Chapter 8 Controlling Information Systems: IT Processes

TRUE/FALSE

1. The Computer Crime and Security Survey works each year with the Computer Intrusion Squad of the FBI. ANS: T

2. Data are objects in their widest sense. ANS: T

3. IT resources that are the sum of only programmed procedures reflecting business processes are called application systems. ANS: F

4. The system of controls used in this text consists of the control environment, pervasive control plans, and business process control plans. ANS: T

5. As used in the text, the information systems function is synonymous with the accounting function. ANS: F

6. The function composed of people, procedures, and equipment that is typically called the information services department, IT department, or data processing department is the information systems function, or ISF. ANS: T

7. The type of structure that places the information systems function under the line authority of the vice president of information systems is called a decentralized information systems structure. ANS: F

8. A functional organization assigns personnel to skills-based units, such as programming and systems analysis, and is used only by centralized organizations. ANS: F

9. A matrix organization assembles work groups or teams, comprised of members from different functional areas, under the authority of a team leader. ANS: T

10. The functional title with the principal responsibility of guiding and advising the information systems function is the steering committee. ANS: T

11. The functional title with the principal responsibility of ensuring the security of all information systems function resources is systems analysis. ANS: F

12. The functional title with the principal responsibility of studying information-related problems and proposing solutions is the security officer. ANS: F

13. The information systems function of quality assurance conducts reviews to determine adherence to ISF standards and procedures and achievement of ISF objectives. ANS: T

14. Within the data center, the data control group is responsible for logging input and output batches, checking batches for authorization and completeness, and distributing output. ANS: T

15. The information systems function of systems analysis provides efficient and effective operation of the computer equipment by performing tasks such as mounting tapes and disks, loading printer paper, and responding to computer messages. ANS: F

16. Within the data center, the data librarian function grants access to programs, data, and documentation to authorized personnel only. ANS: T

17. Combining the functions of authorizing and executing events related to an asset is a violation of the organizational control plan known as segregation of duties. ANS: T

18. Segregation of duties consists of separating the four functions of authorizing events, executing events, recording events, and safeguarding the resources resulting from consummating the events. ANS: T

19. Embezzlement is a fraud committed by two or more individuals or departments. ANS: F

20. A small organization that does not have enough personnel to adequately segregate duties must rely on alternative controls, commonly called resource controls. ANS: F

21. The functions of the security officer commonly include assigning passwords and implementing and monitoring many of the pervasive resource security control plans. ANS: T

22. Individual departments coordinate the organizational and IT strategic planning processes and review and approve the strategic IT plan. ANS: F

23. The policy of requiring an employee to alternate jobs periodically is known as mandatory vacations. ANS: F

24. Forced vacations is a policy of requiring an employee to take leave from the job and substituting another employee in his or her place. ANS: T

25. A fidelity bond indemnifies a company in case it suffers losses from defalcations committed by its employees. ANS: T

26. The product life cycle is a formal set of activities, or a process, used to develop and implement a new or modified information system. ANS: F

27. Actual computer software that is used to facilitate the execution of a given business process is called database management software. ANS: F

28. The systems documentation provides an overall description of the application, including the system's purpose; an overview of system procedures; and sample source documents, outputs, and reports. ANS: T

29. Program documentation provides a description of an application computer program and usually includes the program's purpose, program flowcharts, and source code listings. ANS: T

30. The user run manual gives detailed instructions to computer operators and to data control about a particular application. ANS: F

31. The operations run manual describes user procedures for an application and assists the user in preparing inputs and using outputs. ANS: F

32. Training materials are documentation that helps users learn their jobs and perform consistently in those jobs. ANS: T

33. Program change controls provide assurance that all program modifications are authorized and that the changes are completed, tested, and properly implemented. ANS: T

34. The terms contingency planning, disaster recovery planning, business interruption planning, and business continuity planning have all been used to describe the backup and recovery control plans designed to ensure that an organization can recover from a major calamity. ANS: T

35. Continuity is the process of using the backup measures to either reconstruct the lost data, programs, or documentation, or to continue operations in alternative facilities. ANS: F

36. Server clustering is now more cost effective and is used to disperse the processing load among servers so that if one server fails, another can continue to process event data. ANS: T

37. The disaster backup and recovery technique known as electronic vaulting (shadowing or replication) uses a process that automatically transmits event-related data or actual master data changes on a continuous basis to an off-site electronic vault. ANS: T

38. The disaster recovery strategy known as a cold site is a fully equipped data center that is made available on a standby basis to client companies for a monthly subscriber's fee. ANS: F

39. A facility usually comprising air-conditioned space with a raised floor, telephone connections, and computer ports, into which a subscriber can move equipment, is called a hot site. ANS: F

40. In the case of a computer virus, a web site is overwhelmed by an intentional onslaught of thousands of simultaneous messages, making it impossible for the attacked site to engage in its normal activities. ANS: F

41. Biometric security systems identify authorized personnel through some unique physical trait: a fingerprint, voiceprint, retina image, or the like. ANS: T

42. Antivirus is a technique to protect one network from another "untrusted" network. ANS: F

43. The most common biometric devices perform retinal eye scans. ANS: F

44. In an online environment, the operating system software generally includes a security module designed to restrict access to programs and data. ANS: T

45. In an online computer environment, the accumulation of access activity and its review by the security officer is also called threat monitoring. ANS: T

46. Application controls restrict access to data, programs, and documentation. ANS: F

47. Protection tabs, doors, and rings are used to prevent accidental erasures or overwriting of magnetic disk and tape files. ANS: T

48. An internal label is attached to the outside casing of a file to indicate the file's identification number, contents, and other information. ANS: F

49. External labels are read by application programs or systems software to ensure that the correct data source is being used for processing, that the data source is read in its entirety, and that no records are lost or inadvertently added. ANS: F

50. Periodic cleaning, testing, and adjusting of computer equipment is referred to as preventive maintenance. ANS: T

51. Computer hacking is the intentional penetration of an organization's computer system, accomplished by bypassing the system's access security controls. ANS: T

MULTIPLE CHOICE

1. The use of IT resources for enterprise systems and e-business a. magnifies the importance of protecting the resources both within and outside of the organization from risks b. magnifies the importance of protecting the resources within but not outside of the organization from risks c. makes it easier to provide internal control when IT resources are interlinked d. none of the above ANS: A

2. Most system security breaches arise from a. internal employees b. management c. the Internet d. none of the above ANS: C

3. According to the Computer Crime and Security Survey for 2003, when asked if they had detected computer security breaches, approximately _____ reported that they detected computer security breaches in the last 12 months. a. 90% b. 75% c. 50% d. 25% ANS: A

4. Pervasive control plans: a. are unrelated to application control plans b. are a subset of application control plans c. influence the effectiveness of application control plans d. increase the efficiency of application control plans ANS: C

5. COBIT was developed to: a. provide guidance to managers, users, and auditors on the best practices for the management of information technology b. identify specific control plans that should be implemented to reduce the occurrence of fraud c. specify the components of an information system that should be installed in an e-commerce environment d. suggest the type of information that should be made available for management decision making ANS: A

6. The department within a company that develops and operates the computer information systems is often called the: a. information systems function b. computer operations department c. controller d. computer technology branch ANS: A

7. In a centralized information services (IS) structure, the three functions that might logically report directly to the vice president of information services would be: a. systems development, technical services, and data center operations b. systems development, database administration, and data center operations c. systems development, technical services, and data librarian d. applications programming, technical services, and data center operations ANS: A

8. Objects in their widest sense are called a. data b. application systems c. technology d. facilities ANS: A

9. The sum of manual and programmed procedures for business operations is (are) a. data b. application systems c. technology d. facilities ANS: B

10. Which of the following includes hardware, database management systems, operating systems, networking, multimedia, etc.? a. data b. application systems c. technology d. facilities ANS: C

11. ___________ can consist of many computers connected together via a network. a. PCs b. Servers c. A LAN d. A firewall ANS: C

12. In a centralized information services (IS) structure, which of the following reporting relationships makes the least sense? a. The data center manager reports to the V.P. of information systems. b. Application programmers report to the data center manager. c. Database administration reports to the technical services manager. d. The data librarian reports to the data center manager. ANS: B

13. In a centralized information services (IS) structure, all of the following functions might logically report to the data center manager except: a. data control b. data preparation c. data librarian d. program maintenance ANS: D

14. Managing functional units such as telecommunications, systems programming, and database administration typically is a major duty of: a. systems analysts b. applications programmers c. the technical services manager d. the database administrator ANS: C

15. From the standpoint of achieving the operations system control goal of security of resources, which of the following segregation of duties possibilities is least important? a. between user departments and computer operations b. between data control and data preparation personnel c. between computer programmers and computer operators d. between systems analysts and application programmers ANS: B

16. The process of analyzing an existing information system and writing specifications for a new system is the responsibility of personnel having this functional title: a. profile analysis b. systems analysis c. systems design d. application programming ANS: B

17. A key control concern is that certain people within an organization have easy access to application programs and data files. These people are: a. librarians b. systems programmers c. systems analysts d. data center managers ANS: B

18. Which of the following has the major duties of prioritizing and selecting ISF projects and resources? a. steering committee b. security officer c. VP of information systems d. systems development manager ANS: A

19. Which of the following has the responsibility to ensure security of all ISF resources? a. steering committee b. security officer c. VP of information systems d. systems development manager ANS: B

20. Which of the following has the responsibility for efficient and effective operation of the information systems function? a. steering committee b. security officer c. VP of information systems d. systems development manager ANS: C

21. In a centralized information systems organizational structure, the function of ___________ is a central point from which to control data and is a central point of vulnerability. a. data control b. data preparation (data entry) c. data librarian d. database administration ANS: D

22. The control concern that there will be a high risk of data conversion errors relates primarily to which of the following information systems functions? a. data control b. data preparation (data entry) c. data librarian d. database administration ANS: B

23. The controlled access to files, programs, and documentation is a principal responsibility of which of the following functions? a. data control b. data preparation (data entry) c. data librarian d. scheduler ANS: C

24. Which of the following is not one of the four broad IT control process domains as discussed in the text? a. planning and organization b. acquisition and implementation c. development of IT solutions d. monitoring ANS: C

25. Which of the following is not an important strategic planning process? a. The organization's IT-related requirements must comply with industry, regulatory, legal, and contractual obligations, including privacy, transborder data flows, e-business, and insurance contracts. b. The organization should have an information architecture model encompassing the corporate data model and associated information systems. c. The organization should adopt the systems development life cycle to ensure that comprehensive documentation is developed for each application. d. The organization should have an inventory of current information systems capabilities. ANS: C

26. Which one of the following is one of the two organization control plans that the book concentrates on? a. segregation of duties control plan b. the information systems function c. selection and hiring control plans d. both a and b above ANS: D

27. The segregation of duties control plan consists of separating all of the following event-processing functions except: a. planning events b. authorizing events c. executing events d. recording events ANS: A

28. A warehouse clerk manually completing an order document and forwarding it to purchasing for approval is an example of: a. authorizing events b. executing events c. recording events d. safeguarding resources ANS: B

29. The data entry clerk types data from an order form into an online computer through a pre-formatted screen, adding the data to the business event data. This is an example of: a. authorizing events b. executing events c. recording events d. safeguarding resources ANS: C

30. Approving a customer credit purchase would be an example of which basic event-processing function? a. authorizing events b. executing events c. recording events d. safeguarding resources ANS: A

31. An employee of a warehouse is responsible for taking a computer-generated shipping list, pulling the items from the warehouse shelves and placing them in a bin which is transferred to shipping when the list is completely filled. This is an example of: a. authorizing events b. executing events c. recording events d. safeguarding resources ANS: B

32. An outside auditing firm annually supervises a physical count of the items in a retail store's shelf inventory. This is an example of: a. authorizing events b. executing events c. recording events d. safeguarding resources ANS: D

33. A warehouse supervisor prepares a sales order listing items to be shipped to a customer and then signs it, authorizing the removal of the items from the warehouse. The supervisor is performing which functions? a. authorizing events and safeguarding of resources b. executing and recording events c. authorizing and executing events d. authorizing and recording events ANS: C

34. A clerk receives checks and customer receipts in the mail. He endorses the checks, fills out the deposit slip, and posts the checks to the cash receipts events data. The clerk is exercising which functions? a. recording and executing events b. authorizing and executing events c. recording and authorizing events d. safeguarding of resources and authorizing events ANS: A

35. When segregation of duties cannot be effectively implemented because the organization is too small, we may rely on a more intensive implementation of other control plans such as personnel control plans. This is called: a. collusion controls b. compensatory controls c. authorizing controls d. inventory controls ANS: B
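The segregation-of-duties scenarios in the questions above classify each activity as authorizing, executing, recording, or safeguarding and ask which combinations one person should not hold. The following is an added example, not code from the textbook, that automates that review: each activity is mapped to an asset and one of the four functions, and any employee holding two or more functions for the same asset is reported. A second function lists pairs of employees who together cover authorize, execute and record for an asset, which is the collusion exposure that segregation alone cannot remove. The activity names, assets, and employee assignments are constructed sample data modelled on the warehouse and cash-receipts scenarios.

```python
"""Segregation-of-duties (SoD) check over employee assignments.

Added example, not from the textbook. Activities, assets and employees are
constructed sample data modelled on the questions' warehouse and cash scenarios.
"""
from itertools import combinations

AUTHORIZE, EXECUTE, RECORD, SAFEGUARD = "authorize", "execute", "record", "safeguard"
FUNCTIONS = (AUTHORIZE, EXECUTE, RECORD, SAFEGUARD)

# activity -> (asset it touches, event-processing function it represents)
ACTIVITIES = {
    "approve_customer_credit": ("receivables", AUTHORIZE),
    "sign_sales_order": ("inventory", AUTHORIZE),
    "prepare_sales_order": ("inventory", EXECUTE),
    "pull_items_from_shelves": ("inventory", EXECUTE),
    "key_order_into_system": ("inventory", RECORD),
    "supervise_physical_count": ("inventory", SAFEGUARD),
    "endorse_checks_and_prepare_deposit": ("cash", EXECUTE),
    "post_cash_receipts": ("cash", RECORD),
    "hold_cash_in_safe": ("cash", SAFEGUARD),
}

# Constructed assignments: the supervisor of question 33 and the clerk of
# question 34 both combine functions; the others hold a single function.
SAMPLE_ASSIGNMENTS = {
    "warehouse_clerk": ["pull_items_from_shelves"],
    "order_entry_clerk": ["key_order_into_system"],
    "warehouse_supervisor": ["prepare_sales_order", "sign_sales_order"],
    "cash_clerk": ["endorse_checks_and_prepare_deposit", "post_cash_receipts"],
    "credit_manager": ["approve_customer_credit"],
}


def functions_by_asset(activities):
    """Map each asset to the set of functions these activities give one person."""
    held = {}
    for activity in activities:
        asset, function = ACTIVITIES[activity]
        held.setdefault(asset, set()).add(function)
    return held


def sod_conflicts(assignments):
    """assignments: {employee: [activity, ...]}.

    Returns (employee, asset, frozenset({function, function})) for every pair
    of functions one employee combines on the same asset, e.g. authorizing and
    executing the removal of inventory. Functions on different assets do not
    conflict, so the check is done per asset.
    """
    findings = []
    for employee, activities in sorted(assignments.items()):
        for asset, held in sorted(functions_by_asset(activities).items()):
            for pair in combinations(FUNCTIONS, 2):
                if set(pair) <= held:
                    findings.append((employee, asset, frozenset(pair)))
    return findings


def collusion_pairs(assignments, asset):
    """Pairs of employees who, between them (but not alone), could authorize,
    execute and record events for an asset. Segregation of duties cannot
    prevent this; it is what forced vacations, rotation of duties and
    fidelity bonds are meant to address."""
    needed = {AUTHORIZE, EXECUTE, RECORD}
    held = {e: functions_by_asset(a).get(asset, set()) for e, a in assignments.items()}
    return sorted(
        (a, b)
        for a, b in combinations(sorted(held), 2)
        if needed <= held[a] | held[b] and not needed <= held[a] and not needed <= held[b]
    )


if __name__ == "__main__":
    for employee, asset, pair in sod_conflicts(SAMPLE_ASSIGNMENTS):
        print(f"{employee}: combines {' and '.join(sorted(pair))} for {asset}")
    print("collusion exposure (inventory):", collusion_pairs(SAMPLE_ASSIGNMENTS, "inventory"))
```

Run as a script it reports the supervisor (authorize + execute, inventory) and the cash clerk (execute + record, cash), and that the order entry clerk and the supervisor together cover all three event functions for inventory. In a small shop where the conflicts cannot be removed by reassigning work, the same report is the list of places where compensatory controls are needed.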

36. A method of separating systems development and operations is to prevent programmers from a. performing technical services b. performing database administration c. handling accounting operations d. operating the computer ANS: D

37. Which of the following control plans is not a retention control plan? a. creative and challenging work opportunities b. occasional performance evaluations c. competitive reward structure d. viable career paths ANS: B

38. Personnel development control plans consist of each of the following except: a. checking employment references b. providing sufficient and timely training c. supporting employee educational interests and pursuits d. performing scheduled evaluations ANS: A

39. The primary reasons for performing regular employee performance reviews include all of the following except: a. determine whether an employee is satisfying the requirements indicated by a job description b. assess an employee's strengths and weaknesses c. assist management in determining salary adjustments, promotions, or terminations d. develop a strategy for filling necessary positions ANS: D

40. A policy that requires employees to alternate jobs periodically is called: a. segregation of duties b. forced vacations c. rotation of duties d. personnel planning ANS: C

41. A control plan that is designed to detect a fraud by having a second person do the job of the perpetrator of the fraud is called: a. segregation of duties b. forced vacations c. periodic audits d. management control ANS: B

42. A mechanism by which a company is reimbursed for any loss that occurs when an employee commits fraud is called a: a. segregation of duties b. fidelity bond c. personnel planning control d. termination control plan ANS: B

43. Which of the following personnel security control plans is corrective in nature as opposed to being a preventive or detective control plan? a. rotation of duties b. fidelity bonding c. forced vacations d. performing scheduled evaluations ANS: B

44. Personnel termination control plans might include all of the following except: a. require immediate separation b. identify the employee's reasons for leaving c. establish a policy of forced vacations d. collect the employee's keys, badges, etc. ANS: C

45. The term systems development life cycle can mean any of the following except: a. a formal set of activities or process used to develop and implement a new or modified information system b. the documentation that specifies the systems analysis process c. the documentation that specifies the systems development process d. the progression of information systems through the systems development process, from birth through ongoing use of the system ANS: B

46. Instructions for computer setup, required data, restart procedures, and error messages are typically contained in a(n): a. systems development standards manual b. program documentation manual c. operations run manual d. application documentation manual ANS: C

47. Application documentation that describes the application and contains instructions for preparing inputs and using outputs is a(n): a. operations run manual b. user manual c. program documentation d. systems documentation ANS: B

48. The six stages reflected in a business continuity management life cycle are (in sequential order): a. understand your business; create business continuity strategies; develop and implement a business continuity management response; build and embed a business continuity management culture; maintain and audit the plan; establish a formal business continuity management program b. understand your business; develop and implement a business continuity management response; create business continuity strategies; build and embed a business continuity management culture; maintain and audit the plan; establish a formal business continuity management program c. understand your business; build and embed a business continuity management culture; create business continuity strategies; develop and implement a business continuity management response; maintain and audit the plan; establish a formal business continuity management program d. understand your business; establish a formal business continuity management program; create business continuity strategies; develop and implement a business continuity management response; build and embed a business continuity management culture; maintain and audit the plan ANS: A

49. Alternative names for contingency planning include all of the following except: a. disaster recovery planning b. business interruption planning c. business disaster planning d. business continuity planning ANS: C

50. Which backup approach is the one that involves running two processing sites that contain the application programs and updated master data throughout normal processing activities? a. mirror site b. electronic vaulting c. server clustering d. dumping ANS: A

51. All of the following are components of a backup and recovery strategy except: a. echo checking b. mirror site c. electronic vaulting d. shadowing ANS: A

52. The accounts receivable master data was inadvertently destroyed when it was mistakenly substituted for the accounts payable master data in a processing run. For this situation, which of the following control plans is a corrective rather than a preventive control? a. backup recovery achieved through shadowing b. adequate documentation in the form of an operations run manual c. segregation of duties achieved through a librarian function d. use of file protection rings ANS: A

53. Which of the following statements related to denial of service attacks is false? a. Insurance is available to offset the losses suffered by denial of service attacks. b. A denial of service attack is designed to overwhelm a web site, making it incapable of performing normal functions. c. Web sites can employ filters to detect multiple messages from a single site. d. The most effective attacks originate from a small cluster of computers in a remote geographic region. ANS: D

54. In an online computer system, restricting user access to programs and data files includes all of the following except: a. user identification b. user authentication c. determining user access rights d. wearing identification badges ANS: D
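Question 54 above lists the three steps by which an online security module restricts access (user identification, user authentication, determining access rights), and the true/false items on the security module and threat monitoring describe the accumulation of access activity for review by the security officer. The following is an added example, not code from the textbook, that puts those pieces together in one small module: each access request is identified, authenticated and checked against assigned rights, every attempt is logged, and a threat report then reviews the log against a profile of each user's usual hours and resources, which is the behaviour-profiling idea the text calls intrusion detection. The user names, passwords, rights and the access attempts are constructed sample data; the PBKDF2 password hashing is our choice, not something the text specifies.

```python
"""Online security module with threat monitoring.

Added example, not code from the textbook. Users, passwords, rights and the
access attempts below are constructed sample data.
"""
import hashlib
import hmac
import os
from collections import Counter, defaultdict
from datetime import datetime


class SecurityModule:
    def __init__(self):
        self._creds = {}                 # user_id -> (salt, password digest)
        self._rights = defaultdict(set)  # user_id -> {(resource, action), ...}
        self.access_log = []             # every attempt, granted or not

    @staticmethod
    def _digest(password, salt):
        # PBKDF2-SHA256 is an assumption of this example; the text only says
        # the security officer assigns passwords.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def enroll(self, user_id, password, rights):
        """Security officer assigns a password and a set of access rights."""
        salt = os.urandom(16)
        self._creds[user_id] = (salt, self._digest(password, salt))
        self._rights[user_id] = set(rights)

    def request(self, user_id, password, resource, action, when):
        """Identify, authenticate, then determine rights; log the outcome."""
        if user_id not in self._creds:                       # identification
            return self._log(user_id, resource, action, when, "unknown user")
        salt, stored = self._creds[user_id]                  # authentication
        if not hmac.compare_digest(stored, self._digest(password, salt)):
            return self._log(user_id, resource, action, when, "bad password")
        if (resource, action) not in self._rights[user_id]:  # access rights
            return self._log(user_id, resource, action, when, "not authorized")
        return self._log(user_id, resource, action, when, "granted")

    def _log(self, user_id, resource, action, when, outcome):
        self.access_log.append({"user": user_id, "resource": resource,
                                "action": action, "time": when, "outcome": outcome})
        return outcome == "granted"


def threat_report(log, baseline, denial_threshold=3):
    """Review accumulated access activity against each user's usual profile.

    baseline maps user -> {"hours": range of usual hours, "resources": set}.
    Returns (user, description) findings for the security officer to review.
    """
    findings = []
    denials = Counter(e["user"] for e in log if e["outcome"] != "granted")
    for user, n in denials.items():
        if n >= denial_threshold:
            findings.append((user, f"{n} denied access attempts"))
    for e in log:
        profile = baseline.get(e["user"])
        if profile is None or e["outcome"] != "granted":
            continue
        if e["time"].hour not in profile["hours"]:
            findings.append((e["user"], f"access at {e['time']:%H:%M} outside usual hours"))
        if e["resource"] not in profile["resources"]:
            findings.append((e["user"], f"first-time access to {e['resource']}"))
    return findings


def at(hour, minute=0):
    """Timestamp on a fixed sample day (constructed)."""
    return datetime(2024, 3, 4, hour, minute)


def run_sample():
    """Constructed scenario: a data entry clerk, an auditor, and a password guesser."""
    mod = SecurityModule()
    mod.enroll("aclark", "orders-2024!", {("orders", "write")})
    mod.enroll("bpatel", "audit-2024!", {("orders", "read"), ("payroll", "read")})
    mod.request("aclark", "orders-2024!", "orders", "write", at(9, 15))   # normal
    mod.request("aclark", "orders-2024!", "orders", "write", at(2, 30))   # odd hour
    mod.request("aclark", "orders-2024!", "payroll", "read", at(9, 40))   # no such right
    mod.request("bpatel", "audit-2024!", "payroll", "read", at(14, 0))    # new for profile
    for guess in ("password", "letmein", "aclark1"):                      # guessing
        mod.request("aclark", guess, "orders", "write", at(3, 0))
    baseline = {"aclark": {"hours": range(8, 18), "resources": {"orders"}},
                "bpatel": {"hours": range(8, 18), "resources": {"orders"}}}
    return mod, threat_report(mod.access_log, baseline)


if __name__ == "__main__":
    for user, what in run_sample()[1]:
        print(f"{user}: {what}")
```

The report flags the clerk's four denied attempts (one for a resource outside her rights, three bad passwords), her one granted access at 02:30, and the auditor's first access to payroll. None of the three is an intrusion on its own; the point of threat monitoring is that the log is accumulated and the profile comparison surfaces them for the security officer to judge.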

55. Security modules are examples of: a. department controls b. detective controls c. corrective controls d. management controls ANS: B

56. Which of the following controls restrict access to programs, data, and documentation that are stored off-line in a physically controlled area? a. library controls b. password controls c. authentication controls d. program change controls ANS: A

57. The portion of the threat monitoring part of the security module that profiles the typical behavior of users and can detect exceptional activity is known as: a. biometrics b. electronic vaulting c. intrusion detection software d. cost variance analysis ANS: C

58. For which of the following controls does a storage medium such as a disk have to be read before the control can be used? a. program change controls b. internal labels c. read-only switches d. external labels ANS: B

59. Protecting resources against environmental hazards might include all of the following control plans except: a. fire alarms and smoke detectors b. automatic extinguisher systems c. voltage regulators d. security modules ANS: D

60. Which of the following statements regarding computer hacking is false? a. Some hackers use sniffer programs that travel over telephone lines collecting passwords. b. Accountants can be engaged to test system security by attempting to hack into a system. c. Computer hacking is an intrusion into an information system from a person outside the organization. d. Hackers can obtain user names and passwords by posing as a legitimate employee and requesting sensitive information from another employee. ANS: C

COMPLETION

1. The Computer Crime and Security Survey works with the Computer Intrusion Squad of the ___________. ANS: FBI

2. Objects in their widest sense are called __________. ANS: data

3. IT resources that are the sum of manual and programmed procedures reflecting business processes are called _________________________. ANS: application systems

4. The system of controls used in this text consists of the ____________________, ____________________ control plans, and application control plans. ANS: control environment; pervasive

5. As used in the text, the information systems function is synonymous with the ____________________. ANS: IT function

6. The function composed of people, procedures, and equipment that is typically called the information services department, IT department, or data processing department is the _______________________________. ANS: information systems function (or ISF)

7. The type of structure that places the information systems function under the line authority of the vice president of information systems is called a(n) ____________________. ANS: centralized information systems structure

8. A _________________ organization assigns personnel to skills-based units, such as programming and systems analysis, and is used by both centralized and decentralized organizations. ANS: functional

9. A ______________ organization assembles work teams or project teams from different operating departments under the temporary authority of a team leader. ANS: matrix

10. The functional title with the principal responsibility of guiding and advising the information systems function is the ____________________. ANS: steering committee

11. The functional title with the principal responsibility of ensuring the security of all information systems function resources is the ____________________. ANS: security officer

12. The functional title with the principal responsibility of studying information-related problems and proposing solutions is the ____________________. ANS: systems analyst (or systems analysis)

13. The information systems function ____________________ conducts reviews to determine adherence to ISF standards and procedures and achievement of ISF objectives. ANS: quality assurance

14. Within the data center, the ____________________ group is responsible for logging input and output batches, checking batches for authorization and completeness, and distributing output. ANS: data control

15. The information systems function ____________________ provides efficient and effective operation of the computer equipment by performing tasks such as mounting tapes and disks, loading printer paper, and responding to computer messages. ANS: computer operations

16. Within the data center, the ____________________ function grants access to programs, data, and documentation to authorized personnel only. ANS: (data) librarian

17. Combining the functions of authorizing and executing events related to an asset is a violation of the organizational control plan known as ____________________. ANS: segregation of duties

18. Segregation of duties consists of separating the four functions of authorizing events, ____________________ events, ____________________ events, and safeguarding the resources resulting from consummating the events. ANS: executing; recording

19. ________________ is any fraud committed by two or more individuals or departments. ANS: Collusion

20. A small organization that does not have enough personnel to adequately segregate duties must rely on alternative controls, commonly called _______________________. ANS: compensatory controls

21. The functions of the ____________________ commonly include assigning passwords and implementing and monitoring many of the pervasive resource security control plans. ANS: security officer

22. The ____________________ coordinates the organizational and IT strategic planning processes and reviews and approves the strategic IT plan. ANS: information technology (IT) steering committee

23. The policy of requiring an employee to alternate jobs periodically is known as ____________________. ANS: rotation of duties

24. ____________________ is a policy of requiring an employee to take leave from the job and substituting another employee in his or her place. ANS: Forced vacations

25. A(n) ____________________ indemnifies a company in case it suffers losses from defalcations committed by its employees. ANS: fidelity bond

26. The ____________________ is a formal set of activities, or a process, used to develop and implement a new or modified information system. ANS: system development life cycle (SDLC)

27. Actual computer software that is used to facilitate the execution of a given business process is called _____________________________. ANS: application software

28. The ____________________ documentation provides an overall description of the application, including the system's purpose; an overview of system procedures; and sample source documents, outputs, and reports. ANS: systems
29. ____________________ documentation provides a description of an application computer program and usually includes the program's purpose, program flowcharts, and source code listings. ANS: Program

30. The ____________________ gives detailed instructions to computer operators and to data control about a particular application. ANS: operations run manual

31. The ____________________ describes user procedures for an application and assists the user in preparing inputs and using outputs. ANS: user manual

32. ____________________ are documentation that helps users learn their jobs and perform consistently in those jobs. ANS: Training materials

33. ____________________ provide assurance that all program modifications are authorized and that the changes are completed, tested, and properly implemented. ANS: Program change controls

34. The terms ____________________ planning, disaster recovery planning, business interruption planning, and business continuity planning have all been used to describe the backup and recovery control plans designed to ensure that an organization can recover from a major calamity. ANS: contingency

35. _______________________ is now more cost effective and is used to disperse the processing load among servers so that if one server fails, another can continue to process event data. ANS: Server clustering

36. The disaster backup and recovery technique known as ____________________ uses a process that automatically transmits event-related data or actual master data changes on a continuous basis to an off-site electronic vault. ANS: electronic vaulting (shadowing or replication)

37. The disaster recovery strategy known as a(n) ____________________ is a fully equipped data center that is made available on a standby basis to client companies for a monthly subscriber's fee. ANS: hot site

38. A facility usually comprising air-conditioned space with a raised floor, telephone connections, and computer ports, into which a subscriber can move equipment, is called a(n) ____________________. ANS: cold site

39. In a ______________________________ a web site is overwhelmed by an intentional onslaught of thousands of simultaneous messages, making it impossible for the attacked site to engage in its normal activities. ANS: denial of service attack

40. ____________________ security systems identify authorized personnel through some unique physical trait: a fingerprint, voiceprint, retina image, or the like. ANS: Biometric

41. A(n) ____________________ is a technique to protect one network from another "untrusted" network. ANS: firewall

42. The most common biometric devices read _______________. ANS: fingerprints or thumbprints

43. In an online environment, the operating system software generally includes a(n) ____________________ designed to restrict access to programs and data. ANS: security module

44. In an online computer environment, the accumulation of access activity and its review by the security officer is also called ____________________. ANS: threat monitoring

45. A(n) ____________________ is attached to the outside casing of a file to indicate the file's identification number, contents, and other information. ANS: external label

46. ____________________ are read by application programs or systems software to ensure that the correct data source is being used for processing, that the data source is read in its entirety, and that no records are lost or inadvertently added. ANS: Internal labels

47. Periodic cleaning, testing, and adjusting of computer equipment is referred to as ____________________. ANS: preventive maintenance

48. ____________________ is the intentional penetration of an organization's computer system, accomplished by bypassing the system's access security controls. ANS: Computer hacking (or computer cracking)
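Completion items 45 and 46 (and the true/false and multiple-choice items on labels) distinguish an external label, a sticker a person reads, from an internal label, data inside the file that a program reads to confirm it has the right data source, has read it in its entirety, and has lost or gained no records. The following is an added example, not code from the textbook, of a sequential file with a header label carrying the file identification and a trailer label carrying the record count and a checksum, together with a reader that enforces them. It also reproduces the multiple-choice scenario in which an accounts payable master file is mounted in place of the accounts receivable master: the header check stops the run before the wrong file is processed. The record layout and the sample accounts receivable and payable records are constructed for the example.

```python
"""Internal (header/trailer) labels on a sequential file.

Added example, not from the textbook. The layout and the sample records are
constructed; the checks are the three the text names for internal labels.
"""
import hashlib
import io

HEADER, DATA, TRAILER = "HDR", "DAT", "TRL"

# Constructed sample master data (customer/vendor number | name | balance).
AR_RECORDS = ["C1001|Acme Ltd|1250.00", "C1002|Birch & Co|310.50", "C1003|Cobalt Inc|0.00"]
AP_RECORDS = ["V2001|Office Supply|420.00"]


class LabelError(Exception):
    """Raised when an internal label check fails; the run must not proceed."""


def write_labeled_file(file_id, records):
    """Serialize records between a header and a trailer label; returns the text."""
    digest = hashlib.sha256()
    lines = [f"{HEADER}|{file_id}"]
    for rec in records:
        line = f"{DATA}|{rec}"
        digest.update(line.encode() + b"\n")
        lines.append(line)
    lines.append(f"{TRAILER}|{len(records)}|{digest.hexdigest()}")
    return "\n".join(lines) + "\n"


def read_labeled_file(text, expected_file_id):
    """Read the data records, enforcing the internal labels.

    Raises LabelError if the header names another file (wrong data source), if
    no header or no trailer is seen (file not read in its entirety), or if the
    trailer's record count or checksum disagrees with what was read (records
    lost, added, or altered).
    """
    records, digest, header_ok, trailer = [], hashlib.sha256(), False, None
    for raw in io.StringIO(text):
        line = raw.rstrip("\n")
        kind, _, body = line.partition("|")
        if kind == HEADER:
            if body != expected_file_id:
                raise LabelError(f"wrong data source: header says {body!r}, expected {expected_file_id!r}")
            header_ok = True
        elif not header_ok:
            raise LabelError("no header label: cannot identify data source")
        elif kind == DATA:
            if trailer is not None:
                raise LabelError("data after trailer label")
            records.append(body)
            digest.update(line.encode() + b"\n")
        elif kind == TRAILER:
            trailer = body
        else:
            raise LabelError(f"unlabeled record: {line!r}")
    if trailer is None:
        raise LabelError("no trailer label: file not read in its entirety")
    count, _, expected_digest = trailer.partition("|")
    if int(count) != len(records):
        raise LabelError(f"record count mismatch: trailer says {count}, read {len(records)}")
    if expected_digest != digest.hexdigest():
        raise LabelError("checksum mismatch: records altered, lost, or added")
    return records


def check(text, expected_file_id):
    """Return None if the labels verify, otherwise the LabelError message."""
    try:
        read_labeled_file(text, expected_file_id)
    except LabelError as err:
        return str(err)
    return None


if __name__ == "__main__":
    ar = write_labeled_file("AR-MASTER", AR_RECORDS)
    ap = write_labeled_file("AP-MASTER", AP_RECORDS)
    print("AR file as AR:", check(ar, "AR-MASTER"))          # None: verifies
    print("AP file mounted as AR:", check(ap, "AR-MASTER"))  # wrong data source
    lines = ar.splitlines(keepends=True)
    print("record dropped:", check("".join(lines[:2] + lines[3:]), "AR-MASTER"))
    print("truncated read:", check("".join(lines[:-1]), "AR-MASTER"))
```

The header check is what the corrective/preventive question is about: with a librarian and an operations run manual the wrong file should never be mounted, but the internal label is the preventive control that catches it when it is, and the shadow copy is the corrective control that restores the destroyed master afterwards. The checksum goes beyond the record count the text mentions; it is an addition here so that an altered record, not only a lost or added one, is detected.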