SU 11

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

A fast-growing service company is developing its information technology internally. What is the first step in the company's systems development life cycle? A. Analysis. B. Implementation. C. Testing. D. Design.

A. Analysis. Answer (A) is correct. The correct order of the steps in a formal systems development life cycle is: project definition, feasibility analysis, systems analysis, systems design, program development, system testing, implementation, and maintenance.

Two phases of systems planning are project definition and project initiation. All of the following are steps in the project initiation phase except A. Preparing the project proposal. B. Informing managers and employees of the project. C. Assembling the project team. D. Training selected personnel.

A. Preparing the project proposal. Answer (A) is correct. The project initiation phase includes promptly informing managers and employees about the project, assembling the project team (possibly including systems analysts, programmers, accountants, and users), training selected personnel to improve necessary skills and enhance communication among team members, and establishing project controls (e.g., by implementing a project scheduling technique such as PERT). Preparing the project proposal is a part of the project definition phase, as are conducting feasibility studies, determining project priority, and submitting the proposal for approval.

A hospital is evaluating the purchase of software to integrate a new cost accounting system with its existing financial accounting system. Which of the following describes the most effective way for the internal audit activity to be involved in the procurement process? A. The internal audit activity evaluates whether performance specifications are consistent with the hospital's needs. B. The internal audit activity evaluates whether the application design meets internal development and documentation standards. C. The internal audit activity determines whether the prototyped model is validated and reviewed with users before production use begins. D. The internal audit activity has no involvement since the system has already been developed externally.

A. The internal audit activity evaluates whether performance specifications are consistent with the hospital's needs. Answer (A) is correct. The internal audit activity should be involved to ensure the existence of performance specifications consistent with the hospital's needs. Incomplete or erroneous specifications may result in the acquisition of unusable software or an unenforceable contract with the software vendor.

ABC, Inc., assessed overall risks of IT systems projects on two standard criteria: technology used and design structure. The following systems projects have been assessed on these risk criteria. Which of the following projects holds the highest risk to ABC?

B. New Technology Sketchy Structure Answer (B) is correct. New and unfamiliar technology holds more risks than known and stable technology. Also, sketchy design structure makes for greater uncertainty and thus higher risk.

The least risky strategy for converting from a manual to a computerized accounts receivable system would be a A. Direct conversion. B. Parallel conversion. C. Pilot conversion. D. Database conversion.

B. Parallel conversion. Answer (B) is correct. The least risky strategy for converting from a manual to a computerized system is a parallel conversion in which the old and new systems are operated simultaneously until satisfaction is obtained that the new system is operating as expected. Slightly more risky is a pilot conversion in which the new system is introduced by module or segment.

Which of the following controls most likely could prevent computer personnel from modifying programs to bypass programmed controls? A. Periodic management review of computer utilization reports and systems documentation. B. Segregation of duties within computer for computer programming and computer operations. C. Participation of user department personnel in designing and approving new systems. D. Physical security of computer facilities in limiting access to computer equipment.

B. Segregation of duties within computer for computer programming and computer operations. Answer (B) is correct. Programmers and analysts can modify programs, data files, and controls. Thus, they should have no access to programs used to process transactions. Segregation of programming and operations is a control necessary to prevent unauthorized modifications of programs.

The process of learning how the current system functions, determining the needs of users, and developing the logical requirements of a proposed system is referred to as A. Systems maintenance. B. Systems analysis. C. Systems feasibility study. D. Systems design.

B. Systems analysis. Answer (B) is correct. A systems analysis requires a survey of the existing system, the organization itself, and the organization's environment to determine (among other things) whether a new system is needed. The survey results determine not only what, where, how, and by whom activities are performed but also why, how well, and whether they should be done at all. Ascertaining the problems and informational needs of decision makers is the next step. The systems analyst must consider the entity's key success variables (factors that determine its success or failure), the decisions currently being made and those that should be made, the factors important in decision making (timing, relation to other decisions, etc.), the information needed for decisions, and how well the current system makes those decisions. Finally, the systems analysis should establish the requirements of a system that will meet user needs.

An Internet firewall is designed to provide adequate protection against which of the following? A. A computer virus. B. Unauthenticated logins from outside users. C. Insider leaking of confidential information. D. A Trojan horse application.

B. Unauthenticated logins from outside users. A firewall is a combination of hardware and software that separates two networks and prevents passage of specific types of network traffic while maintaining a connection between the networks. Generally, an Internet firewall is designed to protect a system from unauthenticated logins from outside users, although it may provide several other features as well.

Which implemented control would best assist in meeting the control objective that a system have the capability to hold users accountable for functions performed? A. Programmed cutoff. B. Redundant hardware. C. Activity logging. D. Transaction error logging.

C. Activity logging. Activity logging provides an audit trail of user activity.

Which of the following issues would be of most concern to an auditor relating to an organization's Internet security policy? A. Auditor documentation. B. System efficiency. C. Data integrity. D. Rejected and suspense item controls.

C. Data integrity. Controls are intended to ensure the integrity, confidentiality, and availability of information. An auditor relies on the integrity of the system's data and programs in making critical decisions throughout the audit process.

Which of the following should be reviewed before designing any system elements in a top-down approach to new systems development? A. Types of processing systems used by competitors. B. Computer equipment needed by the system. C. Information needs of managers for planning and control. D. Controls in place over the current system.

C. Information needs of managers for planning and control. Answer (C) is correct. The functionality that the system will provide to the end users is always the first consideration.

Ordinarily, the analysis tool for the systems analyst and steering committee to use in selecting the best system alternative is A. Pilot testing. B. User selection. C. Decision tree analysis. D. Cost-benefit analysis.

D. Cost-benefit analysis. Answer (D) is correct. Feasibility studies should include an analysis of the cost-benefit ratio of any system alternatives. In many cases, the best possible system may not be cost effective. Thus, once the decision makers have determined that two or more systems alternatives are acceptable, the cost-benefit relationship should be used to select the best system for a particular application.

Which of the following is an important senior management responsibility with regard to information systems security? A. Assessing exposures. B. Assigning access privileges. C. Identifying ownership of data. D. Training employees in security matters.

A. Assessing exposures. Senior management is responsible for risk assessment, including identification of risks and consideration of their significance, the likelihood of their occurrence, and how they should be managed. Senior management is also responsible for establishing organizational policies regarding computer security and implementing a compliance structure. Thus, senior management should assess the risks to the integrity, confidentiality, and availability of information systems data and resources.

An organization installed antivirus software on all its personal computers. The software was designed to prevent initial infections, stop replication attempts, detect infections after their occurrence, mark affected system components, and remove viruses from infected components. The major risk in relying on antivirus software is that antivirus software may A. Not detect certain viruses. B. Make software installation overly complex. C. Interfere with system operations. D. Consume too many system resources.

A. Not detect certain viruses.

Object technology has become important in companies' strategic use of information systems because of its potential to A. Permit quicker and more reliable development of systems. B. Maintain programs written in procedural languages. C. Minimize data integrity violations in hierarchical databases. D. Streamline the traditional "waterfall" systems development methodology.

A. Permit quicker and more reliable development of systems. Answer (A) is correct. An object-oriented approach is intended to produce reusable code. Because code segments can be reused in other programs, the time and cost of writing software should be reduced.

To be more responsive to its customers, a bank wants a system that will permit account representatives to consolidate information about all the accounts belonging to individual customers. Bank management is willing to experiment with different approaches because the requirements are evolving rapidly. The best development approach for this system is A. Prototyping. B. System development life cycle model. C. Structured analysis and design technique. D. Hierarchy-input-process-output.

