IT Flashcards

Question

Product Differentiation Defined

Answer 1

Setting your product apart from your competitors'

Answer 2

* Lack of IT strategic focus - many IT investments are "bottom up". * Lack of strategic investment - over-investment in existing businesses and inadequate investment in "transformative" technologies. * Inadequate scope and agility - IT investments in business units, inadequately scaled to meet changing business needs.

Answer 3

Support large volume, day-to-day activities of business. •purchasing of goods/svcs, mfg activities, sales to customers, cash collections, payroll. Transaction types •Non-financial (placing orders for goods, accepting orders from customers) •Financial (billing a customer, receiving pmt, paying employees) GENERATE DEBIT AND CREDIT ENTRIES INTO ACCOUNTS.

Answer 4

Components: | Knowledge base, knowledge database, provides means to collect, organize, and develop relations among information.

Answer 5

Support routine, lower to mid level management. * Primarily synthesize (analyze) data from TPSs (internal data) * Tasks: structured problems Ex: compare planning info (budgets, forecasts) data with outcomes. , AR Aging

Answer 6

Management Information Systems (MIS) •AIS generated debits and credits (ex: A/R transactions -- aging)

Answer 7

Support mid and upper level management. Tasks: manage non-routine problems and long-range planning. Often integrate external (market-level) with TPS data. Include significant analytical and statistical capabilities.

Answer 8

DATA DRIVEN: process large amounts of data to find relations and patterns. Ex: data warehousing and data mining. MODEL DRIVEN: use models to forecast outcomes, model-driven analytics.

Answer 9

Client risk Assessment Client acceptance and retention Internal control documentation and testing Compute audit sample sizes

Answer 10

Facilitate group collaboration May include functions such as calendars, meeting scheduling, and document sharing.

