140 Cards in this Set
- Front
- Back
threat
exposure/impact
likelihood |
-threat: potential adverse occurrence or unwanted event that could harm the AIS
-exposure/impact: potential dollar loss if a threat happens
-likelihood: probability a threat will happen |
|
internal control
|
a process implemented by the board of directors, mgmt, etc. to provide reasonable assurance that the control objectives are achieved
|
|
3 functions of internal controls (3 controls)
|
preventative, detective, corrective
|
|
2 kinds of internal controls
|
general controls-to make sure control environment is stable and well managed (sec. mgmt ctrls, IT infra.)
application controls- prevent, detect, and correct transaction errors and fraud (accuracy, completeness of data in the system) |
|
PCAOB
|
Public Company Accounting Oversight Board- regulates the auditing profession; created by SOX; members appointed by the SEC; 3 non-CPAs
|
|
belief system
boundary system
diagnostic control system
interactive control system |
4 levers to reconcile conflict b/t creativity and controls
-belief system: communicate core values to inspire employees
-boundary system: help employees act ethically by setting limits (ie- min stds of performance, off-limit activities)
-diagnostic control system: compare actual to planned performance to ensure efficient and effective achievement of goals
-interactive control system: for top management and high-level activities that need regular attention (developing strategy, setting objectives) |
|
3 control frameworks to help internal control
|
COBIT- Control Objectives for Information and Related Technology
COSO Internal Control Framework- Committee of Sponsoring Organizations
COSO ERM Framework |
|
COBIT- what it is and 3 dimensions
|
generally applicable info systems security and control practices for IT ctrl; helps mgrs to balance risk and control
business objectives, IT resources, IT processes |
|
Internal Control- Integrated Framework
what is and components |
defines controls and provides guidance for enhancing them
-control environment, control activities, risk assessment, information and communication, and monitoring |
|
Enterprise Risk Management- Integrated Framework
what is and elements (3D block) |
expands on Internal Control Framework- a comprehensive process
-Objectives, Units (subsidiary, business unit, division, entity-level), and 8 risk and control components |
|
Objectives of ERM framework
|
strategic (high level goals)
operations (effectiveness and efficiency)
reporting (accuracy, completeness, reliability)
compliance (with laws and regs)
*reporting and compliance objectives can be assured |
|
8 risk and control components of ERM
|
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information and Communication
Monitoring |
|
risk appetite
|
part of internal environment; amount of risk willing to accept to achieve goals
|
|
audit committee
|
entirely outside, independent directors (no fees)- oversee internal control
|
|
Policies and Procedure manual
|
part of Internal Environment; method of assigning authority and responsibility; explains proper practices, experience needed, policies, etc.
|
|
fidelity bond insurance
|
protects companies from losses that arise from fraud by bonded employees
|
|
Event
|
event- incident emanating from internal or external source that affects implementation of strategy/achievement of objectives; can be positive or negative
*identify to determine risk appetite |
|
2 types of risk
|
inherent- risk that exists before management takes steps to control the likelihood of a risk
residual- risk that remains after mgmt implements internal controls |
|
4 ways to respond to risk
|
reduce the likelihood and impact
accept it and don't act to prevent it
share it (ie- insurance)
avoid it and don't do the activity |
|
expected loss (cost) and value of an internal control
|
impact*likelihood
value is the difference between the expected loss with the procedure and expected loss without it |
|
control activities- what they do
|
provide assurance that control objectives are met and ensure compliance
|
|
authorization, digital signature
|
empowers employees to perform activities; documented via
-digital signature- sign doc on a computer with data that can't be forged |
|
types of authorization
|
general- employees handle routine activities
specific- activities or transactions of great consequence that require management review |
|
segregation of accounting duties
|
separate authorization, recording and custody functions
|
|
systems administrators
|
ensure the different parts of the information system are running smoothly
|
|
network managers
|
make sure all applicable devices are hooked to the network and that the networks operate continuously
|
|
security management
|
ensure system is secure and protected from threats
|
|
change management
|
manage changes to info system and make sure they are made smoothly to prevent errors
|
|
users of systems
|
record transactions, authorize data to be processed, and use output
|
|
system analyst
|
help determine info needs and design systems to meet needs
|
|
programmers
|
use analyst's design to write computer programs
|
|
computer operators
|
run software on computers and make sure input data is properly processed and the needed output is produced
|
|
information system library
|
storage area that contains corporate databases, files, and programs
|
|
data control group
|
ensures source data is properly approved, monitors computer work, and handles errors
|
|
strategic master plan
|
to align information system with strategies; show projects to be completed, goals, requirements, etc.