A. Prototyping. Answer (A) is correct. Prototyping is an approach that involves creating a working model of the system requested, demonstrating it for the user, obtaining feedback, and making changes to the underlying code. This process repeats through several iterations until the user is satisfied with the system's functionality. Formerly, this approach was derided as being wasteful of resources and tending to produce unstable systems, but with vastly increased processing power and high-productivity development tools, prototyping can, in some cases, be an efficient means of systems development.

Which of the following is considered to be a server in a local area network (LAN)? A. The cabling that physically interconnects the nodes of the LAN. B. A device that stores program and data files for users of the LAN. C. A device that connects the LAN to other networks. D. A workstation that is dedicated to a single user on the LAN.

B. A device that stores program and data files for users of the LAN. Answer (B) is correct. A file server is a computer in a network that operates as a librarian. It stores programs and data files for users of the LAN and manages access to them.

Which of the following is an indication that a computer virus is present? A. Frequent power surges that harm computer equipment. B. Unexplainable losses of or changes to data. C. Inadequate backup, recovery, and contingency plans. D. Numerous copyright violations due to unauthorized use of purchased software.

B. Unexplainable losses of or changes to data. The effects of computer viruses range from harmless messages to complete destruction of all data within the system. A symptom of a virus would be the unexplained loss of or change to data.

Which of the following IT developments poses the least risk to organizational security? A. Adoption of wireless technology. B. Use of public-key encryption. C. Outsourcing of the IT infrastructure. D. Enterprise-wide integration of functions.

B. Use of public-key encryption. Answer (B) is correct. Encryption is essential when electronic commerce is conducted over public networks, such as the Internet. Thus, the use of public-key encryption is a response to risk, not a source of risk.

Program documentation is a control designed primarily to ensure that A. Programmers have access to production programs. B. Programs do not make mathematical errors. C. Programs are kept up to date and perform as intended. D. No one has made use of the computer hardware for personal reasons.

C. Programs are kept up to date and perform as intended. Answer (C) is correct. Complete, up-to-date documentation of all programs and associated operating procedures is necessary for efficient operation of a computer installation. Maintenance of programs is important to provide for continuity and consistency of data processing services to users. Program documentation (the program run manual) consists of problem statements, systems flowcharts, operating instructions, record layouts, program flowcharts, program listings, test data, and approval and change sheets.

Which of the following is the best program for the protection of a company's vital information resources from computer viruses? A. Stringent corporate hiring policies for staff working with computerized functions. B. Existence of a software program for virus prevention. C. Prudent management policies and procedures instituted in conjunction with technological safeguards. D. Physical protection devices in use for hardware, software, and library facilities.

C. Prudent management policies and procedures instituted in conjunction with technological safeguards. Acceptably safe computing can be achieved by carefully crafted policies and procedures used in conjunction with antivirus and access control software.

Which of the following is the best policy for the protection of a company's vital information resources from computer viruses? A. Stringent corporate hiring policies for staff working with computerized functions. B. Existence of a software program for virus prevention. C. Prudent management procedures instituted in conjunction with technological safeguards. D. Physical protection devices in use for hardware, software, and library facilities.

C. Prudent management procedures instituted in conjunction with technological safeguards. Answer (C) is correct. Acceptably safe computing can be achieved by carefully crafted policies and procedures used in conjunction with antivirus and access control software.

The best source of evidence to determine if ex-employees continue to have access to a company's computer systems is A. Discussing the password removal process with the information security officer. B. Reviewing computer logs of access attempts. C. Reconciling current payroll lists with database access lists. D. Reviewing access control software to determine whether the most current version is implemented.

C. Reconciling current payroll lists with database access lists. To determine if ex-employees are accessing the company's computer systems, the auditor should obtain the log showing system accesses. This log should be compared with current payroll lists to see if anyone not on the payroll is still accessing or is able to access the systems.

Assigning passwords to computer users is a control to prevent unauthorized access. Because a password does not conclusively identify a specific individual, it must be safeguarded from theft. A method used to protect passwords is to A. Require that they be displayed on computer screens but not printed on hard copy output. B. Set maximum character lengths. C. Require passwords to be changed periodically. D. Eliminate all records of old passwords.

C. Require passwords to be changed periodically. Security measures include changing passwords frequently, that is, establishing a relatively short maximum retention period; not displaying or printing passwords; setting minimum lengths; prohibiting the use of certain words, character strings, or names; mandating a minimum retention period so users cannot promptly change passwords back to their old and convenient values; and retaining old passwords to prevent their use.

A client communicates sensitive data across the Internet. Which of the following controls will be most effective to prevent the use of the information if it is intercepted by an unauthorized party? A. A firewall. B. An access log. C. Passwords. D. Encryption.

D. Encryption. Answer (D) is correct. Encryption technology converts data into a code. Encoding data before transmission over communications lines makes it more difficult for someone with access to the transmission to understand or modify its contents.

Which of the following is a computer program that appears to be legitimate but performs some illicit activity when it is run? A. Hoax virus. B. Web crawler. C. Trojan horse. D. Killer application.

C. Trojan horse. A Trojan horse is a computer program that appears friendly, for example, a game, but that actually contains an application destructive to the computer system.

Attacks on computer networks may take many forms. Which of the following uses the computers of innocent parties infected with Trojan horse programs? A. A distributed denial-of-service attack. B. A man-in-the-middle attack. C. A brute-force attack. D. A password-cracking attack.

A. A distributed denial-of-service attack. Answer (A) is correct. A denial-of-service (DOS) attack is an attempt to overload a system (e.g., a network or Web server) with false messages so that it cannot function (a system crash). A distributed DOS attack comes from multiple sources, for example, the machines of innocent parties infected by Trojan horses. When activated, these programs send messages to the target and leave the connection open. A DOS may establish as many network connections as possible to exclude other users, overload primary memory, or corrupt file systems.

A bank is developing a computer system to help evaluate loan applications. The information systems (IS) staff interview the bank's mortgage underwriters to extract their knowledge and decision processes for input into the computer system. The completed system should be able to process information the same as do the underwriters and make final recommendations regarding loan decisions. This approach is called A. An expert system. B. A neural network. C. An intelligent agent. D. Fuzzy logic.

A. An expert system. Answer (A) is correct. An expert system is a knowledge-intensive computer program that captures the expertise of a human in limited domains of knowledge.

What is a major disadvantage to using a private key to encrypt data? A. Both sender and receiver must have the private key before this encryption method will work. B. The private key cannot be broken into fragments and distributed to the receiver. C. The private key is used by the sender for encryption but not by the receiver for decryption. D. The private key is used by the receiver for decryption but not by the sender for encryption.

A. Both sender and receiver must have the private key before this encryption method will work. Answer (A) is correct. Private-key, or symmetric, encryption is the less secure of the two encryption methods because only one key is used. This single key must be revealed to both the sender and recipient.

Management of a company has a lack of segregation of duties within the application environment, with programmers having access to development and production. The programmers have the ability to implement application code changes into production without monitoring or a quality assurance function. This is considered a deficiency in which of the following areas? A. Change control. B. Management override. C. Data integrity. D. Computer operations.

A. Change control. Answer (A) is correct. Over the life of an application, users are constantly asking for changes. The process of managing these changes is systems maintenance, and the relevant controls are program change controls. Thus, if programmers can implement application code changes into production without monitoring or a quality assurance function, program change controls are deficient.

Systems development audit engagements include reviews at various points to ensure that development is properly controlled and managed. The reviews should include all of the following except A. Conducting a technical feasibility study on the available hardware, software, and technical resources. B. Examining the level of user involvement at each stage of implementation. C. Verifying the use of controls and quality assurance techniques for program development, conversion, and testing. D. Determining if system, user, and operations documentation conforms to formal standards.

