Term
| lapping
Definition
| a fraud in which later payments on account are used to cover earlier payments that were stolen
|
|
Term
| fraudulent financial reporting |
|
Definition
| associated with as many as 50% of all lawsuits against auditors |
|
|
Term
|
Definition
| a fraud scheme involving bank transfers |
|
|
Term
| Ponzi scheme
Definition
| type of investment fraud in which money from new investors is used to pay off earlier investors |
|
|
Term
| pressure, opportunity, rationalization |
|
Definition
| conditions usually necessary for a fraud to occur |
|
|
Term
| virus
Definition
| damages systems using a segment of executable code that attaches itself to software, replicates itself, and spreads to other systems or files |
|
|
Term
| worm
Definition
| a stand-alone program (not a code segment hidden in a host program, as a virus is) that copies itself and actively transmits itself directly to other systems
|
|
Term
| trap door (back door)
Definition
| entering a system through a back door that bypasses normal system controls
|
|
Term
| Trojan horse
Definition
| placing unauthorized computer instructions, such as fraudulently increasing an employee's pay, in an authorized and properly functioning program |
|
|
Term
|
Definition
| computer fraud technique that |
|
|
Term
| strategic, compliance, reporting, operations |
|
Definition
| COSO specified types of objectives that management must meet to achieve company goals (in ERM model) |
|
|
Term
| strategic objectives
Definition
| objectives that are high level goals aligned with the company's mission |
|
|
Term
| compliance objectives
Definition
| help the company comply with all applicable laws and regulations |
|
|
Term
| reporting objectives
Definition
| help the company ensure the accuracy, completeness, and reliability of internal and external reports |
|
|
Term
| operations objectives
Definition
| deal with the effectiveness and efficiency of operations |
|
|
Term
| authorization, recording, custody |
|
Definition
| accounting related functions that must be segregated |
|
|
Term
| Misappropriation of assets |
|
Definition
| is the theft, embezzlement, or misuse of company assets for personal gain (e.g. billing schemes, check tampering, skimming, and theft of inventory). |
|
|
Term
| corruption
Definition
| the wrongful use of a position to gain personal benefit (e.g. kickback schemes and conflict of interest schemes). |
|
|
Term
| Financial statement fraud |
|
Definition
| misrepresenting the financial condition of an entity by intentionally altering amounts or disclosures with the goal of influencing the financial statement users to make decisions they may not otherwise make given the true financial condition of the company. Financial statements can be misstated as a result of intentional efforts to deceive or as a result of undetected asset misappropriations that are so large that they cause misstatement. |
|
|
Term
| Treadway Commission Recommendations |
|
Definition
| What guidance do accountants and auditors have with regard to fraud? |
|
|
Term
| Denial of service attacks |
|
Definition
| attacks that flood a system or network with so many requests that it can no longer serve legitimate users
|
Term
| phishing
Definition
| sending fake emails that trick recipients into revealing useful information
|
|
Term
| Email forgery (aka, spoofing) |
|
Definition
| an email made to look as if it came from someone else
|
|
Term
| hijacking
Definition
| gaining control of someone else's computer to carry out illicit activities
|
|
Term
| logic bomb
Definition
| malicious code that lies dormant until a specified event or time triggers it
|
|
Term
| password cracking
Definition
| extracting user names and passwords from a system, typically by recovering them from stored password data
|
|
Term
| piggybacking
Definition
| tapping into a telecommunications line to latch onto a legitimate user's session
|
|
Term
| social engineering
Definition
| tricking an employee into giving the attacker access to a system
|
|
Term
| software piracy
Definition
| copying software without permission
|
|
Term
| spyware & keystroke loggers
|
Definition
| software that secretly monitors a user's computer activity
|
|
Term
| spam
Definition
| unsolicited email messages
|
|
Term
| trap door (back door)
Definition
| entering a system through a back door
|
|
Term
| Trojan horse
Definition
| unauthorized instructions hidden in an authorized, properly functioning program; unlike a virus, it does not replicate itself
|
|
Term
| bank reconciliation, top level reviews, analytical reviews, reconciling two independently maintained sets of records, comparisons of actual quantities with recorded amounts, double entry acct, and independent reviews, trial balance, periodic comparison of sub ledger totals to control accts |
|
Definition
| methods of internal independent checks |
|
|
Term
| identify threats, estimate risk and exposure, identify controls, and estimate costs and benefits |
|
Definition
| correct order of the risk assessment steps |
|
|
Term
| preventive control
Definition
| firewalls would be what type of control? |
|
|
Term
| filtering which packets are allowed to enter and leave a system |
|
Definition
| how are firewalls designed to prevent problems? |
|
|
Term
| authentication
Definition
| process of verifying a user's identity |
|
|
Term
| authorization
Definition
| process of controlling what actions a user is permitted to perform |
|
|
Term
|
Definition
| an authorization control to limit what actions an authenticated user can perform |
|
|
Term
| intrusion detection system (IDS)
Definition
| a detective control that identifies when an attack has occurred |
|
|
Term
| vulnerability
Definition
| a weakness that an attacker can take advantage of to either disable or take control of a system |
|
|
Term
| exploit
Definition
| the code for taking advantage of a weakness |
|
|
Term
| patch
Definition
| code designed to fix a weakness |
|
|
Term
| asymmetric encryption
Definition
| involves the creation and use of a pair of public and private keys |
|
|
Term
| symmetric encryption
Definition
| uses the same secret key to both encrypt and decrypt
|
|
Term
| key escrow
Definition
| involves storing a copy of the encryption key in a safe location |
|
|
Term
| preventive control
Definition
| Training would be what type of control |
|
|
Term
| detective control
Definition
| penetration testing would be what kind of control |
|
|
Term
| penetration testing
Definition
| detective control designed to identify weaknesses |
|
|
Term
| training
Definition
| enhances the effectiveness of security procedures and increases the likelihood that users will comply with security policies |
|
|
Term
| preventive control
Definition
| compatibility test would be what type of control |
|
|
Term
| compatibility test
Definition
| an authorization control that uses an access control matrix to determine what actions an authenticated user is allowed to perform
|
|
Term
| preventive control
Definition
| biometric tools like fingerprint readers are what type of control |
|
|
Term
| fingerprint reader/biometrics |
|
Definition
| authentication control used to verify the identity of someone attempting to access the system
|
|
Term
| encryption
Definition
| a preventive control that preserves the confidentiality of sensitive information |
|
|
Term
| preventive control
Definition
| encryption would be what type of control |
|
|
Term
| log analysis
Definition
| detective control that can be used to identify unauthorized actions taken by users
|
|
Term
| detective control
Definition
| log analysis would be what type of control |
|
|
Term
| patch management
Definition
| the process of applying vendor supplied code to correct existing vulnerabilities |
|
|
Term
| hardening
Definition
| modifying default configurations to improve security |
|
|
Term
| war dialing
Definition
| process used to identify modems |
|
|
Term
| forms design
Definition
| sequentially prenumbering source documents and using turnaround documents |
|
|
Term
| turnaround document
Definition
| a record of company data sent to an external party and then returned by the external party to the system as input |
|
|
Term
| cancellation of documents |
|
Definition
| stamp paid, or "canceled" for electronic documents; NOT disposal |
|
|
Term
| forms design, cancellation and storage of documents, authorization & segregation of duties, visual scanning
|
Definition
| input controls for processing integrity |
|
|
Term
| visual scanning
Definition
| scan source documents for reasonableness and propriety before entering into the system |
|
|
Term
| field check
Definition
| determines if the characters in a field are of the proper type
|
|
Term
| sign check
Definition
| determines if the data in a field have the appropriate arithmetic sign
|
|
Term
| limit check
Definition
| tests a numerical amount to ensure that it doesn't exceed a predetermined value
|
|
Term
| range check
Definition
| similar to a limit check except that it has both upper and lower limits
|
|
Term
| size check
Definition
| ensures that the input data will fit into the assigned field |
|
|
Term
| completeness check
Definition
| determines if all required data items have been entered |
|
|
Term
| validity check
Definition
| compares the ID code or account number in transaction data with similar data in the master file to verify that the account exists
|
|
Term
| reasonableness test
Definition
| determines the correctness of the logical relationship between two data items |
|
|
Term
| prompting
Definition
| ensures all necessary data are entered; system requests each input data item and waits for an acceptable response |
|
|
Term
| preformatting
Definition
| system displays a document with highlighted blank spaces and waits for the data to be entered |
|
|
Term
| closed-loop verification
Definition
| checks the accuracy of input data by using it to retrieve and display other related information
|
|
Term
| error messages
Definition
| indicate when an error has occurred, which item is in error, and what the operator should do to correct it |
|
|
Term
| transaction log
Definition
| includes a detailed record of all transaction data; a unique transaction identifier; date and time; sequence |
|
|
Term
| internal environment
Definition
| most important component of ERM |
|
|
Term
| management philosophy, operating style and risk appetite; the board of directors; commitment to integrity, ethical values, and competence; organizational structure; methods of assigning authority and responsibility; human resource standards; external influences
|
Definition
| 7 components of internal environment |
|
|
Term
| internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, monitoring
|
Definition
| 8 components of the COSO ERM framework
|
Term
| proper authorization; segregation of duties; project development and acquisition controls; change management controls; design and use of documents and records; safeguarding assets, records and data; independent checks on performance
|
Definition
| control activities of COSO
|
Term
| share (e.g., buy insurance)
Definition
| risk response to high impact low probability |
|
|
Term
| accept
Definition
| risk response to low impact low probability |
|
|
Term
| avoid
Definition
| risk response to high probability high impact |
|
|
Term
| reduce (implement internal controls)
Definition
| risk response to high probability low impact |
|
|
Term
| more proactive, risk based approached with a future oriented focus; incorporates IC but adds additional components |
|
Definition
| differences in new ERM model compared to COSO internal control model |
|
|
Term
| security, confidentiality, privacy, processing integrity, availability
|
Definition
| 5 principles of systems reliability (Trust Services framework)
|
|
Term
| P > D + C
Definition
| time-based model of security: preventive controls are adequate when the time needed to break through them (P) exceeds the time to detect the attack (D) plus the time to respond and correct it (C)
|
|
Term
| the time for an attacker to break the preventative controls |
|
Definition
| P in the time-based model of security
|
Term
| the time for the company to detect that an attack has occurred
|
Definition
| D in the time-based model of security
|
Term
| the time for company to respond and correct the effects of the attack |
|
Definition
| C in the time-based model of security
|
Term
| something the user knows, something the user has, or a physical characteristic of the user (biometric)
|
Definition
| three types of authentication credentials
|
Term
| using position/influence to get personal gain (kickbacks, bribes) |
|
Definition
| corruption
|
Term
| commit, conceal, convert
Definition
| aspects of the opportunity leg of the fraud triangle (the perpetrator must be able to commit the fraud, conceal it, and convert the proceeds to personal gain)
|
|
Term
| opportunity
Definition
| the only leg of the fraud triangle the company can directly control
|
|
Term
| opportunity, rationalization, pressure |
|
Definition
| the fraud triangle
|
Term
| attitude, justification, lack of personal integrity |
|
Definition
| aspects of the rationalization leg of the fraud triangle
|
|
Term
| financial, lifestyle, emotional |
|
Definition
| aspects of the pressure leg of the fraud triangle
|
|
Term
| swiftness, certainty, severity |
|
Definition
| aspects important to making punishment effective |
|
|
Term
|
Definition
| unauthorized access to a system |
|
|
Term
|
Definition
| theft of data/confidentiality issue |
|
|
Term
|
Definition
| most complicated restoration |
|
|
Term
|
Definition
| when a person pretends to be a friend to get information they need |
|
|
Term
|
Definition
| email that looks like it is from a legitimate source |
|
|
Term
| PCAOB (public company accounting oversight board) in charge of auditors |
|
Definition
|
|
Term
| how to audit internal controls, how transactions are initiated, processed, and recorded; risk assessment |
|
Definition
|
|
Term
| the control is actually working and mitigating the risk it is supposed to mitigate
|
Definition
| operating effectiveness (of an internal control)
|
Term
| design effectiveness
Definition
| whether a control, if it operates as designed, would actually prevent or detect the misstatement it is meant to address
|
|
Term
| material weakness
Definition
| a deficiency that the controls do not prevent or detect and that could let a misstatement through large enough to materially misstate the financial statements and change the mind of a reasonable investor
|
|
Term
| Treadway Commission
Definition
| The committee of sponsoring organizations was created by what commission |
|
|
Term
| COSO internal control integrated framework
Definition
| internal control framework created that is used as a benchmark to assess controls |
|
|
Term
| COSO
Definition
| the standard in the US for assessing controls |
|
|
Term
| internal/external audits, fraud consultants, systems consultants, employee fraud hot lines |
|
Definition
|
|
Term
|
Definition
| back up each day's work on each day |
|
|
Term
| recording, authorization, custody, and reconciliation |
|
Definition
| separation of accounting duties |
|
|
Term
| prenumbering, place for authorization/signatures, dates, company names/IDs/address, amounts, quantity, description, price, completeness check, salesperson |
|
Definition
| tools for proper design and use of documents and records |
|
|
Term
| double counting, run reports, reconciliations |
|
Definition
| examples of independent checks on performance |
|
|
Term
| internal control
Definition
| process implemented by management and the board to achieve our control objectives |
|
|
Term
| management, notice, choice and consent, collection, use and retention, access, disclosure to third parties, security, quality, monitoring and enforcement |
|
Definition
| trust services privacy framework-10 best standards |
|
|
Term
| management
Definition
| establish policies and procedures to protect privacy of personal information collected; assign responsibility to a particular person or group |
|
|
Term
| notice
Definition
| notify individuals when their information is collected |
|
|
Term
| choice and consent
Definition
| give customers a choice to opt out or opt in to the collection of their personal information
|
|
Term
| collection
Definition
| means collect only what is needed |
|
|
Term
| use and retention
Definition
| means retain only as long as needed |
|
|
Term
| access
Definition
| allow customers to access, review, and delete their information |
|
|
Term
| disclosure to third parties
|
Definition
| provide to third parties only per policy and require the same protection
|
|
Term
| security
Definition
| take reasonable steps to protect the information from loss or unauthorized disclosure |
|
|
Term
| quality
Definition
| maintain the integrity of the information |
|
|
Term
| monitoring and enforcement |
|
Definition
| assign someone (possibly a third party) to assure and verify compliance with the privacy policies
|
|
Term
| hacking
Definition
| unauthorized access to and use of computer systems, usually by means of a personal computer and a telecommunications network
|
|
Term
| hijacking
Definition
| gaining control of someone else’s computer to carry out illicit activities without the user’s knowledge |
|
|
Term
| spamming
Definition
| emailing or text messaging the same unsolicited message to many people at the same time, often in an attempt to reach potential customers to sell them something
|
|
Term
| data diddling
Definition
| change data before, during, or after it is entered into the system to delete, alter, add, or incorrectly update key system data |
|
|
Term
| data leakage
Definition
| unauthorized copying of company data |
|
|
Term
| patch management
Definition
| process for regularly applying patches and updates to all software used by the organization
|
|
Term
| log analysis
Definition
| process of examining logs to monitor security (leave audit trail) |
|
|
Term
| detective control
Definition
| log analysis is what type of control |
|
|
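Log analysis only works as a detective control if someone (or something) actually reads the logs with a question in mind. The following Python script is an added example, not part of the flashcard deck: it parses a handful of constructed, syslog-style login records (an assumed format, not a real log) and flags a user/source pair with five or more failed logins inside a five-minute window, noting whether a successful login followed, which is the pattern that distinguishes a noisy typo from a likely compromised account. The thresholds are assumptions and should be tuned to the environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed "auth: LOGIN OK|FAIL user=... src=..." layout).
SAMPLE_LOG = """\
2024-03-01T08:00:01 auth: LOGIN FAIL user=jdoe src=10.0.0.5
2024-03-01T08:00:03 auth: LOGIN FAIL user=jdoe src=10.0.0.5
2024-03-01T08:00:04 auth: LOGIN FAIL user=jdoe src=10.0.0.5
2024-03-01T08:00:06 auth: LOGIN FAIL user=jdoe src=10.0.0.5
2024-03-01T08:00:07 auth: LOGIN FAIL user=jdoe src=10.0.0.5
2024-03-01T08:00:09 auth: LOGIN OK user=jdoe src=10.0.0.5
2024-03-01T08:15:00 auth: LOGIN OK user=asmith src=10.0.0.9
2024-03-01T09:00:00 auth: LOGIN FAIL user=asmith src=10.0.0.9
2024-03-01T10:00:00 auth: LOGIN OK user=asmith src=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: LOGIN (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Turn raw log lines into (timestamp, result, user, src) tuples.
    Lines that do not match the expected layout are skipped; in production
    count and review them, since an attacker may try to break the parser."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag each (user, src) pair with at least `threshold` failures inside `window`.
    `success_after` records whether a LOGIN OK occurred within the window after the
    first failure of the burst, i.e. whether the guessing may have succeeded."""
    by_key = defaultdict(list)
    for ts, result, user, src in sorted(events):
        by_key[(user, src)].append((ts, result))

    findings = []
    for (user, src), evs in by_key.items():
        fails = [ts for ts, r in evs if r == "FAIL"]
        for i in range(len(fails) - threshold + 1):
            start = fails[i]
            if fails[i + threshold - 1] - start <= window:
                success = any(r == "OK" and start <= ts <= start + window for ts, r in evs)
                findings.append({"user": user, "src": src, "first_fail": start,
                                 "success_after": success})
                break  # one finding per pair is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect_bruteforce(parse(SAMPLE_LOG.splitlines())):
        print(f)  # jdoe from 10.0.0.5: 5 failures then success -> investigate
```

The same loop generalizes to any event type the organization logs (privilege changes, file access, firewall denies); what makes it a detective control is the defined threshold, the scheduled run, and a person who acts on the findings.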
Term
| Intrusion detection systems |
|
Definition
| create logs of network traffic that was permitted to pass the firewall and then analyze those logs for signs of attempted or successful intrusions |
|
|
Term
| vulnerability scans and penetration test |
|
Definition
| two types of security testing as a detective control |
|
|
Term
| vulnerability scan
Definition
| use automated tools designed to identify whether a given system possesses any well known vulnerabilities |
|
|
Term
| penetration test
Definition
| an authorized attempt by either an internal audit team or an external security consulting firm to break into the organization’s information system |
|
|
Term
| computer emergency response team (CERT)
|
Definition
| technical specialists and senior operations management |
|
|
Term
| corrective control
Definition
| Cert would be what type of control |
|
|
Term
| design, implement, and promote sound security policies and procedures; corrective control
|
Definition
| the chief information security officer (CISO) plays what role, and in what type of control?
|
|
Term
| security, confidentiality, privacy, processing integrity, availability |
|
Definition
| Five fundamental principles that contribute to the overall objective of systems reliability: |
|
|
Term
| authentication
Definition
| focuses on verifying the identity of the person or device attempting to access the system; ensures that only legitimate users can access the system
|
|
Term
| passwords, tokens, biometrics, MAC addresses
|
Definition
| tools used for authentication
|
|
Term
| authorization
Definition
| restricts access of authenticated users to specific portions of the system and specifies what actions they are permitted to perform |
|
|
Term
| compatibility test, access control matrix
|
Definition
| authorization controls
|
Term
| access control matrix
Definition
| a table specifying which portions of the system users are permitted to access and what actions they can perform |
|
|
Term
| compatibility test
Definition
| matches the user’s authentication credentials against the access control matrix to determine whether that employee should be allowed to access that resource and perform the requested action |
|
|
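The two cards above describe a table and a lookup against it. The Python below is an added example (not from the flashcard deck) of both: an access control matrix keyed by user and resource, a compatibility test that is deny-by-default and refuses unauthenticated requests, and, going one step beyond the cards, an audit pass over the matrix that flags rows violating segregation of duties (the same user allowed both to record and to approve the same data). The users, resources and permission sets are assumptions made up for the example.

```python
from dataclasses import dataclass

READ, WRITE, APPROVE = "read", "write", "approve"

# Access control matrix: rows are users, columns are resources, cells are the
# permitted actions. Anything not listed is denied. (Assumed sample data.)
ACCESS_CONTROL_MATRIX = {
    "aclerk":   {"ap_invoices": {READ, WRITE}, "vendor_master": {READ}},
    "bmanager": {"ap_invoices": {READ, APPROVE}, "vendor_master": {READ, WRITE}},
    "cauditor": {"ap_invoices": {READ}, "vendor_master": {READ}, "audit_log": {READ}},
    # Deliberately over-privileged row so the audit below has something to find.
    "dadmin":   {"ap_invoices": {READ, WRITE, APPROVE}},
}


@dataclass(frozen=True)
class Credential:
    """Outcome of the authentication step; authorization only applies afterwards."""
    user: str
    authenticated: bool


def compatibility_test(cred: Credential, resource: str, action: str) -> bool:
    """Return True only if the authenticated user's matrix row lists `action`
    for `resource`. Unknown users, unknown resources and unlisted actions all
    fail closed; an unauthenticated credential never reaches the matrix."""
    if not cred.authenticated:
        return False
    row = ACCESS_CONTROL_MATRIX.get(cred.user, {})
    return action in row.get(resource, set())


def sod_conflicts(matrix: dict) -> list:
    """Segregation-of-duties audit of the matrix itself: report every
    (user, resource) where one identity may both record (WRITE) and
    authorize (APPROVE) the same data."""
    return sorted(
        (user, resource)
        for user, row in matrix.items()
        for resource, actions in row.items()
        if {WRITE, APPROVE} <= actions
    )


if __name__ == "__main__":
    clerk = Credential("aclerk", authenticated=True)
    print(compatibility_test(clerk, "ap_invoices", WRITE))    # True
    print(compatibility_test(clerk, "ap_invoices", APPROVE))  # False: not in the row
    print(compatibility_test(Credential("aclerk", False), "ap_invoices", READ))  # False
    print(sod_conflicts(ACCESS_CONTROL_MATRIX))  # [('dadmin', 'ap_invoices')]
```

Two design points matter in practice: the test must fail closed (a missing row or cell is a denial, never an error that a caller might treat as success), and the matrix is itself a control that needs periodic review, which is what the audit function does.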
Term
| encryption
Definition
| final layer of preventive controls; the process of transforming normal text (plaintext) into unreadable gibberish (cipher text) |
|
|
Term
| billing schemes
Definition
| a company pays invoices an employee fraudulently submits to obtain payments he or she is not entitled to receive |
|
|
Term
| billing schemes
Definition
| the most expensive asset misappropriations. |
|
|
Term
| shell company schemes
Definition
| use a fake entity established by a dishonest employee to bill a company for goods or services it does not receive. The employee converts the payment to his or her own benefit. |
|
|
Term
| pass-through schemes
Definition
| use a shell company established by an employee to purchase goods or services for the employer, which are then marked up and sold to the employer through the shell. The employee converts the mark-up to his or her own benefit. |
|
|
Term
| pay-and-return schemes
Definition
| involve an employee purposely causing an overpayment to a legitimate vendor. When the vendor returns the overpayment to the company, the employee embezzles the refund. |
|
|
Term
| Personal-purchase schemes |
|
Definition
| consist of an employee’s ordering personal merchandise and charging it to the company. In some instances, the crook keeps the merchandise; other times, he or she returns it for a cash refund. |
|
|
Term
| fraud
Definition
| any and all means a person uses to gain an unfair advantage over another person. |
|
|
Term
| a false statement (oral or in writing); about a material fact; knowledge that the statement was false when made (i.e., the person must intend to deceive, not merely say something false without knowing it was false); the victim relies on the statement and therefore suffers a loss
|
Definition
| legal requirements for defining fraud are: |
|
|
Term
| misappropriation of assets
|
Definition
| the theft, embezzlement, or misuse of company assets for personal gain (e.g. billing schemes, check tampering, skimming, and theft of inventory). |
|
|
Term
| corruption
Definition
| the wrongful use of a position to gain personal benefit (e.g. kickback schemes and conflict of interest schemes). |
|
|
Term
| Financial statement fraud |
|
Definition
| misrepresenting the financial condition of an entity by intentionally altering amounts or disclosures with the goal of influencing the financial statement users to make decisions they may not otherwise make given the true financial condition of the company. Financial statements can be misstated as a result of intentional efforts to deceive or as a result of undetected asset misappropriations that are so large that they cause misstatement. |
|
|
Term
| Treadway Commission Recommendations; SAS 99 Requirements
|
Definition
| What guidance do accountants and auditors have with regard to fraud? |
|
|
Term
| auditors must: understand fraud; discuss the risks of material fraudulent misstatements; obtain information; identify, assess, and respond to risks; evaluate the results of their audit tests; communicate findings; document their audit work; incorporate a technology focus
|
Definition
| SAS 99 requirements for auditors
|
Term
| a worm is a stand-alone program, while a virus is only a segment of code hidden in a host program or executable file; a worm replicates itself automatically, while a virus requires a human to do something like open a file
|
Definition
| a worm is similar to a virus except for:
|
|
Term
| threat
Definition
| any potential adverse occurrence or unwanted event that could be injurious to either the AIS or the organization |
|
|
Term
| exposure (impact)
Definition
| The potential dollar loss should a particular threat become a reality |
|
|
Term
| likelihood
Definition
| Probability that the threat will happen |
|
|
Term
| internal control
Definition
| the process implemented by the board of directors, mgmt, and those under their direction to provide reasonable assurance the control objectives are achieved |
|
|
Term
| detective controls
Definition
| needed to discover problems as soon as they arise (bank recs, trial balances) |
|
|
Term
| corrective controls
Definition
| remedy control problems that have been discovered (backup copies) |
|
|
Term
| general controls
Definition
| designed to make sure an organization’s control environment is stable and well managed |
|
|
Term
| application controls
Definition
| prevent, detect, and correct transaction errors and fraud (concerned with accuracy, completeness, validity and authorization of data captured, entered, processed, stored, transmitted, and reported) |
|
|
Term
| applies to publicly held companies and their auditors; intended to prevent financial statement fraud, make financial reports more transparent, provide protection to investors, strengthen the internal controls at public companies, and punish executives who perpetrate fraud |
|
Definition
| some objectives of Sarbanes Oxley act |
|
|
Term
| COBIT
Definition
| Control objectives for information and related technology |
|
|
Term
| expands on the elements of the internal control integrated framework and provides an all encompassing focus on the broader subject of enterprise risk management; risk based vs. controls based; oriented toward the future and constant change |
|
Definition
| how the COSO ERM framework differs from the internal control integrated framework
|
Term
| Enterprise risk management |
|
Definition
| a process, affected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives |
|
|
Term
| risk
Definition
| The possibility that something will occur to affect adversely the company’s ability to create value or to erode existing value |
|
|
Term
| opportunity
Definition
| The possibility that something will occur to affect positively the company’s ability to create or preserve value |
|
|
Term
| strategic, operations, reporting, compliance
|
Definition
| Four types of objectives that management must meet to achieve company goals |
|
|
Term
| strategic objectives
Definition
| high level goals that are aligned with and support the company’s mission |
|
|
Term
| operations objectives
Definition
| deal with the effectiveness and efficiency of company operations, such as performance and profitability goals and safeguarding assets |
|
|
Term
| reporting objectives
Definition
| help ensure the accuracy, completeness, and reliability of internal and external company reports, of both a financial and nonfinancial nature; improve decision making and the monitoring of company activities and performance
|
|
Term
| compliance objectives
Definition
| help the company comply with all applicable laws and regulations |
|
|
Term
| internal environment, objective setting, event identification, risk assessment, risk response, control activities, monitoring, information and communication |
|
Definition
| 8 interrelated risk and control components of COSO |
|
|
Term
| internal environment
Definition
| tone or culture of company; helps determine how risk conscious employees are; foundation for all other ERM components, providing discipline and structure |
|
|
Term
| objective setting
Definition
| mgmt puts into place a process to formulate strategic, operations, reporting, and compliance objectives that support the company’s mission and that are consistent with the company’s tolerance for risk |
|
|
Term
| event identification
Definition
| requires management to identify events that may affect the company’s ability to implement its strategy and achieve its objectives; determine if events are risks or opportunities |
|
|
Term
| risk assessment
Definition
| how to manage risks; how risks affect company’s ability to achieve objectives |
|
|
Term
| risk response
Definition
| management can choose to avoid, reduce, share, or accept risks |
|
|
Term
| internal environment
Definition
| most important component of the ERM and internal control frameworks; influences how organizations establish strategies and objectives; structure business activities; and identify, assess, and respond to risk |
|
|
Term
| management's philosophy, operating style, and risk appetite; the board of directors; commitment to integrity, ethical values, and competence; organizational structure; methods of assigning authority and responsibility; human resource standards; external influences
|
Definition
| components of internal environment of COSO |
|
|
Term
| risk appetite
Definition
| the amount of risk a company is willing to accept in order to achieve its goals and objectives |
|
|
Term
| audit committee
Definition
| composed entirely of outside, independent directors; responsible for overseeing the corporation’s internal control structure, financial reporting process, and compliance with laws etc. |
|
|
Term
| organizational structure
Definition
| defines lines of authority, responsibility, and reporting; provides a framework for planning, directing, executing, controlling, and monitoring operations (centralized vs. decentralized)
|
|
Term
| mission
Definition
| why the company exists and what it hopes to achieve |
|
|
Term
| event
Definition
| "an incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives; may have positive or negative impacts or both"
|
|
Term
| inherent risk
Definition
| risk that exists before management takes any steps to control the likelihood or impact of a risk |
|
|
Term
| residual risk
Definition
| risk that remains after management implements internal controls |
|
|
Term
| reduce (internal controls!), accept, share, avoid
|
Definition
| four ways to respond to risk: |
|
|
Term
| control activities
Definition
| policies, procedures, and rules that provide reasonable assurance that management’s control objectives are met and the risk responses are carried out |
|
|
Term
| independent checks on performance; safeguarding assets, records, and data; design and use of documents and records; change management controls; project development and acquisition controls; proper authorization; segregation of duties
|
Definition
| the control activities of COSO |
|
|
Term
| Change management controls |
|
Definition
| the process of making sure changes do not negatively affect systems reliability, security, confidentiality, integrity, and availability |
|
|
Term
| audit trail
Definition
| when individual company transactions can be traced through the system from where they originate to where they end up on the financial statements |
|
|
Term
| security
Definition
| Foundation of systems reliability |
|
|
Term
| security, confidentiality, privacy, processing integrity, availability |
|
Definition
| Five fundamental principles that contribute to the overall objective of systems reliability |
|
|
Term
| security
Definition
| access to the system and its data is controlled and restricted to legitimate users |
|
|
Term
| confidentiality
Definition
| sensitive organizational information is protected from unauthorized disclosure
|
|
Term
| privacy
Definition
| personal information about customers is collected, used, disclosed and maintained only in compliance with internal policies and external regulatory requirements |
|
|
Term
| processing integrity
Definition
| data is processed accurately, completely, in a timely manner, and only with proper authorization |
|
|
Term
| availability
Definition
| the system and its information is available to meet operational and contractual obligations |
|
|
Term
| Time based model of security |
|
Definition
| focuses on the relationship between preventive, detective, and corrective controls; all are necessary. Preventive controls are adequate when P > D + C: the time an attacker needs to break through the preventive controls (P) must exceed the time to detect the attack (D) plus the time to respond and correct it (C)
|
|
Term
| preventive controls
Definition
| limit actions to those in accord with the organization’s security policy and to not allow undesired actions |
|
|
Term
| detective controls
Definition
| to identify when preventive controls have been breached |
|
|
Term
| corrective controls
Definition
| to repair damage from any problems that occurred and to improve the functioning of both preventative and detective controls in order to reduce the likelihood of future problems |
|
|
Term
| defense in depth
Definition
| employ multiple layers of controls in order to avoid having a single point of failure |
|
|
Term
| authentication, authorization, training, physical access controls, remote access controls, host and application hardening procedures, encryption
|
Definition
| seven major types of preventive controls |
|
|
Term
| authentication
Definition
| focuses on verifying the identity of the person or device attempting to access the system; ensures that only legitimate users can access the system
|
|
Term
| authorization
Definition
| restricts access of authenticated users to specific portions of the system and specifies what actions they are permitted to perform |
|
|
Term
| key escrow
Definition
| involves making copies of all encryption keys used by employees and storing the copies securely
|
|
Term
| key length, key management policies, nature of the encryption algorithm |
|
Definition
| Factors of encryption strength |
|
|
Term
| use encryption software that creates a built-in master key
|
Definition
| best way to decrypt data in the event an employee leaves
|
|
Term
| Intrusion detection systems |
|
Definition
| create logs of network traffic that was permitted to pass the firewall and then analyze those logs for signs of attempted or successful intrusions |
|
|
Term
| log analysis, Intrusion detection systems, Managerial reports, Security testing (vulnerability/penetration) |
|
Definition
| examples of detective controls |
|
|
Term
| vulnerability scan
Definition
| use automated tools designed to identify whether a given system possesses any well known vulnerabilities |
|
|
Term
| penetration test
Definition
| an authorized attempt by either an internal audit team or an external security consulting firm to break into the organization’s information system |
|
|
Term
| exploit
Definition
| The set of instructions for taking advantage of a vulnerability: |
|
|
Term
| patch
Definition
| code released by software developers that fixes a particular vulnerability |
|
|
Term
| patch management
Definition
| process for regularly applying patches and updates to all software used by the organization; patches are modifications to complex software, so they should be tested before deployment
|
|
Term
| encryption
Definition
| Fundamental control procedure for protecting the confidentiality of sensitive information |
|
|
Term
| VPN virtual private network |
|
Definition
| created by encrypting information before sending it over the internet; provides the functionality of a privately owned network over a public one
|
|
Term
| Protecting personal information about customers rather than organizational data |
|
Definition
| How does privacy differ from confidentiality? |
|
|
Term
| management
Definition
| establish privacy policies to protect personal info it collects; assigns responsibility and accountability for those policies to a specific person/group |
|
|
Term
| notice
Definition
| provides notice about privacy policies at or before the time it collects personal information from customers |
|
|
Term
| collection
Definition
| collect only information needed |
|
|
Term
| cookie
Definition
| a text file created by a web site and stored in a visitor’s hard disk |
|
|
Term
| use and retention
Definition
| use personal info only in manner stated; retain only as long as needed |
|
|
Term
| disclosure to third parties |
|
Definition
| discloses to third parties only when stated; third parties provide equivalent protection |
|
|
Term
| access
Definition
| ability to access, review, correct, and delete |
|
|
Term
| security
Definition
| protect customers’ personal information from loss or unauthorized disclosure |
|
|
Term
| quality
Definition
| maintains the integrity of customers' personal information
|
|
Term
| monitoring and enforcement |
|
Definition
| assigns someone to be responsible for assuring compliance with privacy policies |
|
|
Term
| source data preparation/authorization; source data collection/entry; accuracy, completeness, and authenticity checks; processing integrity and validity; output review, reconciliation, and error handling; transaction authenticity and integrity
|
Definition
| 6 application controls of processing integrity |
|
|
Term
| forms design, cancellation of storage of documents, authorization & segregation of duties, visual scanning |
|
Definition
| input controls for processing integrity |
|
|
Term
| field check, sign check, limit check, range check, size check, completeness check, validity check, reasonableness test, check digit verification |
|
Definition
| data entry controls for processing integrity |
|
|
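The data-entry controls listed above (and defined one card each earlier in the deck) are easiest to understand as a single validation pass over a record. The following Python is an added example, not part of the flashcard deck: it applies a field check, sign check, limit check, range check, size check, completeness check, validity check against a master file, reasonableness test between two fields, and check digit verification to a sales-order record. The record layout, the field limits, the modulus-11 check digit scheme and the customer master file are all assumptions made for the example.

```python
import re
from datetime import date

# Assumed master file of valid customer accounts; the trailing digit is a check digit.
CUSTOMER_MASTER = {"1000-6", "1001-4", "1002-2"}

QTY_RANGE = (1, 500)          # range check bounds (assumed)
ORDER_LIMIT = 10_000.00       # limit check ceiling (assumed credit limit)
MAX_DESC_LEN = 30             # size check: assumed width of the description field
REQUIRED = ("customer_id", "order_date", "ship_date", "quantity", "unit_price", "description")


def check_digit_ok(account: str) -> bool:
    """Check digit verification: modulus-11 with weights 5,4,3,2 on 'dddd-c' codes
    (assumed scheme). Catches single-digit typos and adjacent transpositions."""
    m = re.fullmatch(r"(\d{4})-(\d)", account)
    if not m:
        return False
    weighted = sum(int(d) * w for d, w in zip(m.group(1), (5, 4, 3, 2)))
    expected = (11 - weighted % 11) % 11
    return expected < 10 and expected == int(m.group(2))


def validate_order(rec: dict) -> list:
    """Apply the data-entry controls to one order record and return the list of
    violations; an empty list means the record is accepted."""
    errors = []
    # Completeness check: every required field present and non-blank.
    for f in REQUIRED:
        if not rec.get(f):
            errors.append(f"completeness: {f} missing")
    if errors:
        return errors
    # Field check: numeric fields contain only digits (optional sign, cents).
    if not re.fullmatch(r"-?\d+", rec["quantity"]):
        errors.append("field: quantity is not an integer")
    if not re.fullmatch(r"-?\d+(\.\d{1,2})?", rec["unit_price"]):
        errors.append("field: unit_price is not a monetary amount")
    if errors:
        return errors
    qty, price = int(rec["quantity"]), float(rec["unit_price"])
    # Sign check: quantity and price must be positive.
    if qty <= 0 or price <= 0:
        errors.append("sign: quantity and unit_price must be positive")
    # Range check: quantity within both a lower and an upper bound.
    lo, hi = QTY_RANGE
    if not lo <= qty <= hi:
        errors.append(f"range: quantity {qty} outside {lo}..{hi}")
    # Limit check: order total must not exceed a predetermined ceiling.
    if qty * price > ORDER_LIMIT:
        errors.append(f"limit: order total {qty * price:.2f} exceeds {ORDER_LIMIT:.2f}")
    # Size check: description must fit in its field.
    if len(rec["description"]) > MAX_DESC_LEN:
        errors.append("size: description too long")
    # Check digit verification first, then validity check against the master file.
    if not check_digit_ok(rec["customer_id"]):
        errors.append("check digit: customer_id fails verification")
    elif rec["customer_id"] not in CUSTOMER_MASTER:
        errors.append("validity: customer_id not in master file")
    # Reasonableness test: logical relationship between two data items.
    try:
        if date.fromisoformat(rec["ship_date"]) < date.fromisoformat(rec["order_date"]):
            errors.append("reasonableness: ship_date precedes order_date")
    except ValueError:
        errors.append("field: dates must be YYYY-MM-DD")
    return errors


# Constructed sample input: one clean record and several that trip specific checks.
GOOD = {"customer_id": "1001-4", "order_date": "2024-03-01", "ship_date": "2024-03-05",
        "quantity": "10", "unit_price": "25.00", "description": "steel brackets"}
BAD_TRANSPOSED_ID = dict(GOOD, customer_id="0101-4")   # two digits transposed
BAD_NEGATIVE_QTY = dict(GOOD, quantity="-3")
BAD_OVER_LIMIT = dict(GOOD, quantity="500", unit_price="99.99")
BAD_DATES = dict(GOOD, ship_date="2024-02-28")

if __name__ == "__main__":
    for name, rec in [("good", GOOD), ("transposed id", BAD_TRANSPOSED_ID),
                      ("negative qty", BAD_NEGATIVE_QTY), ("over limit", BAD_OVER_LIMIT),
                      ("dates", BAD_DATES)]:
        print(name, "->", validate_order(rec) or "accepted")
```

Note the ordering: the completeness and field checks run first because every later check assumes the fields exist and parse, and the check digit runs before the master-file lookup so a mistyped account is reported as a typo rather than as an unknown customer. Returning every violation (instead of stopping at the first) is what lets the error message control tell the operator exactly what to fix.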
Term
| fault tolerance
Definition
| use of redundant components, enabling a system to continue functioning in the event that a particular component fails |
|
|
Term
| recovery
Definition
| the process of installing the backup copy for use |
|
|
Term
| backup
Definition
| exact copy of the most current version of a database, file or software program |
|
|
Term
| recovery point objective (RPO)
Definition
| represents the maximum length of time for which the organization is willing to risk the possible loss of transaction data
|
|
Term
| real-time mirroring
Definition
| involves maintaining two copies of the database at two separate data centers at all times and updating both copies in real time as each transaction occurs; almost entirely eliminates the risk of losing any data |
|
|
Term
| archive
Definition
| a copy of a database, master file, or software that will be retained indefinitely as an historical record, usually to satisfy legal and regulatory requirements |
|
|
Term
| reciprocal agreement with another organization |
|
Definition
| least expensive method of infrastructure replacement |
|
|
Term
| cold site
Definition
| empty building that is prewired for necessary telephone and internet access, plus a contract with one or more vendors to provide all necessary computer/equipment within a specified period of time |
|
|
Term
| hot site
Definition
| facility that is not only prewired but also contains all the computing and office equipment the organization needs to perform its essential business activities (backup infrastructure designed to provide fault tolerance in major disaster) |
|
|