Chapter 6 Flashcards

Question

IT Strategy

Answer 1

Factors that Impact: * Virtual/ Physical Network Design: * computing power of a company will be key element * depends of nature of business * Centralized/ Decentralized Network Design * organization with multiple offices across a wide range of locations - decentralized * Cybersecurity * some organization have more regulatory burdens and compliance needs than others * Disaster Recovery and Business Continuity * degree of recovery speed for system is more important in some environments * Available IT Personnel: * insourced, outsourced or combo

Answer 2

* input from top leadership, middle managers, IT staff, end users, and external stakeholders * right policies and procedures in place to main relevancy, provide oversight, and align with organizational goals * Board of Directors: * appointment of those who will plan and administer policies * must evaluate IT governance to ensure they meet strategic and operational needs * Executive Management * structure is in place and executed effectively * set tone at the top for ethical climate or attitude toward policies * Middle Management * responsible for carrying out governance policies and making sure that subordinates are doing the same * appropriate resources and support * IT Support Staff * Strategic or Executive-level IT Staff: * executive or middle managers * daily planning and governance policies and carrying them out * Chief Technology Officer * Network Engineers: * responsible for designing and maintaining company network * configuring servers, routers, switches, internet connectivity * Help Desk and Lower-Level IT Support: * first responders when end users have trouble shooting needs * Cybersecurity Staff: * ensure safe and secure usage of company data and IT assets * Function-Specific Staff: * discipline-specific job roles * larger companies * experts for specific items * Accountants: * Stewards of Accounting Information Systems (AIS) * accountants know their information needs best and thus provide input to system developers * Members of Project Development Teams * participation in project development team * real time instead of reactionary * Testers * test to verify that controls are implemented and functioning properly * End Users * best to understand the day-to-day needs of the technology * External Stakeholders * customers or stakeholder such as auditors or regulators can drive change in IT governance

Answer 3

* formed for new IT projects typically include members of management, IT systems personnel, accountants, and system users * responsible for project planning and tracking, IT infrastructure design, change management, and monitoring project performance. * Tasks: * monitoring the project to ensure timely and cost-effective completion * managing the human element (resistance to change) * frequently communicating with users and holding regular meetings to consider ideas and to discuss progress so that are not surprises at project completion * managing risk and escalating issues that cannot be resolved within the team

Answer 4

* aka Project Steering Committee * individuals within an organization who review and approves long-range plans and oversees its information system * consists of high-level management and experts (CIO, controller, IT department heads) * oversight role * responsible for: * developing and communicating strategic goals * reviewing the IT budget and allocation of IT costs * Providing ongoing guidance and addressing big-picture issues that arise * ensuring management engagement and participation * monitoring the project development team's progress * more holistic view * address concerns across business units * help facilitate coordination and integrations of information systems activities

Answer 5

* helps to identify and assess risks * identifies business units, departments, and processes that are essential to the survival of an entity * identify organizational impact in event of failure or disruption * identify resources required to resume business activities in case of disaster * Assessing IT Governance Risks * Objectives: * estimate the quantitative or financial impact to the organization, assuming a worst-case scenario * estimate the qualitative impact to the organization and the effect it could have on operations, assuming a worst-case scenario * identify the organization's business unit processes and the estimated recovery time frame

Answer 6

* need to know what IT resources and assets exist * determine base resources it needs to sustain minimum operations * document the following regarding assets: * date placed in service * machine specifications * make/model of hardware and software * operating systems installed * software applications installed * security software installed * firmware installed * assigned users and department * cost * insurance or any associated warranties

Answer 7

* determines criteria for categorizing the list of information resources as high, moderate, or low related to the effect on day-to-day operations High * department cannot operate without resource * may experience a high recovery costs * may fail to meet the organization's objective or maintain its reputation Moderate * could partially function temporarily for a period of days or a week * may experience some cost of recovery * may fail to meet the organization's objectives or maintain its reputation Low * could operate for an extended period of time * may notice an effect on achieving the organization's objectives or maintaining its reputation

