Memorize Me! Flashcards
Sampling for compliance test
Attribute
Sampling for substantive test
Variable
Sampling for fraud
Discovery
Sampling for objective of probability of error, and what does it minimize?
Statistical. Minimizes detection risk.
Who approves charter?
Board of directors
Who approves policies?
Board of directors
Who is primarily responsible for IT Governance?
Board of Directors
What does the strategy committee do?
Advise board on IT initiatives
Develop standards/define and set objectives and controls
What does the steering committee do?
Keep BOD informed
Resourcing/general review board for major IT projects
What are the 3 indicators of IT BSC?
- Customer satisfaction
- Internal processes
- Ability to innovate
- Note: financial performance is not part of the IT BSC
Identify transcription/transposition errors
Check Digit
Ensure accuracy
Check Digit
Identify transmission error
CRC>Checksum>Parity Bits
Ensure completeness
CRC>Checksum>Parity Bits
Ensure integrity
CRC>Checksum>Parity Bits
Detect and correct transmission error
FEC
ACID principle
Atomicity
Consistency
Isolation
Durability
What online audit technique to use if requires audit trail
Snapshot
What online audit technique to use if requires early detection of error or irregularities
Audit hook
What online audit technique to use if requires audit trail identify transactions as per pre-defined criteria
Continuous and intermittent simulation (CIS)
What online audit technique to use if requires fictitious entity created in live prod
ITF
What online audit technique to use if regular processing cannot be interrupted
SCARF EAM
Not beneficial to use test data
ITF
PM - estimate project timelines or duration
PERT>CPM
Monitor progress of project
GANTT
EVA?
PM - calculate budget to date, actual spending to date, estimate to complete, estimate at completion
Estimate size of sw development efforts
FPA or SLOC
Prevent cost overruns and delivery delays
time-box management
What is the primary function of QoS?
The main function of QoS is to optimize network performance by assigning priority to business applications and end users through the allocation of dedicated parts of the bandwidth to specific traffic.
What are the pros and cons of agile development methods?
Quick building of functionality
Reliance on tacit knowledge – faster – lessons learned to identify for next use
Lack of documentation
What are the pros and cons of prototyping?
Significant time and cost savings
Pressure to implement early prototype
Leads to functions or extras that were not included in initial requirements doc
What are the pros and cons of rapid app dev?
Quick development and reduces dev costs using well defined techniques.
Rigid time limits
What are the pros and cons of object oriented development methods?
Manage unrestricted variety of data types
Model complex relationships
Capacity to meet demands of changing environment
Re-use objects
none
What are the pros and cons of component based development methods?
Ability to buy proven, tested software from commercial developers.
Need for software integration of components
What are the pros and cons of web based development methods?
Tries to solve/avoid need to perform redundant computing tasks with the inherent need for redundant code
- Exploitation over internet use
- App development risk
- Business risk
- Tech vulnerabilities
- Change control
What are the pros and cons of software re-engineering?
None listed
None listed
What are the pros and cons of reverse engineering?
Faster dev and reduced SDLC duration
Introducing improvements by overcoming the reverse-engineered drawbacks
- SW license agreements prohibit this so trade secrets or programming techniques are not compromised
- de-compilers are new tools that depend on specific comps, OS’s and
Alpha/Beta/Pilot
System in stages, alpha proto to users within the org developing sw, and beta to limited users.
Pilot – prelim test focusing on specific aspects. Proof of concept are early pilots.
White box
Assess effectiveness of sw program logic/logic paths.
Unit and integration testing.
Black box
Integrity test
UA and Integration Test
Function/validation testing
Functionality of system against detailed requirements to ensure traceability to customer requirements.
Regression
Rerunning portion of test scenario to ensure changes have not introduced new errors.
Parallel
Feeding data into two systems and comparing
Sociability testing
Confirm that new or modded system can operate in its target environment without impacting other systems. Should cover all processes.
EDI
Transaction authorization is the BIGGEST RISK TO EDI – electronic = no inherent authentication.
E-Commerce
Security architecture (firewalls, PKI, encryption, certificates, password management) and SSL
- Man in the middle, phishing, spear phishing, flaws in config, denial of service (DOS), sensitive info, altered email, viruses, inappropriate email in corp.
- Digital sigs are good method of securing emails.
Outgoing email - Simple Mail Transport Protocol (SMTP): can only be used to send emails, not to receive them
Incoming email - Post Office Protocol (POP)
- Internet Message Access Protocol (IMAP)
- Hypertext Transfer Protocol (HTTP)—also called “web-based email”
- Messaging Application Programming Interface (MAPI)—used with Outlook in conjunction with a Microsoft Exchange Server mail server; very close to IMAP but has extended features to interact with other applications
E-banking
Strategic, reputational, operational, including security – sometimes called transactional risk, and legal risk. Credit, price, foreign exchange, interest rate, and liquidity.
Control: SOD, Security (IAAA, non-repudiation, confidentiality)
Board & management oversight
Industrial Control systems
Physical access restriction and redundancy
EFT (and ATMs)
Access security and authorization of processing are important controls. Central bank requirements should be reviewed for application in these processes.
Recovery for low RTO
Mirror or Hot Site
Recovery for low RPO
Mirror imaging or real-time replication for data backup
Recovery for zero RPO
Synchronous data backup
RTO/RPO for critical systems/critical data
Zero or near zero
Speed of recovery rankings
Slowest to fastest
Cold, Warm, Hot, Mirrored
Most secure media transfer
Fibre-optic cables, because of low transmission loss and not being affected by EMI.