A. Conducting a technical feasibility study on the available hardware, software, and technical resources. Answer (A) is correct. The technical feasibility study is conducted by IT professionals, not internal auditors.

The primary objective of security software is to A. Control access to information system resources. B. Restrict access to prevent installation of unauthorized utility software. C. Detect the presence of viruses. D. Monitor the separation of duties within applications.

A. Control access to information system resources. The objective of security software is to control access to information system resources, such as program libraries, data files, and proprietary software. Security software identifies and authenticates users, controls access to information, and records and investigates security related events and data.

Which of the following is a true statement regarding security over an entity's IT? A. Controls should exist to ensure that users have access to and can update only the data elements that they have been authorized to access. B. Controls over data sharing by diverse users within an entity should be the same for every user. C. The employee who manages the computer hardware should also develop and debug the computer programs. D. Controls can provide assurance that all processed transactions are authorized but cannot verify that all authorized transactions are processed.

A. Controls should exist to ensure that users have access to and can update only the data elements that they have been authorized to access. Answer (A) is correct. Authorization is the practice of ensuring that, once in a particular system, a user can only access those programs and data elements necessary for his or her job duties.

Which of the following would be the most appropriate starting point for a compliance evaluation of software licensing requirements for an organization with more than 15,000 computer workstations? A. Determine if software installation is controlled centrally or distributed throughout the organization. B. Determine what software packages have been installed on the organization's computers and the number of each package installed. C. Determine how many copies of each software package have been purchased by the organization. D. Determine what mechanisms have been installed for monitoring software usage.

A. Determine if software installation is controlled centrally or distributed throughout the organization. Answer (A) is correct. The logical starting point is to determine the point(s) of control. Evidence of license compliance can then be assessed. For example, to shorten the installation time for revised software in a network, an organization may implement electronic software distribution (ESD), which is the computer-to-computer installation of software on workstations. Instead of weeks, software distribution can be accomplished in hours or days and can be controlled centrally. Another advantage of ESD is that it permits tracking or metering of PC program licenses.

The marketing department's proposal was finally accepted, and the marketing employees attended a class in using the report writer. Soon, the marketing analysts found that it was easier to download the data and manipulate it on their own desktop computers in spreadsheets than to perform all the data manipulation on the server. One analyst became highly skilled at downloading and wrote downloading command sequences for the other employees. When the analyst left the company for a better job, the department had problems making modifications to these command sequences. The department's problems are most likely due to inadequate A. Documentation. B. Data backup. C. Program testing. D. Antivirus software.

A. Documentation. Answer (A) is correct. One risk of end-user computing is that documentation may be poor and that important knowledge may be limited to one person. The command sequences should have been documented so that other analysts could use and modify them readily.

Which of the following is part of the board's role in protecting against privacy threats? A. Establishing a privacy framework. B. Identifying the information gathered by the organization that is deemed personal or private. C. Identifying the methods used to collect information. D. Determining whether the use of the information collected is in accordance with its intended use and the laws.

A. Establishing a privacy framework. Answer (A) is correct. The board is ultimately accountable for identifying the principal risks to the organization and implementing appropriate control processes to mitigate those risks. This includes establishing the necessary privacy framework for the organization and monitoring its implementation (PA 2130.A1-2, para. 3).

Compared with prototyping, life cycle methodologies are appropriate for problems involving A. High user understanding of tasks and large project size. B. Low user understanding of tasks and small project size. C. Low user understanding of tasks and uncertainty of requirements. D. Uncertainty of requirements and large project size.

A. High user understanding of tasks and large project size. Answer (A) is correct. The life cycle approach is best employed when systems are large and highly structured, users understand the tasks to be performed by the information system, and the developers have directly applicable experience in designing similar systems. In the life cycle process, each stage of development is highly structured, and requirements are clearly defined.

Which of the following statements is(are) true regarding the Internet as a commercially viable network? I. Organizations must use firewalls if they wish to maintain security over internal data. II. Companies must apply to the Internet to gain permission to create a home page to engage in electronic commerce. III. Companies that wish to engage in electronic commerce on the Internet must meet required security standards established by the coalition of Internet providers. A. I only. B. II only. C. III only. D. I and III.

A. I only. Companies that wish to maintain adequate security must use firewalls to protect data from being accessed by unauthorized users. A network firewall prevents intrusion to the network by outside parties.

To ensure privacy in a public-key encryption system, knowledge of which of the following keys would be required to decode the received message? I. Private II. Public A. I. B. II. C. Both I and II. D. Neither I nor II.

A. I. Answer (A) is correct. In a public-key system, the public key is used to encrypt the message prior to transmission, and the private key is needed to decrypt (decode) the message.

Both users and management approve the initial proposal, design specifications, conversion plan, and testing plan of an information system. This is an example of A. Implementation controls. B. Hardware controls. C. Computer operations controls. D. Data security controls.

A. Implementation controls. Answer (A) is correct. Implementation controls occur in the systems development process at various points to ensure that implementation is properly controlled and managed.

CASE (computer-aided software engineering) is the use of the computer to aid in the development of computer-based information systems. Which of the following could not be automatically generated with CASE tools and techniques? A. Information requirements determination. B. Program logic design. C. Computer program code. D. Program documentation.

A. Information requirements determination. Answer (A) is correct. CASE applies the computer to software design and development. It maintains on the computer a library of standard program modules and all of the system documentation, e.g., data flow diagrams, data dictionaries, and pseudocode (structured English); permits development of executable input and output screens; and generates program code in at least skeletal form. Thus, CASE facilitates the creation, organization, and maintenance of documentation and permits some automation of the coding process. However, information requirements must be determined prior to using CASE.

Which of the following statements is false with respect to information security? A. Internal auditors should determine that management and the board, audit committee, or other governing body have a clear understanding that information security is the responsibility of the internal audit activity. B. The chief audit executive should determine that the internal audit activity possesses, or has access to, competent auditing resources to evaluate information security and associated risk exposures. C. Internal auditors should periodically assess the organization's information reliability and integrity practices and recommend, as appropriate, enhancements to, or implementation of, new controls and safeguards. D. Internal auditors should assess the effectiveness of preventive, detective, and mitigative measures against past attacks, as deemed appropriate, and future attempts or incidents deemed likely to occur.

A. Internal auditors should determine that management and the board, audit committee, or other governing body have a clear understanding that information security is the responsibility of the internal audit activity. Answer (A) is correct. Internal auditors determine whether senior management and the board have a clear understanding that information reliability and integrity is a management responsibility. This responsibility includes all critical information of the organization, regardless of media in which the information is stored (PA 2130.A1-1, para. 1).

The encryption technique that requires two keys, a public key that is available to anyone for encrypting messages and a private key that is known only to the recipient for decrypting messages, is A. Rivest, Shamir, and Adelman (RSA). B. Data encryption standard (DES). C. Modulator-demodulator. D. A cypher lock.

A. Rivest, Shamir, and Adelman (RSA). Answer (A) is correct. RSA is an encryption standard licensed to hardware and software vendors. Public-key encryption requires management of fewer keys for a given client-server environment than does private-key encryption. However, compared with DES, RSA entails more complex computations and therefore has a higher processing overhead. RSA requires two keys: The public key for encrypting messages is widely known, but the private key for decrypting messages is kept secret by the recipient.

Traditional information systems development and operational procedures typically involve four functional areas. The systems analysis function focuses on identifying and designing systems to satisfy organizational requirements. The programming function is responsible for the design, coding, testing, and debugging of computer programs necessary to implement the systems designed by the analysis function. The computer operations function is responsible for data preparation, program/job execution, and system maintenance. The user function provides the input and receives the output of the system. Which of these four functions is often poorly implemented or improperly omitted in the development of a new end-user computing (EUC) application? A. Systems analysis function. B. Programming function. C. Computer operations function. D. User function.

