AIS CH 14


What are the success factors for vulnerability management?

- A firm should assign roles and responsibility for vulnerability management.
- A firm should determine the main objectives of its vulnerability management after considering the firm's resource constraints.
- Management's commitment and support

What is the common practice in using symmetric-key encryption and asymmetric-key encryption methods in conducting e-business?

- Both parties use the asymmetric-key encryption method to distribute the symmetric key securely.
- Both parties use the asymmetric-key encryption method to authenticate each other.

Which organization created the Reporting on an Entity's Cybersecurity Risk Management Program and Controls: Attestation Guide in 2017?

AICPA

True or false: Cybersecurity is highly technical and not relevant to CPA.

False

Which one of the following vulnerabilities would create the most serious risk to a firm?

Unauthorized access to the firm's network

Encryption is a

preventive control.

Fill in the blanks to complete the sentence. Firms continue to monitor system availability. Fault ___________ uses redundant units to provide a system with the ability to continue functioning when part of the system fails. Many firms implement a redundant array of independent drives (RAID) so that if one disk drive fails, important data can still be accessed from another disk.

tolerance

The symmetric-key encryption method:

uses the same key for both senders and receivers for encryption and decryption.

Encryption algorithms are grouped into two categories: ___________ - ___________ and asymmetric-key encryption methods.

- symmetric
- key

What is a digital signature?

- The process of getting a message digest (MD) is called hashing.
- It is encrypted using the private key of the creator of the document or data file.
- It is a message digest (MD) of a document or a data file.

What are the main concerns of cloud user companies on the cloud service providers?

- The security of the cloud computing systems and networks
- The cloud service provider's financial viability
- Whether the cloud service provider's internal controls are properly designed and effective

Select correct statements regarding "digital signature."

- We use it to authenticate the data/document sender.
- We need to use a hashing process and encryption technology to get a digital signature.
- We use it to ensure data integrity.

Define vulnerability.

- Weaknesses or exposures in IT processes that may lead to a business risk, compliance risk, or security risk
- Characteristics of IT resources that can be exploited by a threat to cause harm to a firm

Why do we need to use digital signatures in conducting e-business?

Obtain data integrity

Which of the following groups/laws was the earliest to encourage auditors to incorporate fraud examination into audit programs?

SAS No. 99

(CPA exam, adapted) An information technology director collected the names and locations of key vendors, current hardware configuration, names of team members, and an alternative processing location. What is the director most likely preparing?

Disaster recovery plan

True or false: Most companies prefer to use the symmetric-key encryption method rather than the asymmetric-key encryption method in conducting e-business.

False

A message digest is the result of hashing. Which of the following statements about the hashing process is true?

Hashing is the best approach to make sure that two files are identical.

(CISA exam, adapted) To ensure confidentiality in an asymmetric-key encryption system, knowledge of which of the following keys is required to decrypt the received message? I. Private II. Public

I

Match the processes for vulnerability assessment and vulnerability management.

- Identification <---> Vulnerability assessment
- Remediation <---> Vulnerability management

Regarding GDPR, which of the following statements is/are correct?

It is a regulation enforced by EU and it is to protect EU citizens' personal data.

What is a message digest?

It is a result of a hashing process such as using the SHA-256 algorithm.

What is fraud?

- Frauds are perpetrated by parties to secure personal or business advantage.
- Frauds are perpetrated by parties to obtain money, property, or services.
- Frauds are perpetrated by organizations to avoid payment or loss of services.

Common computer frauds include the following:

- Misuse of computer hardware
- Altering computer-readable records and files
- Altering the logic of computer software

Using the two-key encryption method for authentication, we need to be careful about how the keys are used. Select all correct answers regarding key usage in authentication from the list below.

- Public key management is very important because we use public keys to authenticate others in conducting e-business.
- Only the pair of one user's two keys is used for encryption and decryption.

Business continuity management is a

corrective control.

A digital certificate:

indicates that the subscriber identified has sole control and access to the private key.

