentication and nonrepudiation (after the fact, can’t claim that transaction never occurred)
integrity

Answer 100

A

Customers go elsewhere
Limited growth
Limited markets

Answer 101

A

E-marketplaces and exchanges
Viral marketing
Online direct marketing
E-rendering Systems (putting out bids for products we need?)
Social networking

Answer 102

A

Trading partner

2. The trading site or service provider

Answer 103

A

Risk of System unavailability
•availability/downtime
Privacy, security and confidentiality risks
Authentication risks
Nonrepudiation risks
System integrity risks

Answer 104

A

Where a company seeks bids to provide a product or service.

Answer 105

A

Technologies for managing client e-relationships.

Ex: customer data, profitability, personalized marketing

Database of customer data
•sales force automation: tracking contacts and follow-ups

Marketing automation: “triggered” marketing (ex: Kroger promoting grocery products only to interested customers)

Customer service automation
•customer service automation: automating common customer interactions

Analytics
•sales history and projections, marketing campaign success, trends, and performance indicators

Answer 106

A

computer-to-computer exchange of business data.
structured data and processing protocols to reduce costs and speed processing (purchase orders, confirmations, invoices, etc.)
facilitates JIT (just-in-time) inventory
ex: Walmart and suppliers (direct EDI connections)
often, direct links between trading partners through intermediaries (called “service bureaus” or VANs)
- Most EDI transactions on Value Added Networks (VANs)

Answer 107

A

Audit trails, controls, and security

Often used in conjunction with EDIs

Answer 108

A

Translation software converts between standardized EDI format and internal company format.

Answer 109

A

paperless (saves storage, filing, process costs
zero data entry
reduce errors in information exchange
required by customers (ex: Walmart can force supplies to adopt a system comparable to theirs)
real time data, no delays (faster invoicing and payments)

Answer 110

A

•demanded by customers

•management of e-banking requires:
    Senior management of BoD oversight
    Technology under Senior IT leadership
    Operational management
       monitoring and measuring risk

Answer 111

A

Technology for electronically transferring money.

Increase speed and reduce cost

Answer 112

A

Not payment systems

Programs for managing credit cards, user names, passwords and address information in easy-to-use, centralized location.

Answer 113

A

Process of transforming raw materials into finished product and delivering goods.

Process of planning, implementing, and controlling supply chain operations

SCM OFTEN INCLUDES EDI (ex: Walmart)

Answer 114

A

Preventive and detective controls to prevent unauthorized procurement of cloud services.
•a cloud use policy that articulates how, when, and for what uses, cloud computing is allowed.
•a list of approved cloud vendors

Policy: who can contract for cloud services and under what conditions.

Answer 115

A

Vendor selection & assessment of CSP controls

approved list of cloud vendors includes only vendors who provide sufficient info to enable informed risk assessments of the integrity of CSP operations.
* list of required info from CSP may depend on type of service provided (IAAS, SAAS, PAAS)

Answer 116

A

Effective incident management plan and procedure.

Contract with backup CSPs in case of system failure with primary CSP.

Implement CSP availability monitoring.

Answer 117

A

Incident management plan that considers increased likelihood of attack on CSP.

Answer 118

A

Using a network of remote servers hosted on the Internet to store, manageC and process data, rather than a local server or in-house network.

Answer 119

A

Cloud service providers offer network services, infrastructure, or business applications in the cloud.

Hosted in a data center than can be accessed by companies or individuals using network connectivity.

Answer 120

A

No knowledge or application of SDLC (systems development life cycle).
Not integrated with existing systems
Inadequate system testing and documentation.
Poor data controls, system design
Poor integration with existing systems.
Management may rely on these systems without knowing their risks.