|
|
project controls:
project development plan
project milestones
performance evaluations |
-project development plan: how the project will be completed
-project milestones: significant points at which the project is reviewed
-performance evaluations: of project team members when the project is completed |
|
data processing schedule
|
how to organize data processing tasks to maximize use of computer resources
|
|
steering committee
|
formed to guide and oversee systems development and acquisition
|
|
systems performance measures and types
|
to evaluate systems:
-throughput- output per unit of time
-utilization- % of time system is being productively used
-response time- how long it takes a system to respond |
|
post implementation review of development project
|
to determine if the project's goals were achieved
|
|
systems integrator
|
vendor who uses common standards and manages a cooperative systems development effort
|
|
change management controls
|
make sure system changes don't negatively affect systems reliability, security, confidentiality
|
|
analytical reviews
|
examine relationships between different sets of data (credit sales and A/R, etc) to detect fraud
|
|
primary purpose of AIS
|
gather, record, process, store, summarize, and communicate info about the organization
|
|
audit trail
|
individual transactions can be traced through system from origin to financial statements
|
|
CSO
CCO |
-computer security officer- in charge of AIS security; independent from IS function
-chief compliance officer- deals with compliance issues, esp relating to SOX |
|
forensic accountants
CFE |
specialize in fraud detections and investigation
-certified fraud examiner |
|
computer forensics specialists
|
discover, extract, document computer evidence such that it is authentic, accurate, and will hold up legally
|
|
neural networks
|
programs that mimic the brain and have learning capabilities; identify suspected fraud
|
|
trust services framework=5 principles that contribute to systems reliability objective of AIS
|
security, confidentiality, privacy, processing integrity, availability
|
|
COBIT domains in which processes are grouped
|
PO- plan and organize
AI- acquire and implement
DS- deliver and support
ME- monitor and evaluate |
|
info security concepts
|
-security is a mgmt issue, not a tech problem
-time based model of security
-defense in depth |
|
time based model of security and how to invest
|
this must be true:
P > D + C
P = time it takes to break through preventative controls
D = time it takes to detect
C = time it takes to respond
*invest in whichever one gives the larger improvement |
|
preventative controls
|
authentication, authorization, training, controlling physical access, controlling remote access, host and application hardening, encryption
|
|
authentication controls
and what to have to authenticate
multifactor authentication |
verify identity of person attempting to access the system
-need something you have, something you know, and a biometric identifier (physical characteristic)
-multifactor authentication: using two or more of the above methods of authentication |
|
authorization controls
|
restrict access of authenticated users
|
|
access control matrix and compatibility test
|
to implement authorization controls; table that specifies which portions of system users are permitted
-matches users credentials against control matrix when a user tries to access an IS resource |
|
NIC and MAC
|
network interface card- to connect to internal network
media access control address- unique identifier that each NIC has; access can be restricted to only devices with an approved MAC address |
|
perimeter defense for controlling remote access
|
border router- connects info system to internet
firewall- behind router
IPS- intrusion prevention system- filter to identify and drop packets that are part of an attack |
|
DMZ
|
demilitarized zone- separate network that permits controlled access from internet to selected resources
|
|
TCP/IP
|
protocols that govern the process for transmitting info over the internet
TCP- transmission control protocol- specifies procedures for dividing files and docs into packets and methods for reassembly of the original doc
IP- internet protocol- specifies structure of packets and how to route them to the proper destination |
|
parts of packet
|
header- includes origin and destination info and type of data
body- actual info in packet |
|
router
|
special purpose device that reads destination address fields in IP packet header to determine where to send packet
|
|
ACL
|
access control list- a set of rules that determines which packets are allowed entry; used by routers
|
|
static packet filtering
|
performed by routers; screens individual IP packets based on source and destination fields in header; examines in isolation (as opposed to stateful packet filtering)
|
|
stateful packet filtering
|