Answer 8

High Likelihood * risk is highly probable, has occurred recently, can occur frequently, or controls to prevent it are ineffective Medium Likelihood * risk could occur, but controls are in place that may impede successful exercise of vulnerability Low Likelihood * risk is improbable, or control are in place to prevent or significantly impede successfully exercise of the vulnerability

Answer 9

* multiple, interconnected technological components, with the core infrastructure involving a combination of on-premises and outsourced hardware, software, and specialized personnel * Hardware * Computer Hardware * microprocessors, graphics and sound cards, hard drives, RAM, power supply, motherboard * External hardware Devices * external peripheral devices, mice, keyboards, speakers * Infrastructure Housing * data centers, ventilation and climate controls for data centers * Networking Devices * Routers * connecting devices from a network * act as link between modem which connect computer to internet and organization's switches * Switches * similar to routers * connect and divide devices within a computer network * allows multiple devices to share the same network * Gateway * computer or device that acts as an intermediary between different networks * transforms data from one protocol into another so that information can flow between networks * protocol is a rule that governs the way in which information is transmitted * Servers * physical or virtual machines that coordinate the computers, programs and data * Firewall * software applications or hardware devices that protect a person's network traffic by filtering it through security protocols with predefined rules * Types: * Basic Packet-filtering * Circuit-Level Gateways: verifies source of packet * Stateful Multilayer Inspection Firewall: combine packet-filtering and network address translation * Network Address Translation Firewalls: assign an internal network address to specific, approved external sources * Next-Generation Firewalls: can assign different firewall rules to different application as well as different users * Software * instructs hardware on how to operate * Networks * group of computers and other machines that are connected through networking devices such as routers or modems * wired or wireless (LANs, WANs) * Mobile Technology * laptops, hotspots mobile phones * IoT (internet of things) device

Answer 10

* enables companies to use data as part of their strategic planning process as well as tactical execution of that strategy * often has subsystems * provides users predefined reports that support effective business decisions * feedback on daily operations and financial and nonfinancial information * support both internal and external business decisions

Answer 11

* Accounting Information System (AIS) * Decision Support Systems (DSS) * Executive Information System (EIS) * Customer Relationship Management System (CRM) * Inventory Management * Knowledge Management Systems (KMS) * Supply Chain Management (SCM) * Enterprise Resource Planning (ERP) * Enterprise Performance Management * Communication

Answer 12

* AIS * for accountants and financial managers * collects records, and stores accounting information * creates an audit trail for accounting transactions * allows for trace back to source documents * 3 Subsystems * Transaction processing Systems: (TPS) * coverts economic event into financial transactions (journal entries) * distributes information to support daily operations * covers sales cycle, conversion cycle and expenditure cycle * Financial reporting System TRS or General Ledger System (GLS): * aggregates daily financial information from TPS for infrequent events such as mergers, lawsuit settlements, or natural disasters * enable timely regulatory and financial reporting * Management Reporting System (MRS) * provides internal financial information to solve day-to-day business problems * budgeting, variance analysis, cost-volume-profit analysis

Answer 13

Functions: * Collect, record, and store data and transactions * Transform data into information through compilation and reporting * Safeguard and maintain data integrity Sequences: 1. transaction data from source documents is entered into the AIS by an end user, via the internet by a customer, or automatically through readable technology such as bar codes or radio frequencies identification tags (RFID) 2. original source documents are filed 3. transactions are posted to appropriate journal 4. transactions are posted to general and subsidiary ledgers 5. trail balances are prepared 6. adjustments, accruals, and corrections are entered as needed 7. financial statements and reported are generated

Answer 14

* an extension of an MIS that provides interactive tools to support day-to-day decision making * provide information, facilitate the preparation of forecasts, allow modeling of various aspects of a decision * aka expert system * What-if Scenarios: * help drive management's decisions * used in forecasting production planning, expense, and revenue projections and expected growth * Artificial Intelligence: * high heavily on * used to automate decisions * examples: * inventory control * revenue optimization * traffic planning * capital investment planning systems * transaction processing systems * database query application * financial modeling application

Answer 15

* provides senior executives with immediate and easy access to internal and external information to assist in strategic decision making * consolidates information * can be stand alone or subsystem * high-level reports and visualizations that allow for big-picture decision making

