Term
| Trust Services Framework was developed by: |
|
Definition
|
|
Term
| Trust Services Framework is a subset of what Control Framework? |
|
Definition
|
|
Term
| Trust services framework consists of five principles that contribute to systems reliability. Name them: |
|
Definition
Security
Confidentiality
Privacy
Processing integrity
Availability |
|
|
Term
| The definition of Security in the Trust Services Framework is: |
|
Definition
| Access to the system and its data is controlled and restricted to legitimate users. |
|
|
Term
| The definition of Confidentiality in the Trust Service Framework is: |
|
Definition
| Sensitive organizational information is protected from unauthorized disclosure. |
|
|
Term
| The Definition of Privacy in the Trust Services Framework is: |
|
Definition
| Personal information about customers is collected, used, disclosed, and maintained only in compliance with internal and external regulatory requirements and is protected from unauthorized disclosure. |
|
|
Term
| The definition of Processing Integrity in the Trust Service Framework is: |
|
Definition
| Data are processed accurately, completely, in a timely manner, and only with proper authorization. |
|
|
Term
| The definition of Accountability in the Trust Service Framework is: |
|
Definition
| The system and its information are available to meet operational and contractual obligations. |
|
|
Term
| Name four criteria for successfully implementing the five Trust Service Framework principles: |
|
Definition
1) Developing and documenting policies
2) Effectively communicating policies to authorized users
3) Designing and employing appropriate control procedures to implement policies
4) Monitoring the system and taking corrective action to maintain compliance with policies.
|
|
|
Term
| ______________is responsible for the internal control structure, including security. |
|
Definition
|
|
Term
| Understanding when a proper level of security and monitoring security has been reached is made more difficult by today's ____________ __________, leading to specialized management roles such as _____, CSO, and __________ _________. |
|
Definition
Information Technology
CIO, Compliance Officers |
|
|
Term
| Management Obligations to the Internal Control System include: |
|
Definition
Developing and documenting policies
Communicating the Policies developed
Designing the control procedures
Monitoring the system
|
|
|
Term
| The ________ an error/irregularity is found, the less ____ it takes to correct and less _____ occurs. |
|
Definition
|
|
Term
| The Training Control is used: |
|
Definition
To facilitate employee understanding and adherence to the organization's security policies including:
Safe computing practices
Social engineering
Piggybacking |
|
|
Term
|
Definition
| The process of verifying the identity of the person or device attempting to access the system with the objective to ensure that only legitimate users can access the system. |
|
|
Term
| Three types of credentials used by Authentication Controls to verify a person's identity are: |
|
Definition
Something they know (Password)
Something they have (Badge/Smart Card)
Something they are (Biometric Identifier) |
|
|
Term
|
Definition
| The process of restricting access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform. |
|
|
Term
| A capability test is performed to match a user's authentication credentials against authorized actions when an employee attempts to access a particular information resource system; access is granted or denied based upon the privileges authorized to that user. What source lists the user access privileges used for the capability test? |
|
Definition
|
|
Term
| The Access Control Matrix must be updated for what events?: |
|
Definition
Firings
Promotions
Demotions
Transfers
Job rotation |
|
|
Term
| In addition to people, ________ are also set up with authorization controls. |
|
Definition
|
|
Term
| Card readers at entryways, mantraps, electronic eavesdropping countermeasures and screen guards are all examples of what type of controls? |
|
Definition
|
|
Term
| Firewalls, Routers, war dialing and defense in depth are examples of what type of controls? |
|
Definition
|
|
Term
| Use of an Intrusion Detection System to perform log analysis in efforts to detect unauthorized access to the system is an example of what type of controls? |
|
Definition
|
|
Term
| Use of vulnerability scanners and penetration tests used to attempt unauthorized access to the system are examples of what type of control? |
|
Definition
|
|
Term
| Key component to prompt and effective response to security incidents is the standing up of a: |
|
Definition
| Computer Incident Response Team |
|
|
Term
| The Computer Incident Response Team should have as its membership: |
|
Definition
Senior Operations Management
Technical Specialists |
|
|
Term
| The most important document for the effectiveness of the Computer Incident Response Team is: |
|
Definition
| Incident response plan including alert process. |
|
|
Term
| The Computer Incident Response Team (CIRT) leads the response to an incident through what 4 steps? |
|
Definition
Recognition that a problem exists.
Containment of the problem.
Recovery. Damage must be repaired.
