Accounting Information Systems 11th Edition Bodnar Test Bank

Accounting Information Systems, 11e (Bodnar/Hopwood)
Chapter 6 Information Systems Security

1) An information security system has the basic elements of any information system: hardware, software, databases, procedures, and reports.
Answer: TRUE
Diff: 1
Learning Obj.: 1

2) The objective of the first phase of the security system life cycle is to design risk control measures such as various security measures and contingency plans.
Answer: FALSE
Diff: 2
Learning Obj.: 1

3) One of the duties of the CSO is to present reports to the board of directors for approval.
Answer: TRUE
Diff: 1
Learning Obj.: 1

4) The CSO should report directly to the president of the organization.
Answer: FALSE
Diff: 1
Learning Obj.: 1

5) Using the qualitative approach to risk assessment, each loss exposure is computed as the product of the cost of an individual loss times the likelihood of its occurrence.
Answer: FALSE
Diff: 2
Learning Obj.: 1

6) An information security threat is a potential exploitation of a vulnerability.
Answer: TRUE
Diff: 2
Learning Obj.: 1

7) Computer security and information security mean the same thing.
Answer: FALSE
Diff: 2
Learning Obj.: 1

8) Information security is broader in concept than computer security and deals with all information, not just computerized information.
Answer: TRUE
Diff: 2
Learning Obj.: 1

9) The information security management system is an internal control process and manages risk.
Answer: TRUE
Diff: 2
Learning Obj.: 1

10) The ERM process is part of the information security management system.
Answer: FALSE
Diff: 2
Learning Obj.: 1

11) The ISO 27000 family of standards defines standards for building, operating, and maintaining ISMSs.
Answer: TRUE
Diff: 2
Learning Obj.: 1

12) ISO 27001 includes 132 general security controls, organized under 11 topics and further broken down into over 5000 detailed controls.
Answer: FALSE
Diff: 2
Learning Obj.: 1

13) Passive threats include information systems fraud and computer sabotage.
Answer: FALSE
Diff: 2
Learning Obj.: 2

14) System faults represent component equipment failures such as disk failures and power outages.
Answer: TRUE
Diff: 2
Learning Obj.: 2

15) All hackers are malicious.
Answer: FALSE
Diff: 2
Learning Obj.: 2

16) White hat hackers legitimately probe systems for weaknesses in order to help with security control procedures.
Answer: TRUE
Diff: 2
Learning Obj.: 2

17) Black hat hackers formally probe systems for legitimate purposes in order to help with security control procedures.
Answer: FALSE
Diff: 2
Learning Obj.: 2

18) Social engineering is a form of manipulation of people in order to trick them into divulging privileged information.
Answer: TRUE
Diff: 2
Learning Obj.: 2

19) Pretexting and phishing are forms of social engineering.
Answer: TRUE
Diff: 2
Learning Obj.: 2

20) Malware is short for malicious hardware that compromises the security of the victim's computer.
Answer: FALSE
Diff: 2
Learning Obj.: 2

21) Malware can be hidden in e-mail, downloaded software, a disk, or a Web browser.
Answer: TRUE
Diff: 2
Learning Obj.: 2

22) Hacker methods include social engineering, direct observation, electronic interception, and exploits.
Answer: TRUE
Diff: 2
Learning Obj.: 2

23) Direct observation includes shoulder surfing and piggybacking.
Answer: FALSE
Diff: 2
Learning Obj.: 2

24) Direct observation includes shoulder surfing and dumpster diving.
Answer: TRUE
Diff: 2
Learning Obj.: 2

25) In general, vulnerabilities arise from improperly installed or configured software and from unforeseen defects or deficiencies in the software.
Answer: TRUE
Diff: 2
Learning Obj.: 2

26) Three major groups of individuals that may attack information systems include information personnel, users, and employees.
Answer: FALSE
Diff: 2
Learning Obj.: 2

27) Three major groups of individuals that may attack information systems include information personnel, users, and hackers.
Answer: TRUE
Diff: 2
Learning Obj.: 2

28) Virtualization involves running multiple operating systems, or multiple copies of the same operating system, all on the same machine.
Answer: TRUE
Diff: 2
Learning Obj.: 3

