Study Unit 14

Question 1

System Availability

Answer 1

uninterrupted flow of electricity
protection of computer hardware from environmental hazards
protection of software and data files from unauthorized alteration
preservation of functioning comm channels bet devices

Question 2

Risks associated with Business Information Systems

Answer 2

System Availability
Volatile Trans Trails- short lived
Decreased human involvement
Uniform processing of transactions
unauthorized access
data vulnerability
reduced segregation of duties
reduced indiv authorization of transactions
malware

Question 3

Malware

Answer 3

any program code that enters a computer with potential to degrade it
trojan horse
virus
-logic bombs
worm
denial of service
phishing
back door

Question 4

Trojan horse

Answer 4

appears innocent but includes hidden function that can damage when activated

Question 5

virus

Answer 5

program that copies itself from file to file, may destroy data or programs

logic bombs-type of virus triggered by predetermined event

Question 6

worm

Answer 6

copies itself not from file to file but from computer to computer, very rapidly
repeated replication overloads a system by depleting memory or overwhelming ntwk

Question 7

COBIT- 5 Key principle

Answer 7

govt framewk that addresses IT

1) Meet Stakeholder needs
2) Cover Enterprise End 2 End
3) Apply Single, Integrated Frmwk
4) Holistic Approach
5) Separate Governance from Mgt

Question 8

Stakeholder Needs

Answer 8

value creation most basic stakeholder need; fundamental goal

value creation- realization of benefits, optimization of risk, optimal use of resources

Question 9

Covering Enterprise E2E

Answer 9

comprehensive look @ fucntions and processes req enterprise wide IT

Question 10

Applying Single, Integrated Framework

Answer 10

stds consistently applied

Question 11

Enabling a Holistic Approach

Answer 11

7 categories that support comprehensive IT governance and mgt
-principles, policies, frmwk
-processes
-org structure
-culture, ethics, behavior
-info
-svc, infrastructure, apps
-ppl, skills, competencies
Last 3 items are resources; should be optimized

Question 12

Separating Governance from mgt

Answer 12

req treatment as distinct activities
gov - setting of overall objectives, monitoring progress (BOD)
mgt- carrying out activities to pursue enterprise goals
-4 responsibility areas addressed: plan, build, run, monitor

Question 13

3 principal goals for info security programs

Answer 13

data confidentiality- protect from disclosure to unauthorized persons
data availability- ensure IS up and running for access
data integrity-ensure data accurately reflects business events & not tampered with or destroyed

Question 14

Step to Create information security plan

Answer 14

ID threats to info
ID risks the threats entail- 2 phases (likelihood of threat and potential level of damage)
Design controls for risks
Make controls part of enterprise wide info security plan
Set up policies

Question 15

General controls

Answer 15

umbrella under which IT operates; affect entire processing environment include controls over

• data center and ntwk ops
• systems sftwr acquistion, change, maintenance
• access security
• app sys acq, development, maint

Question 16

Controls over data center and network ops

Answer 16

ensure efficient and effective ops of computer activity

include control env and risk assessment

Question 17

controls over software acquisition, change, maintenance

Answer 17

ensure proper software is available to use

Question 18

controls over access encompass

Answer 18

to hdwr (physical access) and to data and programs through the system (logical access)

Question 19

Application controls

Answer 19

particular to org’s apps
input- assurance data rec’d has proper auth; data not lost, improperly changed (relate to rejection)
concurrent update- ensure correct result for concurrent ops are generated
processing-processing performed as intended for the application. all trans processed as auth; no auth trans omitted; no unauth trans added
output- ensure accuracy of processing result and receipt of output by auth personnel only

Question 20

Hardware controls

Answer 20

built into the eqt by the mfr; ensure proper internal handling of data as moved and stored
-include parity checks, echo check, read-after-write checks, and built into eqt to ensure data integrity

Question 21

Physical control

Answer 21

limit physical access and environmental damage to computer eqt, data, important docs
includes access controls
-passwords, ID #s
-device auth table
-system access log
-encryption
-callback- req remote user to call give ID and wait for call to authorized #
-controlled disposal of docs
-biometric tech
-auto log-off
-security personnel

Question 22

logical controls

Answer 22

limit access based on elements that person needs to perform their job

• elements of user account mgt
• -change pword periodically, unique ID needed for access,, policy prevents employees from leaving IDs/pwords written down in plain sight

Question 23

GC examples

Answer 23

firewall, logical controls, hardware controls

Question 24

firewall

Answer 24

combo of hardware and software that separates internal ntwk from external ntwk; stops passage of suspicious traffic
2 types
-ntwk - regulate traffic to entire ntwk (LAN)
-application- regulate traffic to specified app (email or file transfer)

Question 25

Network firewall

Answer 25

examines each query, based on rules of network security admin, denies entry to network based on source, destination, ect. Queries from a source address w/ repeated failed attempts may be penetration attempt firewall can notify personnel

Question 26

Input controls

Answer 26

ensure only correct, authorized data enter systems and data are processed and reported properly provide assurance data submitted for processing are authorized, complete, and accurate

Question 27

Types of input controls

Answer 27

preformat- screen looks like doc edit (field) check- allow certain characters (SS#) limit (reasonableness) check- rejection based on known limits validity check- to process other records must exist in another file (invoice accepted b/c vendor MF) sequence check - file sorted on designated field, the "key" before match (A/P file and MF sorted before match) closed-loop - user input transmitted and displayed on screen check-digit (self-check digit)- algorithm applied and incorporated into number entered by user zero- balance check- system reject trans when sum of all debits and credits doesn't = 0

Question 28

Batch input controls

Answer 28

mgt release record count- # records matched number calculated by user financial total- sum of $ amounts = amounts user calc hash total-sum of numeric field, has no meaning by itself ( sum of SS#s)

Question 29

Processing control

Answer 29

assurance data submitted are processed and only approved data are processed validation completeness arithmetic control sequence check run 2 run control total- controls wrt given batch checked after each stage to check all trans processed key integrity- record's key is group of values in designated fields that uniquely ID the record

Question 30

Output control

Answer 30

Trans logs error listing record count run 2 run control total- new balance = old balance + any activity

Question 31

DBA

Answer 31

develop and maintain org db and establish control to protect integrity - only 1 to update data dictionary - perform some fx of DBMS

Question 32

Network tech

Answer 32

maintains bridges, hubs, routers, switches, cabling, other devices that interconnect comp's responsible for maintaining connection to other ntwks

Question 33

Webmaster

Answer 33

responsible for website content | works w/ programmers and ntwk tech to ensure proper content displayed and site is available to users

Question 34

Computer operators

Answer 34

day 2 day fx of data center load data, mount storage devices, operate eqt should not be assigned programming duties or system design shouldn't be able to make changes in programs and systems bc they operate the eqt

Question 35

Librarians

Answer 35

maintain ctrl over and accountability for doc, programs, data storage media

Question 36

Systems programmers

Answer 36

maintain and fix ops systems on medium/large comps may modify programs, data files, controls no access to data center ops/production programs or data

Question 37

Application programmres

Answer 37

design write test and doc computer programs according to specifications provided by end users

Question 38

Systems analyst

Answer 38

determine how app should be best designed for users' needs duties combined w/ app programmer no access to data center ops, production programs, data files

Question 39

Help desk

Answer 39

log users' problems, resolve minor issues, fwd difficult problems to appropriate person

Question 40

Info security officer

Answer 40

develop info security policies, comment on security controls in new apps, monitor and investigate unsuccessful login attemps

Question 41

End users

Answer 41

able to change production data, not programs