A. Systems analysis function. Answer (A) is correct. Systems analysis is one step that is not absolutely required in the development of a system. The desire to produce a system quickly may result in this step being eliminated or poorly implemented. A system is often produced and then analyzed to see if it will satisfy the needs of the organization. In an EUC application, the systems analysis is often incomplete or omitted.

A digital signature is used primarily to determine that a message is A. Unaltered in transmission. B. Not intercepted en route. C. Received by the intended recipient. D. Sent to the correct address.

A. Unaltered in transmission. Answer (A) is correct. A digital signature is a means of authenticating an electronic document, such as a purchase order, acceptance of a contract, or financial information. Because digital signatures use public-key encryption, they are a highly secure means of ensuring security over the Internet.

Because of competitive pressures to be more responsive to their customers, some organizations have connected their internal personal computer networks through a host computer to outside networks. A risk of this practice is that A. Viruses may gain entry to one or more company systems. B. Uploaded files may not be properly edited and validated. C. Data downloaded to the personal computers may not be sufficiently timely. D. Software maintenance on the personal computers may become more costly.

A. Viruses may gain entry to one or more company systems. Answer (A) is correct. Viruses are harmful programs that disrupt memory and processing functions and may destroy data. They spread from network to network, from infected diskettes, or from infected machines. Hence, connecting all networked personal computers through a host computer to outside networks increases the exposure of all of a company's computers to viruses.

Which of the following would be of greatest concern to an auditor reviewing a policy regarding the sale of a company's used personal computers to outside parties? A. Whether deleted files on the hard disk drive have been completely erased. B. Whether the computer has viruses. C. Whether all software on the computer is properly licensed. D. Whether there is terminal emulation software on the computer.

A. Whether deleted files on the hard disk drive have been completely erased. While most delete programs erase file pointers, they do not remove the underlying data. The company must use special utilities that fully erase the data. This is important because of the potential for confidential data on the microcomputers.

As organizations become more computer integrated, management is becoming increasingly concerned with the quality of access controls to the computer system. Which of the following provides the most accountability?

Access should be limited to those whose activities necessitate access to the computer system. Moreover, the degree of access allowed should be consistent with an individual's responsibilities. Restricting access to particular individuals rather than groups or departments clearly establishes specific accountability. Not everyone in a group will need access or the same degree of access. Thus, passwords assigned to individuals should be required for identification of users by the system. Furthermore, data should be restricted at the field level, not the workstation level. It may be possible to limit access to a workstation, but most workstations are connected to larger mainframe or network databases. Thus, the security at the workstation level only would be insufficient.

A company often revises its production processes. The changes may entail revisions to processing programs. Ensuring that changes have a minimal impact on processing and result in minimal risk to the system is a function of A. Security administration. B. Change control. C. Problem tracking. D. Problem-escalation procedures.

B. Change control. Answer (B) is correct. Change control is the process of authorizing, developing, testing, and installing coded changes so as to minimize the impact on processing and the risk to the system.

After using the report writer for several months, the marketing analysts gained confidence in using it, but the marketing department manager became concerned. Whenever analysts revised reports they had written earlier, the coding errors kept reappearing in their command sequences. The manager was sure that all the analysts knew what the errors were and how to avoid them. The most likely cause of the reappearance of the same coding errors is inadequate A. Backups. B. Change control. C. Access control. D. Testing.

B. Change control. Change control manages changes in information system resources and procedures. It includes a formal change request procedure; assessments of change requests on technical and business grounds; scheduling changes; testing, installing, and monitoring changes; and reporting the status of recorded changes. The analysts were reusing erroneous code that should have been but was not corrected.

A controller became aware that a competitor appeared to have access to the company's pricing information. The internal auditor determined that the leak of information was occurring during the electronic transmission of data from branch offices to the head office. Which of the following controls would be most effective in preventing the leak of information? A. Asynchronous transmission. B. Encryption. C. Use of fiber-optic transmission lines. D. Use of passwords.

B. Encryption. Answer (B) is correct. Encryption software uses a fixed algorithm to manipulate plain text and an encryption key (a set of random data bits used as a starting point for application of the algorithm) to introduce variation. Although data may be accessed by tapping into the transmission line, the encryption key is necessary to understand the data being sent.

Which of the following is an electronic device that separates or isolates a network segment from the main network while maintaining the connection between networks? A. Query program. B. Firewall. C. Image browser. D. Keyword.

B. Firewall.

Innovations in IT increase the importance of risk management because A. The objective of complete security is becoming more attainable. B. Information system security is continually subject to new threats. C. Closed private systems have proliferated. D. Privacy is a concern for only a very few users.

B. Information system security is continually subject to new threats. Advances in technology bring new capabilities and, along with them, new vulnerabilities. Because information system security is continually subject to new threats, that is, to new risks and exposures, risk assessment and management must be a continual process.

An organization's computer system should have an intrusion detection system (IDS) if it has external connections. An IDS A. Must monitor every call on the system as it occurs. B. May examine only packets with certain signatures. C. Uses only knowledge-based detection. D. Uses only behavior-based detection.

B. May examine only packets with certain signatures. A network IDS works by using sensors to examine packets traveling on the network. Each sensor monitors only the segment of the network to which it is attached. A packet is examined if it matches a signature. String signatures (certain strings of text) are potential signs of attack. Port signatures alert the IDS that a point subject to frequent intrusion attempts may be under attack. A header signature is a suspicious combination in a packet header.

A systems development approach used to quickly produce a model of user interfaces, user interactions with the system, and process logic is called A. Neural networking. B. Prototyping. C. Reengineering. D. Application generation.

B. Prototyping. Answer (B) is correct. Prototyping produces the first model(s) of a new system. This technique usually employs a software tool for quick development of a model of the user interface (such as by report or screen), interaction of users with the system (for example, a menu-screen approach or data entry), and processing logic (the executable module). Prototyping stimulates user participation because the model allows quick exploration of concepts and development of solutions with quick results.

Which of the following is the most appropriate activity for an internal auditor to perform during a review of systems development activity? A. Serve on the IT steering committee that determines what new systems are to be developed. B. Review the methodology used to monitor and control the system development function. C. Recommend specific automated procedures to be incorporated into new systems that will provide reasonable assurance that all data submitted to an application are converted to machine-readable form. D. Recommend specific operational procedures that will ensure that all data submitted for processing are converted to machine-readable form.

B. Review the methodology used to monitor and control the system development function. Answer (B) is correct. Auditor objectivity is not impaired when (s)he recommends standards of control for systems or reviews procedures before implementation. However, drafting procedures for systems and designing, installing, and operating systems are not audit functions. Thus, reviewing the methodology used by an organization is an appropriate activity that enables the internal auditor to determine whether (s)he can rely on the systems development activity to design and implement appropriate automated controls within applications.

Change control typically includes procedures for separate libraries for production programs and for test versions of programs. The reason for this practice is to A. Promote efficiency of system development. B. Segregate incompatible duties. C. Facilitate user input on proposed changes. D. Permit unrestricted access to programs.

B. Segregate incompatible duties. Answer (B) is correct. Separating production and test versions of programs facilitates restricting access to production programs to the individuals, such as computer operators, who need access. The effect is to separate the incompatible functions of operators and programmers.

Authentication is the process by which the A. System verifies that the user is entitled to enter the transaction requested. B. System verifies the identity of the user. C. User identifies himself or herself to the system. D. User indicates to the system that the transaction was processed correctly.

B. System verifies the identity of the user. Identification is the process of uniquely distinguishing one user from all others. Authentication is the process of determining that individuals are who they say they are. For example, a password may identify but not authenticate its user if it is known by more than one individual.