29) Using cloud-based services and data storage is referred to as cloud computing.
Answer: TRUE
Diff: 2
Learning Obj.: 4

30) Business continuity planning and disaster recovery, in general, mean the same thing.
Answer: TRUE
Diff: 2
Learning Obj.: 4

31) In the health insurance sector, the Gramm-Leach-Bliley Act requires federal agencies that oversee the health insurance sector to implement regulatory standards aimed at protecting the security of critical information resources.
Answer: FALSE
Diff: 2
Learning Obj.: 4

32) GASB statement #34 requires utility companies to maintain business continuity plans.
Answer: TRUE
Diff: 2
Learning Obj.: 4

33) Criminal Code 301.2(1) makes it a federal crime in the United States to knowingly and with intent fraudulently gain unauthorized access to data stored in financial institution computers.
Answer: FALSE
Diff: 3
Learning Obj.: 1

34) Intruders who attack information systems for fun and challenge are known as hackers.
Answer: TRUE
Diff: 2
Learning Obj.: 2

35) Input manipulation is the least-used method in most cases of computer fraud.
Answer: FALSE
Diff: 1
Learning Obj.: 2

36) A serious business problem today is the theft of data.
Answer: TRUE
Diff: 1
Learning Obj.: 2

37) A trapdoor is a portion of a computer program that, upon detecting an intruder, traps the intruder by activating a firewall to prevent unauthorized access to critical data.
Answer: FALSE
Diff: 2
Learning Obj.: 2

38) Logic bombs are dormant pieces of code placed in programs for activation at a later date by a specific event.
Answer: TRUE
Diff: 2
Learning Obj.: 2

39) A worm is any type of Trojan that silently spreads from one computer to another over a network, without the intervention of any individual or server.
Answer: TRUE
Diff: 2
Learning Obj.: 2

40) Implementing security measures and contingency plans help to control computer information threats.
Answer: TRUE
Diff: 1
Learning Obj.: 3

41) In a denial of service attack, an intruder is denied access to an organization's Web site after the intruder attempts to break through its firewalls and proxy server countermeasures.
Answer: FALSE
Diff: 2
Learning Obj.: 2

42) In most organizations, accounting, computing, and data processing are all organized under the controller.
Answer: FALSE
Diff: 2
Learning Obj.: 3

43) Employees should be laid off or terminated with the greatest care because terminated employees account for a significant portion of all sabotage incidents.
Answer: TRUE
Diff: 2
Learning Obj.: 3

44) With today's excellent computer security software, it is no longer necessary to physically separate unauthorized individuals from computer resources.
Answer: FALSE
Diff: 1
Learning Obj.: 3

45) Software should not be installed on any computer without prior approval of security.
Answer: TRUE
Diff: 1
Learning Obj.: 3

46) System-access controls prevent unauthorized individuals from physically accessing computer resources.
Answer: FALSE
Diff: 2
Learning Obj.: 3

47) The ideal password should consist of easy-to-remember names such as banana, kitty, IBM, password, or Friday.
Answer: FALSE
Diff: 1
Learning Obj.: 3

48) No password system is of much value unless the passwords themselves are protected.
Answer: TRUE
Diff: 2
Learning Obj.: 3

49) A program kept in a locked file is one which can be run but not looked at (i.e., code) or altered in any way.
Answer: TRUE
Diff: 2
Learning Obj.: 3

50) Fault tolerance can be applied at any of three levels: input, processing, or output.
Answer: FALSE
Diff: 2
Learning Obj.: 3

51) An incremental backup backs up all files whose archive bit is set to 0 before termination of the session.
Answer: FALSE
Diff: 2
Learning Obj.: 3

52) The problem with Web server attacks is that the Web server is essentially an extension of the operating system.
Answer: TRUE
Diff: 2
Learning Obj.: 3

53) Studies have shown that 45% of all disasters are due to human error.
Answer: FALSE
Diff: 2
Learning Obj.: 4

