Flashcards in Information Technology Deck (103):
Which IT personnel roles should always be segregated?
What are the duties of a systems analyst?
Designs or purchases IT system
Responsible for flowcharts
Liaison between Users and Programmers
Note: Think IT Manager
What is the primary duty of a Systems Administrator?
A Systems Administrator controls database access.
What are the duties of a Systems Programmer?
Writes, updates, maintains, and tests software, systems, and compilers
Which duties should a Systems Programmer NOT have?
In order to maximize internal control, a Systems Programmer should NOT have application programming duties/abilities or be an Operator on the system.
What are the duties of a Systems Operator?
Schedules and Monitors Jobs
Runs IT Help Desk
What duties should a System Operator NOT have?
For internal control purposes, they should not be a Programmer on the system.
If it is not possible to segregate duties in an IT system, what actions should be taken to compensate for internal control purposes?
Include Computer Logs.
Control Group should review the logs.
What is the purpose of a Management Information System (MIS)?
To assist with decision making.
What is an Accounting Information System (AIS)?
A type of Management Information System (MIS) that processes accounting transactions.
What are the characteristics of an Executive Information System (EIS)?
Specialized for Company Executive needs
Assists with Strategy Only
No Decision-Making Capabilities
What are the characteristics of an Expert System (ES)?
Computer uses reasoning
No human interpretation needed
What are the characteristics of a Decision Support System (DSS)?
Computer provides data
Gives Interactive Support
Human interpretation needed
What are the characteristics of an Ad Hoc computer report?
User initiates the report.
The report is created upon demand.
When are Exception reports generated?
Exception reports are produced when Edit Tests, Check Digits, or Self-Checking Digits identify a problem.
What is a query?
A type of Ad Hoc report, initiated by a user.
What is End-User Computing?
The User develops and executes their own application.
What is the primary benefit of E-commerce?
E-commerce makes business transactions easier.
What are the risks of E-commerce?
Compromised data or theft.
Less paper trail for auditors.
What are the benefits of Electronic Data Interchange?
Uses globally-accepted standards
Efficient
EDI: more expensive, secure, slower (batch), VAN (private)
What is a File Server?
A file server stores shared programs and documents.
What is the purpose of a Database?
Database: files that are interrelated and coordinated
Located on a File Server, a Database allows users to share documents.
What is the purpose of a LAN (Local Area Network)?
It connects computers in close proximity.
What is the purpose of a WAN (Wide Area Network)?
It connects computers that are far apart.
What are the characteristics of a VAN (Value-Added Network)?
Serves as 3rd Party Between 2 Companies
Routes EDI Transactions
Accepts wide range of Protocols
What is the purpose of a Firewall?
Prevents unauthorized access to a network.
What are the characteristics of a virus?
Takes over a computer
Needs a host program to run
What are the characteristics of a computer worm?
Takes over multiple computers
Doesn't need a host program to run
What is the purpose of Automated Equipment Controls?
They prevent and detect hardware errors.
What is RAM?
Random Access Memory.
Internal memory in the computer used during immediate processing.
What is a CPU?
Computer Processing Unit
It processes commands within a computer.
What is Job Control Language?
It schedules and allocates system resources.
What are examples of input devices?
Magnetic Ink Reader
Magnetic Tape Reader
Point of Sale Scanner
What are examples of Output Devices?
What are the characteristics of Magnetic Tape storage?
Sequential Access - Sorts data in order
Slower data retrieval
Header Label prevents Operator error by loading wrong tape
External Labels prevent accidental destruction by operator
What are the characteristics of Magnetic Disks?
Random Access - Finds data in random spots
Faster data retrieval
Uses Boundary Protection for data
What is a Gateway?
Connects one network to another
Note: the Internet is connected by Gateways
What are Parity Checks?
A control that detects internal data errors.
A bit is added to each character; the check detects whether a bit was lost.
What is an Echo Check?
Transmitted data is returned to the sender for verification (it echoes back to the sender)
What is a Change Control?
It authorizes program changes and approves program test results.
What is security software?
Software that controls access to IT systems.
Note: Don't confuse this with anti-virus software
What is the purpose of a Digital Signature?
It confirms a message has not been altered.
List the types of computers from smallest to largest
Microcomputer - PC, Laptop (cost-effective)
Minicomputer - Like a Mainframe, but smaller
Mainframe - Large computer with terminals attached
Supercomputer - Very powerful and very big
What are the units of computer data from smallest to largest?
Bit - 1 (on) and 0 (off)
Byte - 8 bits to a byte/character
Field - group of related characters/bytes (e.g. Name, Zip Code, Serial #)
Record - group of related fields (e.g. Member name, address, phone number)
File - group of related records (e.g. Membership directory)
What is the duty of a design engineer?
Determines the language used for a specific computer, on a computer-to-computer basis
What are object programs?
Programs written in base computer language, not similar to English.
How can source programs be recognized?
They are written in a language close to English.
What is the purpose of a Compiler?
Takes Source language (English) and converts to Object (Computer) Language
How does Online Analytical Processing work?
It uses a Data Warehouse to support management decision making.