Answer 11

``` Similar to DSS •Support forecasting and long-range, strategic decisions •Greater use of external data •primarily to support top management. •DSS for dummies ``` •can be for a specific purpose (monitoring competitive price)

Answer 12

Early IT Systems Separate programs and data sheets Each application has separate data and programs (think going into multiple places to change the same thing) •Data sharing across applications through separate programs •Select data records from one application and reformat for other application. •data redundancies.

Answer 13

Pool data into logically related files (the database). MIS always implemented into a database environment.

Answer 14

System to collect, organize, integrate, and store entity-wide data. Easy access to large quantities of varied data from across the organization.

Answer 15

Exploration, aggregation, and analysis of data in the data warehouse using analytical tools and exploratory techniques.

Answer 16

Relational data of archived operational transactions and other data. Often incorporated in a data-driven DSS May include external data.

Answer 17

Move from summary to detailed information. Associated with data warehouses Ability to move from summary to granular information.

Answer 18

View data in multiple ways.

Answer 19

A data mart

Answer 20

Binary digit Zero or one

Answer 21

Logical grouping of bits Must be to the power of 2 (2^n)

Answer 22

* logical group of bytes * identify a characteristic or attribute of an entity (invoice, customer, product, etc) * in databases, fields are also known as "attributes"

Answer 23

* a group of related fields (attributes) | * describe an example of an entirety (a specific invoice, a particular customer)

Answer 24

•collection of related records for one specific entity ( an invoice file, a customer file, a product file)

Answer 25

A set of logically related files.

Answer 26

Programs that run computer and support system management (operating system is more important)

Answer 27

* Used to create applications. * Now, most are "third" or "fourth generation" languages, many are object-oriented programming languages (OOPL) (Ex: Java) * All must be converted to "first generation" language (Ex: 0s and 1s) (from source to object code)

Answer 28

End-user programs that you know and love. Categories: General (word processors, spreadsheets, databases) Specific (a marketing IS for a clothing designer) Runs on a specific operating system and hardware environment.

Answer 29

* Interface between user and hardware. * Defined what commands can be issued and how (typing in a command, pointing and clicking) Ex: Microsoft, Mac. * Controls all input and output in computer systems.

Answer 30

"Middleware" program (between the Software and hardware, or application software and operating system) Manages the database.

Answer 31

* User can define tables and fields and relations among the tables * Uses meta-data (data about data) to define the database elements * Example commands: create, drop, alter (of fields and tables)

Answer 32

* User can add, delete or update records | * Example commands: update, insert, delete (of records)

Answer 33

* User can extract information. * Most relational databases use structured query language (SQL) to extract fat (text approach) * Query-By-Example (QBE): graphic interface with "drag and drop" fields to create query (graphic approach)

Answer 34

* No collisions - concurrent access management (only one person in at a time) * No hackers or creepers - Access controls * Data definition standards, data element standards * Backup and recovery procedures * Update privileges * Data elements and relationship controls

Answer 35

Peripherals = input and output devices = I/O devices

Answer 36

Input devices instruct the CPU and supply data to be processes. Ex: keyboard, mouse, trackball, touch-screen technology, microphones and voice recognition technology, point of sale (POS) scanners.

Answer 37

Transfer data from the processing unit to other formats. * printers,plotters--paper output * monitors, flat panel displays, CRT (cathode ray tube) displays--visual output * speakers, voice output communication aids (VOCAs)--auditory output

Answer 38

CONTROL UNIT: interprets program instructions ARITHMETIC LOGIC UNIT (ALU): performs arithmetic calculations

Answer 39

Stores programs and data when in use. 1. Random Access Memory (RAM)-- stores data temporarily (information in process in computer system) 2. Read-Only Memory (ROM)-- permanently stores data needed by computer

Answer 40

Form of secondary storage. Flash drives, USB, jump, thumb drives No moving parts. Similar to the RAM.

Answer 41

A computer that provides resource on a computer network.

Answer 42

Physical equipment of the computer system.

Answer 43

1. Batch: group transactions for processing (then are sorted into item number sequence) 2. On-line, real-time (OLRT): Continuous, immediate Processing.

Answer 44

Transaction and mater files must be sorted on a common key •Low volume, periodic transactions. Transactions are independent or unimportant. •Called "sequential-access files" because the records are in sequence. •Alternative is "random-access files" (ex: hardware storage devices)

Answer 45

Continuous, immediate transaction processing. Near simultaneous transaction entry and master files updating. Requirements: random access storage devices, networked computer system or internet. •single transaction, random processing technology, immediate update.

Answer 46

Scanners capture data from product bar codes (fast, accurate, cheap) Computer system connected to, or integrated with, electronic cash register. POS Systems or terminals networked to central computer.

Answer 47

Creation, analysis, storage and dissemination of extremely large data sets. •Feasible due to advances in computer storage technologies (ex: the cloud), advanced data analytics, and massive computing power. Gartner definition: "high volume, velocity, and/or variety Information assets that demand new, innovative forms of processing for enhanced decision making, business insights or process optimization."

Answer 48

Data from business activities that may be reused in analytics, business relationships, or directly monetized (sold). Activity, operational or social media data that is unused or underused. Sometimes a synonym for "meta-data" (data about data)

Answer 49

Use of the cloud to access HARDWARE

Answer 50

Designing systems, prepares specifications for programmers, and serves as intermediary between users and programmers. •should not have access to an entity's data in a large firm. (Violation of segregation of duties)

Answer 51

Responsible for establishing user names and authorizing access to specific data files and fields

Answer 52

1. Security 2. Availability (is the system operational and useable as specified in commitments and agreements? Do I/Cs support system availability?) 3. Processing integrity (concerns the completeness, validity, accuracy timeliness and authorization of system processing) 4. Confidentiality (is the information protected consistent with the orgs commitment in agreements?) 5. Privacy (does the Systems collection, use, retention, disclosure, etc followed)

Answer 53

1. Management (accountability) 2. Notice (tell others of policies and procedures) 3. Choice and consent (US= users can opt out of collection of personal info) 4. Collection (only for identified purposes) 5. Use and retention (consistent with statements about use - retain only as long as needed or by law) 6. Access (people can access, review and update their info) 7. Disclosure to third parties (according to policy) 8. Security for privacy (protect against unauthorized access) 9. Quality (personal info is accurate, complete and relevant) 10. Monitoring and enforcement (monitors the entities compliance)

Answer 54

A top management issue.

Answer 55

1. Organization and management 2. Communications 3. Risk management and design implementation of controls 4. Monitoring of controls 5. Logical and physical access controls 6. System operations 7. Change management

Answer 56

Given enough time and resources, preventive control can be circumvented. Accordingly, detection and correction must be timely. P=time it takes an intruder to break through the organizations preventive controls D=time it takes to detect that Ana track is in progress C=time to respond to the attack If P > (D+C), then security procedures are effective

Answer 57

The strategy of implementing multiple layers of controls to avoid having System break down

Answer 58

Organization specifies objectives with sufficient clarity to enable identification and assessment of risks relating to objectives. Assessing cyber risks begins with understanding the value of information systems to an organization.

Answer 59

Principle 7: Organization identifies, analyzes and manages risks. Principle 8: Organization considers fraud risks. Assess likelihood and severity of cyber risk impact. Consider industry-specific attack. *initiative should be lead by senior management.

Answer 60

Organization identifies and assesses changes that could impact internal control. Risks; Rapidly changing technologies and amber criminals' quick adaption to changes yield new methods of exploiting vulnerabilities.

Answer 61

10: Organization selects and develops control activities that contribute to mitigate risks. 11: Organization selects and develops general control activities over technology to support the achievement of objectives. 12: Organization deploys control activities through policies that establish expectations and procedures that implement policies. * control activities related to cyber risks should relate to the organizations' objectives and cyber risk profile. (Ex: defense-in-depth Approach. Manage cyber risks through careful design and implementation of controls)

Answer 62

Organization obtains, generated and uses relevant, quality information to support internal control. •Information needs follow from cyber risk Assessment and control design processes. •Formally document information requirements to support processes and controls. •Availability of "big data" can create information overload problems. •Transform control system data into actionable, high-quality information to support cyber-related controls.

Answer 63

Organization internally communicates information, including objectives and responsibilities for internal control, necessary to support internal control functioning. •Communication about cyber risks should include all personnel, personnel responsible for managing and monitoring cyber risks and controls, and the Board of Directors.

Answer 64

Organization communicates with external parties regarding internal control.