54) Escalation procedures state the conditions under which a disaster should be declared, who should declare it, and whom that person should notify when executing the declaration.
Answer: TRUE
Diff: 2
Learning Obj.: 4

55) The information security management system is an organizational ________ ________ ________ that controls special risks associated with computer-based information systems.
Answer: internal control process
Diff: 1
Learning Obj.: 4

56) The method of risk assessment for computer systems where system vulnerabilities and threats are listed and subjectively ranked is known as the ________ approach.
Answer: qualitative
Diff: 2
Learning Obj.: 4

57) The Treadway Commission has linked ________ ________ to computer crime.
Answer: management fraud
Diff: 2
Learning Obj.: 1

58) The most sophisticated type of wire tapping is called ________.
Answer: piggybacking
Diff: 2
Learning Obj.: 2

59) The least common method used to commit computer fraud is ________ ________.
Answer: program alteration
Diff: 2
Learning Obj.: 2

60) A defrauder may use ________ to cover up ________.
Answer: sabotage; fraud
Diff: 3
Learning Obj.: 2

61) In computer environments, ________ control is especially important as there is often a tendency to either overspend or spend on the wrong things.
Answer: budgetary
Diff: 2
Learning Obj.: 3

62) ________ authentication systems identify individuals based on their fingerprints, hand sizes, retina patterns, or voice patterns.
Answer: Biometric
Diff: 2
Learning Obj.: 3

63) The distribution of ________ should be controlled by a formal, secure delivery system.
Answer: output
Diff: 2
Learning Obj.: 3

64) A security system where the user enters an identification number and the system responds with a sign (i.e., code word) is known as a(n) ________ system.
Answer: sign-countersign
Diff: 2
Learning Obj.: 3

65) ________ can be digitally signed in the same way that electronic messages are signed to authenticate the identity of the source of the program.
Answer: Programs
Diff: 2
Learning Obj.: 3

66) Backing up files is not the same thing as ________ them.
Answer: archiving
Diff: 1
Learning Obj.: 3

67) A weakness in the ________ system is also likely to create a related weakness in ________ server security.
Answer: operating; Web
Diff: 2
Learning Obj.: 3

68) The best security ________ will not help if the system ________ do not enforce the policies.
Answer: software; administrators
Diff: 2
Learning Obj.: 3

69) An alternate site that contains the wiring, equipment, and very up-to-date back-up data and software is a(n) ________ site.
Answer: flying-start
Diff: 2
Learning Obj.: 4

70) The three objectives of information security are ________, ________, and ________.
Answer: confidentiality, integrity, availability
Diff: 2
Learning Obj.: 1

71) The information security management system is an internal control process and manages ________.
Answer: risk
Diff: 2
Learning Obj.: 1

72) The information security management system is part of the larger ________ risk management process.
Answer: enterprise
Diff: 2
Learning Obj.: 1

73) Instead of using the terms systems analysis, design, implementation, operation, evaluation, and control, ISO 27001 uses the terms ________, ________, ________, and ________.
Answer: planning, doing, checking, acting
Diff: 2
Learning Obj.: 1

74) ________ ________ involves manipulating victims in order to trick them into divulging privileged information.
Answer: Social engineering
Diff: 2
Learning Obj.: 2

75) ________ is a form of social engineering in which one impersonates another typically in a phone call or electronic communication.
Answer: Pretexting
Diff: 2
Learning Obj.: 2

76) ________ is a form of social engineering which is aimed directly at tricking victims into giving information, money, or other valuable assets to perpetrators.
Answer: Phishing
Diff: 2
Learning Obj.: 2

77) ________ ________ includes unnoticed intruders, wiretappers, piggybackers, impersonating intruders, and eavesdroppers.
Answer: Direct observation
Diff: 2
Learning Obj.: 2

78) A(n) ________ cell phone is an exact and illegitimate copy of another cell phone, including a copy of the internal SIM in order to intercept text and voice messages.
Answer: cloned
Diff: 2
Learning Obj.: 2

79) In general, ________ arise from improperly installed or configured software and from unforeseen defects or deficiencies in the software.
Answer: vulnerabilities
Diff: 2
Learning Obj.: 2

