Study Unit 14 Flashcards Preview

Gleim BEC > Study Unit 14 > Flashcards

Flashcards in Study Unit 14 Deck (41)
Loading flashcards...

System Availability

uninterrupted flow of electricity
protection of computer hardware from environmental hazards
protection of software and data files from unauthorized alteration
preservation of functioning comm channels bet devices


Risks associated with Business Information Systems

System Availability
Volatile Trans Trails- short lived
Decreased human involvement
Uniform processing of transactions
unauthorized access
data vulnerability
reduced segregation of duties
reduced indiv authorization of transactions



any program code that enters a computer with potential to degrade it
trojan horse
-logic bombs
denial of service
back door


Trojan horse

appears innocent but includes hidden function that can damage when activated



program that copies itself from file to file, may destroy data or programs

logic bombs-type of virus triggered by predetermined event



copies itself not from file to file but from computer to computer, very rapidly
repeated replication overloads a system by depleting memory or overwhelming ntwk


COBIT- 5 Key principle

govt framewk that addresses IT
1) Meet Stakeholder needs
2) Cover Enterprise End 2 End
3) Apply Single, Integrated Frmwk
4) Holistic Approach
5) Separate Governance from Mgt


Stakeholder Needs

value creation most basic stakeholder need; fundamental goal

value creation- realization of benefits, optimization of risk, optimal use of resources


Covering Enterprise E2E

comprehensive look @ fucntions and processes req enterprise wide IT


Applying Single, Integrated Framework

stds consistently applied


Enabling a Holistic Approach

7 categories that support comprehensive IT governance and mgt
-principles, policies, frmwk
-org structure
-culture, ethics, behavior
-svc, infrastructure, apps
-ppl, skills, competencies
Last 3 items are resources; should be optimized


Separating Governance from mgt

req treatment as distinct activities
gov - setting of overall objectives, monitoring progress (BOD)
mgt- carrying out activities to pursue enterprise goals
-4 responsibility areas addressed: plan, build, run, monitor


3 principal goals for info security programs

data confidentiality- protect from disclosure to unauthorized persons
data availability- ensure IS up and running for access
data integrity-ensure data accurately reflects business events & not tampered with or destroyed


Step to Create information security plan

ID threats to info
ID risks the threats entail- 2 phases (likelihood of threat and potential level of damage)
Design controls for risks
Make controls part of enterprise wide info security plan
Set up policies


General controls

umbrella under which IT operates; affect entire processing environment include controls over
-data center and ntwk ops
-systems sftwr acquistion, change, maintenance
-access security
-app sys acq, development, maint


Controls over data center and network ops

ensure efficient and effective ops of computer activity
include control env and risk assessment


controls over software acquisition, change, maintenance

ensure proper software is available to use


controls over access encompass

to hdwr (physical access) and to data and programs through the system (logical access)


Application controls

particular to org's apps
input- assurance data rec'd has proper auth; data not lost, improperly changed (relate to rejection)
concurrent update- ensure correct result for concurrent ops are generated
processing-processing performed as intended for the application. all trans processed as auth; no auth trans omitted; no unauth trans added
output- ensure accuracy of processing result and receipt of output by auth personnel only


Hardware controls

built into the eqt by the mfr; ensure proper internal handling of data as moved and stored
-include parity checks, echo check, read-after-write checks, and built into eqt to ensure data integrity


Physical control

limit physical access and environmental damage to computer eqt, data, important docs
includes access controls
-passwords, ID #s
-device auth table
-system access log
-callback- req remote user to call give ID and wait for call to authorized #
-controlled disposal of docs
-biometric tech
-auto log-off
-security personnel


logical controls

limit access based on elements that person needs to perform their job
-elements of user account mgt
--change pword periodically, unique ID needed for access,, policy prevents employees from leaving IDs/pwords written down in plain sight


GC examples

firewall, logical controls, hardware controls



combo of hardware and software that separates internal ntwk from external ntwk; stops passage of suspicious traffic
2 types
-ntwk - regulate traffic to entire ntwk (LAN)
-application- regulate traffic to specified app (email or file transfer)


Network firewall

examines each query, based on rules of network security admin, denies entry to network based on source, destination, ect.

Queries from a source address w/ repeated failed attempts may be penetration attempt
firewall can notify personnel


Input controls

ensure only correct, authorized data enter systems and data are processed and reported properly

provide assurance data submitted for processing are authorized, complete, and accurate


Types of input controls

preformat- screen looks like doc
edit (field) check- allow certain characters (SS#)
limit (reasonableness) check- rejection based on known limits
validity check- to process other records must exist in another file (invoice accepted b/c vendor MF)
sequence check - file sorted on designated field, the "key" before match (A/P file and MF sorted before match)
closed-loop - user input transmitted and displayed on screen
check-digit (self-check digit)- algorithm applied and incorporated into number entered by user
zero- balance check- system reject trans when sum of all debits and credits doesn't = 0


Batch input controls

mgt release
record count- # records matched number calculated by user
financial total- sum of $ amounts = amounts user calc
hash total-sum of numeric field, has no meaning by itself ( sum of SS#s)


Processing control

assurance data submitted are processed and only approved data are processed

arithmetic control
sequence check
run 2 run control total- controls wrt given batch checked after each stage to check all trans processed
key integrity- record's key is group of values in designated fields that uniquely ID the record


Output control

Trans logs
error listing
record count
run 2 run control total- new balance = old balance + any activity