Answer 65

Illegal activity that used a computer as its means of communication, or in which a computer is the target of the crime.

Answer 66

The likelihood of a financial loss, a disruption or damage to an organization form failure of, or an attack on, it's IT Systems.

Answer 67

Link to entity's strategy and objectives. Need a process for evolving with change.

Answer 68

* Policies central to internal control * Reflect managements intentions regarding actions * Procedures are actions to implement policies

Answer 69

1. Values and Service Culture: what is expected of IT function personnel in interactions with clients and others? 2. Contractors, Employees and Sourcing: why, when and how entity selects IT Human Resources from employees vs. outside contractors. 3. Electronic Communications Use: policy related to employee use of the internal, intranet, email, blogs, chat rooms and telephones. 4. Use and Connection Policy: Entity's position on the use of personal devices and applications in workplace and connection to the entity's systems. 5. Procurement: policy on procurement processes for obtaining IT services. 6. Quality: statement of IT performance standards 7. Regulatory Compliance: statement of regulatory requirements for IT systems. 8. Security: policy related to guarding against physical or electronic threats to IT. May include disaster recovery preparation policies. 9. Service management and operational service problem solving: policies for ensuring quality of live IT services.

Answer 70

Marketing, buying, and selling of products and services via the internet * Narrower -> Transactions between organization and trading partners. * Business-to-business (B2B) ecommerce: the electronic processing of transactions between businesses. (ex: Processing of business transactions, electronic data interchange (EDI), supply chain management (SCM) and EFT •Business-to-consumer (B2C) ecommerce: selling goods and services to consumers, usually on Internet and web-based technology. •Relies on intermediaries or brothers to facilitate the sales transaction (eBay)

Answer 71

Used internet to improve business performance through connectivity. * Business process that relies on electronic dissemination of information or automated transaction processing. * can be within or between organizations. * Most via the Internet using web-based technology's

Answer 72

Business-to-employee e-commerce: sharing information and interacting with employees.

Answer 73

Business-to-government e-commerce: contract bidding, property disposal, audit procurement.

Answer 74

* availability/downtime * privacy, security and confidentiality * authentication and nonrepudiation (after the fact, can't claim that transaction never occurred) * integrity

Answer 75

1. Customers go elsewhere 2. Limited growth 3. Limited markets

Answer 76

1. E-marketplaces and exchanges 2. Viral marketing 3. Online direct marketing 4. E-rendering Systems (putting out bids for products we need?) 5. Social networking

Answer 77

1. Trading partner | 2. The trading site or service provider

Answer 78

1. Risk of System unavailability •availability/downtime 2. Privacy, security and confidentiality risks 3. Authentication risks 4. Nonrepudiation risks 5. System integrity risks

Answer 79

Where a company seeks bids to provide a product or service.

Answer 80

Technologies for managing client e-relationships. Ex: customer data, profitability, personalized marketing Database of customer data •sales force automation: tracking contacts and follow-ups Marketing automation: "triggered" marketing (ex: Kroger promoting grocery products only to interested customers) Customer service automation •customer service automation: automating common customer interactions Analytics •sales history and projections, marketing campaign success, trends, and performance indicators

Answer 81

* computer-to-computer exchange of business data. * structured data and processing protocols to reduce costs and speed processing (purchase orders, confirmations, invoices, etc.) * facilitates JIT (just-in-time) inventory * ex: Walmart and suppliers (direct EDI connections) * often, direct links between trading partners through intermediaries (called "service bureaus" or VANs) * Most EDI transactions on Value Added Networks (VANs)

Answer 82

Audit trails, controls, and security Often used in conjunction with EDIs

Answer 83

Translation software converts between standardized EDI format and internal company format.

Answer 84

* paperless (saves storage, filing, process costs * zero data entry * reduce errors in information exchange * required by customers (ex: Walmart can force supplies to adopt a system comparable to theirs) * real time data, no delays (faster invoicing and payments)

Answer 85

•demanded by customers ``` •management of e-banking requires: Senior management of BoD oversight Technology under Senior IT leadership Operational management monitoring and measuring risk ```

Answer 86

Technology for electronically transferring money. Increase speed and reduce cost

Answer 87

Not payment systems Programs for managing credit cards, user names, passwords and address information in easy-to-use, centralized location.

Answer 88

Process of transforming raw materials into finished product and delivering goods. Process of planning, implementing, and controlling supply chain operations SCM OFTEN INCLUDES EDI (ex: Walmart)

Answer 89

Preventive and detective controls to prevent unauthorized procurement of cloud services. •a cloud use policy that articulates how, when, and for what uses, cloud computing is allowed. •a list of approved cloud vendors Policy: who can contract for cloud services and under what conditions.

Answer 90

Vendor selection & assessment of CSP controls * approved list of cloud vendors includes only vendors who provide sufficient info to enable informed risk assessments of the integrity of CSP operations. * list of required info from CSP may depend on type of service provided (IAAS, SAAS, PAAS)

Answer 91

Effective incident management plan and procedure. Contract with backup CSPs in case of system failure with primary CSP. Implement CSP availability monitoring.

Answer 92

Incident management plan that considers increased likelihood of attack on CSP.

Answer 93

Using a network of remote servers hosted on the Internet to store, manageC and process data, rather than a local server or in-house network.

Answer 94

Cloud service providers offer network services, infrastructure, or business applications in the cloud. Hosted in a data center than can be accessed by companies or individuals using network connectivity.

Answer 95

* No knowledge or application of SDLC (systems development life cycle). * Not integrated with existing systems * Inadequate system testing and documentation. * Poor data controls, system design * Poor integration with existing systems. * Management may rely on these systems without knowing their risks.

Answer 96

* Exclusively microcomputers * No centralized IT department (outsourced IT?) * Poor segregation of Duties (incompatible functions often combined)

Answer 97

Physical access: unprotected Computing site(s)? •Give > attention to locked doors & secure storage Logical (electronic) access: require UNs and strong PWs, automatic log outs Data Backup: outsource, or, establish

Answer 98

1. Centralized system •data and processing at central location. 2. Decentralized system •individual location processing and data 3. Distributed (hybrid) database system •distribute to locations according to need

Answer 99

All data processing at one location. Users access via telecommunications channel ADVANTAGES: enables better data security, consistency in processing. DISADVANTAGES: high transmission costs, input/output bottlenecks at high traffic times (end of period), slow response to info requests.

Answer 100

Each location maintains separate system and data. Summarized data sent to central office. Use of this system is declining. Can be customized Systems. ADVANTAGES: low transmission cost, low processing power and storage needs at central site, lower input/output bottlenecks, higher response to local needs. DISADVANTAGES: higher data redundancy and poor information integration, higher security issues and hardware costs.

Answer 101

Compromise: Seek the best of centralized and decentralized. Database distributed across locations according to needs. Increasingly common ADVANTAGES: better communications between locations (all connected to distributed database), more current and complete information, reduce or eliminate need for expensive central processing center. DISADVANTAGES: similar to centralize systems cost of communications among locations, access and update conflicts among locations.

Answer 102

Two or more computing devices connected by a communications channel.

Answer 103

Network access point. •controlling is critical to security. (Who is on the network and why?) A connected device (computers, printers, headphones, etc.) identified by type (linked to device protocols) Measure of network complicity. Each Node is assigned a DNS and IP address Network monitor displays nodes.

Answer 104

Domain Name System: translates network Node into IP address (internet protocol)

Answer 105

Route traffic and may include security features (identifying nodes engaged in activity you don't want on your network). Routers are smarter, more complex and cost more than switches.

Answer 106

•Circuit board and software on each Node. •Matched to transmission media. Ex: in each computer (to translate between the network language and the computer language)

Answer 107

* Communication link between nodes (here a cable). | * May be wired or wireless.

Answer 108

CLIENT: usually an end user's microcomputer, uses but does not provide network resources SERVER: provides services or resources to network, end-users access server resources but generally don't use directly. LOCAL AREA NETWORK (LANs): use dedicated communication lines, cover limited area. WIDE AREA NETWORK (WANs): uses public or shared communication lines. STORAGE AREA NETWORK (SANs): type of LAN, dedicated to connecting storage devices to serves and other devices, centralized data storage, increased use in cloud computing. PERSONAL AREA NETWORK (PANs): created by individual person, wireless or wired.

Answer 109

WIRED Twisted pair Coaxial cable Fiber optic cable WIRELESS Microwave transmission (primarily used in WANS) Wi-Fi or spread/spectrum radio transmission Bluetooth (used in PANs)

Answer 110

WIRELESS: Scalable, flexible, often lower cost, mobility. WIRED: reliable, security, speed, occasionally lower cost. large LANs and WANs often include both.

Answer 111