Answer 121

A

Exclusively microcomputers
No centralized IT department (outsourced IT?)
Poor segregation of Duties (incompatible functions often combined)

Answer 122

A

Physical access: unprotected Computing site(s)?
•Give > attention to locked doors & secure storage

Logical (electronic) access: require UNs and strong PWs, automatic log outs

Data Backup: outsource, or, establish

Answer 123

A

Centralized system
•data and processing at central location.
Decentralized system
•individual location processing and data
Distributed (hybrid) database system
•distribute to locations according to need

Answer 124

A

All data processing at one location. Users access via telecommunications channel

ADVANTAGES: enables better data security, consistency in processing.

DISADVANTAGES: high transmission costs, input/output bottlenecks at high traffic times (end of period), slow response to info requests.

Answer 125

A

Each location maintains separate system and data. Summarized data sent to central office.
Use of this system is declining. Can be customized Systems.

ADVANTAGES: low transmission cost, low processing power and storage needs at central site, lower input/output bottlenecks, higher response to local needs.

DISADVANTAGES: higher data redundancy and poor information integration, higher security issues and hardware costs.

Answer 126

A

Compromise: Seek the best of centralized and decentralized.
Database distributed across locations according to needs.
Increasingly common

ADVANTAGES: better communications between locations (all connected to distributed database), more current and complete information, reduce or eliminate need for expensive central processing center.

DISADVANTAGES: similar to centralize systems cost of communications among locations, access and update conflicts among locations.

Answer 127

A

Two or more computing devices connected by a communications channel.

Answer 128

A

Network access point.
•controlling is critical to security. (Who is on the network and why?)

A connected device (computers, printers, headphones, etc.) identified by type (linked to device protocols)

Measure of network complicity.

Each Node is assigned a DNS and IP address

Network monitor displays nodes.

Answer 129

A

Domain Name System: translates network Node into IP address (internet protocol)

Answer 130

A

Route traffic and may include security features (identifying nodes engaged in activity you don’t want on your network).

Routers are smarter, more complex and cost more than switches.

Answer 131

A

•Circuit board and software on each Node.
•Matched to transmission media.
Ex: in each computer (to translate between the network language and the computer language)

Answer 132

A

Communication link between nodes (here a cable).

* May be wired or wireless.

Answer 133

A

CLIENT: usually an end user’s microcomputer, uses but does not provide network resources

SERVER: provides services or resources to network, end-users access server resources but generally don’t use directly.

LOCAL AREA NETWORK (LANs): use dedicated communication lines, cover limited area.

WIDE AREA NETWORK (WANs): uses public or shared communication lines.

STORAGE AREA NETWORK (SANs): type of LAN, dedicated to connecting storage devices to serves and other devices, centralized data storage, increased use in cloud computing.

PERSONAL AREA NETWORK (PANs): created by individual person, wireless or wired.

Answer 134

A

WIRED
Twisted pair
Coaxial cable
Fiber optic cable

WIRELESS
Microwave transmission (primarily used in WANS)
Wi-Fi or spread/spectrum radio transmission
Bluetooth (used in PANs)

Answer 135

A

WIRELESS: Scalable, flexible, often lower cost, mobility.

WIRED: reliable, security, speed, occasionally lower cost.

large LANs and WANs often include both.

Answer 136

A

A. Response time reports
B. Downtime reports
C. Online monitors
D. Network monitors
E. Protocol analyzers
F. Simple network management protocol (SNMP): way of monitoring network traffic
G. Help desk reports

Answer 137

A

A “network of networks”
•worlds largest client/server network.

Common protocol = 2 parts:
TCP (Transmission Control Protocol)
•breaks up sent messages into IP packets
IP (Internet Protocol)
 •all nodes assigned an IP address for delivery of information.

Answer 138

A

Rules by which a network operates and controls flow and priority of messages.

Answer 139

A

A means by which information is transmitted.

Sent files are broken down into packets which contains:
Header: routing information (address), length protocol (maybe), originating info.
Data: main message
Trailer: used in some Systems, error detection bits, end of message identifier

Answer 140

A

Mail servers – hosts that deliver, forward and store mail
Clients – link users to servers. Allow you to read, compose, send, and store email.