Answer 16

* strategic drivers for organizations * monitors and manages interactions between the organization and its past, current and potential customers * objectives: * enhance existing customer satisfaction * improve retention * increase customer spending * attract new customers * enhance targeted marketing and promotions to new and existing customers * anticipate customer needs to drive sales and satisfaction * enable cross-selling and upselling of products and services * forecast sales and manage sales staff * manage sales leads * managing leads to better brand recognition, higher revenue, and ultimately higher profits

Answer 17

* collecting and capturing information about customers to create customer profiles that include data points * loyalty cards, reward programs and satisfaction surveys * data mining of social media and online reviews * creating personalized experiences and promotions for individual customers * using business intelligence to automate recommendations and cross-selling opportunities

Answer 18

* increase customer satisfaction through personalized marketing efforts to tailor experience to individuals * increased response rates and decrease cost of marketing

Answer 19

* Operational CRM: * automation of task such as sales, service, and marketing to streamline and simplify business process * generate leads and convert leads into customers * Analytical CRM: * designed to collect and analyze customer information and provide insights to management to aid in decision-making process * Collaborative or Strategic CRM: * enable organization to achieve its strategic goals by providing collaboration and sharing of customer information across functions such as sales, marketing, service, and support teams

Answer 20

* Operational CRM: * automation of task such as sales, service, and marketing to streamline and simplify business process * generate leads and convert leads into customers * Analytical CRM: * designed to collect and analyze customer information and provide insights to management to aid in decision-making process * Collaborative or Strategic CRM: * enable organization to achieve its strategic goals by providing collaboration and sharing of customer information across functions such as sales, marketing, service, and support teams

Answer 21

* either stand-alone or apart of broader management information system * software designed to assist with tracking, procurements, and distribution of inventory items * track quantities and trigger reordering * usually connected to point of sale

Answer 22

* any IT system that disseminates knowledge related to organization * with external parties or internal * examples * training videos * FAQ

Answer 23

* cross-functional systems that are utilized to support different business functions and allow for the integration of information across departemnts, such as accounting, customer management, finance, human resources, inventory management, manufacturing, makerting, and vendor management * real-time communication * operating under centralized database and user interface

Answer 24

Benefits: * stores information in central repository so data is only entered once * acts as the framework for integrating and improving an organization's ability to monitor and track sales, expenses, customer service, distribution and other functions * Provides vital cross-functional information quickly to managers across the organization in order to assist them in decision-making process * improve customer service * allows great access controls so that user privileges for multiple systems can be centrally managed Disadvantages: * significant set up time * can be cost prohibitive because the required hardware, software, and training can include significant development and implementation costs as well as maintenance * integration of all business units can be complex bc integration of disparate systems may be difficult from a technology and process standpoint * causes significant changes to business processes which can lead to error, user resistance, and low adoption rate

Answer 25

* aka Business Performance Management (BPM) or corporate performance management (CPM) * software solutions designed to help executives make strategic decisions * from financial perspective, enables leaders to plan, budget, and forecast business performances * consolidates financial results

Answer 26

* electronic commerce platform to facilitate the sales of goods and services using the internet * removes overhead costs * create markets that might not exist otherwise * promotes competitive pricing * allows for product comparison more quickly * provides parity in information among market participants * Cons: * lag time for shipping * less human customer support

Answer 27

1. Business-to-Business 1. buying and selling goods and services between business entitles 2. allows to streamline processes and establish efficient and effective relationships 2. Business-to-Consumer 1. allows businesses to interface and sell goods to their customers 2. online via retail sites 3. Types: 1. Standalone sites 1. smaller companies 2. utilize shopping cart software 2. Integrate Retail sites 1. larger companies 2. integrated so that sales are the same as if they were in a store 3. Consumer-to-Business 1. customers sell goods to business 4. Consumer-to-Consumer 1. online market place 2. host acts as intermediary and charges a fee for service 5. Government E-commerce: 1. allows users and organizations to make, or receive and make, payments related to taxes and other regulatory requirements

Answer 28

* companies often use third party vendor * helps reduce payment processing time and cost * technology based on block chain