``` A. Response time reports B. Downtime reports C. Online monitors D. Network monitors E. Protocol analyzers F. Simple network management protocol (SNMP): way of monitoring network traffic G. Help desk reports ```

Answer 112

A "network of networks" •worlds largest client/server network. ``` Common protocol = 2 parts: TCP (Transmission Control Protocol) •breaks up sent messages into IP packets IP (Internet Protocol) •all nodes assigned an IP address for delivery of information. ```

Answer 113

Rules by which a network operates and controls flow and priority of messages.

Answer 114

A means by which information is transmitted. Sent files are broken down into packets which contains: Header: routing information (address), length protocol (maybe), originating info. Data: main message Trailer: used in some Systems, error detection bits, end of message identifier

Answer 115

1. Mail servers -- hosts that deliver, forward and store mail 2. Clients -- link users to servers. Allow you to read, compose, send, and store email.

Answer 116

Web address of a resource

Answer 117

Translates the URL to an IP address Sends a request for URL via HTTP (hypertext transfer protocol)

Answer 118

For email services.

Answer 119

Permits access to remote mailboxes (e.g. On a server) as if they were locks (e.g. On a client system)

Answer 120

For uploading and downloading files.

Answer 121

Common for informal, internal corporate communications.

Answer 122

For internet-based phone communications.

Answer 123

Codes that indicate how parts of a file are to be processed or displayed.

Answer 124

Core markup language (Way of tagging text for display) for web pages.

Answer 125

For encoding (tagging) documents in machine-readable form.

Answer 126

XML-based. For encoding and tagging financing information. *This is the future. •used in filing with SEC on EDGAR •some companies now report their F/S in both paper and XBRL formats.