Answer 141

A

Web address of a resource

Answer 142

A

Translates the URL to an IP address

Sends a request for URL via HTTP (hypertext transfer protocol)

Answer 143

A

For email services.

Answer 144

A

Permits access to remote mailboxes (e.g. On a server) as if they were locks (e.g. On a client system)

Answer 145

A

For uploading and downloading files.

Answer 146

A

Common for informal, internal corporate communications.

Answer 147

A

For internet-based phone communications.

Answer 148

A

Codes that indicate how parts of a file are to be processed or displayed.

Answer 149

A

Core markup language (Way of tagging text for display) for web pages.

Answer 150

A

For encoding (tagging) documents in machine-readable form.

Answer 151

A

XML-based. For encoding and tagging financing information.

*This is the future.
•used in filing with SEC on EDGAR
•some companies now report their F/S in both paper and XBRL formats.

Answer 152

A

Detect and/or prevent unauthorized uses.
•non-work tasks, legal issues

National security/political control

Packet sniffers (view and capture sent information)

Desktop surveillance (keystroke + website logging)

Answer 153

A

Provide access through: direct connections to Internet backbone (high speed, high capacity communication lines)

Answer 154

A

Private (limited access) networks built using Internet protocols.
•allows access to network resources through web browsers rather proprietary interface.
•reduces training and system development time.
•rapidly replacing traditional proprietary LANs and WANs.
•easier to use, greater security.
•intranet portal–the entry site (URL) for an intranet.

Answer 155

A

Available only within and organization (school, business, association)
•intranets are often used to connect geographically separate LANs within a company.

Answer 156

A

Extent intranet to associates

•extend to suppliers, customers, business partners.

Could have security issues that are not found wth intranet.

Answer 157

A

Technology to secure communications.

•extending an intranet to an extranet.

Answer 158

A

Web based, collaboration and community-generated content using tools such as blogs and wiki.

Answer 159

A

Need and information source by (free) subscription.

Answer 160

A

One-time password (device displays; user inputs devise password, user ID, and account password)

New password ~30-60 seconds

Answer 161

A

Physical characteristic for access (thumbprint, Regina patterns)

Answer 162

A

All firewalls are hardware and/or software to review and filter network traffic (e.g. Block no compliant data packets based on set parameters)

TYPES/LEVELS
Network, application and personal.

Answer 163

A

On a network (e.g. Server)

Filters data packets based on header information (source and destination IP addresses and Communication port)

Blocks non compliant transmissions based on rules in access control list.

Very fast (examine headers only)

Answer 164

A

Inspect data packet content

Can perform deep packet inspection (detailed packet examination)

Answer 165

A

Software enabling end-users to block unwanted network traffic.

Usually on a home network or computer.

Answer 166

A

IDS: monitors network for anomalies.

What is unusual–3 identification methods

Signature-based (site patterns/sources)
Statistical-based (unusual activity-modeling)
Neural Networks (learns from created database)

Answer 167

A

IPS e.g. Honeypot/honeynet – allow hackers access to a decoy system.

Answer 168

A

Unauthorized user follows and uses authorized user credentials

Answer 169

A

Failure (outage)
Reduced voltage (brownout)
Sags, spikes, and surges
electromagnetic interference (EMI)

Answer 170

A

This logically restricts the ability of the user to read, write, Update, and/or delete records in a file.

Answer 171

A

A zest of techniques used by attackers to fool employees into giving them access to information resources.

Answer 172

A

Process of converting a plaintext message into a secure-coded form (ciphertext).

Decryption - reverse encryption (to read a message).