What is Data Mining?
Using artificial intelligence and pattern recognition to analyze data stores within a Data Warehouse.
What is the purpose of online transaction processing?
To process a company's routine transactions; master files are updated as each transaction is entered
Requires a random access storage device
Immediate processing - point of sale / supermarket / retail
What are the characteristics of batch processing?
Data is held, then multiple files are updated all at once
Leaves a better audit trail
Uses Grandfather-Father-Son backup (3 levels of backup kept in 3 locations)
Always a time delay
Often used in traditional systems - payroll, GL system - where data do not need to be current all the time
Compares manual and computer-generated batch control totals
Uses random access and/or sequential storage
What does an output control check for?
Checks to see if output data is valid, distributed and used in an authorized manner.
What does a processing control check?
Checks if data processing produced proper output
What is a hash total?
An input control number: a meaningless sum of values included in the input.
Example: summing a list of SSNs to make sure the data is the same once entered as it was prior to input into the system.
What is a validity check?
Checks to see if data in existing tables or files belongs in the set
For example, is there a # in an alpha-only field or a letter in a numeric-only field?
What is a limit check?
Checks to see if numbers surpass a certain limit, e.g. in an age field, is the number greater than 110?
What is a check digit?
An input control that adds an identification number to a set of digits, usually at the end
What is a field check?
An input check that prevents invalid characters, e.g. checks for alphabetic letters in a SSN field
What is a Hot Site?
A disaster recovery system where, if the main system goes down, a Hot Site is ready to take over immediately.
What is a Cold Site?
If a main system goes down, a Cold Site will take time to get set up and running.
What is the most common database language?
SQL - Structured Query Language
What is a Data Definition Language?
Defines SQL Database
Controls SQL Tables
What is a Data Manipulation Language?
Queries SQL Database tables
What is a Data Control Language?
Controls Access to SQL Database
What are the characteristics of a Relational Database?
Uses rows and columns similar to spreadsheet
What are the characteristics of a Hierarchical Database?
Has various levels
Uses trees to store data
What are the advantages of a database?
Data is more accessible
What are the disadvantages of a database?
Cost of installation
Skilled personnel required to maintain
What are the components of a database?
Think: Your desktop computer runs applications and saves to a database
Data input: input verification
Tracing data to appropriate supporting evidence contributes to validation of the accuracy of the transaction and its authorization
Data processing - transactions processed to keep information current
What is done to the data: addition, update, and deletion
Methods: batch processing and OLRT (online real-time)
System development life cycle (SDLC)
Framework for planning and controlling the detailed activities associated with system development. Ex: waterfall approach
SDLC : A DITTO
System Analysis - first step
Design - conceptual and physical
Operations and Maintenance
Participants in Business Process Design
-Management - top level
-Information system steering committee: oversees; high-level management (controllers, user department management). Sets governing policies for the AIS, ensures top management participation, and facilitates integration of the information system
-Project development team - responsible for successful design and implementation of the business system
-External parties: major customers or suppliers
Control objectives for information and related technology : COBIT
Measures, indicators, processes and best practices to maximize the benefit of information technology
COBIT framework (5 components)
1) Business objectives: effective decision support, compliance
2) Governance objectives: strategic alignment, value delivery, resource management, risk management, performance measure
3) Information criteria: ICE RACE: integrity, confidentiality, efficiency, reliability, availability, compliance, and effectiveness.
4) IT resources: applications, information, infrastructure, people
5) Domains and Processes: PO AIDS ME
Apply at the organization level / control environment and include:
*system development standards
*change management procedures
*software acquisition, development, operations, and maintenance controls
General controls that regulate computer activity: segregation of duties, proper authorization of transactions, and safeguarding of assets
Application-specific controls subject to internal control - authority, recording, and custody
Prevent, detect, and correct transaction errors and fraud
Provide reasonable assurance as to the system's accuracy, completeness, validity, and authorization
Input controls - make sure data is reliable (integrity)
Data validation at field level: edit checks, meaningful error messages, input masks, etc.
Prenumbering forms, making it possible to verify that all input is accounted for and that no duplicate entry exists
Well-defined source data preparation procedures. Ex: collect and prepare source documents; sometimes no source document exists because data is entered via a web application
-Recalculation batch totals
-Cross footing and zero balances
-Write-protection mechanism: against overwrite or erasing
-Database processing integrity procedures - procedures for accessing and updating the database by administrators; concurrent update controls protect records from errors when two users attempt to update the same record
-User Review of output
-Reconciliation procedures (input control totals vs output control totals)
-External data reconciliation - e.g. comparing the payroll database against personnel records to detect fictitious employees
-Output encryption - reduces data interception and error; protects data authenticity and integrity. Ex: parity check and message acknowledgement
Managing Control Activities/ Control procedures - controls related to use of information technology resources
*Appropriate segregation of duties to reduce opportunities for anyone to both perpetrate and conceal errors in the normal course of his/her duties
*Design and use of adequate documents and records to help ensure proper recording of transactions
*Limits on asset access in accordance with management's authorization. Ex: a data librarian controls production data and allows access to it only to authorized people
*Information processing controls to ensure proper authorization, accuracy, and completeness of individual transactions
*Implementation of security measures and contingency plans: security measures / data security prevent and detect threats - authorization is needed to access, change, and destroy storage media. Contingency plans minimize disruptions of processing while maintaining data integrity.