Answer 127

Detect and/or prevent unauthorized uses. •non-work tasks, legal issues National security/political control Packet sniffers (view and capture sent information) Desktop surveillance (keystroke + website logging)

Answer 128

Provide access through: direct connections to Internet backbone (high speed, high capacity communication lines)

Answer 129

Private (limited access) networks built using Internet protocols. •allows access to network resources through web browsers rather proprietary interface. •reduces training and system development time. •rapidly replacing traditional proprietary LANs and WANs. •easier to use, greater security. •intranet portal--the entry site (URL) for an intranet.

Answer 130

Available only within and organization (school, business, association) •intranets are often used to connect geographically separate LANs within a company.

Answer 131

Extent intranet to associates •extend to suppliers, customers, business partners. Could have security issues that are not found wth intranet.

Answer 132

Technology to secure communications. | •extending an intranet to an extranet.

Answer 133

Web based, collaboration and community-generated content using tools such as blogs and wiki.

Answer 134

Need and information source by (free) subscription.

Answer 135

One-time password (device displays; user inputs devise password, user ID, and account password) New password ~30-60 seconds

Answer 136

Physical characteristic for access (thumbprint, Regina patterns)

Answer 137

All firewalls are hardware and/or software to review and filter network traffic (e.g. Block no compliant data packets based on set parameters) TYPES/LEVELS Network, application and personal.

Answer 138

On a network (e.g. Server) Filters data packets based on header information (source and destination IP addresses and Communication port) Blocks non compliant transmissions based on rules in access control list. Very fast (examine headers only)

Answer 139

Inspect data packet content Can perform deep packet inspection (detailed packet examination)

Answer 140

Software enabling end-users to block unwanted network traffic. Usually on a home network or computer.

Answer 141

IDS: monitors network for anomalies. What is unusual--3 identification methods 1. Signature-based (site patterns/sources) 2. Statistical-based (unusual activity-modeling) 3. Neural Networks (learns from created database)

Answer 142

IPS e.g. Honeypot/honeynet -- allow hackers access to a decoy system.

Answer 143

Unauthorized user follows and uses authorized user credentials

Answer 144

* Failure (outage) * Reduced voltage (brownout) * Sags, spikes, and surges * electromagnetic interference (EMI)

Answer 145

This logically restricts the ability of the user to read, write, Update, and/or delete records in a file.

Answer 146

A zest of techniques used by attackers to fool employees into giving them access to information resources.

Answer 147

Process of converting a plaintext message into a secure-coded form (ciphertext). Decryption - reverse encryption (to read a message).

Answer 148

device or code that makes the message unique. Needed to encrypt or decrypt. •an input or parameter •device encryption e.g. On s laptop, smart phone Key length -- longer keys are slower but harder to crack

Answer 149

One algorithm to encrypt and decrypt Sender creates and sends ciphertext, tells which algorithm (key) Receiver reverses process Old=data encryption standard New and better = Advanced Encryption Standard

Answer 150

Paired algorithms •one to encrypt, one to decrypt •if public encrypts, private decrypts •if private encrypts, public decrypts Safer but more complicated (slower) Common in sending of message (data in transit)

Answer 151

Wrong guesses about encrypting key yield falsified data that looks correct but isn't.

Answer 152

Quantum encryption where data are encrypted using the Alice-in-Wonderland-like qualities of quantum computers.

Answer 153

Electronic document that contains information Purpose: provide identity and crest secure communication.

Answer 154

Created by Microsoft to acquire key pair, user applied for CA. CA registers public key on server and sends private key to user. (Ie. additional layer of approval to get key)

Answer 155

Legally recognized identification. Uses public/private key technology.

Answer 156

Facilitate secure exchanges (e.g. E-commerce) * uses public/private key paid to authenticate sender. * provides authentication and nonrepudiation. * weakness: public/private key pair can be acquired without verification. (Does not provide confidentiality)

Answer 157

* SSL (secure socket layer) * S-HTTP (secure hypertext transport protocol) * SET (secure electronic transactions protocol) - used for consumer purchases

Answer 158

1. Natural: i.e. Earthquakes, floods 2. Unintentional Human: i.e. Loss of power, gas leak 3. Intentional Human: i.e. Terrorist attacks, hackers, vengeful employees

Answer 159

Acceptable data loss recovery time Objective (acceptable downtime). Determining: criticality of application, cost, time to recovery, security.