Answer 173

A

device or code that makes the message unique. Needed to encrypt or decrypt.
•an input or parameter
•device encryption e.g. On s laptop, smart phone

Key length – longer keys are slower but harder to crack

Answer 174

A

One algorithm to encrypt and decrypt

Sender creates and sends ciphertext, tells which algorithm (key)

Receiver reverses process

Old=data encryption standard
New and better = Advanced Encryption Standard

Answer 175

A

Paired algorithms
•one to encrypt, one to decrypt
•if public encrypts, private decrypts
•if private encrypts, public decrypts

Safer but more complicated (slower)
Common in sending of message (data in transit)

Answer 176

A

Wrong guesses about encrypting key yield falsified data that looks correct but isn’t.

Answer 177

A

Quantum encryption where data are encrypted using the Alice-in-Wonderland-like qualities of quantum computers.

Answer 178

A

Electronic document that contains information

Purpose: provide identity and crest secure communication.

Answer 179

A

Created by Microsoft to acquire key pair, user applied for CA.

CA registers public key on server and sends private key to user. (Ie. additional layer of approval to get key)

Answer 180

A

Legally recognized identification.

Uses public/private key technology.

Answer 181

A

Facilitate secure exchanges (e.g. E-commerce)

uses public/private key paid to authenticate sender.
provides authentication and nonrepudiation.
weakness: public/private key pair can be acquired without verification. (Does not provide confidentiality)

Answer 182

A

SSL (secure socket layer)
S-HTTP (secure hypertext transport protocol)
SET (secure electronic transactions protocol) - used for consumer purchases

Answer 183

A

Natural: i.e. Earthquakes, floods
Unintentional Human: i.e. Loss of power, gas leak
Intentional Human: i.e. Terrorist attacks, hackers, vengeful employees

Answer 184

A

Acceptable data loss recovery time Objective (acceptable downtime).

Determining: criticality of application, cost, time to recovery, security.

Answer 185

A

Cold site: no computers $
Warm site: computers no data \$\$
Hot site: everything \$\$$
Mirrored site: fully redundant \$\$\$\$
Reciprocal Agreement: $?$

Answer 186

A

Off-site location with electrical and other physical requirements for processing.

No equipment or files (added when needed)

1-3 day start-up typically

Cheaper

Answer 187

A

Off-site location with similar computer hardware.

Does not include backed-up data (delivered when needed)

More expensive than cold-site

Answer 188

A

Completely equipped including data

Near-immediate (within hours) operation

Big money (e.g. Medical, credit card systems)

Answer 189

A

Fully redundant, fully staffed, fully equipped.

Real-time replication of mission critical systems

E.g. Credit card processing

Answer 190

A

Agreement between toe it more organizations to aid each other with data processing if disaster strikes.

May be cold, warm, or hot

Answer 191

A

identify and plan for disruptions
integrate into business culture
recall risk management lesson / risk appetite and management.

Answer 192

A

Business risk management or organizational risk management.

Answer 193

A

Business continuity planning

Answer 194

A

Organizational continuity plan

•process of risk Assessment, contingency planning, and long-term continuity maintenance.

Answer 195

A

Business impact analysis
•risk analysis portion of BCP (business continuity planning)

Identifies maximum tolerable interruption periods of an organization by function and activity to assess risk importance and consequences.

Answer 196

A

Create a OCP policy and program
Determine critical functions / business risks
Determine continuity strategies
Develop and implement BCM response
Exercise, maintain, and update plan
Embed BCM plan into the culture

Answer 197

A

Map level of incidents to events to responses

E.g. 0=negligible event (e.g. Power strike)
7= crisis (pandemic virus or terrorist)

•responses mapped to level of incidents.

Answer 198

A

recover from equipment failures, power failures and errors
maintain at least one remote archive off-site
use redundant (multiple) backups.