Who determines whether the internal audit activity has access to resources sufficient to evaluate the reliability and integrity of information? A. The chief executive officer. B. The chief audit executive. C. The external auditor. D. The chief operating officer.

B. The chief audit executive. Answer (B) is correct. The chief audit executive determines whether the internal audit activity possesses, or has access to, competent audit resources to evaluate information reliability and integrity and associated risk exposures. This includes both internal and external risk exposures and exposures relating to the organization's relationships with outside entities (PA 2130.A1-1, para. 2).

What is the primary objective of data security controls? A. To establish a framework for controlling the design, security, and use of computer programs throughout an organization. B. To ensure that storage media are subject to authorization prior to access, change, or destruction. C. To formalize standards, rules, and procedures to ensure the organization's controls are properly executed. D. To monitor the use of system software to prevent unauthorized access to system software and computer programs.

B. To ensure that storage media are subject to authorization prior to access, change, or destruction. The primary objective of data security is to protect data. This includes ensuring that storage media are subject to authorization prior to access, change, or destruction.

Which of the following would provide the least security for sensitive data stored on a notebook computer? A. Encrypting data files on the notebook computer. B. Using password protection for the screen-saver program on the notebook computer. C. Using a notebook computer with a removable hard disk drive. D. Locking the notebook computer in a case when not in use.

B. Using password protection for the screen-saver program on the notebook computer. Password protection for a screen-saver program can be easily bypassed.

Data access security related to applications may be enforced through all of the following except A. User identification and authentication functions incorporated in the application. B. Utility software functions. C. User identification and authentication functions in access control software. D. Security functions provided by a database management system.

B. Utility software functions. Utility programs perform routine functions (e.g., sorting and copying), are available to all users, and are promptly available for many different applications. Utility programs are one of the more serious weaknesses in data access security because some can bypass normal access controls.

The best preventive measure against a computer virus is to A. Compare software in use with authorized versions of the software. B. Execute virus exterminator programs periodically on the system. C. Allow only authorized software from known sources to be used on the system. D. Prepare and test a plan for recovering from the incidence of a virus.

C. Allow only authorized software from known sources to be used on the system. Preventive controls are designed to prevent errors before they occur. Detective and corrective controls attempt to identify and correct errors. Preventive controls are usually more cost beneficial than detective or corrective controls. Allowing only authorized software from known sources to be used on the system is a preventive measure. The authorized software from known sources is expected to be free of viruses.

Which of the following risks is more likely to be encountered in an end-user computing (EUC) environment as compared with a centralized environment? A. Inability to afford adequate uninterruptible power supply systems. B. User input screens without a graphical user interface (GUI). C. Applications that are difficult to integrate with other information systems. D. Lack of adequate utility programs.

C. Applications that are difficult to integrate with other information systems. Answer (C) is correct. The risks arising from allowing end users to develop their own applications are the risks associated with decentralization of control. These applications may lack appropriate standards, controls, and quality assurance procedures.

Which new issues associated with rapidly advancing computer technology create new risk exposures for organizations? A. Changes in organizational reporting requirements and controls over computer abuse. B. Controls over library tape procedures. C. Complexity of operating systems and controls over privacy of data. D. Changes in organizational behavior.

C. Complexity of operating systems and controls over privacy of data. Advancing computer technology presents more complex audit environments. With the advent of systems that permit remote access, the risk that unauthorized parties may obtain or tamper with important information is increased.

An electronics company has decided to implement a new system through the use of rapid application development techniques. Which of the following would be included in the development of the new system? A. Deferring the need for system documentation until the final modules are completed. B. Removing project management responsibilities from the development teams. C. Creating the system module by module until completed. D. Using object development techniques to minimize the use of previous code.

C. Creating the system module by module until completed. Answer (C) is correct. The new system would be developed module by module until completed.

Which of the following would not be appropriate to consider in the physical design of a data center? A. Evaluation of potential risks from railroad lines and highways. B. Use of biometric access systems. C. Design of authorization tables for operating system access. D. Inclusion of an uninterruptible power supply system and surge protection.

C. Design of authorization tables for operating system access. Authorization tables for operating system access address logical controls, not physical controls.

The accountant who prepared a spreadsheet model for workload forecasting left the company, and the accountant's successor was unable to understand how to use the spreadsheet. The best control for preventing such situations from occurring is to ensure that A. Use of end-user computing resources is monitored. B. End-user computing efforts are consistent with strategic plans. C. Documentation standards exist and are followed. D. Adequate backups are made for spreadsheet models.

C. Documentation standards exist and are followed. Answer (C) is correct. The accountant's successor could not use the forecasting model because of inadequate documentation. By requiring that documentation standards exist and are followed, the company will enable new employees to understand internally developed programs when the developer leaves the organization.

Which of the following operating procedures increases an organization's exposure to computer viruses? A. Encryption of data files. B. Frequent backup of files. C. Downloading public-domain software from websites. D. Installing original copies of purchased software on hard disk drives.

C. Downloading public-domain software from websites. Viruses are spread through shared data. Downloading public-domain software carries a risk that contaminated data may enter the computer.

Minimizing the likelihood of unauthorized editing of production programs, job control language, and operating system software can best be accomplished by A. Database access reviews. B. Compliance reviews. C. Good change control procedures. D. Effective network security audits.

C. Good change control procedures. Answer (C) is correct. Program change control includes (1) maintaining records of change authorizations, code changes, and test results; (2) adhering to a systems development methodology (including documentation); (3) authorizing changeovers of subsidiary and headquarters' interfaces; and (4) restricting access to authorized source and executable codes.

Which of the following statements is(are) correct regarding electronic mail security? I. Electronic mail can be no more secure than the computer system on which it operates. II. Confidential electronic mail messages should be stored on the mail server as electronic mail for the same length of time as similar paper-based documents. III. In larger organizations, there may be several electronic mail administrators and locations with varying levels of security. A. I only. B. I and II only. C. I and III only. D. II and III only.

C. I and III only. Answer (C) is correct. Electronic mail can be no more secure than the computer system on which it operates. Also, in larger organizations, there may be several electronic mail administrators and locations with varying levels of security.

Effective internal control for application development should provide for which of the following? I. A project steering committee to initiate and oversee the system II. A technical systems programmer to evaluate systems software III. Feasibility studies to evaluate existing systems IV. The establishment of standards for systems design and programming A. I and III only. B. I, II, and IV only. C. I, III, and IV only. D. II, III, and IV only.

C. I, III, and IV only. Answer (C) is correct. Effective systems development requires participation by top management. This can be achieved through a steering committee composed of higher-level representatives of system users. The committee approves or recommends projects and reviews their progress. Studies of the economic, operational, and technical feasibility of new applications necessarily entail evaluations of existing systems. Another necessary control is the establishment of standards for system design and programming. Standards represent user and system requirements determined during systems analysis.

Rejection of unauthorized modifications to application systems could be accomplished through the use of A. Programmed checks. B. Batch controls. C. Implementation controls. D. One-for-one checking.

C. Implementation controls. Answer (C) is correct. General controls include organizational controls, such as a policy (an implementation control) that requires new programs and changes in programs (after adequate testing) to be formally approved before being put into operation (implemented). This policy is reflected in the maintenance of approval and change sheets with appropriate authorizations.

The use of message encryption software A. Guarantees the secrecy of data. B. Requires manual distribution of keys. C. Increases system overhead. D. Reduces the need for periodic password changes.

C. Increases system overhead. Answer (C) is correct. Encryption software uses a fixed algorithm to manipulate plain text and an encryption key (a set of random data bits used as a starting point for application of the algorithm) to introduce variation. The machine instructions necessary to encrypt and decrypt data constitute system overhead. As a result, processing speed may be slowed.

