Information Technology (15-25%) Flashcards
(34 cards)
What is the COBIT Model?
Control OBjectives for related and Information Technologies (COBIT)
provides framework for implementation of IT into control system & understand risks of doing so - guide to managers and users to adopt best IT practices
aimed at figuring out 3 main things (PRO):
1 - OBJECTIVES - what are our business requirements of IT system?
2 - RESOURCES - what IT resources would be necessary to implement such system?
3 - PROCESSES - what IT processes do we need to figure out how to implement such system?
What are the 4 main domains of the COBIT Model?
DAMP
1 - PLANNING & ORGANIZATION - how IT system helps accomplish objectives
2 - ACQUISITION & IMPLEMENTATION - how acquires and develops IT solutions and automated solutions that address objectives
3 - DELIVERY & SUPPORT - how can best deliver required IT services including operations, security, continuous service, and training
4 - MONITORING - how can periodically assess IT processed for quality and control
What are the 7 attributes of desired information from COBIT Model?
ICCAREE 1 - effective 2 - efficient 3 - confidential 4 - integrity 5 - available 6 - compliant 7 - reliable
What is an IT Risk Assessment?
3 main risk management components:
1 - EVALUATION - to identify and evaluate properties and characteristics
2 - ASSESSMENT - to discover threats and vulnerabilities that pose risk to assets
3 - MITIGATION - to address risk by transferring, eliminating, or accepting it
What is Change Management?
policies and procedures governing change within organization
follows basic logical steps of implementing change:
- identify need for change
- create plan outlining objectives of change
- obtain approval from management, create budget, map out general timeline
- identify risks of implementing change
- test change
- implement change
- review and monitor
What are the 3 Risks associated with Change Management?
1 - ACQUSITION RISKS:
inability to consider all effects of implementing new system/software - could be incompatibilities with existing systems or with organizational objectives
2 - INTEGRATION RISKS:
EEs resisting adoption of new system/software, lack of adequate resources to correctly implement change, possibility of unforeseen incompatibility
3 - OUTSOURCING RISKS:
outside organization does not have same understanding/knowledge of objectives, security of sensitive information
What are the 7 stages of Systems Development Lifecycle (SDLC)?
PADDTIM
1 - PLANNING & FEASABILITY
- technical feasibility - possible with current IT system?
- economic feasibility - do benefits outweigh costs?
- operational feasibility - will system work?
2 - ANALYSIS - identifies what system must accomplish
3 - DESIGN - interactions among systems/users-flowcharted
4 - DEVELOPMENT
5 - TESTING
6 - IMPLEMENTATION
- parallel implementation - old system and new system run side by side, until clear new system works
- cold turkey - old system dropped, new system implemented all at once
- phased implementation - new system implemented in phases
- pilot implementation - users divided into small groups and one group at a time implements new system
7 - MAINTENANCE - user groups/help desks used to monitor issues as time goes on
What is involved in the documentation of an IT system? What are the 4 levels of documentation?
documentation required in order to:
- evaluate system
- train EEs on using system
- re-create or re-deploy system after crisis
- for auditors to use during audits
- can be in many different forms - questionnaires, narrative description, flow charts, diagrams, decision tables, etc.
SOUP
1 - SYSTEM documentation - gives overview of programs/data and how system works together
2 - PROGRAM documentation - is record of programming logic - mainly used for programmers
3 - OPERATOR documentation - run manual is necessary information to run programs - used by computer operators
4 - USER documentation - helps untrained user to understand and use system
What are the IT System Access types of Controls?
2 types of control:
1 - LOGICAL controls:
within computer systems - prevent authorization access - user authentication, ability to read/write, firewalls, etc.
2 - PHYSICAL ACCESS controls:
physical measures taken to protest information of organization - keycards to open certain doors, fingerprint scanners, etc.