Answer 160

``` Cold site: no computers $ Warm site: computers no data $$ Hot site: everything $$$ Mirrored site: fully redundant $$$$ Reciprocal Agreement: $?$ ```

Answer 161

Off-site location with electrical and other physical requirements for processing. No equipment or files (added when needed) 1-3 day start-up typically Cheaper

Answer 162

Off-site location with similar computer hardware. Does not include backed-up data (delivered when needed) More expensive than cold-site

Answer 163

Completely equipped including data Near-immediate (within hours) operation Big money (e.g. Medical, credit card systems)

Answer 164

Fully redundant, fully staffed, fully equipped. Real-time replication of mission critical systems E.g. Credit card processing

Answer 165

Agreement between toe it more organizations to aid each other with data processing if disaster strikes. May be cold, warm, or hot

Answer 166

* identify and plan for disruptions * integrate into business culture * recall risk management lesson / risk appetite and management.

Answer 167

Business risk management or organizational risk management.

Answer 168

Business continuity planning

Answer 169

Organizational continuity plan | •process of risk Assessment, contingency planning, and long-term continuity maintenance.

Answer 170

Business impact analysis •risk analysis portion of BCP (business continuity planning) Identifies maximum tolerable interruption periods of an organization by function and activity to assess risk importance and consequences.

Answer 171

1. Create a OCP policy and program 2. Determine critical functions / business risks 3. Determine continuity strategies 4. Develop and implement BCM response 5. Exercise, maintain, and update plan 6. Embed BCM plan into the culture

Answer 172

Map level of incidents to events to responses E.g. 0=negligible event (e.g. Power strike) 7= crisis (pandemic virus or terrorist) •responses mapped to level of incidents.

Answer 173

* recover from equipment failures, power failures and errors * maintain at least one remote archive off-site * use redundant (multiple) backups.

Answer 174

* full: all data * increment: data changed from a certain time * differential: data changed since the last full backup

Answer 175

1. At least one off-site archive 2. Controls over storage libraries mirror those for data processing sites 3. Many organizations outsource - choosing a vendor, consider availability, standardization, capacity, speed, and price 4. Backup procedures may be full, increment, or differential 5. Maintain inventory of backups that identifies data set name, volume serial number, data created, accounting period, and storage location 6. Consider privacy, security and confidentiality of data (e.g. HIPPA) 7. Restoration procedures integrated into organizations continuity plan (OCP) 8. Backup and restoration procedures regularly tested and reviewed.

Answer 176

Used when all systems were batch processing and is mostly associated with batch processing. ``` Son = newest Grandfather = 2 generations ```

Answer 177

Common in batch processing. Checkpoint •point where processing accuracy is verified •periodic backups •if problem, return to most recent checkpoint and restart

Answer 178

Common to online, real-time processing Record processing transactions log Periodically record master file contents If problem, return to good master file and reprocess subsequent transactions

Answer 179

Operate despite component failure (include redundancy and corrections for component failure) E.g. Space flight, ecommerce, bank credit card processing *dont want outages or downtime Network-enabled backup procedure.

Answer 180

Computer clusters designed to improve service availability: common in e-commerce. If a part of the system goes down, the other components will pickup the slack. Network-enabled backup procedure.

Answer 181

Advantages: automated, outsource to experts, off-site, can be continuous. Network-enabled backup procedure.

Answer 182

Replicate data from multiple sites Data immediately available Efficient storage for servers Network-enabled backup procedure.

Answer 183

Maintain EXACT COPY of data set Files are stored in same format as System (e.g. Not zipped) Advantage: very fast Disadvantage: storage, expensive Used for mission critical systems Network-enabled backup procedure.

Answer 184

Backup and recovery

Answer 185

Nation-states and spies: foreign nations Industrial spies: seek intellectual property and trade secrets for competitive advantage Organized crime: e.g. Blackmails that threaten to harm data resources Hacktivists: social or political statements e.g. Anonymous Hackers/crackers: for fun and challenge

Answer 186

Computer or system as target--e.g. Denial of service (DoS) attacks and hacking Computer as subject--unlawful access to attack others. e.g. DoS infections. Computer as tool--access data or resources. E.g. Unauthorized access breaches, phishing, key loggers Computer as symbol/user as target--variation in computer as tool. Deceive user to obtain access e.g. Social engineering

Answer 187

1. Make crime harder (less likely) 2. Increase the costs (difficulty) of crime 3. Improve detection methods 4. Reduce losses

Answer 188

* software allowing unauthorized entry to System by omitting login * once common among programmers to facilitate development

Answer 189

Prevent legitimate users accessing system. Flood server with incomplete access requests Often use botnets (zombie computers)

Answer 190

Unauthorized interception of private communication.

Answer 191

Sending thousands or millions of emails to an address.

Answer 192

Program planted in System dormant until event or time (e.g. Date, employer deleted from active status)

Answer 193

Exploit system and user vulnerabilities to gain or damage computer. Examples: VIRUS: unauthorized program that copies itself; may damage data. WORM: virus that replicates across Systems; e.g. By sending email floods TROJAN HORSE: Program hidden inside benign file; can insert back door into system

Answer 194

Packet analyzers, network analyzers, and sniffers. •have network control (legitimate) and data capture (nefarious) uses. Packet=formatted block of data carried by a computer network Packet sniffing=capture packets of data as they move across a network

Answer 195

Software used to generate potential passwords and test to gain access. Finds weak passwords easily.

Answer 196

Internet Protocol (IP) address--unique identifying number for each device on a networked system. Hacker can identify IP address (e.g. Packet sniffing) and use to access network Masquerade=hacker mimics legitimate user.

Answer 197

Seek access by tricking employees FISHING: fooling recipients into divulging personal financial data

Answer 198

Irrelevant or inappropriate email (or text or whatever messaging system comes next) messages sent to either: •a large number of recipients. •the same recipient many times (email bombing)

Answer 199

War Chalking: draw symbols in public places to indicate available Wi-Fi network access. War Driving: seeking access to Wi-Fi while diving War Walking: seeking access to Wi-Fi while walking, may lead to war Chalking.

Answer 200

1. Planning for and testing protocol 2. Event detection procedures 3. Ever logging procedures 4. Triage and incident analysis 5. Containment and removal of threats 6. Decision and action regarding event announcement or secrecy 7. Incident recovery 8. Closure 9. Event reporting 10. Monitoring and system revisions

Answer 201

* an essential change control (COSO - importance in managing changes within a system of I/C) * software and instructions for people * for new or changed programs, SPLMS manages migration from application development test environment to production library (live status) * SPLMS controls and validates program changes by comparing new to old code

Answer 202

1. Store programs in the SPL (source program library) 2. Retrieve programs for updating and maintenance 3. Delete obsolete programs 4. Audit trail; document program changes *may be part of database system, operating system or purchased separately

Answer 203

1. Required by law (e.g. The foreign corrupt practices act, and SOX, SEC regulations, HIPPA) 2. The build and evaluate complex systems 3. For training (for new employees) 4. For creating sustainable/surviving systems 5. For auditing (internal and external) 6. For Process (re)engineering

Answer 204

Overview of program, data files, processing logic, interactions with other programs and systems * big picture of entire system * may include requirements, architecture and design of the system

Answer 205

Detailed description of inputs, logic, and outputs for software •includes program flow charts, source code listings, record layouts