Answer 29

* can outsource activities such as software, data entry, data storage, data management, disaster recovery, and network management * Pros: * usually lower cost/ pay for just what you need instead of large investment in hardware, software, and IT staff * Expertise: no need to invest in training internal employees/ useful for companies who don't need a full time IT staff * Resources: access to specialized and high-quality resources * Enhanced focus on Core Business * Cons: * Less Control and have to grant IT firm access to sensitive information * Quality Control: service providers may not perform up to the expectations and desired quality * Loss of Immediate access to IT Support

Answer 30

* renting storage space, processing power, proprietary software, or a combination on remote servers from another company rather than purchasing and building it internally * offers infrastructure elasticity for changes in demand * cloud service provider performs all maintenance and tech support on hardware

Answer 31

* Security and Privacy Practices: * security standards may not meet requirements of the organizations which can: * lead to inadequate controls or ineffective implementation of controls * misuse or abuse of organization's data * Data Accessibility: * data can become inaccessible or overridden * data can be lost (either due to malice or mistake) * Data Disposal: * data can possibly not be effectively deleted * Vulnerability for Attacks: * if multiple firms are using same provider, an attack on one firm can lead to a beach for another

Answer 32

* governed by the Statement on Standards for Attestation Engagements (SSAE) 18 * objective is to provide assurance that the service organization's controls are designed and operating effectively so that financial statements are not negatively impacted * helps mitigate inherent risks in outsourcing IT functions * types: * Type 1: focuses on the fairness of the presentation of management's description of the service organization's systems and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date * Type 2: focuses on the fairness of the presentation of management's description of the service organization's system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.

Answer 33

* governed by SSAE 19 * for users who need attestation concerning controls as they relate to security, processing integrity, availability, and privacy * important for vendor management, oversight of a company, risk management, corporate governance, and regulatory oversight * types: * Type 1: report of management's explanation or description of a given service company's systems as well as the suitability of control design * Type 2: report of management's explanation or description of a company's control design and its operating effectiveness of internal controls

Answer 34

* reports are also for users who need attestation concerning controls as they relate to security, processing integrity, availability, and privacy * for companies that do not have knowledge required to make an effective use of the SOC 2 report

Answer 35

* corporate accumulation of massive amounts of data that can be used for analysis, commonly referred to as data analytics * data collection is done passively, actively, by a person, or by a technology * sources include loyalty/ reward programs, customer focus groups, radio frequency identification (RFID tags), barcodes, and activity detected from sensors on cameras linked to the internet (IoT- internet of things)

Answer 36

* Volume * quantity and amount of data points * various sources of data require didn't volumes of storage (text file v. video file) * Velocity * speed of accumulation of data processing * ex. price of every transaction of a stock, or real time weather data collection * Variety * 3 Types: * Structured: data with a defined organizational format that has specific parameters * relational data base * Unstructured: format is not predefined and lacks organization * review post online or text in instruction guide * Semi-Structured: hybrid * comma-separated values (CSV file) → no restriction on size or length * Veracity: reliability, quality, or integrity of data * processes should be implemented to ensure data is both accurate and timely * Value: insights Big Data can yield * important to understand the question or business problem that needs solved * shapes the transformation and analytical process

Answer 37

* confidential information must be safeguarded to protect it from unauthorized access and exploitation * examples include employee records, banking and financial information, trade secrets, marketing strategies, and intellectual property * organizations must meet the privacy expectations of their customers * What controls are in place? * need ethics in all parts of the data life cycle (capture, maintenance, synthesis, analytics, usage, publication, archival, and purging) * organization governance program should be lead by a designated individual

Answer 38

* most efficient and effective method * allows data to be stored in different tables and tables are linked through relationships using key fields * concepts: * tables: organizational structures within relational databases that establish columns and rows to store specific types of data records * Customer table would be a table where an entity would store all customer records * attributes (columns): headers of a table that describe the characteristics or properties desired to be known about each entity * Customer table attribute could be Last Name * records (rows): rows within a table in a relational database. each row contains information about one entity within the table * information about a single customer * fields: space created at the intersection of a column and row in a table in which data is entered * information placed in the field is called “data values” * data types: tell us the category of data * single character, string of characters, Boolean → provides yes/no or true/false * database keys: act as unique identifiers and create relationships within the relational database * primary key: unique identifiers for a specific row within a table and are made up of one or more attributes * each row has a unique primary key * ex. social security number * when has one or more attributes = composite or concatenated key * foreign key: attributes in one table that are also primary keys in another table * all other keys that are not primary or foreign are considered ‘non-keys’ or descriptive attributes