Select the correct definition of a digital signature.

A digital signature is a message digest (MD) of a document (or data file) that is encrypted using the document creator's private key.

Select the best answer in describing virtualization and cloud computing.

A virtual machine containing system applications and data backups often resides in the cloud off-site or at various locations.

Which of the following can be considered as a good alternative to back up data and applications?

Cloud computing

True or false: The reason a digital signature can be used to ensure data integrity is that the hashing process is not reversible.

True

Both disaster recovery planning (DRP) and business continuity management (BCM) are the most critical ____ controls, and DRP is a key component of BCM.

corrective

Select the correct definition(s) of examples of security risks and attacks.

- Spyware is secretly installed into an information system to gather information on individuals or organizations without their knowledge.
- Spoofing is sending a network message that appears to come from a source other than its actual source.

A fraud prevention and detection program starts with a fraud risk assessment across the entire firm. Select correct statements on the role(s) of the audit committee on fraud risk assessment, prevention and detection.

- The audit committee has an oversight role in the fraud risk assessment process.
- The audit committee works with the internal audit group to ensure that the fraud prevention/detection program remains an ongoing effort.
- The audit committee interacts with the external auditor to ensure that fraud assessment results are properly communicated.

Because research indicates that more than half of the malicious incidents in IT security are caused by insider abuse and misuse, firms should implement a sound system of internal controls to prevent and detect frauds perpetrated by insiders. Which of the following conditions often exist for a fraud to be perpetrated?

- The perpetrator is pressured with a reason to commit fraud.
- There is an opportunity for fraud to be perpetrated.
- The perpetrator has an attitude to rationalize the fraud.

Match individual computer fraud schemes with the oversights.

- 195 illegitimate drivers' licenses are created and sold by a police communications officer <---> Lack of authentication and role-based access control requirements
- An employee entered fake health insurance claims into the system, and profited $20 million. <---> Lack of consideration for security vulnerabilities posed by authorized system access
- A computer technician uses his unrestricted access to customers' systems to plant a virus on their networks that brings the customers' systems to a halt. <---> Lack of access control to all customers' systems
- A foreign currency trader covers up losses of millions over a 5-year period by making unauthorized changes to the source code. <---> Lack of code reviews; improper change management

Select a correct statement describing the encryption or hashing process.

All of the choices are correct.

To prevent repudiation in conducting e-business, companies must be able to authenticate their trading partners. Which of the following encryption methods can be used for authentication purposes?

Asymmetric-key encryption method

Select a correct statement regarding encryption methods.

Asymmetric-key encryption method is used to create digital signatures.

To authenticate the receiver (B), the sender (A) e-mails a challenge message to B. B will use ___________ (tip: A's or B's) private key to encrypt the challenge message and send it to A. If A is able to use ___________ (tip: A's or B's) public key to decrypt and get the plain text of the challenge message, A has authenticated B successfully.

Blank 1: B's or B
Blank 2: B's or B

Management is responsible for fraud risk assessments, while the ___________ ___________ typically has an oversight role in this process.

Blank 1: audit
Blank 2: committee

Virtualization and ___________ computing are considered good alternatives to back up data and applications.

Blank 1: cloud

Which of the following statements is correct?

Fault tolerance uses redundant units to provide a system with the ability to continue functioning when part of the system fails.

True or false: Given the popularity of the Internet, mobile devices, and the complexity of computer technologies, important business information and IT assets are exposed to risks and attacks from external parties such as hackers, foreigners, competitors, etc. Today's employees are well trained and always support the firm to prevent the attacks.

False

To authenticate the message sender in an asymmetric-key encryption system, which of the following keys is required to decrypt the received message?

Sender's public key

Encryption algorithms are grouped into two categories: symmetric-key and asymmetric-key encryption methods. Select the correct statement regarding these two methods.

Symmetric-key encryption is fast and suitable for encrypting large data sets or messages.