Answer 206

Also called "run manual" How to load and execute programs and data. Includes needed equipment, files, supplies, commands, error messages

Answer 207

General and primarily preventive

Answer 208

Ensure reliability of application program data and processes. Understanding enables auditor to assess risks if absent or weak. Some may function as input or processing controls (eg. control totals) Best "input" control is often to automate data entry i.e. To not have manual (human) input

Answer 209

Goals: accuracy, completeness, efficiency

Answer 210

Use entered data to display additional (confirming data) Helps ensure valid and correct entry E.g. After customers account code entered, the system displays additional information about the selected customer. Goals: C (all data entered), A (entered data accurate), E

Answer 211

1. Financial total - add invoice amounts 2. Hash total - add invoice #s 3. Record count-count # of invoices Record count goal = A & C

Answer 212

Confirm numerical sequence (of check or invoice numbers •usually automated but may be manual Goal: C (all valid are included), V (no invalid are included)

Answer 213

Re-key (re-enter) and compare critical data •ex: require password entry twice Goal: Validity

Answer 214

Can't continue until data is entered Goal: completeness

Answer 215

Is data of correct type? Ex: alphabetic, numeric, characters E.g. A zip code can only have numbers. Goal: Accuracy

Answer 216

Numeric field with specified value(s). E.g. Need to enter a number for age that can't be past 120 Goals: validity and accuracy

Answer 217

Validate upper and lower limit. Ex: price per gallon of gas $2 < x < $10

Answer 218

has correct sign (+ or -) Ex: # purchased > 0

Answer 219

Does entered account # exist? In database, called referential integrity Goals: validity and accuracy

Answer 220

Do two or more fields agree? Ex: don't allow pay rate = "$3,500" and pay period = "hourly" Goals: validity and accuracy

Answer 221

Decrease data entry errors, speed data entry Goals: accuracy, completeness and efficiency

Answer 222

Pre-supplied data valued for fields Ex: sales order date = current date Goals: accuracy and efficiency

Answer 223

* automated equipment to reduce manual data entry * ex: bar code scanners * reducing human involvement reduces errors

Answer 224

1. Processing 2. File 3. Output 4. Input

Answer 225

Efficiency •accurate and complete master file update •detect unauthorized transactions •maintain data integrity

Answer 226

Run-to-run Controls: use batch totals (input controls) to agree the batch from one procedure (run) to another. *used in batch processing.

Answer 227

Audit trail control •used mostly in OLRT processing •transaction log = electronic audit trail

Answer 228

May include data values, time, terminal number, IP address, user name Importance: •GOALS: accuracy, completeness and validity •BACKUP AND RECOVERY: essential to checkpoint and restart, and rollback and recovery systems

Answer 229

Master files (ex: payables, receivables, updated regularly with transactions) Standing files (rarely changed master files) Transaction files (events that are used to update master files) System control parameter files

Answer 230

1. Check digit (parity bit) •0 or 1 included in byte to indicate if sum bits = odd or even 2. Read after write check •verifies that data was correctly written to disk •mostly used in local file operations 3. Echo check •verify transmission by "echo back" received transmission to sender •primary use = telecommunications systems 4. Boundary protection •with multiple programs and/or simultaneous users •prevents one program from overwriting data and instructions of another program

Answer 231

Internal labels--Read by system (or removable storage) External labels--Read by humans Version controls--Protocols for ensuring use of the correct file version File access and updating controls--procedure to restrict file updates and access to authorized users

Answer 232

Transaction logs of printed output (built into most systems) Access to sensitive reports through permissions and access controls (e.g. Authorization matrix)

Answer 233

Send files to queue for printing, in order sent Control issue: sensitive output Ex: sensitive product sales data, require printer password entry before file is printed, printed files are held by data control clerk for pickup

Answer 234

Controls built into the computer equipment to ensure that data are transmitted and processed accurately.

Answer 235

Competent, timely execution of the following: 1. Analyze transactions and business documents. 2. Journalist transactions. 3. Post journal entries to accounts. 4. Determine account balances and prepare a trial balance. 5. Journalize and post adjusting entries. 6. Prepare financial statements and reports. 7. Journalize and post-closing entires. 8. Balance the accounts and prepare a post-closing trial balance. 9. Repeat.

Answer 236

Revenue cycle--interactions with customers (give goods; get cash) Expenditure cycle--interactions with suppliers (give cash; get goods) Production cycle--give labor and raw materials; get finished product Human Resources/Payroll Cycle--hire,utilize, and develop labor; give cash and benefits General ledge, reporting, financing cycle--give cash; get cash; report financial outcomes

Answer 237

Loss, alteration, or unauthorized disclosure of data. Accounting system is not functioning as required by law, regulation, or organizational policy.

Answer 238

Completeness - All: * transactions are properly authorized. * record transactions are valid. * valid and authorized transactions are recorded. * transactions are recorded accurately. * safeguarding - assets are safeguarded from loss or theft. * efficiency - business activities are performed efficiently and effectively. * compliance - the organization complies with all applicable laws and regulations. * reporting - all financial disclosures are full/fair * data integrity - accurate data is available when needed.

Answer 239

Systematic process of recording and processing financial transactions and events. A way of categorizing similar business and accounting activities.

Answer 240

* records activity related to employees and payroll. * gets funds from the financing cycle, provides labor to the production cycle, and provides data to the GL and reporting system.

Answer 241

•gets funds from the revenue cycle, provides funds to the expenditure and HR/payroll Cycles, and provides data to the GL and reporting system.

Answer 242

•gets labor from HR/Payroll, gets money from financing, gets raw materials from expenditure, provides data to GL and reporting, provides finished goods to revenue.

Answer 243

* Gets finished goods from production * provides data to GL and reporting * provides funds to the financing. Core Activities: Sales: receive customer orders, approve customer credit/sales authorization. Physical (or virtual) custody of products/svcs: fill the order and prepare for shipping, ship AR: bill as needed, management receivables Cash: collection and receipt of payments, reconciliation/control activities

Answer 244

Gets money from financing, provides data to the GL and reporting, provides raw materials to production. Core activities: Request and authorize purchase, acquiring goods, taking custody and paying for goods.

Answer 245

Purpose: helps match payments to invoices. Comments and Controls: Sent by customers to selling company to indicate payment.

Answer 246

1. It doesn't work the way it was designed to. 2. Cost over-runs: cost more than it should have. 3. Time: it falls behind schedule.

Answer 247

* Lack of senior management knowledge of, and support and involvement in, major IT projects. * Difficulty in specifying requirements. * Emerging technologies (hardware and software) may not work. * Lack of standardization project management and methods. * Resistance to change; lack of proper "change management". * Scope and Project creep. (Ex. Going over budget) * Lack of user participation and support. * Inadequate testing and training. * Poor project management--underestimating of time, resources, and scope.

Answer 248

1. IT Steering Committee •Concerned with the strategic plan for IT within the organization. •Review, approve and prioritize Systems Development proposals. •include IT department and functional user areas 2. Lead Systems Analyst •manages development team and project. •direct contact with end users. Usually responsible for developing overall programming logic and functionality. 3. Systems Analysts and Application Programmers •design, create and test system, programs, and controls in partnership with users 4. End users •Identify problems and often suggest first-pass solutions.

Answer 249

