11/18 Class IT Control Flashcards Preview


Flashcards in 11/18 Class IT Control Deck (29):
1

IT controls

IT controls prevent problems.

2

IT GCCs

information technology general computer controls

3

application controls

controls that programmers must follow; every part of the system is documented, and the controls stop bad things from happening

4

Good general computer controls start

at the top:
good lines of authority will stop fraud or error
segregation of duties

5

segregation of duties IT

keeping programmers separate from the live environment and the development sphere, so that they can't change live data. Four roles that should be separated in IT:
developers
users
security people
computer operators

6

Logical/access/authentication control

what you know - user name and password
who you are - fingerprint, retinal scanner
what you have - token based controls, magnetic cards etc

7

RSA Card

randomly generates a user name and constantly changes it

8

authentication

for anything related to e-commerce, you need to see what is working behind the browser: look at how the browser is working and how it is secured. Public and private keys keep people accountable.

9

the administrators

you must monitor these people

10

project

if you are doing e-commerce, you need to see what the controls are. We don't care so much about what they do, but how they do it and whether they have good controls in place.
The appendix must include references and screenshots of you testing the controls.

11

Change management

programs are available that provide version control.

12

Backup/Recovery/Continuity

ensuring that our data is backed up and can be retrieved when it is lost

13

disaster recovery

how do we recover data? Have the data somewhere else that is easily set up to get going.

14

business continuity

ensuring that my data is available somewhere else in the event of a disaster
cold site - all we have is the data offsite
hot site - a second site is already running alongside the first, ready to take over when one fails (business continuity)
warm site - data offsite, plus an arrangement with someone who has a lease on standby, ready for a disaster

15

Network

firewall, IDS, etc.
completeness and accuracy.

16

intrusion detection software (IDS)

lets you know that someone is trying to break into the system; works together with the firewall

17

Encryption

encrypting your software so that people can't modify it
external source - internet
internal - onsite
database level - fields and tables of data

18

VPN virtual private network

an encrypted network that only you and the other side use; it generates its own key.
Mainly for private networks.

19

SSL secure socket layer

a closed, secure connection with another site; uses a certificate authority to authenticate the communication.
Example: your site and American Express.
Used over public networks.

20

Vulnerability

when we hire people to see where we are vulnerable

21

Penetration

when we allow people to get all the way into the system and show us where the company could be defrauded

22

Physical Security

data center - offsite location to hold data
co-location facility (secure location) - separate location that holds the data as a fail-safe
lots of locks and verifications

23

elemental security

air conditioning running (temperature control), humidity control, above ground against floods, spring to foundation, fire suppression
3 backup generators

24

network operation center

monitor your network

25

application control

input - what can go wrong with the input?
programmed edit checks:
field check - checks the format of the input (words/numbers)
validity check - tests whether it is a valid input
limit check - tests whether the quantity is reasonable; nothing over this limit
range check - sets a range; the value is checked against both a lower and an upper bound
reasonableness check - e.g. a credit check; checks whether someone is ordering too much or an abnormal amount
completeness check - makes sure data is present in a field
sign check - positive or negative number
sequence check - the next invoice has to be the one that is entered
self-checking digit - checks whether the credit card number is one of the ones we use

26

control totals and reconciliations

record counts - counts records to see whether there are more or fewer than there are supposed to be
batch total - adds the amounts in a batch to see whether the main total is right
hash total - an arbitrary total of the numbers, used only for checking

27

Other

automated authorization - the system sends an authorization request to someone to authorize it
auto-enforced SOD - only sends that authorization request to someone who can't commit fraud

28

processing controls

run-to-run totals (internal reconciliation) - tests the transaction table against the output
checks for duplicate transactions - checking for gaps
logs - record who is getting in
exception reporting - sees whether something is abnormal and sends it to someone to review
checklists - the operator follows a process to ensure accuracy

29

output

testing for completeness and accuracy - test the data and its output; run transactions through
security overview - making sure only the right people can see it