The process of monitoring, evaluating, and modifying a system as needed is referred to as systems A. Analysis. B. Feasibility study. C. Maintenance. D. Implementation.

C. Maintenance. Answer (C) is correct. Systems maintenance must be undertaken by systems analysts and applications programmers continually throughout the life of a system. Maintenance is the redesign of the system and programs to meet new needs or to correct design flaws. These changes should be part of a regular program of preventive maintenance.

Traditional information systems development procedures that ensure proper consideration of controls may not be followed by users developing end-user computing (EUC) applications. Which of the following is a prevalent risk in the development of EUC applications? A. Management decision making may be impaired due to diminished responsiveness to management's requests for computerized information. B. Management may be less capable of reacting quickly to competitive pressures due to increased application development time. C. Management may place the same degree of reliance on reports produced by EUC applications as it does on reports produced under traditional systems development procedures. D. Management may incur increased application development and maintenance costs for EUC systems, compared with traditional (mainframe) systems.

C. Management may place the same degree of reliance on reports produced by EUC applications as it does on reports produced under traditional systems development procedures. Answer (C) is correct. End-user developed applications may not be subject to an independent outside review by systems analysts and are not created in the context of a formal development methodology. These applications may lack appropriate standards, controls, quality assurance procedures, and documentation. A risk of end-user applications is that management may rely on them as much as traditional applications.

A bank was considering its first use of computer-aided software engineering (CASE) to develop an inquiry system for account representatives to access consolidated profiles of customers' accounts. A benefit of using CASE in this situation is that A. No new software development tools would be needed. B. No training of programmers would be required. C. Management of the development process would be improved. D. The need for testing would be reduced.

C. Management of the development process would be improved. Answer (C) is correct. CASE applies computers to software design and development. It permits creation and maintenance of systems documentation on the computer and the automation of a part of the programming effort. Using CASE would improve management of the development process because the CASE software maintains the links between the different components, provides built-in project management tools, and supplies automated testing aids.

The reliability and integrity of all critical information of an organization, regardless of the media in which the information is stored, is the responsibility of A. Shareholders. B. IT department. C. Management. D. All employees.

C. Management. Answer (C) is correct. Internal auditors determine whether senior management and the board have a clear understanding that information reliability and integrity is a management responsibility. This responsibility includes all critical information of the organization regardless of how the information is stored (PA 2130.A1-1, para. 1).

Most large-scale computer systems maintain at least three program libraries: production library (for running programs); source code library (maintains original source coding); and test library (for programs which are being changed). Which of the following statements is correct regarding the implementation of sound controls over computer program libraries? A. Only programmers should have access to the production library. B. Users should have access to the test library to determine whether all changes are properly made. C. Only the program librarian should be allowed to make changes to the production library. D. The computer operator should have access to both the production library and the source code library to assist in diagnosing computer crashes.

C. Only the program librarian should be allowed to make changes to the production library. Answer (C) is correct. The program librarian is accountable for, and has custody of, the programs in the production library.

A client installed the most sophisticated controls using biometric attributes of employees to gain access to their computer system. This technology most likely replaced which of the following controls? A. Use of security specialists. B. Reasonableness tests. C. Passwords. D. Virus protection software.

C. Passwords. The purpose of passwords is to prevent access by unauthorized users just as the more sophisticated control of employee biometric attributes. The use of passwords is an effective control in an online system to prevent unauthorized access to computer systems. However, biometric technologies are more sophisticated and difficult to compromise.

Freedom from monitoring best defines A. Personal privacy. B. Privacy of space. C. Privacy of communication. D. Privacy of information.

C. Privacy of communication. Answer (C) is correct. Privacy may encompass (1) personal privacy (physical and psychological); (2) privacy of space (freedom from surveillance); (3) privacy of communication (freedom from monitoring); and (4) privacy of information (collection, use, and disclosure of personal information by others) (PA 2130.A1-2, para. 2).

Computer program libraries should be kept secure by A. Installing a logging system for program access. B. Monitoring physical access to program library media. C. Restricting physical and logical access. D. Denying remote access via terminals.

C. Restricting physical and logical access. An important operating control is to establish a library to preclude misplacement, misuse, or theft of data files, programs, and documentation. A librarian should perform this custodianship function and be appropriately accountable. Restricting physical and logical access secures programs from unauthorized use, whether in person or remotely via terminals.

Application control objectives do not normally include assurance that A. Authorized transactions are completely processed once and only once. B. Transaction data are complete and accurate. C. Review and approval procedures for new systems are set by policy and adhered to. D. Processing results are received by the intended user.

C. Review and approval procedures for new systems are set by policy and adhered to. Application controls provide reasonable assurance that the recording, processing, and reporting of data are properly performed. Review and approval procedures for new systems are among the general controls known as system software acquisition and maintenance controls.

Which of the following represents the procedure managers use to identify whether the company has information that unauthorized individuals want, how these individuals could obtain the information, the value of the information, and the probability of unauthorized access occurring? A. Disaster recovery plan assessment. B. Systems assessment. C. Risk assessment. D. Test of controls.

C. Risk assessment. Answer (C) is correct. The risk assessment forms the core of an organization's contingency planning. A risk assessment involves assessing (1) the types of vulnerabilities to which each of the organization's critical systems is subject, (2) the likelihood of each of the vulnerabilities being exploited, and (3) countermeasures to be taken, both preventive measures to stop the occurrence of breaches and corrective measures to compensate in the event of breaches.

What is the best course of action to take if a program takes longer than usual to load or execute? A. Test the system by running a different application program. B. Reboot the system. C. Run antivirus software. D. Back up the hard disk files to floppies.

C. Run antivirus software. The described condition is a symptom of a virus. Many viruses will spread and cause additional damage. Use of an appropriate antivirus program may identify and even eliminate a viral infection. Ways to minimize computer virus risk in a networked system include restricted access, regularly updated passwords, periodic testing of systems with virus detection software, and the use of antivirus software on all shareware prior to introducing it into the network.

Which of the following statements best characterizes the function of a physical access control? A. Protects systems from the transmission of Trojan horses. B. Provides authentication of users attempting to log into the system. C. Separates unauthorized individuals from computer resources. D. Minimizes the risk of incurring a power or hardware failure.

C. Separates unauthorized individuals from computer resources. Physical security controls limit physical access and protect against environmental risks and natural catastrophes, such as fire and flood. For example, keypad devices and magnetic card readers can be used to deny unauthorized persons access to the computer center.

Which of the following is an objective of logical security controls for information systems? A. To ensure complete and accurate recording of data. B. To ensure complete and accurate processing of data. C. To restrict access to specific data and resources. D. To provide an audit trail of the results of processing.

C. To restrict access to specific data and resources. The primary objective of security controls for information systems is to restrict access to data and resources (both hardware and software) to only authorized individuals.

When a client's accounts payable computer system was relocated, the administrator provided support through a dial-up connection to a server. Subsequently, the administrator left the company. No changes were made to the accounts payable system at that time. Which of the following situations represents the greatest security risk? A. User passwords are not required to be in alpha-numeric format. B. Management procedures for user accounts are not documented. C. User accounts are not removed upon termination of employees. D. Security logs are not periodically reviewed for violations.

C. User accounts are not removed upon termination of employees. Access to an entity's data by unauthorized individuals presents a major security risk. The single most important policy is that which governs the information resources to which individuals have access and how the level of access will be tied to their job duties. One provision of the policy must be for the immediate removal of terminated employees' access to the system.

Which of the following is a malicious program, the purpose of which is to reproduce itself throughout the network and produce a denial of service attack by excessively utilizing system resources? A. Logic bomb. B. Virus. C. Worm. D. Trojan horse.

