Term
| How do you maintain control over information security (IS)? |
|
Definition
| Through the enactment of a comprehensive, entity-wide information security plan. |
|
|
Term
| ability to make use of any computer-based system is dependent on |
|
Definition
| uninterrupted flow of electricity; protection of computer hardware from environmental hazards; protection of software and data files from unauthorized alteration; preservation of functioning communications channels between devices |
|
|
Term
| volatile transaction trails |
|
Definition
| In a computer-based environment, complete audit trails may not exist or be readable. In online and real-time systems, data are entered directly into the computer, eliminating portions of the audit trail traditionally provided by source documents. |
|
|
Term
| How does a computer system affect the chance of detecting errors? |
|
Definition
| Because employees who enter transactions may never see the final results, the potential for detecting errors is reduced. Also, output from a computer system often carries a mystique of infallibility, reducing the incentive of system users to closely examine reports and transaction logs. |
|
|
Term
| How does computer processing affect transaction processing? |
|
Definition
| Computer processing uniformly subjects like transactions to the same processing instructions, therefore virtually eliminating clerical error. Thus, it permits consistent application of predefined business rules and the performance of complex calculations in high volume. However, programming errors result in all like transactions being processed incorrectly. |
|
|
Term
| firewall |
Definition
| combination of hardware and software that separates an internal network from an external network and prevents passage of traffic deemed suspicious; needed to protect computerized records that are otherwise not as easily protected |
|
|
Term
| backup |
Definition
| duplicate and periodically store offsite computer files (hard drive crash should not lose all data). |
|
|
Term
| reduced individual authorization of transactions |
|
Definition
| Certain transactions may be initiated automatically by a computer-based system. This reduced level of oversight for individual transactions is an important compensating control in the absence of segregation of duties and reduced individual authorization. A third party performs the verification. |
|
|
Term
| advantages to outsourcing IT (ASACFA) |
|
Definition
| access to expertise, superior service quality, avoidance of changes in the organization's IT infrastructure, cost predictability, freeing of human and financial capital, and avoidance of fixed costs. |
|
|
Term
| disadvantages to outsourcing IT (ILVD) |
|
Definition
| inflexibility of the relationship, the loss of control, vulnerability of important information, and often dependency on a single vendor. |
|
|
Term
|
Definition
| any program code that enters a computer system that has the potential to degrade that system |
|
|
Term
| Trojan horse |
Definition
| apparently innocent program that includes a hidden function that may do damage when activated |
|
|
Term
| virus |
Definition
| program that copies itself from file to file (spread through email attachments and downloads) |
|
|
Term
| worm |
Definition
| program that copies itself from computer to computer |
|
|
Term
| denial-of-service (DoS) attack |
|
Definition
| attempt to overload a system with messages so that it cannot function |
|
|
Term
| phishing |
Definition
| method of electronically obtaining confidential information through deceit by setting up a legitimate-looking website that is a scam |
|
|
Term
| Control Objectives for Information and Related Technology (COBIT) |
|
Definition
| best-known control and governance framework that addresses IT |
|
|
Term
| four main domains of COBIT (PADM) |
|
Definition
| planning and organization, acquisition and implementation, delivery and support, monitoring |
|
|
Term
| planning and organization |
|
Definition
| deals with how the IT system helps accomplish business objectives |
|
|
Term
| acquisition and implementation |
|
Definition
| deals with how the business acquires and develops IT solutions that address business objectives |
|
|
Term
| delivery and support |
Definition
| deals with how the company can best deliver required IT services including operations, security, and training |
|
|
Term
| monitoring |
Definition
| deals with how the company can periodically assess the IT processes for quality and control |
|
|
Term
| 5 Key Principles of COBIT 5 |
|
Definition
| Meeting stakeholder needs, Covering the enterprise end-to-end, applying a single, integrated framework, enabling a holistic approach, and separating governance from management. |
|
|
Term
| enterprise goals |
Definition
| created in response to stakeholder needs |
|
|
Term
| IT-related goals |
Definition
| drawn up to address the enterprise goals |
|
|
Term
| enablers & categories of enablers (PPOCISP) |
|
Definition
| support pursuit of the IT-related goals. Categories of enablers: principles, policies, and frameworks; processes; organizational structures; culture, ethics, and behavior; information; services, infrastructure, and applications; people, skills, and competencies |
|
|
Term
| governance |
Definition
| setting overall objectives and monitoring progress toward those objectives (board of directors) |
|
|
Term
| management |
Definition
| carrying out of activities in pursuit of enterprise goals (executive management under the CEO) |
|
|
Term
|
Definition
| planning, organizing, leading/directing, and controlling |
|
|
Term
| How does IT implementation affect risk? |
|
Definition
| IT introduces some risks and helps to mitigate others, e.g., automated verification. |
|
|
Term
| operational effectiveness |
|
Definition