80) ________ is the best defense against electronic interception.
Answer: Encryption
Diff: 2
Learning Obj.: 2

81) Most financial institutions use ________ ________ layer encryption to communicate with their clients through Web browsers.
Answer: secure socket
Diff: 2
Learning Obj.: 2

82) ________ involves running multiple operating systems or multiple copies of the same operating system on the same machine.
Answer: Virtualization
Diff: 2
Learning Obj.: 3

83) In virtualization, the individual operating system instances run under the control of a master program called a(n) ________.
Answer: hypervisor
Diff: 2
Learning Obj.: 3

84) Within the health-care sector the ________ ________ Portability and Accountability Act requires that health-care providers, insurance companies, and payment clearinghouses adopt standardized processes for electronic payments and claims.
Answer: Health Insurance
Diff: 2
Learning Obj.: 4

85) GASB statement number ________ requires utility companies to maintain business continuity plans.
Answer: 34
Diff: 2
Learning Obj.: 4

86) A significant benefit of the quantitative approach to risk assessment is that
A) often the most likely threat to occur is not the one with the largest exposure.
B) the relevant cost of the loss's occurrence is an estimate.
C) the likelihood of a given failure requires predicting the future.
D) the approach estimates the costs and benefits to the perpetrators of attacks.
Answer: A
Diff: 2
Learning Obj.: 1

87) When the qualitative approach to risk assessment is used, costs might be estimated using
A) replacement costs.
B) service denial costs.
C) business interruption costs.
D) All of these answers are correct.
Answer: D
Diff: 1
Learning Obj.: 1

88) An extremely risk-seeking perpetrator
A) will offer his or her services to the highest bidder.
B) will take very large risks for a small reward.
C) is almost always a terminated employee of the organization he or she attacks.
D) will take small risks for small rewards.
Answer: B
Diff: 1
Learning Obj.: 1

89) A weakness in an information security system is
A) a threat.
B) computer sabotage.
C) a vulnerability.
D) a system fault.
Answer: C
Diff: 2
Learning Obj.: 1

90) Information security is an international problem. Which countries below have set criminal penalties of up to 10 years for fraudulent use of computer services or the intentional changing of a data processing record with the intent of enrichment?
A) Canada and Finland
B) Switzerland and Canada
C) Denmark and Finland
D) France and Germany
Answer: B
Diff: 3
Learning Obj.: 1

91) Which group of people listed below would not pose a high degree of threat to an organization's information system?
A) Systems personnel
B) Users
C) Intruders
D) External auditors
Answer: D
Diff: 2
Learning Obj.: 1

92) Which individual listed below is placed in a position of great trust, normally having access to security secrets, files and programs?
A) Systems supervisor
B) Programmer
C) Computer maintenance person
D) Data control clerk
Answer: A
Diff: 2
Learning Obj.: 1

93) An intruder who intercepts legitimate information and replaces it with fraudulent information is known as a
A) hacker.
B) wiretapper.
C) piggybacker.
D) spy.
Answer: C
Diff: 2
Learning Obj.: 2

94) The method used in most cases of computer fraud is
A) program alteration.
B) input manipulation.
C) data theft.
D) sabotage.
Answer: B
Diff: 2
Learning Obj.: 2

95) A defrauder substitutes his own version of a company's master file for the real one. This method of computer fraud is known as
A) direct file alteration.
B) data theft.
C) misappropriation of information resources.
D) Answers B and C above are both correct.
Answer: A
Diff: 1
Learning Obj.: 2

96) Sometimes computer programs are used to commit acts of sabotage. A destructive program masquerading as a legitimate one is called a
A) logic bomb.
B) worm.
C) virus.
D) Trojan horse.
Answer: D
Diff: 2
Learning Obj.: 2

97) Sometimes computer programs are used to commit acts of sabotage. A computer program that actually grows in size as it infects more and more computers in a network is known as a
A) Trojan horse.
B) logic bomb.
C) virus.
D) worm.
Answer: D
Diff: 2
Learning Obj.: 2

98) In an information security system, security measures focus on
A) correcting the effects of threats.
B) preventing and detecting threats.
C) management philosophy and operating style.
D) the internal audit function.
Answer: B
Diff: 1
Learning Obj.: 2