C. Worm. Answer (C) is correct. A worm is an independent program that reproduces by copying itself from one system to another over a network and consumes computer and network resources.

Dora Jones, an auditor for Farmington Co., noted that the Acme employees were using computers connected to Acme's network by wireless technology. On her next visit to Acme, Jones brought one of Farmington's laptop computers with a wireless network card. When she started the laptop to begin work, Jones noticed that the laptop could view several computers on Acme's network and that she had access to Acme's network files. Which of the following statements is the most likely explanation? A. Acme's router was improperly configured. B. Farmington's computer had the same administrator password as the server. C. Jones had been given root account access on Acme's computer. D. Acme was not using security on the network.

D. Acme was not using security on the network. A secure network prevents a user from having unauthorized access. Given wireless technology, anyone with wireless capacity can access the network in the absence of security. Thus, Acme's network was not protected by passwords or other security features to prevent unauthorized access.

When evaluating management of the organization's privacy framework, the internal auditor considers A. The applicable laws relating to privacy. B. Conferring with in-house legal counsel. C. Conferring with information technology specialists. D. All of the answers are correct.

D. All of the answers are correct. Answer (D) is correct. In an evaluation of the privacy framework, the internal auditor considers the following: The various laws, regulations, and policies relating to privacy in the jurisdictions where the organization operates. Conferring with in-house legal counsel to determine the exact nature of laws, regulations, and other standards and practices applicable to the organization and the countries where it operates. Conferring with information technology specialists to determine that information security and data protection controls are in place and regularly reviewed and assessed for appropriateness. The level or maturity of privacy practices (PA 2130.A1-2, para. 7).

Which of the following security controls would best prevent unauthorized access to sensitive data through an unattended data terminal directly connected to a mainframe? A. Use of a screen saver with a password. B. Use of workstation scripts. C. Encryption of data files. D. Automatic log-off of inactive users.

D. Automatic log-off of inactive users. Automatic log-off of inactive users is a utility that disconnects a data terminal from the mainframe or server after a certain amount of time. Once the workstation has been disconnected, the user must log back into the system.

A benefit of using computer-aided software engineering (CASE) technology is that it can ensure that A. No obsolete data fields occur in files. B. Users become committed to new systems. C. All programs are optimized for efficiency. D. Data integrity rules are applied consistently.

D. Data integrity rules are applied consistently. Answer (D) is correct. CASE is an automated technology (at least in part) for developing and maintaining software and managing projects. A benefit of using CASE technology is that it can ensure that data integrity rules, including those for validation and access, are applied consistently across all files.

An information system (IS) project manager is currently in the process of adding a systems analyst to the IS staff. The new systems analyst will be involved with testing the new computerized system. At which stage of the systems development life cycle will the analyst be primarily used? A. Cost-benefit analysis. B. Requirements definition. C. Flowcharting. D. Development.

D. Development. Answer (D) is correct. The systems development life-cycle approach is the oldest methodology applied to the development of medium or large information systems. The cycle is analytically divisible into stages: definition, design, development, implementation, and maintenance. Testing is the most crucial step in the development stage of the life cycle.

Which of the following is an encryption feature that can be used to authenticate the originator of a document and ensure that the message is intact and has not been tampered with? A. Heuristic terminal. B. Perimeter switch. C. Default settings. D. Digital signatures.

D. Digital signatures. Answer (D) is correct. A digital signature is a means of authenticating an electronic document, such as a purchase order, acceptance of a contract, or financial information. Because digital signatures use public-key encryption, they are a highly secure means of ensuring security over the Internet.

Which of the following is an encryption feature that can be used to authenticate the originator of a document and ensure that the message is intact and has not been tampered with? A. Heuristic terminal. B. Perimeter switch. C. Default settings. D. Digital signatures.

D. Digital signatures. Answer (D) is correct. Businesses and others require that documents sent over the Internet be authentic. To authenticate a document, a company or other user may transmit a complete plaintext document along with an encrypted portion of the same document or another standard text that serves as a digital signature. If the plaintext document is tampered with, the two will not match.

Which of the following is the most effective user account management control in preventing the unauthorized use of a computer system? A. Management enforces an aggressive password policy that requires passwords to be 10 characters long, nonreusable, and changed weekly. B. An account manager is responsible for authorizing and issuing new accounts. C. The passwords and usernames of failed log-in attempts are logged and documented in order to cite attempted infiltration of the system. D. Employees are required to renew their accounts semiannually.

D. Employees are required to renew their accounts semiannually. Management's network security policy should include measures to ensure that old and unused accounts are removed promptly. If employees' accounts expire semiannually, reasonable assurance is provided that accounts in use by unauthorized employees do not exist.

A client communicates sensitive data across the Internet. Which of the following controls would be most effective to prevent the use of the information if it were intercepted by an unauthorized party? A. A firewall. B. An access log. C. Passwords. D. Encryption.

D. Encryption. Answer (D) is correct. Encryption technology converts data into a code. Encoding data before transmission over communications lines makes it more difficult for someone with access to the transmission to understand or modify its contents.

Advantages of life cycle methodologies are A. Lower overall development costs when requirements change frequently. B. Ability to give users a functioning system quickly. C. Reduced application development time to achieve a functioning system. D. Enhanced management and control of the development process.

D. Enhanced management and control of the development process. Answer (D) is correct. The systems development life cycle approach is the most common methodology applied to the development of large, highly structured application systems. The life cycle approach is based on the idea that an information system has a finite life span that is limited by the changing needs of the organization. This cycle is analytically divisible into stages. A new system life cycle begins when the inadequacy of the current system leads to a decision to develop a new or improved system. This method is a structured process for controlling the creative activity required to devise, develop, and implement an information system. The process is described in varying terms by different writers, but the nature and sequence of the steps are essentially the same. Life cycle methodologies provide enhanced management and control of the development process because they provide structure for a creative process by dividing it into manageable steps and specifying what must be produced in each phase.

An IT manager has only enough resources to install either a new payroll system or a new data security system, but not both. Which of the following actions is most appropriate? A. Giving priority to the security system. B. Leaving the decision to the IT manager. C. Increasing IT staff output in order for both systems to be installed. D. Having the information systems steering committee set the priority.

D. Having the information systems steering committee set the priority. Answer (D) is correct. The needs assessment and cost-benefit analysis should be conducted by those responsible for making the decision. In this case, the information systems steering committee is the appropriate decision maker.

Management's enthusiasm for computer security seems to vary with changes in the environment, particularly the occurrence of other computer disasters. Which of the following concepts should be addressed when making a comprehensive recommendation regarding the costs and benefits of computer security? I. Potential loss if security is not implemented II. Probability of occurrences III. Cost and effectiveness of the implementation and operation of computer security A. I only. B. I and II only. C. III only. D. I, II, and III.

D. I, II, and III. Potential loss is the amount of dollar damages associated with a security problem or loss of assets. Potential loss times the probability of occurrence is an estimate (expected value) of the exposure associated with lack of security. It represents a potential benefit associated with the implementation of security measures. To perform a cost-benefit analysis, the costs should be considered. Thus, all three items need to be addressed.

Spoofing is one type of online activity used to launch malicious attacks. Spoofing is A. Trying large numbers of letter and number combinations to access a network. B. Eavesdropping on information sent by a user to the host computer of a website. C. Accessing packets flowing through a network. D. Identity misrepresentation in cyberspace.

D. Identity misrepresentation in cyberspace. Answer (D) is correct. Passwords, user account numbers, and other information may be stolen using techniques such as Trojan horses, IP spoofing, and packet sniffers. Spoofing is identity misrepresentation in cyberspace, for example, by using a false website to obtain information about visitors.