Answer 199

A

full: all data
increment: data changed from a certain time
differential: data changed since the last full backup

Answer 200

A

At least one off-site archive
Controls over storage libraries mirror those for data processing sites
Many organizations outsource - choosing a vendor, consider availability, standardization, capacity, speed, and price
Backup procedures may be full, increment, or differential
Maintain inventory of backups that identifies data set name, volume serial number, data created, accounting period, and storage location
Consider privacy, security and confidentiality of data (e.g. HIPPA)
Restoration procedures integrated into organizations continuity plan (OCP)
Backup and restoration procedures regularly tested and reviewed.

Answer 201

A

Used when all systems were batch processing and is mostly associated with batch processing.

Son = newest
Grandfather = 2 generations

Answer 202

A

Common in batch processing.

Checkpoint
•point where processing accuracy is verified
•periodic backups
•if problem, return to most recent checkpoint and restart

Answer 203

A

Common to online, real-time processing

Record processing transactions log

Periodically record master file contents

If problem, return to good master file and reprocess subsequent transactions

Answer 204

A

Operate despite component failure (include redundancy and corrections for component failure)

E.g. Space flight, ecommerce, bank credit card processing

*dont want outages or downtime

Network-enabled backup procedure.

Answer 205

A

Computer clusters designed to improve service availability: common in e-commerce.

If a part of the system goes down, the other components will pickup the slack.

Network-enabled backup procedure.

Answer 206

A

Advantages: automated, outsource to experts, off-site, can be continuous.

Network-enabled backup procedure.

Answer 207

A

Replicate data from multiple sites

Data immediately available

Efficient storage for servers

Network-enabled backup procedure.

Answer 208

A

Maintain EXACT COPY of data set

Files are stored in same format as System (e.g. Not zipped)

Advantage: very fast
Disadvantage: storage, expensive

Used for mission critical systems

Network-enabled backup procedure.

Answer 209

A

Backup and recovery

Answer 210

A

Nation-states and spies: foreign nations

Industrial spies: seek intellectual property and trade secrets for competitive advantage

Organized crime: e.g. Blackmails that threaten to harm data resources

Hacktivists: social or political statements e.g. Anonymous

Hackers/crackers: for fun and challenge

Answer 211

A

Computer or system as target–e.g. Denial of service (DoS) attacks and hacking

Computer as subject–unlawful access to attack others. e.g. DoS infections.

Computer as tool–access data or resources. E.g. Unauthorized access breaches, phishing, key loggers

Computer as symbol/user as target–variation in computer as tool. Deceive user to obtain access e.g. Social engineering

Answer 212

A

Make crime harder (less likely)
Increase the costs (difficulty) of crime
Improve detection methods
Reduce losses

Answer 213

A

software allowing unauthorized entry to System by omitting login
once common among programmers to facilitate development

Answer 214

A

Prevent legitimate users accessing system.

Flood server with incomplete access requests

Often use botnets (zombie computers)

Answer 215

A

Unauthorized interception of private communication.

Answer 216

A

Sending thousands or millions of emails to an address.

Answer 217

A

Program planted in System dormant until event or time (e.g. Date, employer deleted from active status)

Answer 218

A

Exploit system and user vulnerabilities to gain or damage computer.

Examples:
VIRUS: unauthorized program that copies itself; may damage data.

WORM: virus that replicates across Systems; e.g. By sending email floods

TROJAN HORSE: Program hidden inside benign file; can insert back door into system

Answer 219

A

Packet analyzers, network analyzers, and sniffers.
•have network control (legitimate) and data capture (nefarious) uses.

Packet=formatted block of data carried by a computer network

Packet sniffing=capture packets of data as they move across a network

Answer 220

A

Software used to generate potential passwords and test to gain access.

Finds weak passwords easily.

Answer 221

A

Internet Protocol (IP) address–unique identifying number for each device on a networked system.

Hacker can identify IP address (e.g. Packet sniffing) and use to access network

Masquerade=hacker mimics legitimate user.

