119 Cards in this Set
Front: Back
threat: any potential adverse occurrence or unwanted event that could be injurious to either the AIS or the organization

exposure/impact: the potential dollar loss should a particular threat become a reality

likelihood: the probability that a threat will happen

internal control: the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that control objectives are achieved

preventive control: deters problems before they arise

detective control: needed to discover problems as soon as they arise

corrective control: remedies problems that have been discovered

general control: designed to make sure an organization’s control environment is stable and well managed

application control: prevents, detects, and corrects transaction errors and fraud

Foreign Corrupt Practices Act: the primary purpose is to prevent the bribery of foreign officials in order to obtain business

Sarbanes-Oxley Act (SOX): intended to prevent financial statement fraud

Public Company Accounting Oversight Board (PCAOB): created to control the auditing profession
belief system: communicates company core values to employees and inspires them to live by them

boundary system: helps employees act ethically by setting limits beyond which an employee must not pass

diagnostic control system: measures company progress by comparing actual performance to planned performance

interactive control system: helps top-level managers with high-level activities that demand frequent and regular attention

Control Objectives for Information and Related Technology (COBIT): a framework of generally applicable information systems security and control practices for IT control

Committee of Sponsoring Organizations (COSO): a private-sector group consisting of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives

Internal Control--Integrated Framework: issued by COSO; defines internal controls and provides guidance for evaluating and enhancing internal control systems

Enterprise Risk Management--Integrated Framework (ERM): expands on the elements of the internal control integrated framework and provides an all-encompassing focus on the broader subject of enterprise risk management

strategic objective: high-level goals that are aligned with and support the company’s mission

operations objective: deals with the effectiveness and efficiency of company operations, such as performance and profitability goals and safeguarding assets

reporting objective: helps ensure the accuracy, completeness, and reliability of internal and external company reports, of both a financial and nonfinancial nature; improves decision making and monitors company activities and performance more efficiently

compliance objective: helps the company comply with all applicable laws and regulations
internal environment: influences how organizations establish strategies and objectives, structure business activities, and identify/assess/respond to risk

risk appetite: the amount of risk a company is willing to accept in order to achieve its goals

audit committee: composed of outside independent directors; responsible for overseeing the corporation’s internal control structure and financial reporting process

policy and procedures manual: explains proper business practices, describes the knowledge and experience needed by key personnel, spells out management policy for handling specific transactions, and documents the systems/procedures employed to process those transactions

background check: includes verifying educational and work experience, talking to references, checking for a criminal record, and checking credit records

event: an incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives; events represent uncertainty

inherent risk: the risk that exists before management takes any steps to control the likelihood or impact of a risk

residual risk: the risk that remains after management implements internal controls

expected loss: expected loss = impact × likelihood

control activities: policies, procedures, and rules that provide reasonable assurance that management’s control objectives are met and risk responses are carried out

authorization: empowerment of employees to follow established policies

digital signature: signing a document with a piece of data that cannot be forged
specific authorization: management review and approval required for certain things

general authorization: employees are authorized to handle routine transactions without special approval

segregation of accounting duties: achieved when authorization, recording, and custody are separated

collusion: two or more people working together to override the preventive aspect of the internal control system

segregation of systems duties: control procedures implemented to divide authority and responsibility

systems administrator: responsible for ensuring that the different parts of an information system operate smoothly and efficiently

network manager: ensures that all applicable devices are linked to the organization’s internal and external networks and that the networks operate continuously and properly

security management: ensures that all aspects of the system are secure and protected from all internal and external threats

systems analyst: helps users determine their information needs and then designs an information system to meet those needs

programmer: takes the design provided by systems analysts and creates an information system by writing computer programs

computer operator: runs the software on the company’s computers and ensures that data are input properly

information system library: a separate storage area of corporate databases, files, and programs
data control group: ensures that source data have been properly approved, monitors the flow of work through the computer, maintains a record of input errors, and distributes systems output

strategic master plan: shows the projects that must be completed to achieve long-range company goals and addresses the company’s hardware, software, personnel, and infrastructure requirements

project development plan: shows how a project will be completed

project milestone: significant points when progress is reviewed and actual and estimated completion times are compared

performance evaluation: evaluation made of team members as each project is completed

data processing schedule: the schedule by which data processing tasks are organized

steering committee: formed to guide and oversee systems development

system performance measurements: the measures by which a system is evaluated (throughput, utilization, and response time)