| degree to which a system (automated or not) serves its intended purpose |
|
|
Term
|
Definition
| to aid in decision-making. Reports that cannot do this are useless. |
|
|
Term
| information security (IS) |
|
Definition
| encompasses not only computer hardware and software but all of an organization's information, no matter what medium it resides on; it involves far more than just user IDs and passwords. |
|
|
Term
| 3 principal goals for IS programs (CIA) |
|
Definition
| confidentiality, integrity, availability of data |
|
|
Term
| steps in creating an IS plan |
|
Definition
| (1) identify threats to the organization's information; (2) identify the risks that these threats entail; (3) design compensating controls based on risk analysis; (4) incorporate controls into a coherent, enterprise-wide IS plan, listing how the controls will be put in place and how they will be enforced; (5) create policies |
|
|
Term
| risk analysis |
Definition
| determine the likelihood of identified threats and the level of damage that could potentially be done should the threats materialize |
|
|
Term
| 3 major types of IS controls |
|
Definition
| physical, logical, and policy |
|
|
Term
| policy controls |
Definition
| that which governs the information resources to which individuals have access and how the level of access will be tied to their job duties. |
|
|
Term
| 3 major types of internal controls |
|
Definition
| preventive, detective, and corrective |
|
|
Term
| IS classic division of controls |
|
Definition
| general (aggregate IT environment) vs. application (specific to computers); general = macro, application = micro |
|
|
Term
| general controls |
Definition
| sustain the conditions under which application controls can function properly |
|
|
Term
| Should IT be a separate function? If so, how should this be done? |
|
Definition
| Yes. Treating IT as a separate functional area of the organization involves the designation of a CIO or CTO and the establishment of an IS steering committee to set a coherent direction for the organization's systems and prioritize IT projects. |
|
|
Term
| hardware controls |
Definition
| built into the equipment by the manufacturer; they ensure the proper internal handling of data as they are moved and stored. |
|
|
Term
| physical controls |
Definition
| limit physical access and environmental damage to computer equipment, data, and important documents |
|
|
Term
| logical controls |
Definition
| established to limit access in accordance with the principle that all persons should have access only to those elements of the organization's IS that are necessary to perform their job duties. Focused on both authentication and authorization. |
|
|
Term
| authentication |
Definition
| act of assuring that the person attempting to access the system is in fact who he/she says he/she is. Accomplished through IDs and passwords. |
|
|
Term
| authorization |
Definition
| practice of ensuring that, once in the system, the user can only access those programs and data elements necessary for his/her job duties |
|
|
Term
| network firewall |
Definition
| regulate traffic to an entire network, such as an organization's LAN through packet filtering |
|
|
Term
| packet filtering |
Definition
| The firewall examines the header of each packet. Depending on the rules set up by the network security administrator, packets can be denied entry to the network based on their source, destination, or other data in the header. Packets from a particular source address that repeatedly fail to gain access to the network might indicate a penetration attempt. The firewall can notify network security personnel who can then investigate. |
|
|
Term
| application firewall |
Definition
| regulate traffic to a specified application, such as email or file transfer |
|
|
Term
| Is a firewall alone enough for IS? |
|
Definition
| A firewall alone is not an adequate defense against computer viruses; specialized antivirus software is a must. |
|
|
Term
| application controls |
Definition
| built into each application; designed to ensure that only correct, authorized data enter the system and that the data are processed and reported properly. |
|
|
Term
| input controls |
Definition
| designed to prevent unauthorized, invalid, or duplicate data from entering the system (thus authorization) |
|
|
Term
|
Definition
| some data elements can only contain certain characters, and any transaction that attempts to use an invalid character is halted (e.g., Social Security number). |
|
|
Term
| Limit (Reasonableness) and Range Checks |
|
Definition
| based on known limits for given information, certain entries can be rejected by the system. |
|
|
Term
|
Definition
| in order for a transaction to be processed, some other record must already exist in another file. |
|
|
Term
|
Definition
| processing efficiency is greatly increased when files are sorted on some designated field(s), called the “key,” before operations such as matching. |
|
|
Term
| Check Digit Verification (Self-Checking Digits) |
|
Definition
| an algorithm is applied to, for instance, a product number and incorporated into the number; this reduces keying errors such as dropped and transposed digits. |
|
|
Term
|
Definition
| the system will reject any transaction or batch thereof in which the sum of all debits and credits does not equal 0. |
|
|
Term
| processing controls |
Definition
| provide reasonable assurance that processing has been performed as intended for the particular application |
|
|
Term
|
Definition
| record that does not match to master file record is identified and rejected |
|
|
Term
| cross-footing |
Definition
| cross-footing compares an amount to the sum of its components |
|
|
Term
|
Definition
| control adds the debits and credits in a transaction or batch to ensure they sum to 0. |
|
|
Term
|
Definition
