IT Security & Application Development Flashcards
The difficulty of maintaining the integrity of the data is
The most significant limitation of computer-based audit tools
Limit who can physically enter the data center
Physical access controls
Are designed to protect the organization’s physical information assets.
Environmental controls
Are needed because of the use of communications networks and connections to external systems.
Logical security controls
Connection to the internet presents security issues. Thus, the organization-wide network security policy should at the very least include:
1) A user account management system,
2) Installation of an Internet firewall, and
3) Methods such as encryption to ensure that only the intended user receives the information and that the information is complete and accurate.
The responsibility for creating, maintaining, securing, and restricting access to the database belongs to the
Database administrator (DBA)
The five IT business assurance objectives include:
1) Availability
2) Capability
3) Functionality
4) Protectability, and
5) Accountability
May exploit a known hole or weakness in an application or operating system program to evade security measures.
Malicious software
Types of server attacks:
1) Password attacks
2) Man-in-the-middle attack
3) Denial-of-service (DoS) attack
A brute-force attack uses password-cracking software to try large numbers of letter and number combinations to access a network.
Password attacks
Passwords also may be discovered by Trojan horses, IP spoofing, and packet sniffers.
Intercepts traffic between two parties who believe they are communicating directly, taking advantage of packet sniffing and of weaknesses in routing and transport protocols to read or alter messages in transit.
Man-in-the-middle attack
Is an attempt to flood a system with bogus requests or messages so that it cannot serve legitimate users.
Denial-of-service (DoS) attack
Is needed to detect and alert on security breaches if an organization’s computer system has external connections.
Intrusion Detection System (IDS)
Works by using sensors to examine packets traveling on the network.
Network IDS
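The three attack types above and the sensor-based network IDS, as an added example that is not part of the original flashcards: a small Python detector keeps a sliding time window per source or destination and raises one alert when failed logins from a single source (the brute-force password attack) or SYN packets to a single destination (a flooding denial-of-service) cross a threshold. The packet records, IP addresses and threshold values are constructed for the example and are not taken from any real capture or IDS product.

```python
# Added example: a sensor-style detector of the kind a network IDS runs over
# observed packets.  Illustration code only; the packet records, addresses
# and thresholds below are constructed, not from a real capture or product.
from collections import defaultdict, deque

# Assumed tuning values, not standards.
PASSWORD_GUESS_THRESHOLD = 5      # failed logins from one source ...
PASSWORD_GUESS_WINDOW_S = 60.0    # ... within this many seconds
SYN_FLOOD_THRESHOLD = 100         # SYNs to one destination ...
SYN_FLOOD_WINDOW_S = 1.0          # ... within this many seconds


def _slide(window, ts, width):
    """Append ts to the deque, drop entries older than `width` seconds,
    and return how many events remain in the window."""
    window.append(ts)
    while window and ts - window[0] > width:
        window.popleft()
    return len(window)


def detect(packets):
    """Return one alert per (type, key) for password guessing and SYN flooding.

    Each packet is a dict with ts (seconds), src, dst and kind, where kind is
    one of 'syn', 'auth_fail', 'auth_ok', 'data'.  Packets are processed in
    time order and only a sliding window per source/destination is kept, which
    is what a sensor can afford to hold in memory."""
    alerts = []
    fail_windows = defaultdict(deque)   # src -> timestamps of auth failures
    syn_windows = defaultdict(deque)    # dst -> timestamps of SYN packets
    already_alerted = set()

    def raise_alert(kind, key, count, ts):
        if (kind, key) not in already_alerted:
            already_alerted.add((kind, key))
            alerts.append({"type": kind, "key": key, "count": count, "ts": ts})

    for pkt in sorted(packets, key=lambda p: p["ts"]):
        if pkt["kind"] == "auth_fail":
            n = _slide(fail_windows[pkt["src"]], pkt["ts"], PASSWORD_GUESS_WINDOW_S)
            if n >= PASSWORD_GUESS_THRESHOLD:
                raise_alert("password_guessing", pkt["src"], n, pkt["ts"])
        elif pkt["kind"] == "auth_ok":
            fail_windows[pkt["src"]].clear()   # a success ends the failure streak
        elif pkt["kind"] == "syn":
            n = _slide(syn_windows[pkt["dst"]], pkt["ts"], SYN_FLOOD_WINDOW_S)
            if n >= SYN_FLOOD_THRESHOLD:
                raise_alert("syn_flood", pkt["dst"], n, pkt["ts"])
    return alerts


def constructed_traffic():
    """Constructed sample traffic (not a real capture)."""
    pkts = []
    # Normal data traffic from a workstation.
    for i in range(20):
        pkts.append({"ts": 1000.0 + i, "src": "10.0.0.20", "dst": "10.0.0.1", "kind": "data"})
    # A user who mistypes a password twice and then logs in: must not alert.
    pkts += [
        {"ts": 1002.0, "src": "10.0.0.21", "dst": "10.0.0.1", "kind": "auth_fail"},
        {"ts": 1004.0, "src": "10.0.0.21", "dst": "10.0.0.1", "kind": "auth_fail"},
        {"ts": 1006.0, "src": "10.0.0.21", "dst": "10.0.0.1", "kind": "auth_ok"},
    ]
    # Brute-force guessing: 8 failures in 28 seconds from one source.
    for i in range(8):
        pkts.append({"ts": 1005.0 + 4 * i, "src": "10.0.0.5", "dst": "10.0.0.1", "kind": "auth_fail"})
    # SYN flood: 150 SYNs to one server in under half a second from many
    # (spoofed) sources in the 203.0.113.0/24 documentation range.
    for i in range(150):
        pkts.append({"ts": 1050.0 + i * 0.003, "src": f"203.0.113.{i % 250}",
                     "dst": "10.0.0.1", "kind": "syn"})
    return pkts


if __name__ == "__main__":
    for alert in detect(constructed_traffic()):
        print(alert)
```

The detector alerts once per offender rather than on every packet past the threshold, and a successful login clears the failure window so a legitimate user who mistypes is not flagged; both are the kinds of tuning decisions that separate a usable IDS from a noisy one.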
Internal auditors often assess the organization’s information
Integrity and reliability practices
Is responsible for ensuring that an organization’s privacy framework is in place
Management
Primary role is to ensure that relevant privacy laws and other regulations are being properly communicated to the responsible parties
Internal auditors’
Is a means of taking a user’s identity from the operating system on which the user is working and passing it to an authentication server for verification.
Application authentication
Technology that converts data into a code. One program encodes the data prior to transmission and another decodes it after transmission. Unauthorized users may still be able to intercept the data, but they cannot decode it.
Encryption
Requires two keys, one public and one private. The holder generates the pair; a trusted third party called a certificate authority vouches for the binding between the public key and its holder.
Public-key (asymmetric) encryption
Is a means of authenticating an electronic document, for example, a purchase order, acceptance of a contract, or financial information.
Digital signature
Is another means of authentication used in e-business. The certificate authority issues a digitally signed electronic certificate that contains the holder’s name, a copy of its public key, a serial number, and an expiration date. The certificate verifies the holder’s identity.
Digital certificate
Uses a single shared (secret) key for each pair of parties that want to send each other coded messages. Its weakness relative to the public-key method is key management: the secret must be distributed securely to, and kept secret by, both parties, and the number of keys grows with the number of pairs.
Private-key (symmetric) encryption
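The encryption, public-key, digital signature and digital certificate cards above, worked through in an added Python example that is not part of the original flashcards: textbook RSA with small keys is used so the whole chain fits in one file. A certificate authority signs a certificate binding a holder name, public key, serial number and expiry; the holder signs a purchase order; the verifier accepts the order only through a valid, unexpired certificate. Key sizes, the SHA-256-mod-n message representative, the holder name, serial number and order text are assumptions for illustration; real systems use padded RSA (OAEP/PSS) or other standardized schemes and far larger keys.

```python
# Added teaching example: textbook RSA to walk through public-key encryption,
# digital signatures and a CA-issued certificate.  Not production crypto:
# small keys, no padding scheme, and a hash reduced modulo n.  Holder name,
# serial number and the purchase-order text in demo() are constructed.
import hashlib
import json
import secrets


def is_probable_prime(n, rounds=16):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2      # random witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                      # witness proves n composite
    return True

def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd, full width
        if is_probable_prime(cand):
            return cand

def generate_keypair(bits=128):
    """Return (public, private) as (n, e), (n, d). The holder makes its own pair."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:
            break
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def encrypt(pub, message):
    """Anyone with the public key can encrypt; only the private key decrypts."""
    n, e = pub
    m = int.from_bytes(message, "big")
    if not 0 < m < n:
        raise ValueError("message must be smaller than the modulus (toy: no padding)")
    return pow(m, e, n)

def decrypt(priv, ciphertext):
    n, d = priv
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def _digest(data, n):
    # Toy message representative: SHA-256 reduced mod n. Real systems use PSS.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(_digest(data, n), d, n)       # private-key operation on the digest

def verify(pub, data, signature):
    n, e = pub
    return pow(signature, e, n) == _digest(data, n)

def _canonical(body):
    return json.dumps(body, sort_keys=True).encode()

def issue_certificate(ca_priv, holder, holder_pub, serial, not_after):
    """CA binds holder name, public key, serial number and expiry, then signs."""
    body = {"holder": holder, "public_key": list(holder_pub),
            "serial": serial, "not_after": not_after}
    return {"body": body, "signature": sign(ca_priv, _canonical(body))}

def verify_certificate(ca_pub, cert, now):
    return now <= cert["body"]["not_after"] and verify(
        ca_pub, _canonical(cert["body"]), cert["signature"])

def verify_signed_document(ca_pub, cert, document, signature, now):
    """Trust the holder's key only via a valid certificate, then check the document."""
    if not verify_certificate(ca_pub, cert, now):
        return False
    return verify(tuple(cert["body"]["public_key"]), document, signature)

def demo(now=1_700_000_000):
    ca_pub, ca_priv = generate_keypair()
    buyer_pub, buyer_priv = generate_keypair()
    cert = issue_certificate(ca_priv, "Example Corp Purchasing", buyer_pub,
                             serial=1001, not_after=now + 365 * 86400)
    order = b"PO-17: 200 units at 12.50"
    sig = sign(buyer_priv, order)
    return {
        "roundtrip": decrypt(buyer_priv, encrypt(buyer_pub, b"secret")) == b"secret",
        "valid_order": verify_signed_document(ca_pub, cert, order, sig, now),
        "tampered_order": verify_signed_document(ca_pub, cert, order.replace(b"200", b"900"), sig, now),
        "expired_cert": verify_signed_document(ca_pub, cert, order, sig, now + 400 * 86400),
    }
```

Note that the CA never sees or issues the buyer's private key: the buyer generates the pair and the CA only signs the public half together with the identity and expiry, which is why a verifier needs the CA's public key and the current time, but nothing secret, to check the order.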
Involves user-created or user-acquired systems that are maintained and operated outside of traditional information systems controls
End-User Computing (EUC)
Three basic architectures for desktop computing include:
1) Client-server system
2) Dumb terminal model
3) Application server model
Divides processing of an application between a client machine on a network and a server. This division depends on which tasks each is best suited to perform.
Client-server system
In this architecture, desktop machines that lack stand-alone processing power have access to remote computers in a network.
Dumb terminal model
Involves a three-tiered or distributed network application. Also performs business logic functions, transaction management, and load balancing.
Application server model
In the application server model, the middle (application) tier sits between the database (back-end) server and the user's (front-end) client and translates data between them.
Over the life of an application, users are constantly asking for changes. The process of managing these changes is referred to as _______, and the relevant controls are called ______
Systems maintenance & Program change controls
The program change control process includes
1) Saving a copy of the production program in a test area of the computer.
2) Making the necessary changes to this copy of the program.
3) Transforming (compiling) the changed program into a form that the computer can execute.
4) Testing the changed program to see if it performs the new task as expected.
5) Demonstrating the new functionality for the user.
6) Moving the program to a holding area once it is in an acceptable form.
7) (The supervisor) Reviewing, approving, and authorizing the new program.
Is the traditional methodology applied to the development of large, highly structured application systems. A major advantage of the approach is enhanced management and control of the development process.
Systems development life cycle (SDLC)
The phases and component steps of the traditional SDLC can be described as:
1) Definition
2) Design
3) Development
4) Implementation, and
5) Maintenance
Is an alternative approach to application development that involves creating a working model of the system requested, demonstrating it for the user, obtaining feedback, and making changes to the underlying code.
Prototyping
Common application development tools are:
1) Computer-aided software engineering (CASE)
2) Object-oriented programming (OOP)
3) Rapid application development (RAD)
Which applies the computer to software design and development
Computer-aided software engineering (CASE)
Which combines data and the related procedures into an object
Object-oriented programming (OOP)
Which is a software development process involving iterative development, the construction of prototypes, and the use of CASE tools
Rapid application development (RAD)