used by firewalls; uses info in header to determine if the info is from an ongoing communication; maintains a table that lists all established connections between the organization's computers and the Internet
|
|
Deep packet inspection
|
part of IPS- looks at info in the body of the packet as well as the header; slow; can be performed by firewalls
|
|
RADIUS
|
remote authentication dial in user service-to verify identity of users attempting to obtain dial in access (ie- login credentials)
|
|
rogue modem
and war dialing |
single, unauthorized modem- connection not filtered by main firewall
war dialing- call every # assigned to org. to identify those connected to modems to identify rogue modems |
|
hosts and how to make more secure
hardening |
workstations, servers, printers, other devices
-made more secure by modifying their configurations
-hardening- turn off programs when not being used because they have vulnerabilities/flaws that can be exploited |
|
encryption
|
process of transforming plain text (normal text) into cipher text (unreadable gibberish)
|
|
key and algorithm
|
what you need to encrypt and decrypt
key- string of binary digits of fixed length
algorithm- formula for combining the key and text |
|
key escrow
|
make copies of all encryption keys used and store them- so if an employee leaves, you can always decrypt info... better to use a built-in master key
|
|
types of encryption systems
|
symmetric- use same key to encrypt and decrypt
asymmetric- use a public and a private key- either can be used to encrypt, but only the other can decrypt |
|
hashing
|
process that takes plain text of any length and transforms it into a short code called a hash; not reversible
|
|
digital signature
and process |
info encrypted with creator's private key- makes sure the message that was decrypted is the same as the original message
-sender runs message through hashing algorithm and then encrypts the hash
-receiver of message uses public key to decrypt digital signature, which produces the hash of the original document
-receiver decrypts the encrypted document
-receiver runs plain text through same hashing algorithm and sees if hash matches the digital signature |
|
digital certificate
|
e-document created and digitally signed by a 3rd party that certifies the identity of the owner of a public key
|
|
PKI
|
Public Key Infrastructure- system and processes used to issue and manage asymmetric keys and digital certificates
|
|
Certificate Authority
|
organization that issues public and private keys and records public key in the digital certificate
|
|
e-signature
|
cursive-style imprint of name that is applied to an e-document; register with company to get one; legally binding
|
|
detective controls
|
log analysis, IDS, managerial reports, security testing
|
|
log analysis
|
examine logs of who accesses system and what they do to monitor security
|
|
IDS and where located
|
Intrusion Detection System- to automate monitoring- create logs of network traffic permitted in and analyze logs for signs of attempted/successful intrusion; usually located just inside of main firewall
|
|
types of security testing
|
vulnerability scans- use automated tools to determine if a system possesses any well known vulnerabilities
penetration test- attempt to break into info system to test for weaknesses |
|
corrective controls
|
CERT, CISO, patch management
|
|
CERT and steps
|
computer emergency response team- to respond to security incidents promptly
-recognition
-containment
-recovery
-follow up |
|
CISO-
|
chief information security officer- independent of IS functions; integrates physical and information security; works closely with security builder and is involved in PO (planning and organizing)
|
|
patch management, patch, exploits, script kiddie
|
regularly applying patches and updates to all software to avoid exploits
-patch- code that fixes vulnerabilities in software
-exploit- set of instructions for taking advantage of a vulnerability
-script kiddies- run exploits written by others |
|
controls to satisfy confidentiality principle
|
encryption (VPNs), access controls, training of employees
|
|
VPN
|
virtual private network- functionality of a private network but on the internet; encrypt info while being sent over internet which creates private communication channels (tunnels)
|
|
Cookie
|
text file created and stored on visitor's hard drive - info about what was done on website- thought to violate privacy
|
|
groups of application controls
|
input, processing, output
|
|
field check
|
if characters in a field are the proper type
|
|
sign check
|
if data in a field have appropriate arithmetic sign
|
|
limit check
|
tests numerical amounts to see if they exceed a certain amount
|
|
range check
|
like a limit check but with upper and lower limits
|
|
size check
|
ensures data will fit into an assigned field
|
|
completeness check
|
all required data are entered
|
|
validity check
|
compare ID code/account number in transaction data to a master file to make sure it is a valid customer