What are the IT Segregation of Duties and Roles?
segregation of: PADDO
- planning
- design
- development
- administration
- operating of IT system
SAAP-SASP-O
- SYSTEMS ANALYST - designs and analyzes - usually lead a team of programmers
- APPLICATION PROGRAMMER - write the programs
- SYSTEM ADMINSTRATOR - grants access to system resources and manages activities within
- SYSTEM PROGRAMMER - maintain and update systems and hardware
- OPERATOR - actual users of system/software
What are 3 main areas regarding sensitive information risk in IT?
1 - critical information
2 - confidentiality
3 - privacy
*numerous ways this information can be stolen, exposed, misused, accessed without authorization
What are the 6 categories of General IT Controls?
1 - PREVENTIVE controls - prevent error before occurs
2 - DETECTIVE controls - detect error after occurs
3 - CORRECTIVE controls - reverse effects of error
4 - FEEDBACK controls - results evaluated/adjusted
5 - GENERAL controls - apply all parts
6 - APPLICATION controls - apply to specific parts
What are the 3 types of Application IT Controls?
1 - INPUT controls - ensure transactions are Valid, Complete, and Accurate (ACV)
2 - PROCESSING controls - ensure updates and processes work accurately, completely, and detect unauthorized transactions
3 - OUTPUT controls - ensure reports generated are accurate and only distributed to authorized individuals
What are a few examples of Input Controls under the Application IT Controls?
ACV - accurate, complete, valid
- DEFAULT VALUES - help reduce mistakes, such as date on order page being auto filled in with current days date
- AUTOMATED DATA CAPTURE - barcode allows fast data entry and reduces mistakes
- REASONABLENESS CHECK - compares 2 fields, such as hours worked with paycheck total, makes sure values reasonable
- CLOSED LOOP VERIFICIATION - reduces data entry errors - retrieves related information, if comes up wrong, user knows typed wrong
- SEQUENCE CHECK - verifies all numbers in sequence accounted for, such as check numbers
- HASH TOTAL - total for field with no actual meaning, can prevent errors, such as adding up numbers of customer account
What are a few examples of Processing Controls under the Application IT Controls?
REI
- ELECTRONIC AUDIT TRAIL - list of transactions written to a log, provides trail
- RUN TO RUN - counts that monitor number of units in batch as move from one procedure to another
- INTERNAL LABELS - tells program using correct files for update process
What are a few examples of Output Controls under the Application IT Controls?
SAD
- SPOOLING CONTROLS - jobs sent to printer, held in queue, access to queue is restricted
- ABORTED PRINT JOBS - control to dispose of partial printouts or aborted print jobs - can contain sensitive data
- DISTRIBUTION LOGS - record of who receives what reports, make sure only those authorized receive
What is Encryption? and what are the 2 types?
process of converting regular text to code, can only be deciphered by intended recipient (ideally) - usually a type of system/software is converting message
- SYMMETRIC encryption - simple, easy to use - less secure - single algorithm
- ASYMMETRIC encryption - more complicated to use - more secure - 2 algorithms used
What is a peer-to-peer network (P2P)?
when different nodes all share communications management - no central controlling server (2 of more PCs share files & access to devices) - how Bitcoin (BTC) operates
What is a local area network (LAN)? What is a wide area network (WAN)?
LAN - confined to small geographic area such as one office or even just one floor
WAN - cover large geographic areas, such as national network
What is a node?
electronic device that is attached to a network, and is capable of creating, receiving, or transmitting information over a communication channel
What is an extensive markup language (XML)?
What is hypertext markup language (HTML)?
What is extensible business reporting language (XBRL)?
XML - protocol for encoding documents in a machine readable form
HTML - language for web pages
XBRL - protocol for encoding and tagging business and accounting/financial specific information in electronic form
What is transmission control protocol (TCP)/internet protocol (IP)?
What is file transfer protocol (FTP)?
TCP/IP - transmission protocol of internet
FTP - protocol used to transfer files from client to server
What is social engineering?
set of techniques used by fraudster to get sensitive information from EEs - getting information from people instead of actually hacking computer systems
What are the 4 electrical systems risks?
1 - failure/outage
2 - reduced voltage (brownout)
3 - spike/surges
4 - electromagnet interference
