Exam 1 Flashcards

(124 cards)

1
an intentional act where the intent is to destroy a system or some of its components
sabotage
2
a text file created by a Web site and stored on a visitor’s hard drive. Stores information about who the user is and what the user has done on the site.
Cookie
3
Any and all means a person uses to gain an unfair advantage over another person
fraud
4
typically business people who commit fraud. They usually resort to trickery or cunning, and their crimes usually involve a violation of trust or confidence
White-collar criminals
5
dishonest conduct by those in power which often involves actions that are illegitimate, immoral, or incompatible with ethical standards. Examples include bribery and bid rigging.
Corruption
6
Misrepresenting or leaving out facts in order to promote an investment that promises fantastic profits with little or no risk. Examples include Ponzi schemes and securities fraud.
investment fraud
7
theft of company assets by employees
misappropriation of assets
8
intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements.
fraudulent financial reporting
9
pressure, rationalization, and opportunity
fraud triangle
10
a person’s incentive or motivation for committing fraud; could be financial, lifestyle, or emotional. Management characteristics, industry conditions, and financial pressures can also lead to financial statement fraud
pressure
11
the condition or situation that allows a person or organization to commit and conceal a dishonest act and convert it to personal gain. Commit, conceal, and convert
opportunity
12
concealing the theft of cash by means of a series of delays in posting collections to accounts receivable
lapping
13
creating cash using the lag between the time a check is deposited and the time it clears the bank.
check kiting
14
the excuse that fraud perpetrators use to justify their illegal behaviors. Ex. “I’m only borrowing it,” “The company owes me, I am only taking what is rightfully mine.”
rationalization
15
any type of fraud that requires computer technology to perpetrate
computer fraud
16
easiest type of computer fraud; involves falsifying or altering computer input
input fraud
17
includes unauthorized system use, including the theft of computer time and services
processor fraud
18
includes tampering with company software, copying software illegally, using software in an unauthorized manner, and developing software to carry out an unauthorized activity
computer instructions fraud
19
illegally using, copying, browsing, searching, or harming computer data
data fraud
20
displayed or printed output that is stolen, copied, or misused
output fraud
21
controls that deter problems before they arise.
preventive controls
22
controls designed to discover control problems that were not prevented
detective controls
23
controls that identify and correct problems as well as correct and recover from the resulting errors.
corrective controls
24
controls designed to make sure an organization’s information system and control environment are stable and well managed.
general controls
25
controls that prevent, detect, and correct transaction errors and fraud in application programs
application controls
26
system that describes how a company creates value, helps employees understand management's vision, communicates company core values, and inspires employees to live by those values
belief system
27
system that helps employees act ethically by setting boundaries on employee behavior
boundary system
28
system that measures, monitors, and compares actual company progress to budgets and performance goals.
diagnostic control system
29
system that helps managers to focus subordinates' attention on key strategic issues and to be more involved in their decisions
interactive control system
30
a security and control framework that allows (1) management to benchmark the security and control practices of IT environments, (2) users of IT services to be assured that adequate security and control exist, and (3) auditors to substantiate their internal control opinions and advise on IT security and control matters.
Control Objectives for Information and Related Technology (COBIT)
31
includes control environment, risk assessment, control activities, information and communication, and monitoring as guidance for evaluating and enhancing internal control systems
Committee of Sponsoring Organizations (COSO) Internal Control–Integrated Framework
32
Includes Internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring as guidance for evaluating and enhancing internal control systems
Enterprise Risk Management framework (ERM)
33
The company culture that is the foundation for all other ERM components, as it influences how organizations establish strategies and objectives; structure business activities; and identify, assess, and respond to risk.
internal environment
34
the amount of risk a company is willing to accept to achieve its goals and objectives. To avoid undue risk, risk appetite must be in alignment with company strategy
Risk appetite
35
the outside, independent board of director members responsible for financial reporting, regulatory compliance, internal control, and hiring and overseeing internal and external auditors
audit committee
36
a document that explains proper business practices, describes needed knowledge and experience, explains document procedures, explains how to handle transactions, and lists the resources provided to carry out specific duties
policy and procedures manual
37
an investigation of a prospective or current employee that involves verifying their educational and work experience, talking to references, checking for a criminal record or credit problems, and examining other publicly available information
background check
38
high-level goals that are aligned with and support the company's mission and create shareholder value
strategic objectives
39
objectives that deal with the effectiveness and efficiency of company operations and determine how to allocate resources
operations objectives
40
objectives to help ensure the accuracy, completeness, and reliability of company reports; improve decision making; and monitor company activities and performance
reporting objectives
41
objectives to help the company comply with all applicable laws and regulations
compliance objectives
42
a positive or negative incident or occurrence from internal or external sources that affects the implementation of strategy or the achievement of objectives.