Answer 39

* results from a link between a primary key in one table and a foreign key in another tables * allows for simultaneously retrieve information from both tables

Answer 40

* aka Metadata * provides information about the data in a database * list attributes and denotes the features and limitations of that attribute * includes data types, description, field size or length, and whether data is primary, foreign, or non-key attribute * Views: * Logical Database View: how the data paneers to a user * Physical Database View: pertains to how the data is actually stored within the database

Answer 41

* Extract: * can be automated, semiautomated, or manual extraction * native source and means of accessing data must be determined in the initial ETL phase * Steps: * Data identification * Obtaining the Data * if automated, an application programming interface (API) will be designed to extraction can happen * Requesting Data * or Manual Extraction * Transform: * most time-consuming steps * taking often-unstructured data, cleaning it, and validating it to ensure it is accurate and ready for analysis * Cleaning Steps: * determine the desired output, which includes attributes needed and formatting those attributes * deduplicate data points, remove inaccurate data, and account for outliers * Address missing fields * remove all attributes that will not provide value to analysis * ensure data is reasonable by performing spot-checks * remove sensitive information not needed for analysis * split data for analysis (data parsing) * use trimming tools to remove unneeded or extra spaces * Validating data after transformation to ensure data is not lost or inappropriately modified in cleaning process * Load: * load into software program * storage: * operational data storage: (ODS) often sources for data warehouses and are used to capture ongoing operational activities form a variety of input systems * Data Warehouse: very large repositories that are centralized and utilized for reporting and analysis rather than transformation * Data Mart: like warehouse but is more focused on a specific purpose such as marketing or logistics/ subset of data warehouse * Data Lake: contains both structured and unstructured data/ natural or raw format

Answer 42

* Relevance * need to define the purpose * directly describing attributes that has been labeled as primary key * Elements to be Included and Excluded * outlines the universe of data points housed within a repository * Relationship between Elements Include Validity, Completeness, and Accuracy * data being entered in a correct manner * no more data is required * data is free from errors and is true

Answer 43

* Initial (Full) Loading: * occurs when the entire data set is loaded into repository * no prior iterations * Incremental Loading: * only differences between existing data and new data added * can be done in real time or in batches * Full Refresh Loading * entire data set is loaded into repository, replacing the previous load

Answer 44

* process of taking raw data, identifying trends, and then transforming that knowledge into insights that can help solve complex business problems * used in validation, planning, insights, risk mitigation, and decision support

Answer 45

* Descriptive Analytics * what happened * summarizes activity that has occurred within a given attribute or attributes * techniques: * observing summary statistics * sorting data to reveal ranges or patterns * analyzing data based on age, location, time, income * Diagnostic Analytics: * reveal why an event happened * attempts to uncover correlations, patterns, and relationships with data set to explain why * techniques: * drill-down or mining * cluster or profile analysis to determine if any similar groupings of variables reveal insight or unknown answers to questions * correlation analysis between two or more variables to explain why certain data points changes * sequence checks to see if there are gaps or duplication issues * Predictive Analytics: * help to forecast future data points by transforming insight into foresight * techniques: * regression analysis: mathematical model to determine the relationship between dependent variable and one or more independent variable * classification analysis: utilizes already labeled data points and allocates them into similar groups/ differs from regression because it works to predict a category using predefined criteria based on past activities * decision trees: rely on the probability of outcomes/ begin with single decision node and branch out from there * Prescriptive Analytics: * reveal how to achieve desired event * describes next course of action * take probability learned from predictive and turns into recommendations * techniques: * AI and machine learning * Scenario modeling and “what if” analysis