Answer 222

A

Seek access by tricking employees

FISHING: fooling recipients into divulging personal financial data

Answer 223

A

Irrelevant or inappropriate email (or text or whatever messaging system comes next) messages sent to either:
•a large number of recipients.
•the same recipient many times (email bombing)

Answer 224

A

War Chalking: draw symbols in public places to indicate available Wi-Fi network access.

War Driving: seeking access to Wi-Fi while diving

War Walking: seeking access to Wi-Fi while walking, may lead to war Chalking.

Answer 225

A

Planning for and testing protocol
Event detection procedures
Ever logging procedures
Triage and incident analysis
Containment and removal of threats
Decision and action regarding event announcement or secrecy
Incident recovery
Closure
Event reporting
Monitoring and system revisions

Answer 226

A

an essential change control (COSO - importance in managing changes within a system of I/C)
software and instructions for people
for new or changed programs, SPLMS manages migration from application development test environment to production library (live status)
SPLMS controls and validates program changes by comparing new to old code

Answer 227

A

Store programs in the SPL (source program library)
Retrieve programs for updating and maintenance
Delete obsolete programs
Audit trail; document program changes

*may be part of database system, operating system or purchased separately

Answer 228

A

Required by law (e.g. The foreign corrupt practices act, and SOX, SEC regulations, HIPPA)
The build and evaluate complex systems
For training (for new employees)
For creating sustainable/surviving systems
For auditing (internal and external)
For Process (re)engineering

Answer 229

A

Overview of program, data files, processing logic, interactions with other programs and systems

big picture of entire system
may include requirements, architecture and design of the system

Answer 230

A

Detailed description of inputs, logic, and outputs for software

•includes program flow charts, source code listings, record layouts

Answer 231

A

Also called “run manual”

How to load and execute programs and data.

Includes needed equipment, files, supplies, commands, error messages

Answer 232

A

General and primarily preventive

Answer 233

A

Ensure reliability of application program data and processes.

Understanding enables auditor to assess risks if absent or weak.

Some may function as input or processing controls (eg. control totals)

Best “input” control is often to automate data entry i.e. To not have manual (human) input

Answer 234

A

Goals: accuracy, completeness, efficiency

Answer 235

A

Use entered data to display additional (confirming data)

Helps ensure valid and correct entry

E.g. After customers account code entered, the system displays additional information about the selected customer.

Goals: C (all data entered), A (entered data accurate), E

Answer 236

A

Financial total - add invoice amounts
Hash total - add invoice #s
Record count-count # of invoices

Record count goal = A & C

Answer 237

A

Confirm numerical sequence (of check or invoice numbers
•usually automated but may be manual

Goal: C (all valid are included), V (no invalid are included)

Answer 238

A

Re-key (re-enter) and compare critical data
•ex: require password entry twice

Goal: Validity

Answer 239

A

Can’t continue until data is entered

Goal: completeness

Answer 240

A

Is data of correct type? Ex: alphabetic, numeric, characters
E.g. A zip code can only have numbers.

Goal: Accuracy

Answer 241

A

Numeric field with specified value(s). E.g. Need to enter a number for age that can’t be past 120

Goals: validity and accuracy

Answer 242

A

Validate upper and lower limit.

Ex: price per gallon of gas $2 < x < $10

Answer 243

A

has correct sign (+ or -)

Ex: # purchased > 0

Answer 244

A

Does entered account # exist?
In database, called referential integrity

Goals: validity and accuracy

Answer 245

A

Do two or more fields agree?

Ex: don’t allow pay rate = “$3,500” and pay period = “hourly”

Goals: validity and accuracy

Answer 246

A

Decrease data entry errors, speed data entry

Goals: accuracy, completeness and efficiency

Answer 247

A

Pre-supplied data valued for fields

Ex: sales order date = current date

Goals: accuracy and efficiency

Answer 248

A

automated equipment to reduce manual data entry
ex: bar code scanners
reducing human involvement reduces errors

Answer 249

A

Processing
File
Output
Input

Answer 250

A

Efficiency
•accurate and complete master file update
•detect unauthorized transactions
•maintain data integrity

Answer 251

A

Run-to-run Controls: use batch totals (input controls) to agree the batch from one procedure (run) to another.

