IT Security & Application Development

Question 1

The difficulty of maintaining the integrity of the data is

Answer 1

The most significant limitation of computer-based audit tools

Question 2

Limit who can physically enter the data center

Answer 2

Physical access controls

Question 3

Are designed to protect the organization’s physical information assets.

Answer 3

Environmental controls

Question 4

Are needed because of the use of communications networks and connections to external systems.

Answer 4

Logical security controls

Question 5

Connection to the internet presents security issues. Thus, the organization-wide network security policy should at the very least include:

Answer 5

1) A user account management system,
2) Installation of an Internet firewall, and
3) Methods such as encryption to ensure that only the intended user receives the information and that the information is complete and accurate.

Question 6

The responsibility for creating, maintaining, securing, and restricting access to the database belongs to the

Answer 6

Database administrator (DBA)

Question 7

The five IT business assurance objectives include:

Answer 7

1) Availability
2) Capability
3) Functionality
4) Protectability, and
5) Accountability

Question 8

May exploit a known hole or weakness in an application or operating system program to evade security measures.

Answer 8

Malicious software

Question 9

Types of server attacks:

Answer 9

1) Password attacks
2) Man-in-the-middle attack
3) Denial-of-service (DOS) attack

Question 10

A brute-force attack uses password-cracking software to try large numbers of letter and number combinations to access a network.

Answer 10

Password attacks

Passwords also may be discovered by Trojan horses, IP spoofing, and packet sniffers.

Question 11

Takes advantage of networking, packet sniffing, and routing and transport protocols.

Answer 11

Man-in-the-middle attack

Question 12

Is an attempt to overload a system with false messages so that it cannot function.

Answer 12

Denial-of-service (DOS) attack

Question 13

Is needed to respond to security breaches if an organization’s computer system has external connections.

Answer 13

Intrusion Detection System (IDS)

Question 14

Works by using sensors to examine packets traveling on the network.

Answer 14

Network IDS

Question 15

Internal auditors often assess the organization’s information

Answer 15

Integrity and reliability practices

Question 16

Is responsible for ensuring that an organization’s privacy framework is in place

Answer 16

Management

Question 17

Primary role is to ensure that relevant privacy laws and other regulations are being properly communicated to the responsible parties

Answer 17

Internal auditors’

Question 18

Is a means of taking a user’s identity from the operating system on which the user is working and passing it to an authentication server for verification.

Answer 18

Application authentication

Question 19

Technology converts data into a code. A program codes data prior to transmission. Another program decodes it after transmission. Unauthorized users still may be able to access the data, they cannot decode the information

Answer 19

Encryption

Question 20

Requires two keys, one public and one private. These pairs of keys are issued by a trusted third party called a certificate authority.

Answer 20

Public-key (asymmetric) encryption

Question 21

Is a means of authentication of an electronic document, for example, a purchase order, acceptance of a contract, or financial information

Answer 21

Digital signature

Question 22

Is another means of authentication used in e-business. The certificate authority issues a coded electronic certificate that contains the holder’s name, a copy of its public key, a serial number, and an expiration date. The certificate verifies the holder’s identity.

Answer 22

Digital certificate

Question 23

Is less secure than the public-key method because it requires only a single (secret) key for each pair of parties that want to send each other coded messages.

Answer 23

Private-key encryption

Question 24

Involves user-created or user-acquired systems that are maintained and operated outside of traditional information systems controls

Answer 24

End-User Computing (EUC)

Question 25

Three basic architectures for desktop computing include:

Answer 25

1) Client-server system
2) Dummy terminal model
3) Application server model

Question 26

Divides processing of an application between a client machine on a network and a server. This division depends on which tasks each is best suited to perform.

Answer 26

Client-server system

Question 27

In this architecture, desktop machines that lack stand-alone processing power have access to remote computers in a network.

Answer 27

Dummy terminal model

Question 28

Involves a three-tiered or distributed network application. Also performs business logic functions, transaction management, and load balancing.

Answer 28

Application server model

Question 29

The application server model involves a three-tiered or distributed network application.

Answer 29

The middle (application) tier translates data between the database (back-end) server and the user’s (front-end) server.

Question 30

Over the life of an application, users are constantly asking for changes. The process of managing these changes is referred to as _______, and the relevant controls are called ______

Answer 30

Systems maintenance & Program change controls

Question 31

The program change control process includes

Answer 31

1) Saving a copy of the production program in a test area of the computer.
2) Making the necessary changes to this copy of the program.
3) Transforming the changed program into a form that the computer can execute.
4) Testing the changed program to see if it performs the new task as expected.
5) Demonstrating the new functionality for the user.
6) Moving the program to a holding area once it is in an acceptable form.
7) (The supervisor) Reviewing, approving, and authorizing the new program.

Question 32

Is the traditional methodology applied to the development of large, highly structured application systems. A major advantage of the approach is enhanced management and control of the development process.

Answer 32

Systems development life cycle (SDLC)

Question 33

The phases and component steps of the traditional SDLC can be described as:

Answer 33

1) Definition
2) Design
3) Development
4) Implementation, and
5) Maintenance

Question 34

Is an alternative approach to application development that involves creating a working model of the system requested, demonstrating it for the user, obtaining feedback, and making changes to the underlying code.

Answer 34

Prototyping

Question 35

Common application development tools are:

Answer 35

1) Computer-aided software engineering (CASE)
2) Object-oriented programming (OOP)
3) Rapid application development (RAD)

Question 36

Which applies the computer to software design and development

Answer 36

Computer-aided software engineering (CASE)

Question 37

Which combines data and the related procedures into an object

Answer 37

Object-oriented programming (OOP)

Question 38

Which is a software development process involving iterative development, the construction of prototypes, and the use of CASE tools

Answer 38

Rapid application development (RAD)