INFOS SUMMARY Flashcards

(171 cards)

1
Q

what is data?

A

facts collected, recorded and stored in the system

2
Q

what is information?

A

meaningful and organized data

3
Q

uses for IT?

A

helps decision makers more effectively filter and condense info

4
Q

when is info valuable?

A

when benefits exceed costs of gathering, storing, maintaining

5
Q

what makes info useful?

A
  • relevant
  • reliable
  • complete
  • timely
  • understandable
  • verifiable
  • accessible
6
Q

what are business processes?

A

activities and tasks performed to achieve specific organisational goals

7
Q

what is a business transaction?

A

an agreement between two entities to exchange g/s/other that can be measured in economic terms by the entity

8
Q

what is transaction processing?

A

when transactional data is used to create FS

9
Q

what is a basic bus process?

A

transactions betw the bus and third parties:

  • revenue cycle (give g/s = get cash)
  • expenditure cycle (get g/s = give cash)
10
Q

what is an AIS?

A

a system that collects, records, stores and processes data to produce info for decision makers

11
Q

components of an AIS?

A
  • people who use it
  • processes
  • technology
  • controls to safeguard info
12
Q

how does an AIS add value to an org?

A
  • improves quality and reduces service costs
  • improves efficiency
  • improves decision making
13
Q

what is a strategy?

A

the overall goal the org hopes to achieve

14
Q

what does a value chain do?

A

it links together diff activities within an org that provide value to the customer

15
Q

primary value chain activities?

A

provide direct value to the customer

16
Q

value chain support activities?

A

enable primary activities to be efficient and effective

17
Q

what is a data processing cycle?

A

demonstrates the operations performed on data to make the info meaningful for decisions

18
Q

what triggers data processing?

A

a business activity

19
Q

four components of data processing cycle

A

input > processing > info output
(storage sits alongside processing: data are written to and read back from storage)

20
Q

what forms part of (1) data input?

A

data collection/preparation

21
Q

what forms part of (2) data processing?

A
  • editing
  • correction
  • manipulation
22
Q

what data must be collected when a bus activity is initiated?

A
  • activity type
  • resources affected by the activity
  • people who took part in it
23
Q

what is data collection?

A

process which ensures that data are both defined and accurate so that decisions can be valid

24
Q

what is data preparation?

A

manipulation of data into a form more suitable for analysis

25
what happens during data input?
verified data is converted into machine-readable form so that it can be processed. time consuming, and requires both speed and accuracy.
26
what is a turnaround document?
(a source document) company output that is sent to an external party, who adds data to it and returns it to the company, where it becomes an input
27
what is a transaction processing system?
IS that processes data generated from bus transactions
28
what are the objectives of a TPS?
  • carries out day-to-day transactions
  • supplies the info that enables the org's business functions
  • supplies data to other IS
29
what is a transaction?
a business event that modifies/generates data stored in an IS
30
TPS characteristics?
  • rapid processing (info available when needed)
  • processing reliability
  • controlled access
  • efficient, and meets the ACID requirements
31
what are the ACID requirements?
  • Atomicity: a transaction is all-or-nothing; if any part fails, none of it is applied
  • Consistency: every transaction takes the data from one valid state (according to the defined rules) to another valid state
  • Isolation: concurrent transactions do not interfere with each other; the result is as if they ran one after another
  • Durability: once committed, a transaction's effects persist even after a crash or power loss
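An added example (not part of the flashcard set) showing two of the ACID requirements with Python's built-in sqlite3: a CHECK constraint enforces the "no negative balance" rule (Consistency), and a transfer that violates it is rolled back as a whole, so the credit that was already applied disappears too (Atomicity). The account names and amounts are constructed sample data; the `transfer` and `demo` functions are this example's own, not something from a TPS the cards describe.

```python
import sqlite3

# Added example, not from the flashcard set. The ledger, accounts and
# amounts are constructed sample data.


def open_ledger() -> sqlite3.Connection:
    """In-memory ledger; the CHECK constraint is the business rule that
    every committed state must satisfy (Consistency)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts ("
        "  id TEXT PRIMARY KEY,"
        "  balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("cash", 1000), ("supplier", 0)],
    )
    conn.commit()  # Durability: committed rows survive from here on
    return conn


def transfer(conn: sqlite3.Connection, src: str, dst: str, amount: int) -> bool:
    """Move `amount` from src to dst as one atomic unit of work.

    The credit is applied first on purpose: if the following debit is
    rejected by the CHECK constraint, the `with conn:` block rolls the
    whole transaction back, so the credit is undone as well.
    """
    try:
        with conn:  # commits on normal exit, rolls back on exception
            conn.execute(
                "UPDATE accounts SET balance = balance + ? WHERE id = ?",
                (amount, dst),
            )
            conn.execute(
                "UPDATE accounts SET balance = balance - ? WHERE id = ?",
                (amount, src),
            )
        return True
    except sqlite3.IntegrityError:  # rule violated -> nothing was applied
        return False


def balance(conn: sqlite3.Connection, acct: str) -> int:
    return conn.execute(
        "SELECT balance FROM accounts WHERE id = ?", (acct,)
    ).fetchone()[0]


def total(conn: sqlite3.Connection) -> int:
    """Sum of all balances; a transfer must never change it."""
    return conn.execute("SELECT SUM(balance) FROM accounts").fetchone()[0]


def demo() -> dict:
    conn = open_ledger()
    first_ok = transfer(conn, "cash", "supplier", 300)   # 1000/0 -> 700/300
    second_ok = transfer(conn, "cash", "supplier", 900)  # would overdraw cash
    return {
        "first_ok": first_ok,
        "second_ok": second_ok,
        "cash": balance(conn, "cash"),
        "supplier": balance(conn, "supplier"),
        "total": total(conn),
    }


if __name__ == "__main__":
    print(demo())
```

After the rejected second transfer the supplier balance is still 300, not 1200: the credit that had already been written inside the transaction was discarded with it. Isolation is what lets two such transfers run concurrently without one seeing the other's half-applied state.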
32
what is the design of a TPS based on?
  • data content and format
  • execution details of transactions
  • rules to be enforced
33
what are TPSs capable of?
  • enforcing rules and work procedures
  • detecting errors/missing data
  • automating certain decision-making functions
34
what are the four types of data processing?
  • Create new records
  • Read existing data
  • Update previous records/data
  • Delete data
35
methods of data processing?
  • batch processing
  • online real-time processing
  • online batch processing
36
adv of batch processing?
  • cheaper
  • can manage large, repeated workloads easily
  • one batch system can be shared by multiple users
37
disadv of batch processing?
  • time delays (results are not available until the whole batch run completes)
  • difficult to debug
38
how does real-time processing work?
comp sys processes data immediately after capture and provides updated info to users on a timely basis
39
adv of real-time processing?
  • accessible
  • cost savings
  • service improves dramatically
40
disadv of real-time processing?
  • servers must always be online (expensive because of the resources and processing time required)
41
what is data storage?
an important stage in the cycle where data are held for future usage. allows for quicker access to processed info so that it can be passed on to the next stage.
42
what is CBS?
computer-based storage
43
what are attributes (CBS)?
facts/properties about an entity
44
what are data values (CBS)?
actual value stored in a field, describing a particular attribute of an entity
45
what are records (CBS)?
a group of fields whose data values describe entity attributes
46
what are fields (CBS)?
this is where attributes of an entity are stored
47
what is the info output stage?
the stage where processed info is transmitted to the user (can be viewed online) to be interpreted and given meaning to guide decisions
48
what do IS produce output for?
  • planning
  • recording/processing transactions
  • monitoring performance
  • controlling
  • decision making
49
what is a file?
a group of related records about one type of entity
50
what is a masterfile?
what stores all accumulated info about an org
51
what does the transaction file consist of?
all bus transactions that occurred during a specific time
52
what does an enterprise resource planning system do?
integrates activities from the entire org (revenue, expenditure, production)
53
adv of ERPSs?
(help MONITOR, CONTROL, AUTOMATE)
  • greater monitoring capabilities for mgmt
  • improved access to and control of data
  • increased productivity through automation
54
disadv of ERPSs?
  • costly
  • complex
  • lots of time to implement
55
what are some threats to an AIS?
  • natural/political disasters
  • software errors / equipment malfunctions
  • unintentional and intentional acts
56
what is fraud?
any means a person uses to gain an unfair advantage over another. its elements:
  • a false statement
  • about a material fact
  • which induces the victim to act
  • made with intent to deceive
57
what are the two main categories of fraud?
  • misappropriation of assets (theft of company assets)
  • fraudulent financial reporting
58
elements of misappropriation of assets?
  • an org's assets are taken through trickery/deceit, not force
  • the act of asset theft, its concealment and the conversion of the asset must all be present
59
when can misappropriation of assets occur?
  • before they are recorded in the books (skimming)
  • while assets are being held by the org (larceny)
  • during the purchasing process
60
examples of misappropriation of assets?
skimming, larceny, misuse of equipment/inventory/cash
61
what are the three conditions for fraud?
  • pressure
  • opportunity
  • rationalization
62
how to prevent and detect fraud?
  • make it less likely to occur
  • make it harder to commit
  • improve detection
  • reduce fraud losses
63
how to make fraud less likely to occur?
  • create a culture of integrity
  • develop and communicate the security policy
  • assign authority for business objectives and hold people accountable for achieving them
64
how to make fraud difficult to commit?
  • strong internal controls
  • require independent checks
  • restrict access
  • use encryption and system authentication
65
how to improve fraud detection?
  • external/internal audits
  • audit trails of system transactions
  • install fraud detection software
66
how to reduce fraud losses?
  • insurance
  • monitor system activity
  • store backup copies of data files in a secure location
67
why do many orgs experience major control failure?
  • increased number of IS = more people accessing info
  • decentralized networks are harder to control than centralized ones
  • wide area networks give customers and suppliers access to each other's systems and data
68
what are some common business exposures?
  • erroneous bookkeeping
  • fraud, cybercrime
  • excessive costs
  • loss of resources
69
what is a cryptocurrency?
a digital/virtual currency secured by cryptography, which makes it very hard to counterfeit. many run on decentralized networks based on blockchain tech and are designed to operate without a central issuer or direct gov control.
70
what is a blockchain used for in cryptocurrency?
ensuring the integrity of transactional data
71
uses for cryptocurrency
  • prevent fraud
  • verify transaction correctness
  • ensure security
72
what is a blockchain?
a type of database that stores data in blocks chained together in chronological order. new data is entered into a fresh block as it comes in, and that block is chained to the previous one.
73
business risk of cryptocurrency?
  • not backed by a central party; their value is whatever market participants place on them. a loss of confidence means a collapse of trading activity and a drop in value
74
cyber risk of cryptocurrency?
  • criminals can break into exchanges and drain crypto wallets, or infect computers with malware that steals cryptocurrency
  • cryptocurrency relies heavily on unregulated companies that may lack proper internal controls, so it is more susceptible to fraud and theft
  • keys cannot be recovered if lost/stolen
75
operational risk of cryptocurrency?
access to money in account cannot be restored if keys are lost / stolen
76
regulatory/compliance risk of cryptocurrency?
some countries do not allow the use of cc
77
market risk of cryptocurrency?
there are liquidity concerns and market may be easily manipulated
78
accounting risks of cryptocurrency?
  • not cash and not backed by a gov, and thus volatile, with a significant risk of changes in value
  • do not give owners a contractual right/obligation to receive cash or a financial asset (cannot be considered a financial instrument)
79
why do we need controls?
  • to provide assurance that the goals of each business process are being achieved
  • to mitigate the risk that the entity is exposed to
  • to provide assurance that the company is in compliance with gov regulations
80
name some basic control concepts?
  • input / output
  • processing
  • standard
  • sensor
  • comparator
  • effector
  • feedback / feedforward
  • control objectives
81
what do feedback loops do?
they gather info on the past performance from the output of a system which is then used to govern future performance by adjusting the input
82
what does a negative feedback aim to do?
attempt to change the direction of the actual movement of the system to bring it back in line with the plan
83
what does a positive feedback aim to do?
will cause a system to repeat or amplify a certain action
84
how does a feedforward ctrl system work?
if forecast costs start to rise above budget then action may be prompted on a feedforward principle to prevent such a deviation from ever actually occurring
85
what do int controls aim to do?
provide reasonable assurance of:
  • efficient, effective operations
  • reliable financial reporting
  • compliance with laws
86
what are controls framed by?
  • what is to be attained
  • the means to attain those goals
87
main objectives of controls?
  • to safeguard assets
  • to check the accuracy and reliability of accounting data
  • to promote operational efficiency
88
what is the primary objective of an AIS?
to control the org so that it can achieve its objectives
89
functions of internal controls?
prevent, detect, correct
90
what are general controls?
designed to ensure an org's control environment is stable and well-managed:
  • security mgmt
  • IS mgmt
  • IT infrastructure controls
91
what are application controls?
prevent, detect and correct errors and fraud in transactions. concerned with the validity, accuracy and completeness (VAC) of data, and with authorization.
92
what are some general ctrls wthin IT environments?
  • org-level controls
  • personnel controls
  • file security controls
  • computer facility controls
93
what are the five interrelated components of int control?
1) control environment 2) risk assessment 3) control activities 4) info and communication 5) monitoring
94
what is IT governance concerned with?
- IT's value delivery to the business | - mitigating IT risks
95
what does IT governance involve?
  • strategic IT alignment
  • value delivery
  • risk, resource and performance mgmt
96
how does a framework address the issue of control?
five key principles:
1) customize business processes to make an IS that adds value
2) integrate IT and processes
3) apply a single integrated framework
4) apply an approach that results in effective governance and management of IT functions
5) separate governance from management
97
what is the COSO?
a private sector group that issued the framework which defines internal controls and provides guidance for evaluating and enhancing control systems
98
what does ERM stand for?
enterprise risk management
99
what does the BoD and mgmt use ERM for?
  • to set strategy
  • to identify events that may affect the entity
  • to manage risk
  • to provide assurance that the company achieves its objectives
100
what are the basic principles of ERM?
  • companies are formed to create value for their owners
  • mgmt must decide how much uncertainty it will accept
  • uncertainty = risk (negatively affects the ability to create value) or opportunity (positive effects)
  • ERM manages uncertainty and so can create/preserve value
101
what are the kinds of objectives of ERM?
  • strategic
  • operational
  • reporting
  • compliance
102
strategic obj of ERM?
should provide assurance that the board is informed of the progress on the achievement of bus goals
103
operational obj of ERM?
provide a guide for org to reach operational goals = effective use of resources
104
reporting obj of ERM?
ensures continued flow of capital to meet strategic obj
105
what does the internal environment consist of?
  • mgmt philosophy, operating style, risk appetite
  • commitment to integrity, ethical values
  • organizational structure
  • methods of assigning authority
  • HR standards
106
how does ERM ensure objective setting?
it ensures there is a plan in place to formulate objectives that support the comp mission and consistent with their risk tolerance
107
what is event identification?
identify risks or factors that prevent an org from achieving goals
108
what is risk severity = to?
risk prob x risk impact
109
how do we assess risk?
in terms of potential impact and probability
110
monitoring in ERM?
can recommend any changes to the ERM | aims to ensure ERM program functions as designed
111
five components of the COSO ERM frmwrk?
  • governance and culture
  • strategy / objective setting
  • performance
  • review and revision
  • info, communication, reporting
112
governance and culture in COSO ERM?
forms the basis of the other components by providing board oversight responsibilities, operating structure and leadership tone
113
strategy/obj setting in COSO ERM?
focuses on strategic planning and how the org can assess risk. provides guidance on risk appetite and forming obj
114
performance in COSO ERM?
guides how the org identifies and assesses risk after developing a strategy, and how it responds to that risk
115
review and revision in COSO ERM?
opportunity to see how the ERM can be improved
116
info, comm, reporting in COSO ERM?
sharing info from int/ext sources throughout the org. systems are used to process, capture and report business risk, culture and performance
117
what are the components of risk culture?
  • risk appetite / tolerance
  • responsibility and accountability for IT risk mgmt
  • awareness and communication
  • risk culture
118
what does risk governance do?
provides policies, controls and op guidelines that enable IT leaders to manage risk and weigh bus value
119
types of risk?
  • capacity (amount the org is able to take)
  • universe (all possible risks)
  • tolerance (capacity minus appetite)
  • appetite (amount the org is willing to take)
120
what is the risk profile?
something that will outline the number/type of risks and the effects thereof. allows the org to anticipate additional costs and disruptions to ops.
121
controls for info security / trust services framework?
  • system reliability
  • confidentiality
  • privacy
  • processing integrity
  • availability
  • security
122
security in trust services framework?
access to system and data is controlled and restricted to legit users
123
confidentiality in trust services framework?
implies a relationship between two or more persons in which the info com betw them is kept in confidence. sensitive org data is protected
124
privacy in trust services framework?
the necessity to preserve and protect the personal info held by the org from being accessed by a third party
125
processing integrity in trust services framework?
data are processed accurately, completely, timely and with proper auth
126
security life cycle?
1) assess threats, select risk response
2) develop and communicate policy
3) acquire and implement systems
4) monitor performance
repeat: risks can change and threats can increase, so the policy may need to be revisited
127
defense in depth security approach?
multiple layers of control (preventive and detective) so that there is no single point of failure
128
security is effective if?
P > D + C, where P is the time it takes an attacker to break through the Preventive controls, D is the time it takes to Detect the attack in progress, and C is the time it takes to respond and Correct. the attack fails if it is detected and stopped before the preventive controls are defeated.
129
steps used by criminals to attack IS?
  • reconnaissance
  • attempting social engineering (e.g. spear phishing)
  • scan and map the target
  • research
  • execute the attack
  • cover tracks (e.g. install back doors)
130
what is confidentiality?
implies a relationship between persons in which the info comm betw them is to be kept in confidence (org intellectual property, plans, secrets)
131
what is data/info privacy?
the necessity to protect any personal info collected by an org from being accessed by a third party (personal info of employees, vendors, cust)
132
how to protect the priv/conf of sensitive info?
  • identify/classify the info to protect (location, access)
  • encrypt the info, protecting it in transit and in storage (only accessible to authorized people)
  • add access controls
  • train the users of the info
133
what is data masking?
concealing/encrypting selected info (such as when third parties access reports but aren't authorized to see certain info)
134
what is data exfiltration?
the unauthorized transfer of data out of a computer or network (data theft), often carried out by malware or by an insider
135
what are the gen accepted privacy principles?
(sets out how orgs may collect, store, use and disclose personal info)
  • mgmt (policies with assigned responsibility)
  • notice (tell people about the policies)
  • choice and consent (opt-in/opt-out)
  • collection (only the info needed)
  • quality
  • use and retention (for business purposes only)
  • disclosure to third parties
  • access (customers should be able to access/review their data)
  • security (protect from loss, unauthorized access)
  • monitoring and enforcement (compliance)
136
what influences encryption strength?
  • key length
  • algorithm
  • key mgmt policy
137
what is an encryption key?
a random string of bits created explicitly for scrambling and unscrambling data. reverses encryption process to make info readable.
138
what is cipher text?
encrypted text
139
what happens in pub/priv encryption?
  • multiple people have access to the public key, which encodes messages
  • one or a few people have access to the private key, which decodes messages
140
what creates a hash?
a hashing algorithm
141
what is cryptography?
the science of de/coding messages to keep them secure
142
what is a hash?
a fixed-length value computed from data (a string of text, a document) by a hashing algorithm, in such a way that it is infeasible to find a different input that produces the same hash value, or to recover the input from the hash.
143
what are hashes used for?
used to validate content integrity, by detecting mods, and changes to a hash output. reflects every bit in a doc.
144
what does encryption do?
encodes data for the primary purpose of maintaining data conf and security
145
hashing vs encryption diff
encryption is two way function that incl encryption and decryption (reversible). hashing is a one way function that changes plain text to a unique irreversible digest.
146
hashing vs encryption sim
  • both are used for handling data, messages, info
  • both change data into a different format
147
what is a digest?
is a cryptographic hash
148
how is a hash encrypted
with the private key of the person who created it (the signer). the result is that person's digital signature over the document.
149
encryption/decryption for a message?
sender encrypts using receiver's public key, receiver decrypts using their private key
150
encryption/decryption for a digital signature?
created by encrypting the hash using sender's private key. it is decrypted with the sender's public key
151
what is key escrow?
a data security measure in which a cryptographic key is entrusted to a third party
152
what is a cryptographic key used for?
encrypts and decrypts data
153
symmetric system vs asymmetric
same key encrypts and decrypts vs encrypt with public key, decrypt with private
154
if symmetric system key is stolen?
the attacker can decrypt (and forge) any info encrypted with that key
155
if asymmetric system key is stolen?
the public key is widely distributed, the private key is stored securely. if the private key is compromised, the attacker can decrypt all info sent to you that was encrypted with your public key, and can also impersonate you with your private key (create digital signatures in your name)
156
what is a digital signature?
a way to ensure that an electronic doc is authentic (not modified, who created it). relies on encryption.
157
what is authentication?
verifying that info is coming from a trusted source
158
creating a digital signature?
  • the document creator creates a hash of the original document (using a hashing algorithm)
  • they use their private key to encrypt the hash; the encrypted hash is the digital signature
159
what is non-repudiation?
the assurance that someone cannot deny the validity of something. provides proof of data origin and integrity. digital signatures (combined with other measures) can offer this.
160
what can digital signatures assure?
that someone cannot enter into a digital transaction and deny that they have done so and refuse to fulfil their side of the contract
161
if hashes are identical?
the docs are identical (for a cryptographic hash, two different docs producing the same value is computationally infeasible, so matching hashes are taken as proof that the content has not changed)
162
if something can be decrypted with someone's public key?
it must have been enc with their private key
163
symmetric encryption?
  • one key both encrypts and decrypts
  • both parties need to know the key and need a secure way to communicate it
  • a key should not be shared among multiple parties: each pair of communicating parties needs its own key, otherwise anyone holding the key can read and forge everyone else's traffic
  • used for encrypting large amounts of info
164
adv and disadv of symmetric enc?
  • adv: speed
  • disadv: requires a separate key for everyone who wishes to communicate
  • disadv: must find a secure way to share keys
165
risks of both asymm and symm enc?
protecting the secret key (the shared key in symmetric encryption, the private key in asymmetric encryption) from loss or theft
166
adv of asym enc?
  • everyone can use your public key to communicate with you
  • no need to store a separate key for each party
167
disadv of asym enc?
  • slow
  • requires a PKI to validate ownership of public keys
168
primary use of asym enc?
  • creating digital signatures
  • secure exchange of symmetric keys (e.g. via email)
169
what is a PKI?
(public key infrastructure) the set of roles, policies and procedures needed to create, manage, distribute, store and revoke digital certificates (which bind public keys to their owners) and to manage public key encryption
170
what does a VPN do?
  • extends a private network across a public network, allowing users to send and receive data across the public network as if their devices were directly connected to the private network
  • securely transmits encrypted data between two endpoints that hold the appropriate encryption/decryption keys
171
what is a hash code/value?
a numeric value of fixed length that identifies data (with a cryptographic hash, any change to the data changes the value). compactly represents large amounts of data. it is the hash, not the whole document, that is signed to create a DS.