throughput: output per unit of time

utilization: percentage of time the system is productively used

response time: how long it takes the system to respond

post-implementation review: performed after a development project is completed to determine if the anticipated benefits were achieved
systems integrator: a vendor who uses common standards and manages a cooperative systems development effort involving its own development personnel and those of the client and other vendors

change management: the process of making sure changes do not negatively affect systems reliability, security, confidentiality, integrity, and availability

analytical review: an examination of the relationships between different sets of data

audit trail: exists when individual company transactions can be traced through the system from where they originate to where they end up on financial statements

computer security officer (CSO): in charge of AIS security; should be independent of the information system function and report to the COO or CEO

chief compliance officer (CCO): handles all compliance issues

forensic accountant: specializes in fraud detection and investigation

computer forensics specialists: discover, extract, safeguard, and document computer evidence such that its authenticity will not succumb to legal challenges

neural network: programs that mimic the brain and have learning capabilities

fraud hot line: an effective way to comply with the law and anonymously report fraud

time-based model of security: focuses on the relationship between preventive, detective, and corrective controls

defense-in-depth: employs multiple layers of controls in order to avoid having a single point of failure
authentication: focuses on verifying the identity of the person or device attempting to access the system

biometric identifier: some physical characteristic used to authenticate a user (e.g., a fingerprint)

multifactor authentication: the use of two or all three methods of authentication in conjunction

authorization: restricts access of authenticated users to specific portions of the system and specifies what actions they are permitted to perform

access control matrix: a table specifying which portions of the system users are permitted to access and what actions they can perform

compatibility test: matches a user’s authentication credentials against the access control matrix to determine whether that employee should be allowed access

social engineering: attacks that use deception to obtain unauthorized access to information resources

border router: connects an organization’s information system to the Internet

firewall: either a special-purpose hardware device or software running on a general-purpose computer

demilitarized zone (DMZ): a separate network that permits controlled access from the Internet to selected resources

Transmission Control Protocol (TCP): specifies the procedures for dividing files and documents into packets to be sent over the Internet and the methods for reassembly of the original document or file at the destination

Internet Protocol (IP): specifies the structure of the previously mentioned packets and how to route them to the proper destination
routers: special-purpose devices designed to read the destination address fields in IP packet headers to decide where to send the packet next

access control list (ACL): a set of rules that determine which packets are allowed entry and which are dropped

static packet filtering: screens individual IP packets based solely on the contents of the source and/or destination fields in the IP packet header

stateful packet filtering: maintains a table that lists all established connections between the organization’s computers and the Internet

deep packet inspection: a firewall’s examination of the data in the body of an IP packet to provide more effective access control

intrusion prevention systems (IPS): designed to identify and drop packets that are part of an attack

Remote Authentication Dial-In User Service (RADIUS): a standard method used to verify the identity of users attempting to obtain dial-in access to the network

war dialing: a periodic check for the existence of rogue (unauthorized) modems, done by calling every telephone number assigned to the organization to identify those that are connected to modems

hosts: workstations, servers, printers, and other devices

vulnerabilities: flaws that can be exploited to either crash the system or take control of it

hardening: the process of turning off unnecessary features

encryption: the process of transforming plaintext into ciphertext
plaintext: normal text

ciphertext: unreadable gibberish text

decryption: the reverse process of encryption

key escrow: a process that involves making copies of all encryption keys used by employees and storing the copies securely

symmetric encryption systems: use the same key both to encrypt and decrypt

asymmetric encryption systems: use two keys to encrypt and decrypt

public key: widely distributed and available to everyone

private key: kept secret and known only to the owner of that pair of keys

hashing: a process that takes plaintext of any length and transforms it into a hash

hash: a short code

digital signature: information encrypted with the creator’s private key

digital certificate: an electronic document that certifies the identity of the owner of a particular public key
public key infrastructure (PKI): processes used to issue and manage asymmetric keys and digital certificates

certificate authority: the organization that issues public and private keys and records the public key in a digital certificate

e-signature: a cursive-style imprint of a person’s name applied to an electronic document

log analysis: the process of examining logs to monitor security

intrusion detection systems (IDS): create logs of network traffic that was permitted to pass the firewall and then analyze those logs for signs of attempted or successful intrusions

vulnerability scans: use automated tools designed to identify whether a given system possesses any well-known vulnerabilities

penetration test: an authorized attempt to break into the organization’s information system

computer emergency response team (CERT): responsible for dealing with major security incidents; leads through the four steps of Recognition, Containment, Recovery, and Follow-Up

exploit: the set of instructions for taking advantage of a vulnerability

patch: code released by software developers that fixes a particular vulnerability

patch management: the process for regularly applying patches and updates to all software used by the organization