Study Unit 14 Flashcards Preview

Gleim BEC > Study Unit 14 > Flashcards

Flashcards in Study Unit 14 Deck (41)
Loading flashcards...
1

System Availability

uninterrupted flow of electricity
protection of computer hardware from environmental hazards
protection of software and data files from unauthorized alteration
preservation of functioning comm channels bet devices

2

Risks associated with Business Information Systems

System Availability
Volatile Trans Trails- short lived
Decreased human involvement
Uniform processing of transactions
unauthorized access
data vulnerability
reduced segregation of duties
reduced indiv authorization of transactions
malware

3

Malware

any program code that enters a computer with potential to degrade it
trojan horse
virus
-logic bombs
worm
denial of service
phishing
back door

4

Trojan horse

appears innocent but includes hidden function that can damage when activated

5

virus

program that copies itself from file to file, may destroy data or programs

logic bombs-type of virus triggered by predetermined event

6

worm

copies itself not from file to file but from computer to computer, very rapidly
repeated replication overloads a system by depleting memory or overwhelming ntwk

7

COBIT- 5 Key principle

govt framewk that addresses IT
1) Meet Stakeholder needs
2) Cover Enterprise End 2 End
3) Apply Single, Integrated Frmwk
4) Holistic Approach
5) Separate Governance from Mgt

8

Stakeholder Needs

value creation most basic stakeholder need; fundamental goal

value creation- realization of benefits, optimization of risk, optimal use of resources

9

Covering Enterprise E2E

comprehensive look @ fucntions and processes req enterprise wide IT

10

Applying Single, Integrated Framework

stds consistently applied

11

Enabling a Holistic Approach

7 categories that support comprehensive IT governance and mgt
-principles, policies, frmwk
-processes
-org structure
-culture, ethics, behavior
-info
-svc, infrastructure, apps
-ppl, skills, competencies
Last 3 items are resources; should be optimized

12

Separating Governance from mgt

req treatment as distinct activities
gov - setting of overall objectives, monitoring progress (BOD)
mgt- carrying out activities to pursue enterprise goals
-4 responsibility areas addressed: plan, build, run, monitor

13

3 principal goals for info security programs

data confidentiality- protect from disclosure to unauthorized persons
data availability- ensure IS up and running for access
data integrity-ensure data accurately reflects business events & not tampered with or destroyed

14

Step to Create information security plan

ID threats to info
ID risks the threats entail- 2 phases (likelihood of threat and potential level of damage)
Design controls for risks
Make controls part of enterprise wide info security plan
Set up policies

15

General controls

umbrella under which IT operates; affect entire processing environment include controls over
-data center and ntwk ops
-systems sftwr acquistion, change, maintenance
-access security
-app sys acq, development, maint

16

Controls over data center and network ops

ensure efficient and effective ops of computer activity
include control env and risk assessment

17

controls over software acquisition, change, maintenance

ensure proper software is available to use

18

controls over access encompass

to hdwr (physical access) and to data and programs through the system (logical access)

19

Application controls

particular to org's apps
input- assurance data rec'd has proper auth; data not lost, improperly changed (relate to rejection)
concurrent update- ensure correct result for concurrent ops are generated
processing-processing performed as intended for the application. all trans processed as auth; no auth trans omitted; no unauth trans added
output- ensure accuracy of processing result and receipt of output by auth personnel only

20

Hardware controls

built into the eqt by the mfr; ensure proper internal handling of data as moved and stored
-include parity checks, echo check, read-after-write checks, and built into eqt to ensure data integrity

21

Physical control

limit physical access and environmental damage to computer eqt, data, important docs
includes access controls
-passwords, ID #s
-device auth table
-system access log
-encryption
-callback- req remote user to call give ID and wait for call to authorized #
-controlled disposal of docs
-biometric tech
-auto log-off
-security personnel

22

logical controls

limit access based on elements that person needs to perform their job
-elements of user account mgt
--change pword periodically, unique ID needed for access,, policy prevents employees from leaving IDs/pwords written down in plain sight

23

GC examples

firewall, logical controls, hardware controls

24

firewall

combo of hardware and software that separates internal ntwk from external ntwk; stops passage of suspicious traffic
2 types
-ntwk - regulate traffic to entire ntwk (LAN)
-application- regulate traffic to specified app (email or file transfer)

25

Network firewall

examines each query, based on rules of network security admin, denies entry to network based on source, destination, ect.

Queries from a source address w/ repeated failed attempts may be penetration attempt
firewall can notify personnel

26

Input controls

ensure only correct, authorized data enter systems and data are processed and reported properly

provide assurance data submitted for processing are authorized, complete, and accurate

27

Types of input controls

preformat- screen looks like doc
edit (field) check- allow certain characters (SS#)
limit (reasonableness) check- rejection based on known limits
validity check- to process other records must exist in another file (invoice accepted b/c vendor MF)
sequence check - file sorted on designated field, the "key" before match (A/P file and MF sorted before match)
closed-loop - user input transmitted and displayed on screen
check-digit (self-check digit)- algorithm applied and incorporated into number entered by user
zero- balance check- system reject trans when sum of all debits and credits doesn't = 0

28

Batch input controls

mgt release
record count- # records matched number calculated by user
financial total- sum of $ amounts = amounts user calc
hash total-sum of numeric field, has no meaning by itself ( sum of SS#s)

29

Processing control

assurance data submitted are processed and only approved data are processed

validation
completeness
arithmetic control
sequence check
run 2 run control total- controls wrt given batch checked after each stage to check all trans processed
key integrity- record's key is group of values in designated fields that uniquely ID the record

30

Output control

Trans logs
error listing
record count
run 2 run control total- new balance = old balance + any activity