Answer 46

* Customer and Marketing Analytics * build customer profiles * analyze spending preferences * optimizes marketing strategies * Managerial and Operational Analytics * usually run in real time * maximizes efficiencies and production * incorporate into key performance indicators * Risk and Compliance Analytics * monitor transactions through continuous auditing, monitoring and reporting * adherence to controls, covenants, and applicable regulations * Financial Analytics * allow organizations and analysts to monitor financial performance through data mining and ratio analysis on continuous basis * Audit Analytics * types: * assessing risk * providing assurance around certain operations * establishing thresholds and expectations * improving quality of audit by testing full populations * Tax Analytics * used by government entities, organizations, tax accountants, and analytics to organize tax information and guidelines * used in tax planning * monitor tax performance indicators

Answer 47

* Qualitative Data: nonnumerical and considered to be categorical in nature * nominal: simplest form of data that cannot be ordered or ranked * ordinal: categorical and not quantitative but can be ranked * Quantitative Data: numerical in nature * discrete: whole numbers and can only have certain values * continuous: can take on any value within a given interval

Answer 48

* Scale Appropriately * Use of Legends Appropriately * Avoid Bias * Use Consistent Time Periods * Use Colors that can be Easily Seen and Follow Cultural Norms * Use Clear and Easy-to-Read Titles and Labels

Answer 49

* existing systems are no longer supported by vendors who provide technical support * existing systems are no longer compatible with modern software or hardware * advances in technology have resulted in more effective systems being available * competitive advantages to be gained through improvements in processes * growth or expansion of organization requires more scalable solutions * shifts in consumer demand or preferences that require changes in the way technology preforms

Answer 50

* term used to describe the policies, procedures, and resources employed to govern change in an organization * either initiated from within the organization or imposed from without * usually impact IT structure and governance * robust change management process is key component for successfully ensuring that organization can keep up with changing needs without losing ability to operate or achieve its strategic objectives * Steps: * identify and define the need for change * design a high-level plan including goals to be achieved as a result of change * obtain approval from management for the change * develop an appropriate budget and time line * assign personnel responsible for managing the change * identify and address potential risks that could occur during the change or post implementation * provide an implementation road map * procure necessary resources, including IT, and train the appropriate personnel * test the change * execute the implementation plan * review and monitor change implementation and test as needed to verify effective implementation

Answer 51

* Selection and Acquisition Risks * Integration Risks * Outsourcing Risks

Answer 52

* Lack of Expertise * purchasing agents does not have knowledge or organizational perspective to purchase software that meets needs of organization * Lack of Formal Selection and Acquisition Process * could result in overspending, inappropriate related party transactions or kickbacks, or software that does not align with the IT governance strategy * Software/ Hardware Vulnerability and Incompatibility * proper safeguards and security features are needed to adequately protect an organization from unauthorized use does not exist

Answer 53

* User Resistance * Lack of management Support * Lack of Stakeholder Support * Resource Concerns * Business Disruption * Lack of System Integration

Answer 54

* Lack of Organizational Knowledge * Uncertainty of the Third Party's Knowledge and Management * Lack of Security

Answer 55

* designed to minimize the possibility that inherent risks will cause business disruptions or negatively impact IT systems * Include: * Policies and Procedures * outline how it should be executed from selection to integration * Emergency Change Policies * separate contingency policies and procedures in case of emergency * Standardized Change Requests * use of consistent forms and request protocols for timely completion * Impact Assessment * effect a change will have on the organization's business activities a well as any potential disruptions * Authorization: * protect against unauthorized modification to project's scope * Separation of Duties * protect against assets or information being utilized improperly * Conversion Controls * help to minimize data conversion errors related to the impacted IT assets and resources * Reversion Access * ability to revert to prior system or process that existed before the change in the case of unexpected complications * Pre-Implementation Testing * Post-Implementation Testing * Ongoing Monitoring:

Answer 56

* Outsourcing Policies and procedures * System and Organization Controls (SOC) Reports * Utilize Key Performance Indicators