| record's “key” is the group of values in designated fields that uniquely identify the record; no application process should be able to alter the data in these key fields |
|
|
Term
| output controls |
Definition
| provide assurance that the processing result is accurate and that only authorized personnel receive the output. These procedures are performed at the end of processing to ensure that all transactions the user expected to be processed were actually processed. |
|
|
Term
| audit trail |
Definition
| every action performed in the application is logged along with the date, time, and ID in use when the action was taken. |
|
|
Term
|
Definition
| all transactions rejected by the system are printed and distributed to the appropriate user department for resolution |
|
|
Term
| record count |
Definition
| the total number of records processed by the system is compared to the number the user expected to be processed |
|
|
Term
| run-to-run control totals |
|
Definition
| the new financial balance should be the sum of the old balance plus the activity that was just processed |
|
|
Term
| hash totals |
Definition
| the arithmetic sum of a numeric field, which has no meaning by itself, can serve as a check that the same records that should have been processed were processed, e.g., the sum of all Social Security numbers. |
|
|
Term
|
Definition
| IS goal of data availability is primarily the responsibility of the IT function. |
|
|
Term
| business continuity |
Definition
| continuation of business by other means during the period in which computer processing is unavailable or less than normal |
|
|
Term
| disaster recovery |
Definition
| process of resuming normal information processing operations after the occurrence of a major interruption |
|
|
Term
| 3 major types of contingencies |
|
Definition
| those in which the data center is physically available (power failure, random intrusions (viruses), deliberate intrusions (hacking incidents)), and those in which it is not (natural disasters). |
|
|
Term
| most basic part of any disaster recovery/business continuity plan |
|
Definition
| periodic backup and offsite recovery |
|
|
Term
| Which is more valuable to an organization, its data or its hardware? |
|
Definition
|
|
Term
| periodic backup |
Definition
| Involves duplicating all data files and application programs periodically (once a month). Incremental changes are then backed up and taken to the offsite location (once a week). Application programs must be backed up in addition to data since programs change too. |
|
|
Term
| characteristics of offsite location |
|
Definition
| temperature- and humidity-controlled and guarded against physical intrusion. Just as important, it must be geographically remote enough from the site of the organization's main operations that it would not be affected by the same natural disaster. |
|
|
Term
| What's the maximum amount of information that the organization can afford to lose due to interruptions in normal processing? |
|
Definition
| In case of an interruption of normal processing, the organization's systems can be restored such that, at most, 7 days of business information is lost. |
|
|
Term
|
Definition
| (1) identifying and prioritizing the organization's critical applications; (2) determining minimum recovery time and hardware requirements; (3) developing a recovery plan; (4) dealing with specific types of contingencies |
|
|
Term
| Dealing with specific types of contingencies |
|
Definition
| power failures, attacks, natural disasters |
|
|
Term
| power failures |
Definition
| dealt with by the purchase of backup electrical generators. These can be programmed to automatically begin running as soon as a dip in the level of electric current is detected (the "reorder point" for electricity). |
|
|
Term
| attacks (virus, denial-of-service, etc.) |
|
Definition
| The system must be brought down “gracefully” to halt the spread of the infection. The IT staff must know about the latest viruses to know how to isolate the damage and bring the system back to full operation. |
|
|
Term
| natural disasters |
Definition
| Contract for an alternate processing facility. Take backup files to the recovery center if processing is no longer possible at the principal site. |
|
|
Term
| alternate processing facility |
|
Definition
| physical location maintained by an outside contractor for the express purpose of providing processing facilities for customers in case of disaster |
|
|
Term
| hot site |
Definition
| fully operational processing facility that is immediately available. |
|
|
Term
| mirrored site |
Definition
| hot site with the latest data and software that permit startup within a few minutes or even a few seconds |
|
|
Term
| warm site |
Definition
| facility with limited hardware, such as communications and networking equipment, that is already installed but is lacking the necessary servers and client terminals |
|
|
Term
| cold site |
Definition
| shell facility lacking most infrastructure but readily available for the quick installation of hardware and software |
|
|
Term
| fault-tolerant computer system |
|
Definition
| has additional hardware and software as well as a backup power supply. |
|
|
Term
|
Definition
| has additional chips and disk storage; this technology is used for mission-critical applications that cannot afford to suffer downtime. |
|
|
Term
| redundant array of inexpensive disks (RAID) |
|
Definition
| grouping of multiple hard drives with special software that allows for data delivery along multiple paths. If one drive fails, the other disks can compensate for the loss; enabling technology for fault tolerance |
|
|
Term
| high-availability computing |
|
Definition
| used for less-critical applications because it provides for a short recovery time rather than the elimination of recovery time |
|
|