Preferred for high volumes and long-distance calls
Transmission error that can occur in wired and wireless communication
Attenuation:
- Weakening of signals during transmission
- Length of wire impacts severity
Electro-magnetic Interference (EMI)
- Disturbance generated by external source that affects electrical circuit
- Can degrade circuit performance
  - For data paths, can range from increase in error rate to total loss of data
- Caused by electrical storms or noisy electrical equipment
Alternate Routing
Method of routing information via an alternative medium, such as copper cable or fiber optics.
Two types:
Last mile circuit protection: redundancy for local communication loop.
Long haul network diversity: redundancy for long distance availability.
Diverse Routing:
Method of routing traffic through split-cable facilities or duplicate-cable facilities.
What are the OSI Layer, Address, and functionality of a LAN repeater?
Physical Layer (1)
N/A
Extend transmissions further or to other side of obstruction
What are the OSI Layer, Address, and functionality of a LAN Hub?
Physical (1)
N/A
Broadcast message to all connected devices
What are the OSI Layer, Address, and functionality of a LAN Layer 2 Switch?
Data Link (2)
MAC
Send message to only required devices
What are the OSI Layer, Address, and functionality of a LAN Bridge?
Data Link (2)
MAC
Similar to switch, has capacity to store frames and act as a store and forward device.
What are the OSI Layer, Address, and functionality of a LAN Router?
Data Link (2)
IP
Examines IP address to make decision to forward packet to destination
Backup Time & Media Storage
Full (slow/large) – Differential – Incremental
Restoration time
Incremental (slow) - Differential - Full (fast restore)
PKI Confidentiality
Encrypt using receivers public key
PKI Authentication of message
Encrypt using sender’s private key
PKI Integrity
Create hash of message and encrypt hash using sender’s private key
PKI Confidentiality and Authentication of message
HASH-encrypt using sender’s private key
MESSAGE – encrypt using receiver’s public key
PKI Confidentiality and Authentication and Integrity of message
HASH-encrypt using sender’s private key
MESSAGE – encrypt using receiver’s public key
Layer: MAC address
Data link layer
Layer: IP Address/Routing
Network layer
Layer: Electric signal/hardware devices
Physical layer
Layer: Reliable delivery or connection/congestion control/order of sequence
Transport layer
Layer: Establishing connection
Session layer
Layer: Acceptable format
Presentation layer
Layer: End user
Application layer
What are the environmental, personal, and other risks of water based fire suppression systems?
none
none
Pipe leaks
What are the environmental, personal, and other risks of dry pipe fire suppression systems?
none
none
Comparatively less reliable than water based
What are the environmental, personal, and other risks of halon fire suppression systems?
Bad for environment
Lethal to humans
No good?
What are the environmental, personal, and other risks of FM 200 fire suppression systems?
none
none
Best gas?
What are the environmental, personal, and other risks of Argonite fire suppression systems?
Okay for environment
Suffocates people
No good?
What are the environmental, personal, and other risks of CO2 fire suppression systems?
None
Lethal to humans
Illegal in most countries if there is any chance of humans around
Application firewalls
Application – 7th layer
Highest security option
The application gateway is similar to a circuit gateway, but it has specific proxies for each service. To handle web services, it has a Hypertext Transfer Protocol (HTTP) proxy that acts as an intermediary between externals and internals, but is specifically for HTTP. This means that it not only checks the packet IP addresses (layer 3) and the ports it is directed to (in this case port 80, or layer 4), it also checks every HTTP command (layers 5 and 7). Therefore, it works in a more detailed (granular) way than the other choices.
Circuit firewalls
Session – 5th layer
Based on a proxy or program that acts as an intermediary between external and internal accesses. This means that during an external access, instead of opening a single connection to the internal server, two connections are established.
Stateful inspection
Network – 3rd layer
Packet filtering/screening router
Network – 3rd layer
No granular control
What are the characteristics of dual homed firewalls?
(i) One Packet Filtering Router
(ii) One bastion host with two NICs (Network Interface Cards)
What are the characteristics of screened host firewalls?
(i) One Packet Filtering Router
(ii) One Bastion Host
What are the characteristics of Screened subnet (demilitarized zone) firewalls?
(i) Two Packet Filtering Router
(ii) One Bastion Host
Out of all types of firewall implementation structures, the Screened Subnet Firewall (DMZ) provides the greatest security environment (as it implements two packet filtering routers and one bastion host).
MOST SECURE
MAC Address filtering
Access to router allowed or rejected by unique identifier
SSID
Wireless network name broadcast by a router. Disable this for security.
WPA-2
Encrypted, strongest standard to date for wireless connection.
What is the prime objective of logical access control?
Ensure access has been assigned per organizations
SSL
SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser.
DHCP
Client/server protocol that automatically provides an Internet Protocol (IP) host with its IP address and other related configuration information such as the subnet mask and default gateway. Beneficial for laptop users, but should be disabled for good wireless security.
Global System for Mobile Comms (GSM)
Super safe mobile technology, encrypts but should require an encrypted session (VPN)
5 steps for classification of information assets
1) inventory
2) establish ownership
3) classify IS resources
4) label IS resources
5) create access control list
Greatest benefit of well-defined data?
Reduce cost of control
What is the main objective of library control software?
Authorized changes
When is a checksum used?
A checksum or digital signature is commonly used to validate the integrity of a downloaded program or other transferred data.
When is CRC used?
The accuracy of blocks of data transfers, such as data transfer from hard disks, is validated by a cyclic redundancy check (CRC).
What is shadow file processing?
Exact duplicates of files are maintained at the same site or at a remote site. The two files are processed concurrently – used for critical data files such as airline booking systems.
Careful if the answer is hard disk mirroring – this just means redundancy on the same server in case one of the disks fails, it’s not a mirror site data storage.