Answer 57

* provides a model for organizations to create, modify, or acquire information systems to meet the needs of the organizations and their users * Steps: * Plan * Analyze * Design * conceptual design: broad translation of business requirements into technical requirements * logical design: hardware and software specifications * physical design: more granular platform and product specifications * Develop * Test * Deploy * Plunge or Big Bang: entire new system is immediately delivered to all customers and clients (lowest cost/ highest risk) * Ramped (Rolling, Phased) Conversion: portions of the new system replace corresponding parts of the old system, one piece at a time (above-average costs, below average risk) * A/B Testing (Pilot, Canary): subset of users gets the new system while the old is still in use(average cost, average risk) * Blue/ Green (Other Pair of Colors/ Shadow): new system is fully deployed in parallel with the old system (highest cost, lowest risk) * Maintain * Waterfall Model is most common * different teams of employees performing separate tasks in sequence * challenges: * requires a lot of time to complete * benefits of new system are not realized until completion * no customer input and change can be difficult to manage * some employees may be idle before beginning or after completing their step

Answer 58

* Resource Risk: * expensive and time consuming * lack of funding can cause project fail or corners to be cut * Scheduling Risk * if schedules are not met, the entire project can be delayed * Technical Risk * major factor * can lead to system downtime and latency problems * if design and functionality do not meet end users need a rework is required $$$ * Project Management Risk * requires strong guidelines, leadership and support * high stress can lead to employee turnover, dissention or issues within the team that can delay the project * User Resistance Risk

Answer 59

* many entities maintain legacy systems because of: * cost * time * user resistance * features and customization * risk of information loss

Answer 60

* Security Vulnerability * Lack of Vendor Support * Compatibility Issues * Lack of Efficiency and Effectiveness

Answer 61

* Isolating the System * Hardening: turning off any unnecessary features of the legacy systems to reduce exposure * Virtual Patches * Monitoring: frequent review and monitoring

Answer 62

lean manufacturing concept that is aimed to achieve a discrete flow of work contrary to batch production approach. one step at a time

Answer 63

lean manufacturing concept that is aimed to achieve a discrete flow of work contrary to batch production approach. one step at a time

Answer 64

* testing should involve the acquired software, any developed software, and the change management process * purpose: * determine whether the software is operating as expected * discover errors, defects, missing components, or gaps * verify that end product meets expectation

Answer 65

* Unit Test: used to validate the smallest component (unit) of the system * goal is to isolate testing of each part to show that individual parts are functioning properly * Integration Test: determines if the units, once combined, function as designed * goal is to test if components integrate effectively * System Test: evaluate system as w whole * goal is to test whether system meets the functional and technical specifications as well as specified quality standards * enable quality assurance (QA) * Acceptance Testing/ Application: determine whether the software works correctly for the intended user in normal work environment * Most important * conducted by a QA team

Answer 66

* Functional Tests: focus on testing the functions performed by the system * run realistic business scenarios to validate * Black-box Testing: little information about how the product is designed * focusing on design * test system in same manner the end user would to validate * White-Box Testing: provides many details and is focused on code and design improvement as apposed to functionality * Exploratory Testing: utilized for the less-common or exception based situations with no specified test cases * Performance Testing: designed to test run-time or speed performance of software when processing required work load * Recovery Testing: check system's ability to recover from failures * Security Testing: verifies that system protection mechanisms prevent improper penetration or data alteration and validate that authorized access levels function properly * Regression Testing: rerun previous test cases with the entire application after new features or functionalities have been incorporated * Stress Testing: test to see how well it deals with abnormal resource demands (quantity, frequency, and volume) * Sanity Testing: exercises logical reasoning and behavior of the software to determine whether system logic is functioning as designed

Answer 67

* Alpha Testing: initial version of completed software is tested by the customer under the supervision of the developer at the developer's site * Beta Test: later version of the complete software is tested by customer at his or her own site without developer present

Answer 68

* Identify: determine what asset exist and identify and document the risk associated with those assets * Assess: determine the likelihood of the risk materializing and the level of the impact of that threat to the organization * Protect: mitigation strategies must be put in place. * developing and communicating security polices and procedures * developing internal controls * Monitor: continually monitor activities and acquisitions for new risks and ensure that current risk mitigation efforts are still effective