|
|
reasonableness test
|
make sure there is a logical relationship between 2 data items
|
|
check digit verification
|
ID number includes a check digit that is computed using the other digits- if error is made in the regular digits, the check digit won't calculate correctly
|
|
batch processing controls
|
sequence check, error log, batch totals
|
|
sequence check
|
test if a batch of input data are in proper sequence (same as master file)
|
|
error log
|
info about data input/processing errors to be reviewed and corrected
|
|
batch totals and types
|
summarize key values for a batch of input records
-financial totals- sums fields w/ dollar values
-hash total- sums a non-financial numeric field
-record count- number of records in a batch |
|
online data entry controls
|
prompting, preformatting, closed loop verification, transaction log, error messages
|
|
prompting
|
system requests each input item and waits for the appropriate response
|
|
preformatting
|
display document with highlighted blanks
|
|
closed loop verification
|
check data accuracy by using it to retrieve other info
|
|
transaction log
|
detailed record of all transaction data
|
|
processing controls
|
data matching (invoice, PO, RR), file labels, recalculate batch totals, crossfooting balance test, zero balance test, write protect info, processing integrity procedures
|
|
internal label parts
|
header record- located at beginning of file; name, date, other ID data
trailer record- end of file; contains batch totals calculated at input |
|
transposition error and how to detect
|
2 adjacent digits reversed; detect via recalculating batch totals
|
|
crossfooting balance test
|
compare results of totals found in 2 different ways to verify accuracy
|
|
concurrent update controls
|
protect records from errors that occur when 2 or more users attempt to update the same record simultaneously
|
|
output controls
|
review output, reconciliation, data transmission controls
|
|
data transmission controls
|
parity checking and message acknowledgment techniques
|
|
parity check and parity bit
|
checks that each character has the proper number of 1 bits, so a lost bit is detected
parity bit- extra bit added to every character to detect lost bits |
|
echo test
|
receiving unit calculates summary of statistics about message and sends back to see if it matches what the sending unit calculated
|
|
trailer record
|
where sending unit stores control totals and receiving uses to make sure the whole message was received
|
|
availability objectives
|
minimize risk of downtime (via preventative maintenance), disaster recovery and business continuity planning
|
|
how to minimize risk of system downtime
|
fault tolerance, UPS
|
|
fault tolerance
|
use redundant components (dual processors, multiple hard drives, etc) to enable the system to keep functioning if a component fails
|
|
UPS
|
uninterruptible power supply- provides protection in event of prolonged power outage (via battery)
|
|
components of data recovery
|
data backup procedures, infrastructure replacement, documentation, testing
|
|
backup and restoration
|
-exact copy of most current version of a database, file, or program
-process of installing the backup for use |
|
types of backup
|
full backup- entire database
partial backups:
-incremental backup- copy only data items that have changed since the last partial backup
-differential backup- copy all changes since the last full backup (longer, but simpler restoration) |
|
RPO
|
recovery point objective- maximum length of time the organization is willing to risk the possible loss of transaction data
|
|
real time monitoring
|
2 copies of database are kept at 2 separate data centers updated in real time; expensive
|
|
checkpoint
|
point at which a temporary copy of a database is made
|
|
archive
|
copy of a database, master file, software that will be retained indefinitely as a historical record
|
|
disk vs tape
|
first store on disk, then transfer to tape
disk- faster, less easy to lose
tape- cheaper, easier to transport, more durable |
|
RTO
|
recovery time objective- time following a disaster by which the organization's info system must be available again
|
|
reciprocal agreement
|
use another organization's info system resources
|
|
cold site
|
empty building that is prewired and a contract with vendors to get new equip if a disaster happens
|
|
hot site
|
prewired and already has office equipment to use in case of disaster
|
|
IT governance
|
process of overseeing and managing IT concerns; helps assess if org is aligning IT with enterprise, managing IT resources responsibly, recognizing IT opportunities
|
|
how IT governance has changed
|
from ad hoc (as long as it works, doesn't matter how it's built) to formal IT governance structures for a solution
|
|
who is responsible for IT governance
|
shareholders (represented by BOD) and executive management
|
|
IP datagram
|
data packet that conforms to the IP spec
|