``` SYSTEM PLANNING AND BUILDING 1. Planning and feasibility 2. Analysis / Requirements 3. Design 4. Development IMPLEMENTING, TESTING AND MAINTENANCE 5. Testing 6. Implementation 7. Maintenance ```

Answer 250

3 dimensions of feasibility: 1. Technical: Can it be built? 2. Economic: Is it cost effective? 3. Operational: Will it meet user needs? If feasible, crest a project plan: •Critical success factors: What just happen to succeed? •Scope: Project purpose and most important goals. •Major risks: $?, delivery date? Technology? •Milestones and responsibilities: Who will do what, when?

Answer 251

Systems analysts partner with end users to: •Understand business processes and purposes. •Document system requirements Requirements Defined: Document that identifies system functionality Framework for system design and development Parties sign to signify agreement on requirements. (Contract).

Answer 252

Collaboration of IT personnel and end users to define system. Part of analysis/requirements in SDLC

Answer 253

* Prepare or evaluate RFPs (request for proposals) for hardware or software. * Vendor evaluations: Reliability (financial and product), service commitment, training, tech support + documentation.

Answer 254

Design: Define systems' technical specifications. Two components: 1. Technical architecture specification: Define hardware, systems software and networking technology of systems. 2. Systems model specifications: (a) Graphical models (flowcharts, etc.) describing system components and processes. (b) Create system menus and screen formats.

Answer 255

* Programmer sues design specifications to develop the program and data files. * Purchases hardware and IT infrastructure specified in design.

Answer 256

Does system meet the design specifications in the requirements definition? TEST: •With both correct and erroneous data •At expected operational loads TYPES OF TESTING: •Individual processing unit: Each component works •System testing: Modules work together •Inter-system testing: System works with other systems •User acceptance: System meets business needs

Answer 257

Includes: •Data conversion (old data into new format) •User training

Answer 258

Monitor and update programs and/or procedures •Remember Y2K? System updates return to start of SDLC process. (Size will determine if you go through the whole process or just Components)

Answer 259

Similar to phased implementation, except divide users into smaller groups and train by groups (vs. by modules)

Answer 260

Old system is dropped and the new system is put in place all at once. RISKY!

IT Flashcards

(285 cards)