Answer 69

* Technology Risk: risk of disruption to business as a result of any information technology activity * can be pervasive and affect organization's reputation, operations, financial position, and overall strategy * all other risks are under this umbrella * Security Risk: risks associated with unauthorized access or use of an organization's information technology * external threats such as hackers * internal misuse of information, assets, and reputation with stakeholders * Availability Risk: risk that an organization will not be able to access and utilize its information technology as needed * result of some type of system failure or external event * Operational Risk: risk that an organization is unable to operate effectively or efficiently due to issues concerning information technology * includes utilizing software that does not meet the needs of the organization or having correct software but utilizing it ineffectively * Financial Risk: risk of losing financial resources as a result of them being misused, lost, wasted, or stolen * employee using company printer for personal use * Compliance Risk: focused on issues related to information technology not sufficiently meeting the requirements of regulatory bodies * vary by industry * Strategic Risk: risk of misalignment of business and IT strategies

Answer 70

* Natural and Political Disasters: * earthquakes, floods, fires, storms, and floods * transportation accidents * events related to hazardous materials * terrorist attacks * political uprising or war * Errors in software and equipment malfunctions * software crashes or viruses * hardware failures * power outages * Accidental Actions * human errors * negligence * omitted data * data lost, modified or destroyed in transmission or storage * ineffective software training * Intentional Actions * fraud * sabotage * corruption * computer crimes such as viruses, phishing, malware, social engineering, and computer hijacking * financial statement fraud * misappropriation of assets (theft)

Answer 71

* Integrate management of IT Risk into the overall risk management of the enterprise * make well-informed decisions about the nature and extent of the risk, the potential risk appetite, and the risk tolerance of the enterprise. * Develop response to risk

Answer 72

* Systems development life-cycle standards and controls * physical and logical controls over infrastructure * business resiliency management * change management procedures * software acquisition, development, operations, and maintenance controls

Answer 73

* built into typical business processes that use computer application * implement preventive, detective, and corrective control around transactions in order to address effors, deficiencies, and fraud in applications * accurate → complete → valid → authorized

Answer 74

* Manual Controls: control performed b a person without making direct use of automated systems * Automated Controls: performed by an automated systems * embedded with IT infrastructure to provide continuous controls based on established rules * accuracy → timeliness → efficiency → security * IT-Dependent Manual Control: individual performing a control function with some use of an IT component

Answer 75

* Preventive Control: takes precautions to prevent problems in future * hiring qualified and competent personnel * security awareness training * segregation of duties * physical access control (locks/ guards) * Technical control (firewalls/ antivirus software/ security configuration management) * Detective Controls: to find and reveal issues or deficiencies not averted by preventive controls * second line of defense * bank or account reconciliations * physical security such as surveillance cameras * intrusion detection systems * Corrective Controls: have ability to identify, repair, restore, and recover from issues that cause damage to system or process * applying operating system upgrades * maintaining data and system backups * fixing data entry or transaction errors

Answer 76

* Packet-Filtering Firewall: utilizes a router to inspect the header information found in packets of data that travel between the organization's network and the internet and to determine whether to allow or block the exchange * Application-Based Firewall: allows for exchange of information but not the direct exchange of packets. can apply to entire network or for a specific host * Stateful Inspections: Monitor both the packet header and destination

Answer 77

* Hardening: reduce their surface vulnerability by turning off features or functions that are not needed during operations * Patch Management: as vulnerabilities are discovered, should be addressed by patches (r fixes) before they are exploited * Anti-malware Program: implementing robust procedures around the uses of external devices, accessing certain websites, and executing suspicious programs

Answer 78

* involves using password or a digital key to scramble a readable (plaintext) message into unreadable (ciphertext) message * intended recipient of message then uses digital key to decrypt message back to plain text * System Types: * Symmetric: sender and recipient use same shared key * Asymmetric: uses two keys

Answer 79

form of data security electronic documents that are created and digitally signed by a trusted party certify the identify of owners of a particular public key

Answer 80

* system and processes used to issue and management asymmetric keys and digital certificates

Answer 81

location that is equipped with the necessary hardware and possibly software

Chapter 6 Flashcards

(106 cards)