Six months after a disgruntled systems programmer was fired and passwords disabled, the company's mainframe computer was brought to a halt when it suddenly erased all of its own files and software. The most likely way the programmer accomplished this was by A. Returning to the computer center after 6 months. B. Planting a computer virus through the use of telephone access. C. Having an accomplice in the computer center. D. Implanting a virus in the operating system and executing it via a back door.

D. Implanting a virus in the operating system and executing it via a back door. Viruses are a form of computer sabotage. They are programs hidden within other programs that have the capacity to duplicate themselves and infect other systems. Sharing of storage media or participation in computer networks creates exposure to viruses. Viruses may result in actions ranging from harmless pranks to erasure of files and programs. A back door is a shortcut created in an operating system that permits a programmer simple access to the system.

Errors are most costly to correct during A. Programming. B. Conceptual design. C. Analysis. D. Implementation.

D. Implementation. Answer (D) is correct. Errors can be corrected most easily and clearly when they are found at an early stage of systems development. Their correction becomes more costly as the life cycle progresses. Because implementation is the last stage of the process listed, errors are most costly to correct when discovered at the implementation stage.

User acceptance testing is more important in an object-oriented development process than in a traditional environment because of the implications of the A. Absence of traditional design documents. B. Lack of a tracking system for changes. C. Potential for continuous monitoring. D. Inheritance of properties in hierarchies.

D. Inheritance of properties in hierarchies. Answer (D) is correct. In object-oriented development, all objects in a class inherit the properties of higher classes in the hierarchy. Thus, changes in one object may affect many other objects, and the extent and effects of errors significantly increase. Testing one object provides no assurance that the objects are properly coordinated. Accordingly, user acceptance testing to verify correct functioning of the whole system becomes more important.

An auditor has just completed a physical security audit of a data center. Because the center engages in top-secret defense contract work, the auditor has chosen to recommend biometric authentication for workers entering the building. The recommendation might include devices that verify all of the following except A. Fingerprints. B. Retina patterns. C. Speech patterns. D. Password patterns.

D. Password patterns. Biometric technologies are automated methods of establishing an individual's identity using physiological or behavioral traits. These characteristics include fingerprints, retina patterns, hand geometry, signature dynamics, speech, and keystroke dynamics.

Responsibility for the control of end-user computing (EUC) exists at the organizational, departmental, and individual user level. Which of the following should be a direct responsibility of the individual users? A. Acquisition of hardware and software. B. Taking equipment inventories. C. Strategic planning of end-user computing. D. Physical security of equipment.

D. Physical security of equipment. Answer (D) is correct. EUC involves user-created or user-acquired systems that are maintained and operated outside of traditional information systems controls. In this environment, an individual user is ordinarily responsible for the physical security of the equipment (s)he uses.

Workwell Company operates in several regions, with each region performing its data processing in a regional data center. The corporate management information systems (MIS) staff has developed a database management system to handle customer service and billing. The director of MIS recommended that the new system be implemented in the Southwestern Region to ascertain if the system operates in a satisfactory manner. This type of conversion is called a A. Parallel conversion. B. Direct conversion. C. Prototype conversion. D. Pilot conversion.

D. Pilot conversion. Answer (D) is correct. A modular conversion approach entails switching to the new or improved system in organizational (division, region, product line, etc.) segments or system segments (accounts receivable, database, etc.). A pilot conversion is one in which the final testing and switchover are accomplished at one segment or division of the company.

Preventing someone with sufficient technical skill from circumventing security procedures and making changes to production programs is best accomplished by A. Reviewing reports of jobs completed. B. Comparing production programs with independently controlled copies. C. Running test data periodically. D. Providing suitable segregation of duties.

D. Providing suitable segregation of duties. Answer (D) is correct. When duties are separated, users cannot obtain a detailed knowledge of programs and computer operators cannot gain unsupervised access to production programs.

A control for ensuring that the source code and the executable code for a program match is A. Verifying that the program move request is authorized. B. Requiring program, system, and parallel testing of the code. C. Authorizing programmer access to test libraries only. D. Recompiling source code into the production load library.

D. Recompiling source code into the production load library. Answer (D) is correct. Recompiling source code into the production load library ensures that the source and executable codes match because the executable code is created from the source code.

Which of the following statements presents an example of a general control for a computerized system? A. Limiting entry of sales transactions to only valid credit customers. B. Creating hash totals from Social Security numbers for the weekly payroll. C. Restricting entry of accounts payable transactions to only authorized users. D. Restricting access to the computer center by use of biometric devices.

D. Restricting access to the computer center by use of biometric devices. General controls relate to the organization's information systems environment as a whole. Physical controls that limit physical access to computer equipment, data, and important documents (i.e., biometric devices) are an example of general controls.

The process of developing specifications for hardware, software, manpower, data resources, and information products required to develop a system is referred to as A. Systems analysis. B. Systems feasibility study. C. Systems maintenance. D. Systems design.

D. Systems design. Answer (D) is correct. Detailed systems design involves developing specifications regarding input, processing, internal controls and security measures, programs, procedures, output, and databases.

An insurance firm that follows the systems development life cycle concept for all major information system projects is preparing to start a feasibility study for a proposed underwriting system. Some of the primary factors the feasibility study should include are A. Possible vendors for the system and their reputation for quality. B. Exposure to computer viruses and other intrusions. C. Methods of implementation, such as parallel or cut-over. D. Technology and related costs.

D. Technology and related costs. Answer (D) is correct. The feasibility study should consider the activity to be automated, the needs of the user, the type of equipment required, the cost, and the potential benefit to the specific area and the company in general. Thus, technical feasibility and cost are determined during this stage.

Managers at a consumer products company purchased personal computer software from only recognized vendors and prohibited employees from installing nonauthorized software on their personal computers. To minimize the likelihood of computer viruses infecting any of its systems, the company should also A. Restore infected systems with authorized versions. B. Recompile infected programs from source code backups. C. Institute program change control procedures. D. Test all new software on a stand-alone personal computer.

D. Test all new software on a stand-alone personal computer. Software from recognized sources should be tested in quarantine (for example, in a test/development machine or a stand-alone personal computer) because even vendor-supplied software may be infected with viruses. The software should be run with a vaccine program and tested for the existence of logic bombs, etc.

Passwords for personal computer software programs are designed to prevent A. Inaccurate processing of data. B. Unauthorized access to the computer. C. Incomplete updating of data files. D. Unauthorized use of the software.

D. Unauthorized use of the software. The use of passwords is an effective control in an online system to prevent unauthorized access to computer files. Lists of authorized users are maintained in the computer. The entry of passwords or ID numbers; a prearranged act of personal questions; and use of badges, magnetic cards, or optically scanned cards may be combined to avoid unauthorized access.

A major disadvantage of the life cycle approach to system development is that it is not well-suited for projects that are A. Structured. B. Large. C. Complex. D. Unstructured.

D. Unstructured. Answer (D) is correct. The life cycle approach is best employed when systems are large and highly structured, users understand the tasks to be performed by the information system, and the developers have directly applicable experience in designing similar systems. In the life cycle process, each stage of development is highly structured, and requirements are clearly defined. However, when the task is unstructured, prototyping may be the better approach.

Which of the following access setups is appropriate in a computer environment?

User have update access for production data, applications programmers don't. Neither users nor application programmers have update access for production programs


Ensembles d'études connexes

Chapter 37: Disorders of Brain Function-Patho taken from http://thepoint.lww.com/Book/Show Level 3

View Set

chp 39 ati oxygenation and perfusion

View Set

MATH Unit 2 Chapter 03 - Operations & Algebraic Reasoning

View Set

N2532 Exam 3 (renal/reproductive)

View Set