Technologies and Security management features
*Safeguard Records and Files
*Backup files: son-father-grandfather; backup of systems that can be shut down, and of those that do not shut down
*Uninterrupted Power Supply
*Program modification controls: track program changes and prevent changes by unauthorized people from being used in production applications
*Data encryption : digital certificates, digital signatures
*Managing passwords: length, complexity
*User Access: initial access, change in position access
Security Policies - how to protect info
Secure stored, processed, and transmitted information
Program-level policy - highest level
Program framework policy
Risk Event identification
Strategic - choosing inappropriate technology
Operating - doing the right things in the wrong way
Financial - resources lost, wasted, or stolen
Information - loss of data integrity, incomplete transactions, hackers
Specific risks: errors, intentional acts, disasters
Risk assessment and control activities
Risk - possibility of harm or loss
Threat - danger
Vulnerability - renders system susceptible to a threat
Safeguards and controls: policies and procedures to reduce vulnerability
Risk assessment: first assess risks and then they can be managed.
Evaluation and types of controls
Risk assessment - steps
1) identify risks
2) evaluate possibility that threat will occur
3) evaluate exposure - potential loss from threat
4) identify controls to guard against threats
5) evaluate costs and benefits of implementing controls
6) implement controls that are cost effective
Limit access to program documentation, data files, programs, and computer hardware to those who require it in the performance of their job responsibilities.
Includes multilevel security, user identification, user authorization (passwords), limited-access rooms, use of file-level access attributes, and firewalls.
Access to computer rooms is limited to computer operators and other IT people. Entry is restricted by specially coded ID cards or keys, or manual key locks. Note: ID cards can be lost or stolen.
Electronic Access - unauthorized access to data and application programs
User identification codes, with periodic change of passwords. Backdoors should be eliminated.
Disconnect hardware devices and deactivate the user ID when consecutive failed attempts to access the system occur
Require hardware devices to log off when not in use, or automatically log them off after they are inactive for a certain time
Use password scanning to detect weak passwords
Require dual (two-factor) authentication, e.g. log in and enter a code that was sent by text message
File-level access attributes: e.g. read-only access
Firewalls: protect against unauthorized access - hardware and software. Packet filtering (examines incoming data according to established rules), circuit-level gateways (allow data inside the network only when an inside computer requests it), application gateway / proxy (examines data in a more sophisticated way - more secure but slower)
Disaster recovery steps
Identify mission-critical applications and data
Develop a plan for handling mission-critical applications
Determine the responsibilities of the people involved
Test the disaster recovery plan
Examples of internal checks are as follows:
Limit check, which identifies if data have a value higher or lower than a predetermined amount
Identification, which determines if the data is valid
Sequence check, which checks sequencing
Error log, which is simply an up-to-date log of all identified errors
Transaction log, which provides the basic audit trail
Arithmetic proof, which computes the calculation in order to validate the result - recalculation
Accuracy checks performed by an edit program.
Accuracy controls include the following:
Use of a current, approved price list
Verification of multiplication and addition
Matching of quantities ordered, received, and invoiced
A DBMS (database management system)
A tool consisting of computer program(s) for organizing, accessing, and modifying a database. It is a collection of programs that enables users to store, modify, or extract information from a database.
A database is a collection of interrelated information that can be used for a variety of purposes. A database is managed by a computer program called a database management system (DBMS).
Data security of an online computer system is protected by an internal user-to-data access control program.
Security depends upon the controls over the issuance of user IDs, and user authentication is the key to enforcing personal accountability.
Data integrity relates to using data for its intended purpose. A local area network would promote data integrity by making data available only to those users having a legitimate reason for access. Centralized access controls would help promote data integrity.
Integrity is the protection of data from unauthorized tampering
Online access controls
Online access controls are absolutely essential in controlling access to and operation of modern computer systems. These controls include:
*user code numbers that restrict access to only authorized users,
*passwords that create a second barrier for access after user code numbers, and
*lists of files and programs along with lists of the type and extent of access a user is entitled to have to those files and programs.
Enterprise resource planning (ERP)
Integrates all aspects of an organization's activities into one accounting information system. By combining financial and nonfinancial information, the entity can be more flexible and responsive while having more information available for decision making.
However, changes to one module can flow throughout the system.
Control totals for an online system are able to accumulate separate totals for all transactions processed during the day and then agree the totals to the total of items accepted for processing.
One-for-one checking generally requires manual comparisons of input data elements to processing results.
General controls: user authentication procedures
Seek to determine if the person seeking access is who they say they are. Password masking is a part of this process. Password masking is the technique of either hiding the password as it is typed or displaying other characters so that observers cannot see what characters the user is actually entering.
Public Key Infrastructure (PKI)
PKI refers to the system and processes used to issue and manage asymmetric keys and digital certificates