event
43
the susceptibility of a set of accounts or transactions to significant control problems in the absence of internal control
inherent risk
44
the risk that remains after management implements internal controls or some other response to risk
residual risk
45
impact × likelihood; the product of the potential dollar loss that would occur should a threat become a reality and the risk or probability that the threat will occur
Expected loss
46
policies, procedures and rules that provide reasonable assurance that control objectives are met and risk responses are carried out
control activities
47
separating the accounting functions of authorization, custody, and recording to minimize an employee's ability to commit fraud
segregation of duties
48
cooperation of two or more people in an effort to thwart internal controls
collusion
49
employing multiple layers of controls to avoid a single point of failure
defense-in-depth
50
implementing a combination of preventive, detective, and corrective controls that protect information assets long enough to enable an organization to recognize that an attack is occurring and take steps to thwart it before any information is lost or compromised
time-based model of security
51
using deception to obtain unauthorized access to information resources
social engineering
52
verifying the identity of the person or device attempting to access the system; usually includes something you know, something you have, or some physical or behavioral characteristic
authentication
53
a physical or behavioral characteristic that is used as an authentication credential
biometric identifier
54
the use of two or more types of authentication credentials in conjunction to achieve a greater level of security
multifactor authentication
55
the use of multiple authentication credentials of the same type to achieve a greater level of security
multimodal authentication
56
the process of restricting access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform
authorization
57
a table used to implement authorization controls
access control matrix
58
matching the user's authentication credentials against the access control matrix to determine whether that employee should be allowed to access that resource and perform the requested action.
compatibility test
59
a device that connects an organization's information system to the internet
border router
60
a special-purpose hardware device or software running on a general-purpose computer that controls both inbound and outbound communication between the system behind the firewall and other networks
firewall
61
a separate network located outside the organization's internal information system that permits controlled access from the internet
demilitarized zone
62
special-purpose devices that are designed to read the source and destination address fields in IP packet headers to decide where to send the packet next
routers
63
a set of if-then rules used to determine what to do with arriving packets
access control list (ACL)
64
a process that uses various fields in a packet's IP and TCP headers to decide what to do with the packet
packet filtering
65
a process that examines the data in the body of a TCP packet to control traffic, rather than looking only at the information in the IP and TCP headers. Usually takes longer but is more secure
deep packet inspection
66
software or hardware that monitors patterns in the traffic flow to identify and automatically block attacks
intrusion prevention systems (IPS)
67
a standard method for verifying the identity of users attempting to connect via dial-in access
remote authentication dial-in user service (RADIUS)
68
searching for an idle modem by programming a computer to dial thousands of phone lines
war dialing
69
collective term for the workstations, servers, printers, and other devices that comprise an organization's network
endpoints
70
flaws in programs that can be exploited to either crash the system or take control of it
vulnerabilities
71
automated tools designed to identify whether a given system possesses any unused and unnecessary programs that represent potential security threats.
vulnerability scanners
72
the process of modifying the default configuration of endpoints to eliminate unnecessary settings and devices
hardening
73
the formal process used to ensure that modifications to hardware, software, or processes do not reduce system reliability
change control and change management
74
the process of examining logs to identify evidence of possible attacks
log analysis
75
a system that creates logs of all network traffic that was permitted to pass the firewall and then analyzes those logs for signs of attempted or successful intrusions.
intrusion detection system (IDS)
76
an authorized attempt to break into the organization's information system
penetration test
77
a team that is responsible for dealing with major security incidents
computer incident response team (CIRT)
78
a program designed to take advantage of a known vulnerability
exploit
79
code released by software developers that fixes a particular vulnerability
patch
80
the process of regularly applying patches and updates to software
patch management
81
running multiple systems simultaneously on one physical computer
virtualization
82
using a browser to remotely access software, data storage, hardware, and applications
cloud computing
83
a record of company data sent to an external party and then returned by the external party for subsequent input to the system
turnaround document
84
an edit check that tests whether the characters in a field are of the correct field type (e.g., numeric data in numeric fields)
field check
85
an edit check that verifies that the data in a field have the appropriate arithmetic sign
sign check
86
an edit check that tests a numerical amount against a fixed value
limit check
87
an edit check that tests whether a data item falls within predetermined upper and lower limits
range check
88
an edit check that ensures that the input data will fit into the assigned field.
