Internal Controls & IT General Controls 3 & CDLC Flashcards Preview


Flashcards in Internal Controls & IT General Controls 3 & CDLC Deck (8):
1

What Physical Controls should be considered with a "Computer Center"?

- The Computer Center houses the main servers and other sensitive IT assets
- Physical access to it is a high-risk area, so the objective is to make unauthorized entry difficult
- Check for physical controls such as:
(1) Locked doors
(2) Cameras
(3) Monitoring of incoming traffic (people entering the center)
- Done electronically, manually, and/or by security guards

2

What Physical Controls should be considered with a "Server Room"?

- Main objective: physical access controls at the same level as the risk and sensitivity of the assets, which is very high for servers
(1) Servers s/b in a separate room w/ its own physical controls
- A 2nd layer of controls on top of those of the Computer Center
(2) Glass walls around the server room so authorized personnel in the Computer Center can see an unauthorized person inside it

3

Name the 3 basic InfoSec “triangle” primary areas of concern:

CIA
(1) Confidentiality
- Applies to data at rest (stored) and in transit
- Objective: ensure confidentiality of systems, processes, and data created, transported and stored
(2) Integrity (data and processing)
- Focus on accuracy and reliability of data, of the systems and processes that generate it, and of the info produced from it
(3) Availability
- Data and systems available when needed for business operations

4

What is Authorization vs. Authentication?

Authorization:
- Restricts what a user may access or do once logged in (rights, roles and privileges granted to the login ID)
- Login credentials (ID and password) that grant access, by themselves, are not adequate for higher risks
- A hacker who obtains or guesses the login passes the check and gains access to the network, but the access is still unauthorized
Authentication:
- Objective is to verify that the person using the credentials is who s/he claims to be
- Authentication controls add factors beyond the password, e.g. additional credentials, temporary (one-time) PINs, security questions, and biometrics (the strongest, since the factor is the person, e.g. a fingerprint)
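The following Go program is an added example (not from the CITP materials or this deck) of the distinction the card draws: a guessed password alone passes a single-factor login, a temporary one-time PIN (HOTP, RFC 4226) stops it, and authorization is a separate check on what the authenticated user may do. The user store, password, role table and the HOTP secret (the RFC 4226 test secret) are all constructed for the example; it hashes passwords with salted SHA-256 purely to stay dependency-free, where a real system would use a slow hash such as bcrypt or argon2.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed example user record: salted password hash (something you know),
// HOTP secret for the one-time PIN (something you have), and a role used by
// the authorization check. Assumption: stdlib-only hashing for the example.
type user struct {
	salt     []byte
	pwHash   []byte
	otpKey   []byte
	otpCount uint64 // HOTP moving factor (RFC 4226)
	role     string
}

func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

func newUser(password string, otpKey []byte, role string) *user {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return &user{salt: salt, pwHash: hashPassword(salt, password), otpKey: otpKey, role: role}
}

// hotp computes an RFC 4226 one-time PIN: HMAC-SHA1 over the counter,
// dynamically truncated to 6 decimal digits.
func hotp(key []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// authenticate answers "is this really the claimed user?". The password check
// alone is single-factor; a guessed or stolen password gets past it, so the
// one-time PIN is required as a second factor and each PIN is single-use.
func authenticate(u *user, password, pin string) error {
	if subtle.ConstantTimeCompare(hashPassword(u.salt, password), u.pwHash) != 1 {
		return errors.New("bad password")
	}
	if subtle.ConstantTimeCompare([]byte(hotp(u.otpKey, u.otpCount)), []byte(pin)) != 1 {
		return errors.New("bad one-time PIN")
	}
	u.otpCount++ // advance the counter so the PIN cannot be replayed
	return nil
}

// authorize answers the separate question "may this authenticated user do
// this?" from a minimal role-to-action table (constructed for the example).
var permissions = map[string]map[string]bool{
	"clerk":   {"view-invoices": true},
	"manager": {"view-invoices": true, "approve-payment": true},
}

func authorize(u *user, action string) bool {
	return permissions[u.role][action]
}

func main() {
	otpKey := []byte("12345678901234567890") // RFC 4226 test secret, constructed input
	alice := newUser("correct horse battery staple", otpKey, "clerk")

	// Attacker guessed the password but holds no OTP secret: rejected.
	fmt.Println("password only:", authenticate(alice, "correct horse battery staple", "000000"))
	// Alice supplies the current PIN from her token: accepted.
	pin := hotp(otpKey, alice.otpCount)
	fmt.Println("password + PIN:", authenticate(alice, "correct horse battery staple", pin))
	// Authenticated, yet still not permitted to approve payments.
	fmt.Println("clerk approves payment?", authorize(alice, "approve-payment"))
}
```

The HOTP secret is the RFC 4226 test vector secret, so the PINs it produces (755224 for counter 0, 287082 for counter 1) can be checked against the RFC's table.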

5

What is Encryption and its 3 characteristics?

- Scrambles data using an algorithm and a key so it cannot be read if intercepted; only a holder of the right key can decrypt it
- Encryption strength is a combination of these 3 aspects:
(1) Method: symmetric (one shared secret key) vs. public-key/asymmetric (a public key encrypts, the matching private key decrypts)
(2) Key length: e.g. 128, 192 or 256-bit for AES (256-bit is the largest AES offers); longer keys resist brute-force guessing
(3) Key management and authentication: how keys are generated, exchanged and protected, and how the parties are authenticated, since the cipher is only as strong as the secrecy of the key
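The Go program below is an added example (not from the CITP materials or this deck) of the three aspects on the card: symmetric AES in GCM mode at each of the 128, 192 and 256-bit key lengths, the public/private-key method with RSA-OAEP, and the fact that decryption fails both with the wrong key and when a single ciphertext byte is altered, which is the authentication GCM adds on top of secrecy. The sample journal-entry text and all keys are constructed inline; the 2048-bit RSA key size and the use of the standard library only are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// symmetricEncrypt uses AES-GCM. The key must be 16, 24 or 32 bytes
// (AES-128, -192, -256); any other length is rejected by aes.NewCipher.
// The random nonce is prepended to the ciphertext, and GCM's authentication
// tag is what lets decryption detect tampering.
func symmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// symmetricDecrypt splits off the nonce and opens the ciphertext; it returns
// an error for a wrong key or for any modified byte.
func symmetricDecrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// asymmetricDemo shows the public-key method: the public key encrypts, only
// the private key decrypts. RSA-OAEP can only wrap short messages, so in
// practice it carries a symmetric session key rather than the data itself.
func asymmetricDemo(msg []byte) ([]byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // assumed key size
	if err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, msg, nil)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
}

// keyStrengthDemo runs the round trip at each AES key length and reports, per
// length, whether a wrong key and a single flipped byte were both rejected.
func keyStrengthDemo() (map[int]bool, error) {
	results := map[int]bool{}
	msg := []byte("journal entry 4711: DR cash 10,000 / CR revenue 10,000") // constructed
	for _, bits := range []int{128, 192, 256} {
		key := make([]byte, bits/8)
		rand.Read(key)
		sealed, err := symmetricEncrypt(key, msg)
		if err != nil {
			return nil, err
		}
		pt, err := symmetricDecrypt(key, sealed)
		if err != nil || !bytes.Equal(pt, msg) {
			return nil, fmt.Errorf("AES-%d round trip failed", bits)
		}
		wrong := make([]byte, bits/8)
		rand.Read(wrong)
		_, wrongErr := symmetricDecrypt(wrong, sealed)
		tampered := append([]byte(nil), sealed...)
		tampered[len(tampered)-1] ^= 0x01 // corrupt one byte of the tag
		_, tamperErr := symmetricDecrypt(key, tampered)
		results[bits] = wrongErr != nil && tamperErr != nil
	}
	return results, nil
}

func main() {
	res, err := keyStrengthDemo()
	fmt.Println(res, err) // map[128:true 192:true 256:true] <nil>
	pt, err := asymmetricDemo([]byte("AES session key goes here"))
	fmt.Printf("%s %v\n", pt, err)
}
```

Note that the three key lengths produce ciphertext of identical size and format; the length only changes how much work a brute-force search needs, which is why it is an aspect of strength rather than something visible in the output.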

6

What are the 5 Phases in a Control Development Life Cycle (CDLC)?

DIOEM

(1) Design
(2) Implementation
(3) Operational
(4) Effectiveness
(5) Monitoring

7

Under the Control Development Life Cycle (CDLC), what is involved in the "Design" Phase?

Design Phase is the 1st (of 5) phases
(1) Begins w/ a formal, structured approach to Control Development by mgmt
- Mgmt must ensure expert input is consistently applied to the development
- Ensures controls are developed as needed and designed effectively
(2) ID controls needed
- ID key business processes associated w/ material items related to financial reporting or critical business processes
- Determine what controls s/b in place to prevent, detect and correct material misstatements
(3) Assess controls for design effectiveness
- The control's ability to mitigate risk and/or prevent, detect and correct material misstatements, errors or failures related to policies
(4) Document controls
- Include control objectives, how the control operates, and its location within the entity's systems and business processes

8

Under the Control Development Life Cycle (CDLC), what is involved in the "Effectiveness" Phase?

- Effectiveness is measured against the control objective, typically mitigation of business or financial reporting risk (the risk of material misstatement, RMM)
- Effectiveness also depends on consistent application of the control over the period
- Ultimate assurance is a test of controls (ToC); only perform ToCs if you plan to rely on the control
- Cannot rely on a control if the ITGCs have a significant deficiency (SD) or material weakness (MW)
- ITGCs need to be reliable as a whole before an external CITP can rely on an automated application control