95 Cards in this Set

AIS Threats
- Natural and political disasters
- Software errors and equipment malfunctions
- Unintentional acts
- Intentional acts

Cookie
Data that Web sites store on your computer to identify their Web sites to your computer and to identify you to the Web site so you don't have to log on every time you visit.

Fraud Requirements
- False statement or representation
- A material fact
- Intent to deceive
- A justifiable reliance
- An injury or loss

Fraud Triangle
- Opportunity
- Rationalization
- Pressure

Opportunity
The perpetrator must be able to:
- Commit
- Conceal
- Convert to cash

Lapping Scheme
The perpetrator steals the cash or check that Customer A mails in and then pays it back with a check from Customer B, which is in turn paid back by a check from Customer C.

Kiting scheme
The perpetrator creates cash by taking advantage of the timing lag between depositing a check and the check clearing the bank.

Computer fraud
Any illegal act for which knowledge of computer technology is essential for its perpetration, investigation, or prosecution.

Processor Fraud
Fraud committed through unauthorized system use, including the theft of computer time and services.

Computer Instructions Fraud
Tampering with the software that processes company data.

Data Fraud
Illegal use of company data, typically copying it, using it, or searching it without permission.

Torpedo Software
Destroys competing malware, resulting in "malware warfare" between competing developers.

Exposure
The potential dollar loss should a particular threat become a reality; also called impact.

Internal Control
A process implemented by the board of directors, management, and those under their direction to provide reasonable assurance.

Foreign Corrupt Practices Act
Prevents bribery of foreign officials in order to obtain business.

PCAOB (Public Company Accounting Oversight Board)
A five-member team to control the auditing profession.

Boundary System
Helps employees act ethically by setting limits beyond which an employee must not pass.

Diagnostic control system
Measures company progress by comparing actual performance to planned performance.

Interactive control system
Helps top-level managers with high-level activities that demand frequent and regular attention, such as developing company strategy, setting company objectives, understanding threats and risks, monitoring changes, and developing responses and action plans to proactively deal with high-level issues.

COBIT (Control Objectives for Information and Related Technology)
A framework of generally applicable information systems security and control practices for IT control.

COSO (Committee of Sponsoring Organizations)
A private-sector group consisting of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute.

Strategic objectives
High-level goals that are aligned with and support the company's mission.

Operations objectives
Deal with the effectiveness and efficiency of company operations, such as performance and profitability goals and safeguarding assets.

Reporting objectives
Help ensure the accuracy, completeness, and reliability of internal and external company reports, of both a financial and nonfinancial nature.

Compliance objectives
Help the company comply with all applicable laws and regulations.

Risk appetite
The amount of risk a company is willing to accept in order to achieve its goals and objectives.

Audit committee
Composed entirely of outside (nonemployee), independent directors.

Policy and procedures manual
Explains proper business practices, describes the knowledge and experience needed by key personnel, spells out management policy for handling specific transactions, and documents the systems and procedures employed to process those transactions.

Event
An incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives.

Inherent risk
The risk that exists before management takes any steps to control the likelihood or impact of a risk.

Residual risk
The risk that remains after management implements internal controls or some other response to risk.

Four ways to respond to risk
Reduce, accept, share, avoid.

Control activities
Policies, procedures, and rules that provide reasonable assurance that management's control objectives are met and the risk responses are carried out.

Authorization
Policies for employees to follow which empower them to perform certain tasks and make decisions.

Digital signature
Signing a document with a piece of data that cannot be forged.

Segregation of duties
Achieved when the following functions are separated: authorization, recording, and custody.

Systems administrators
Responsible for ensuring that the different parts of an information system operate smoothly and efficiently.

Network managers
Ensure that all applicable devices are linked to the organization's internal and external networks and that the networks operate continuously and properly.

Analytical review
An examination of the relationships between different sets of data.

Time-based model of security
Focuses on the relationship between preventive, detective, and corrective controls.

Defense-in-depth
Employing multiple layers of controls in order to avoid having a single point of failure.

Authentication
Focuses on verifying the identity of the person or device attempting to access the system.

Multifactor authentication
Using two or all three methods of authentication (something they know, something they have, some physical characteristic) in conjunction.

Access control matrix
A table specifying which portions of the system users are permitted to access and what actions they can perform.

