Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
57 Cards in this Set
- Front
- Back
|
exposure/impact
|
the potential dollar loss should a particular threat become a reality
|
|
|
internal control
|
the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that control objectives are achieved
|
|
|
preventive control
|
deter problems before they arise
|
|
|
detective control
|
needed to discover problems as soon as they arise
|
|
|
corrective control
|
remedy problems that have been discovered
|
|
|
general control
|
designed to make sure an organization’s control environment is stable and well managed
|
|
|
application control
|
prevent, detect, and correct transaction errors and fraud
|
|
|
Foreign Corrupt Practices Act
|
the primary purpose is to prevent the bribery of foreign officials in order to obtain business
|
|
|
Sarbanes-Oxley Act (SOX)
|
intended to prevent financial statement fraud
|
|
|
Public Company Accounting Oversight Board (PCAOB)
|
created to control the auditing profession
|
|
|
diagnostic control system
|
measures company progress by comparing actual performance to planned performance
|
|
|
Control Objectives for Information and Related Technology (COBIT)
|
a framework of generally applicable information systems security and control practices for IT control
|
|
|
Committee of Sponsoring Organizations (COSO)
|
a private-sector group consisting of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives
|
|
|
Enterprise Risk Management--Integrated Framework (ERM)
|
expands on the elements of the internal control integrated framework and provides an all-encompassing focus on the broader subject of enterprise risk management
|
|
|
internal environment
|
influences how organizations establish strategies and objectives, structure business activities, and identify/assess/respond to risk
|
|
|
audit committee
|
composed of outside independent directors; responsible for overseeing the corporation’s internal control structure and financial reporting process
|
|
|
residual risk
|
the risk that remains after management implements internal controls
|
|
|
control activities
|
policies, procedures, and rules that provide reasonable assurance that management’s control objectives are met and risk responses are carried out
|
|
|
digital signature
|
signing a document with a piece of data that cannot be forged
|
|
|
segregation of accounting duties
|
achieved when authorization, recording, and custody are separated
|
|
|
collusion
|
two or more people working together to override the preventive aspect of the internal control system
|
|
|
segregation of systems duties
|
control procedures implemented to divide authority and responsibility
|
|
|
data control group
|
ensures that source data have been properly approved, monitors the flow of work through the computer, maintains a record of input errors, and distributes systems output
|
|
|
response time
|
how long it takes the system to respond
|
|
|
audit trail
|
exists when individual company transactions can be traced through the system from where they originate to where they end up on financial statements
|
|
|
time-based model of security
|
focuses on the relationship between preventive, detective, and corrective controls
|
|
|
defense-in-depth
|
employs multiple layers of controls in order to avoid having a single point of failure
|
|
|
authentication
|
focuses on verifying the identity of the person or device attempting to access the system
|
|
|
access control matrix
|
a table specifying which portions of the system users are permitted to access and what actions they can perform
|
|
|
social engineering
|
attacks that use deception to obtain unauthorized access to information resources
|
|
|
firewall
|
is either a special-purpose hardware device or software running on a general-purpose computer
|
|
|
demilitarized zone (DMZ)
|
a separate network that permits controlled access from the Internet to selected resources
|
|
|
Transmission Control Protocol (TCP)
|
specifies the procedures for dividing files and documents into packets to be sent over the Internet and the methods for reassembly of the original document or file at the destination
|
|
|
Internet Protocol (IP)
|
specifies the structure of previously mentioned packets and how to route them to the proper destination
|
|
|
access control list (ACL)
|
a set of rules that determine which packets are allowed entry and which are dropped
|
|
|
static packet filtering
|
screens individual IP packets based solely on the contents of the source and/or destination fields in the IP packet header
|
|
|
stateful packet filtering
|
maintains a table that lists all established connections between the organization's computers and the Internet
|
|
|
intrusion prevention systems (IPS)
|
designed to identify and drop packets that are part of an attack
|
|
|
vulnerabilities
|
flaws that can be exploited to either crash the system or take control of it
|
|
|
encryption
|
the process of transforming plaintext into ciphertext
|
|
|
decryption
|
the reverse process of encryption
|
|
|
key escrow
|
a process which involves making copies of all encryption keys used by employees and storing the copies securely
|
|
|
symmetric encryption systems
|
use the same key both to encrypt and decrypt
|
|
|
asymmetric encryption systems
|
use two keys to encrypt and decrypt
|
|
|
public key
|
widely distributed and available to everyone
|
|
|
private key
|
kept secret and known only to the owner of that pair of keys
|
|
|
hashing
|
a process that takes plaintext of any length and transforms it into a hash
|
|
|
digital signature
|
information encrypted with the creator's private key
|
|
|
digital certificate
|
an electronic document that certifies the identity of the owner of a particular public key
|
|
|
public key infrastructure (PKI)
|
processes used to issue and manage asymmetric keys and digital certificates
|
|
|
certificate authority
|
the organization that issues public and private keys and records the public key in a digital certificate
|
|
|
intrusion detection systems (IDS)
|
create logs of network traffic that was permitted to pass the firewall and then analyze those logs for signs of attempted or successful intrusions
|
|
|
vulnerability scans
|
use automated tools designed to identify whether a given system possesses any well-known vulnerabilities
|
|
|
computer emergency response team (CERT)
|
responsible for dealing with major security incidents; leads through the 4 steps of Recognition, Containment, Recovery, and Follow-Up
|
|
|
exploit
|
the set of instructions for taking advantage of a vulnerability
|
|
|
patch
|
code released by software developers that fixes a particular vulnerability
|
|
|
patch management
|
the process for regularly applying patches and updates to all software used by the organization
|