*used in batch processing.

Answer 252

A

Audit trail control
•used mostly in OLRT processing
•transaction log = electronic audit trail

Answer 253

A

May include data values, time, terminal number, IP address, user name

Importance:
•GOALS: accuracy, completeness and validity
•BACKUP AND RECOVERY: essential to checkpoint and restart, and rollback and recovery systems

Answer 254

A

Master files (ex: payables, receivables, updated regularly with transactions)

Standing files (rarely changed master files)

Transaction files (events that are used to update master files)

System control parameter files

Answer 255

A

Check digit (parity bit)
•0 or 1 included in byte to indicate if sum bits = odd or even
Read after write check
•verifies that data was correctly written to disk
•mostly used in local file operations
Echo check
•verify transmission by “echo back” received transmission to sender
•primary use = telecommunications systems
Boundary protection
•with multiple programs and/or simultaneous users
•prevents one program from overwriting data and instructions of another program

Answer 256

A

Internal labels–Read by system (or removable storage)

External labels–Read by humans

Version controls–Protocols for ensuring use of the correct file version

File access and updating controls–procedure to restrict file updates and access to authorized users

Answer 257

A

Transaction logs of printed output (built into most systems)

Access to sensitive reports through permissions and access controls (e.g. Authorization matrix)

Answer 258

A

Send files to queue for printing, in order sent

Control issue: sensitive output

Ex: sensitive product sales data, require printer password entry before file is printed, printed files are held by data control clerk for pickup

Answer 259

A

Controls built into the computer equipment to ensure that data are transmitted and processed accurately.

Answer 260

A

Competent, timely execution of the following:

Analyze transactions and business documents.
Journalist transactions.
Post journal entries to accounts.
Determine account balances and prepare a trial balance.
Journalize and post adjusting entries.
Prepare financial statements and reports.
Journalize and post-closing entires.
Balance the accounts and prepare a post-closing trial balance.
Repeat.

Answer 261

A

Revenue cycle–interactions with customers (give goods; get cash)

Expenditure cycle–interactions with suppliers (give cash; get goods)

Production cycle–give labor and raw materials; get finished product

Human Resources/Payroll Cycle–hire,utilize, and develop labor; give cash and benefits

General ledge, reporting, financing cycle–give cash; get cash; report financial outcomes

Answer 262

A

Loss, alteration, or unauthorized disclosure of data.

Accounting system is not functioning as required by law, regulation, or organizational policy.

Answer 263

A

Completeness - All:

transactions are properly authorized.
record transactions are valid.
valid and authorized transactions are recorded.
transactions are recorded accurately.
safeguarding - assets are safeguarded from loss or theft.
efficiency - business activities are performed efficiently and effectively.
compliance - the organization complies with all applicable laws and regulations.
reporting - all financial disclosures are full/fair
data integrity - accurate data is available when needed.

Answer 264

A

Systematic process of recording and processing financial transactions and events.

A way of categorizing similar business and accounting activities.

Answer 265

A

records activity related to employees and payroll.
gets funds from the financing cycle, provides labor to the production cycle, and provides data to the GL and reporting system.

Answer 266

A

•gets funds from the revenue cycle, provides funds to the expenditure and HR/payroll Cycles, and provides data to the GL and reporting system.

Answer 267

A

•gets labor from HR/Payroll, gets money from financing, gets raw materials from expenditure, provides data to GL and reporting, provides finished goods to revenue.

Answer 268

A

Gets finished goods from production
provides data to GL and reporting
provides funds to the financing.