Using the asymmetric-key encryption method, ___________ can be achieved for electronic transactions.

authentication

When using the asymmetric-key encryption method in e-business, a ___________ authority (CA) is a trusted entity that issues and revokes digital certificates. A digital certificate indicates that the subscriber identified in the certificate has sole control and access to the private key, and binds the name of a subscriber to a public key.

certificate

Good information security ensures that systems and their contents remain the same for integrity. In general, the goal of information security management is to protect the ___________, integrity, and availability (CIA) of a firm's information.

confidentiality

Disaster recovery plan is a

corrective control.

Incentive to commit fraud usually will include all of the following, except:

inadequate segregation of duties.

Public ___________ infrastructure (PKI) is an arrangement that issues digital certificates to users and servers, manages the key issuance, and verifies and revokes certificates by means of a certificate authority.

key

The fraud triangle indicates which of the following condition(s) exist for a fraud to be perpetrated?

rationalization and pressure.

(CMA exam, adapted) Data processing activities may be classified in terms of three stages or processes: input, processing, and output. An activity that is not normally associated with the input stage is:

reporting.

To authenticate the receiver (B), the sender (A) e-mails a challenge message to B. B will use his or her private key to encrypt the challenge message and send it to A. If A is able to use ___________ (tip: A's or B's) public key to decrypt and get the plaintext of the challenge message, A has authenticated B successfully.

B's

Disaster recovery planning is the process of rebuilding the operations and infrastructure after a disaster has occurred. Business ___________ management (BCM) refers to the activities required to keep a firm running during a period of displacement or interruption of normal operations.

Blank 1: continuity

Fill in the blanks to complete the sentence. It is important that a cloud user company obtains and reviews a service organization control (SOC) report from the cloud provider prior to signing an agreement for the service. Such a report provides stringent audit requirements, with a stronger set of ___________ on the cloud computing service provider.

Blank 1: controls or control

IT vulnerabilities can be categorized depending on whether they exist in the physical IT environment, within an ___________ ___________, or within the processes of IT operations.

Blank 1: information
Blank 2: system or systems

Computer frauds also happen during the systems development ___________ cycle (SDLC).

Blank 1: life

Disaster ___________ planning (DRP) is a process that identifies significant events that may threaten a firm's operations and outlines the procedures to ensure that the firm will resume operations when the events occur.

Blank 1: recovery

The main components of vulnerability assessment include vulnerability identification and risk assessment. The main components of vulnerability management include vulnerability ___________ and maintenance.

Blank 1: remediation

Cloud computing refers to a service model where third-party service providers offer computing ___________ including hardware and software applications to cloud users over the Internet, and the service provider charges on a per-user basis.

Blank 1: resources or resource

Disaster recovery planning (DRP) is a process that identifies significant events that may threaten a firm's operations and outlines the procedures to ensure that the firm will resume operations when the events occur. A DRP should be ___________ and ___________ periodically to analyze weaknesses and explore possible improvements.

Blank 1: reviewed
Blank 2: tested

Similar to an enterprise risk assessment, a computer fraud risk assessment focuses on fraud ___________ and ___________ to determine whether the controls exist and how the controls can be circumvented.

Blank 1: schemes or scheme
Blank 2: scenarios or scenario

The theft, misuse, or misappropriation of computer hardware is a common computer fraud. The illegal copying of computer ___________ is another commonly observed computer fraud.

Blank 1: software or applications

Firms continue to monitor system availability. Backups are used to alleviate problems of file or database corruptions. An ___________ power supply is a device using battery power to enable a system to operate long enough to back up critical data and shut down properly during the loss of power. Both are corrective controls.

Blank 1: uninterruptible or uninterrupted

We often define ___________ as weaknesses or exposures in IT assets or processes that may lead to a business risk, compliance risk, or security risk.

Blank 1: vulnerabilities or vulnerability

Comparing encryption with hashing, which one of the following is correct?

Encryption results are called cyphertext.

The main factors in encryption are key length, encryption algorithm, and key management. Select the correct statement regarding encryption.