Follow up. Analysis of what happened, how to prevent it from happening again, and what to do to capture and punish the perpetrator. |
|
|
Term
| Operating independently of other information systems functions and reporting to the COO, this officer is an impartial assessor and evaluator of the IT environment who is responsible for ensuring that vulnerability and risk assessments are performed regularly and that security audits are carried out periodically. The title of this role is: |
|
Definition
| Chief Information Security Officer (CISO) |
|
|
Term
| When a vulnerability is discovered in software, a hacker writes an exploit, which instructs how to attack using the vulnerability. What name is given to the control that applies software updates that eliminate such vulnerabilities? |
|
Definition
|
|
Term
| Virtualization of software and hardware eliminates opportunities for physical access issues but opens up vulnerabilities where information is housed and controlled by another entity that is not under the control of the owner of that information. This type of environment is generally referred to as: |
|
Definition
|
|
Term
| What leads to effective confidentiality for an organization's intellectual property? |
|
Definition
Identify sensitive information (data) that needs to be protected, then protect it when it is captured, while it is stored, when it is reported/accessed, and when it is disposed of.
|
|
|
Term
| Information in storage should be ______________ to prevent theft by unauthorized access. |
|
Definition
|
|
Term
| In the event of a breach in security at a firm, law requires notification of all customers unless that customer's data was ___________ at the time of the breach. |
|
Definition
|
|
Term
| Spreadsheets require special controls because of the high likelihood of _________ _____. |
|
Definition
|
|
Term
| Trust Services Framework Principle that states that a reliable system is one that produces information that is accurate, complete, timely and valid. |
|
Definition
|
|
Term
|
Definition
| Determines whether the characters in a field are the proper type. |
|
|
Term
|
Definition
| Determines whether the data in a field have the appropriate arithmetic sign. |
|
|
Term
|
Definition
| Tests a numerical amount against a fixed value. |
|
|
Term
|
Definition
| Tests whether a numerical amount falls between predetermined lower and upper limits. |
|
|
Term
|
Definition
| Ensures that the input data will fit into the assigned field. |
|
|
Term
|
Definition
| On each input record determines whether all required data items have been entered. |
|
|
Term
|
Definition
| Compares the ID code or account number in transaction data with similar data in the master file to verify that the account exists. |
|
|
Term
|
Definition
| Determines the correctness of the logical relationship between two data items. |
|
|
Term
|
Definition
| Authorized ID numbers can contain a check digit that is computed from the other digits. Data entry devices can be programmed to perform check digit verification by using all but the first or final digit to calculate that digit each time the number is entered. |
|
|
Term
|
Definition
| Checks whether a batch of input data is in the proper numerical or alphabetical sequence. |
|
|
Term
|
Definition
| A batch total that sums a field that contains monetary values. |
|
|
Term
|
Definition
| Sums a non-financial numerical field. |
|
|
Term
|
Definition
| Number of records in a batch. |
|
|
Term
|
Definition
| The system requests each input data item and waits for an acceptable response; this ensures that all necessary data are entered. |
|
|
Term
|
Definition
| Checks the accuracy of input data by using it to retrieve and display other related information. |
|
|
Term
|
Definition
| Detailed record of all transactions, including a unique transaction identifier, the date and time of entry, and who entered the transaction. |
|
|
Term
|
Definition
| In certain cases, two or more items of data must be matched before an action can take place. |
|
|
Term
|
Definition
| File Labels need to be checked to ensure the correct and most current files are being updated. |
|
|
Term
|
Definition
| Located at the beginning of each file, contains the file name, expiration date, and other identification data |
|
|
Term
|
Definition
| Located at the end of the file, contains batch totals calculated during input. |
|
|
Term
| Recalculation of Batch Totals |
|
Definition
| Batch totals should be recalculated as each transaction record is processed, and the total for the batch should then be compared to the values in the trailer record. |
|
|
Term
|
Definition
| Two adjacent digits are inadvertently reversed. |
|
|
Term
|
Definition
| Compare the sum of the row totals with the sum of the column totals. They should be equal. |
|
|
Term
|
Definition
| Control accounts should zero out after all costs are allocated to expense categories. |
|
|
Term
| Write-Protection Mechanism |
|
Definition
| Protect against overwriting or erasing of data files stored on magnetic media. |
|
|
Term
|
Definition
| Users should carefully examine system output to verify that it is reasonable, that it is complete, and that they are the intended recipients. |
|
|
Term
| External Data Reconciliation |
|
Definition
| Database totals should be periodically reconciled with data maintained outside the system. |
|
|
Term
| Reconciliation Procedures |
|
Definition
| Periodically, all transactions and other system updates should be reconciled to control reports, file status/update reports, or other control mechanisms. General Ledger accounts should be reconciled to subsidiary account totals on a regular basis. |
|
|
Term
| Data Transmission Controls |
|
Definition
| Controls designed to minimize risk of data transmission errors. |
|
|
Term
|
Definition
| When data are transmitted, the sending device can calculate a hash of the file, called a checksum. The receiving device performs the same calculation and sends the result to the sending device. If the two hashes agree, the transmission is presumed to be accurate. |
|
|
Term
|
Definition
| Extra digit added to the beginning of every character that can be used to check transmission accuracy. |
|
|