Social engineering
A person uses deception to obtain unauthorized access to information resources.

Border router
Connects an organization's information system to the Internet.

Demilitarized zone (DMZ)
A separate network that permits controlled access from the Internet to selected resources, such as the organization's e-commerce Web server.

Transmission Control Protocol (TCP)
Specifies the procedures for dividing files and documents into packets to be sent over the Internet and the methods for reassembly of the original document or file at the destination.

Internet Protocol (IP)
Specifies the structure of packets and how to route them to the proper destination.

Routers
Read the destination address fields in IP packet headers to decide where to send the packet next.

Access control list (ACL)
Determines which packets are allowed entry and which are dropped.

Static packet filtering
Screens individual IP packets based solely on the contents of the source and/or destination fields in the IP packet header.

Stateful packet filtering
Maintains a table that lists all established connections between the organization's computers and the Internet.

Deep packet inspection
Examines the data in the body of an IP packet to provide more effective access control than filters that look only at information in the IP header.

Intrusion prevention systems (IPS)
Identify and drop packets that are part of an attack.

Hardening
The process of turning off unnecessary features.

Encryption
The process of transforming normal text, called plaintext, into unreadable gibberish, called ciphertext.

Decryption
Reverses the process of encryption.

Symmetric encryption systems
Use the same key both to encrypt and to decrypt.

Asymmetric encryption systems
Use two keys, one to encrypt and one to decrypt.

Hashing
An irreversible process that takes plaintext of any length and transforms it into a short code.

Digital certificate
An electronic document, created and digitally signed by a trusted third party, that certifies the identity of the owner of a particular public key.

Public key infrastructure (PKI)
Refers to the system and processes used to issue and manage asymmetric keys and digital certificates.

Certificate authority
An organization that issues public and private keys and records the public key in a digital certificate.

E-signature
A cursive-style imprint of a person's name that is applied to an electronic document.

Log analysis
The process of examining logs to monitor security.

Intrusion detection systems (IDS)
Create logs of network traffic that was permitted to pass the firewall and then analyze those logs for signs of attempted or successful intrusions.

Patch
Code released by software developers that fixes a particular vulnerability.

Virtual Private Network (VPN)
Encrypting information before sending it over the Internet to provide the functionality of a privately owned network while using the Internet.

Sequence check
Tests whether a batch of input data is in the proper numerical or alphabetical sequence.

Financial total
Sums a field that contains dollar values, such as the total dollar amount of all sales for a batch of sales transactions.

Hash total
Sums a nonfinancial numeric field, such as the total of the quantity-ordered field in a batch of sales transactions.

Record count
Sums the number of records in a batch.

Prompting
The system requests each input data item and waits for an acceptable response.

Closed-loop verification
Checks the accuracy of input data by using it to retrieve and display other related information.

Concurrent update controls
Protect records from errors that occur when two or more users attempt to update the same record simultaneously.

Parity bit
An extra digit used to detect errors due to bits that are lost or received incorrectly because of media disruptions or failures.

Echo check
Calculates a summary statistic, such as the number of bits in the message, and sends the result back to the sending unit.

Fault tolerance
Enabling a system to continue functioning in the event that a particular component fails.

Uninterruptible power supply (UPS)
Provides protection in the event of a prolonged power outage.

Incremental backup
Copying only the data items that have changed since the last backup.

Differential backup
Copies all changes made since the last full backup.

Recovery point objective (RPO)
Represents the maximum length of time for which the organization is willing to risk the possible loss of transaction data.

Archive
A copy of a database, master file, or software that will be retained indefinitely as a historical record.

Recovery time objective (RTO)
Represents the time following a disaster by which the organization's information system must be available again.

Financial audit
Examines the reliability and integrity of accounting records.

Information systems audit
Reviews the controls of an AIS to assess its compliance with internal control policies and procedures and its effectiveness in safeguarding assets.

Operational (management) audit
Concerned with the economical and efficient use of resources and the accomplishment of established goals and objectives.

Auditing
A systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria, and communicating the results to interested users.

Compensating controls
Procedures that compensate for the deficiency of a control.

Test data generator program
Automatically prepares test data based on program specifications.

Integrated test facility (ITF)
A technique that places a small set of fictitious records in the master files.

Audit hooks
Audit routines that flag suspicious transactions.