Establishing a policy on key management is essential for information security.

True or false: Information security is a critical concern to the chief information officer (CIO) and maybe also to the internal auditors. In general, practicing certified public accountants (CPAs) do not need to know much about information security management.

False

True or false: Vulnerability assessment and management are often required by laws. Hence, management's commitment and support are not as critical as in enterprise risk assessment and management.

False

Select the correct concepts regarding encryption.

- Encryption is a preventive control.
- Encryption provides confidentiality and privacy for data transmission and storage.

What are the main purposes of the AICPA cybersecurity risk management framework?

- Evaluate a company's cybersecurity controls.
- Describe a company's cybersecurity risk management system.

What is cloud computing? Select correct statements in describing cloud computing.

- Most cloud computing service providers charge on a per-user basis.
- A cloud user company often shares the computing resources with other user companies, and a cloud provider is responsible for managing the resources.
- A third-party service provider offers computing resources including hardware and software applications to users over the Internet cloud.

According to the AICPA, "the primary focus of information security is the balanced protection of the ___________, ___________, and availability of data while maintaining efficient policy implementation."

- confidentiality
- integrity

Given the popularity of the Internet, mobile devices, and the complexity of computer technologies, business information and IT assets are exposed to risks and attacks from ___________ parties such as hackers and ___________ parties such as disgruntled employees.

- external
- internal

Authentication is a process that establishes the origin of information or determines the ___________ of a user, process, or device. It is critical in e-business because it can prevent ___________ while conducting transactions online.

- identity
- repudiation

Good information security ensures that systems and their contents remain the same for integrity. In general, the goal of information security management is to protect the confidentiality, ___________, and ___________ (CIA) of a firm's information.

- integrity
- availability

To authenticate the receiver (B), the sender (A) e-mails a challenge message to B. B will use her ___________ key to encrypt the challenge message and send it to A. If A is able to use B's ___________ key to decrypt and get the plaintext of the challenge message, A has authenticated B successfully.

- private
- public

A type of information security attack, called ___________ ___________, is to manipulate someone to take a certain action that is not in that person's best interest, such as revealing confidential information or granting access to an office building.

- social
- engineering

Similar to an enterprise risk assessment, a computer fraud risk assessment focuses on fraud schemes and scenarios to determine whether the controls exist and how the controls can be circumvented. List computer fraud risk assessments in sequence.

1. Identifying relevant IT fraud risk factors.
2. Identifying and prioritizing potential IT fraud schemes.
3. Mapping existing controls to potential fraud schemes and identifying gaps.
4. Testing operating effectiveness of fraud prevention and detection controls.
5. Assessing the likelihood and impact of a control failure and/or fraud incident.

Who is responsible for preventing and catching fraud?

The management

What is fault tolerance?

Using redundant units to continue functioning when a system is failing

Match each situation below with the correct type of vulnerability.

- No regular review of a policy that identifies how IT equipment is protected against environmental threats <---> Vulnerabilities within a physical IT environment
- Poor user access management allows some users to retrieve sensitive information not pertaining to their roles and responsibilities <---> Vulnerabilities within the processes of IT operations
- Failure to terminate unused accounts in a timely manner <---> Vulnerabilities within an information system

To ensure the data sent over the Internet are protected, which of the following keys is required to encrypt the data (before transmission) using an asymmetric-key encryption method?

Receiver's public key

Vulnerability management and risk management have the same objective: to reduce the probability of the occurrence of detrimental events. What are the differences between them?

Risk management is often a more complex and strategic process that should be a long-term process.

According to the fraud triangle, three conditions exist for a fraud to be perpetrated: incentive or pressure, ___________ , and rationalization.

opportunity

Match the correct descriptions with regard to risk management and vulnerability management.

- risk management <---> a complex and strategic process
- vulnerability management <---> using an IT asset-based approach

(CISA exam, adapted) Authentication is the process by which the:

system verifies the identity of the user.