size check
89
an edit check that verifies that all data required have been entered
completeness check (or test)
90
an edit test that compares the ID code or account number in transaction data with similar data in the master file to verify that the account exists
validity check
91
an edit check of the logical correctness of relationships among data items
reasonableness test
92
ID numbers (such as employee number) can contain a check digit computed from the other digits
check digit
93
recalculating a check digit to verify that a data entry error has not been made
check digit verification
94
an edit check that determines if a batch of input data is in the proper numerical or alphabetical sequence
sequence check
95
the sum of a numerical item for a batch of documents, calculated prior to processing the batch, when the data are entered, and subsequently compared with computer-generated totals after each processing step to verify that the data was processed correctly
batch totals
96
a type of batch total that equals the sum of a field that contains monetary values, or something that you would normally add like total hours worked
financial total
97
a type of batch total generated by summing values for a field that would not usually be totaled
hash total
98
a type of batch total that equals the number of records processed at a given time
record count
99
an online data entry completeness check that requests each required item of input data and then waits for an acceptable response before requesting the next required item
prompting
100
an input validation method that uses data entered into the system to retrieve and display other related information so that the data entry person can verify the accuracy of the input data
closed-loop verification
101
type of internal label that appears at the beginning of each file and contains the file name, expiration date, and other file identification information.
header record
102
type of internal label that appears at the end of a file; in transaction files, the trailer record contains the batch totals calculated during input
trailer record
103
an error that results when numbers in two adjacent columns are inadvertently exchanged
transposition error
104
a processing control which verifies accuracy by comparing two alternative ways of calculating the same total
cross-footing balance test
105
a processing control that verifies that the balance of a control account equals zero after all entries to it have been made
zero-balance test
106
controls that lock out users to protect individual records from errors that could occur if multiple users attempted to update the same record simultaneously
concurrent update controls
107
a data transmission control that uses a hash of a file to verify accuracy
checksum
108
an extra bit added to every character; used to check transmission accuracy
parity bit
109
a data transmission control in which the receiving device recalculates the parity bit to verify accuracy of transmitted data
parity checking
110
the capability of a system to continue performing when there is a hardware failure
fault tolerance
111
a fault tolerance technique that records data on multiple disk drives instead of just one to reduce the risk of data loss
redundant arrays of independent drives (RAID)
112
an alternative power supply device that protects against the loss of power and fluctuations in the power level by using battery power to enable the system to operate long enough to back up critical data and safely shut down
uninterruptible power supply (UPS)
113
a copy of a database, file or software program
backup
114
the amount of data the organization is willing to reenter or potentially
recovery point objective (RPO)
115
to restore an organization's information system following a disaster, representing the length of time that the organization is willing to attempt to function without its information system
recovery time objective (RTO)
116
maintaining complete copies of a database at two separate data centers and updating both copies in real-time as each transaction occurs
real-time mirroring
117
exact copy of an entire database
full backup
118
a type of partial backup that involves copying only the data items that have changed since the last partial backup. This produces a set of incremental backup files, each containing the results of one day's transactions
incremental backup
119
a type of partial backup that involves copying all changes made since the last full backup. Thus, each new differential backup file contains the cumulative effects of all activity since the last full backup.
differential backup
120
a copy of a database, master file, or software that is retained indefinitely as a historical record, usually to satisfy legal and regulatory requirements
archive
121
a plan to restore an organization's IT capability in the event that its data center is destroyed
disaster recovery plan (DRP)
122
a disaster recovery option that relies on access to an alternative facility that is prewired for necessary telephone and internet access, but does not contain any computing equipment
Cold site
123
a disaster recovery option that relies on access to a completely operational alternative data center that is not only prewired but also contains all necessary hardware and software
hot site
124
a plan that specifies how to resume not only IT operations but all business processes in the event of a major calamity
business continuity plan (BCP)