Core Activities:
Sales: receive customer orders, approve customer credit/sales authorization.
Physical (or virtual) custody of products/svcs: fill the order and prepare for shipping, ship
AR: bill as needed, management receivables
Cash: collection and receipt of payments, reconciliation/control activities

Answer 269

A

Gets money from financing, provides data to the GL and reporting, provides raw materials to production.

Core activities:
Request and authorize purchase, acquiring goods, taking custody and paying for goods.

Answer 270

A

Purpose: helps match payments to invoices.

Comments and Controls: Sent by customers to selling company to indicate payment.

Answer 271

A

It doesn’t work the way it was designed to.
Cost over-runs: cost more than it should have.
Time: it falls behind schedule.

Answer 272

A

Lack of senior management knowledge of, and support and involvement in, major IT projects.
Difficulty in specifying requirements.
Emerging technologies (hardware and software) may not work.
Lack of standardization project management and methods.
Resistance to change; lack of proper “change management”.
Scope and Project creep. (Ex. Going over budget)
Lack of user participation and support.
Inadequate testing and training.
Poor project management–underestimating of time, resources, and scope.

Answer 273

A

IT Steering Committee
•Concerned with the strategic plan for IT within the organization.
•Review, approve and prioritize Systems Development proposals.
•include IT department and functional user areas
Lead Systems Analyst
•manages development team and project.
•direct contact with end users. Usually responsible for developing overall programming logic and functionality.
Systems Analysts and Application Programmers
•design, create and test system, programs, and controls in partnership with users
End users
•Identify problems and often suggest first-pass solutions.

Answer 274

A

SYSTEM PLANNING AND BUILDING
1. Planning and feasibility
2. Analysis / Requirements
3. Design
4. Development
IMPLEMENTING, TESTING AND MAINTENANCE
5. Testing
6. Implementation 
7. Maintenance

Answer 275

A

3 dimensions of feasibility:

Technical: Can it be built?
Economic: Is it cost effective?
Operational: Will it meet user needs?

If feasible, crest a project plan:
•Critical success factors: What just happen to succeed?
•Scope: Project purpose and most important goals.
•Major risks: $?, delivery date? Technology?
•Milestones and responsibilities: Who will do what, when?

Answer 276

A

Systems analysts partner with end users to:
•Understand business processes and purposes.
•Document system requirements
Requirements Defined: Document that identifies system functionality Framework for system design and development Parties sign to signify agreement on requirements. (Contract).

Answer 277

A

Collaboration of IT personnel and end users to define system.

Part of analysis/requirements in SDLC

Answer 278

A

Prepare or evaluate RFPs (request for proposals) for hardware or software.
Vendor evaluations: Reliability (financial and product), service commitment, training, tech support + documentation.

Answer 279

A

Design: Define systems’ technical specifications. Two components:

Technical architecture specification: Define hardware, systems software and networking technology of systems.
Systems model specifications: (a) Graphical models (flowcharts, etc.) describing system components and processes. (b) Create system menus and screen formats.

Answer 280

A

Programmer sues design specifications to develop the program and data files.
Purchases hardware and IT infrastructure specified in design.

Answer 281

A

Does system meet the design specifications in the requirements definition?
TEST:
•With both correct and erroneous data
•At expected operational loads
TYPES OF TESTING:
•Individual processing unit: Each component works
•System testing: Modules work together
•Inter-system testing: System works with other systems
•User acceptance: System meets business needs

Answer 282

A

Includes:
•Data conversion (old data into new format)
•User training

Answer 283

A

Monitor and update programs and/or procedures
•Remember Y2K?

System updates return to start of SDLC process. (Size will determine if you go through the whole process or just Components)

Answer 284

A

Similar to phased implementation, except divide users into smaller groups and train by groups (vs. by modules)

Answer 285

A

Old system is dropped and the new system is put in place all at once. RISKY!

Brainscape's Knowledge GenomeTM

IT Flashcards

Brainscape's Knowledge Genome^TM