99) A form of sabotage in which very large numbers of requests flood a Web server within a short time interval is known as a
A) denial of service attack.
B) logic bomb.
C) macro virus.
D) grid overload.
Answer: A
Diff: 2
Learning Obj.: 2

100) The most important personnel policy and practice regarding information systems security is that
A) there should be adequate supervision of personnel at all times.
B) employees should be required to rotate jobs.
C) the duties of computer users and computer systems personnel should be segregated.
D) employees should be required to take vacations.
Answer: C
Diff: 2
Learning Obj.: 3

101) The primary way to prevent active threats concerning fraud and sabotage is to implement successive layers of access controls. The second step behind the layered approach to access control is to
A) prevent unauthorized access to both data and program files.
B) physically separate unauthorized individuals from computer resources.
C) classify all data and equipment according to their importance and vulnerability.
D) keep unauthorized users from using the system.
Answer: D
Diff: 2
Learning Obj.: 3

102) The primary way to prevent active threats concerning fraud and sabotage is to implement successive layers of access controls. Withholding administrative rights from individual PC users is an example of a
A) file access control.
B) system access control.
C) site access control.
D) None of these answers are correct.
Answer: B
Diff: 2
Learning Obj.: 3

103) The primary way to prevent active threats concerning fraud and sabotage is to implement successive layers of access controls. Such an approach involves erecting multiple layers of controls that separate the would-be perpetrator from his or her potential targets. One file-access control system that will prevent unauthorized access is (are)
A) a password management system.
B) biometric hardware authentication.
C) locked files.
D) a firewall.
Answer: C
Diff: 1
Learning Obj.: 3

104) Controls can be designed to provide a defense from both active and passive threats. An example of a passive threat is
A) a rolling blackout.
B) a Trojan horse.
C) an unhappy employee.
D) a password which has been compromised.
Answer: A
Diff: 1
Learning Obj.: 3

105) What is an example of fault tolerance applied at the transaction level?
A) Consensus-based protocols
B) Read-after-write checks
C) Database shadowing
D) Flagging
Answer: C
Diff: 2
Learning Obj.: 3

106) Disk shadowing is an example of fault tolerance applied at what level?
A) Network communications
B) DASD
C) Transaction
D) CPU processor
Answer: B
Diff: 2
Learning Obj.: 3

107) An example of fault tolerance at the network communications level is
A) a watchdog processor.
B) disk mirroring.
C) rollback processing.
D) an uninterruptable power supply.
Answer: A
Diff: 2
Learning Obj.: 3

108) Since many personal computer users do not properly back up their files, a system that centralizes the backup process is essential. A backup of all files on a given disk is known as a(n)
A) full backup.
B) differential backup.
C) incremental backup.
D) emergency backup.
Answer: A
Diff: 2
Learning Obj.: 3

109) The type of backup which avoids the problems which arise from restoring incremental backups is a(n)
A) full backup.
B) partial backup.
C) archive restoration.
D) differential backup.
Answer: D
Diff: 2
Learning Obj.: 3

110) One Internet security problem arises from configuration problems in the area of configuring permissions for directories. This is an example of
A) an operating system vulnerability.
B) a Web server vulnerability.
C) a private network vulnerability.
D) server program vulnerability.
Answer: B
Diff: 2
Learning Obj.: 3

111) A Trojan horse program placed on one computer with the objective of attacking another computer is an example of which Internet security vulnerability?
A) A Web server and its configuration
B) An operating system and its configuration
C) A private network and its configuration
D) A general security procedure
Answer: C
Diff: 2
Learning Obj.: 3

112) The primary way to prevent active threats concerning fraud and sabotage is to implement successive layers of access controls. However, the widespread adoption and use of the Internet has made it impossible to completely implement which layer of the layered-access approach to security?
A) Site-access
B) System-access
C) File-access
D) None of these answers is correct.
Answer: A
Diff: 2
Learning Obj.: 3

113) The best general security procedure is
A) to use advanced information security system software.
B) for system administrators to enforce system security policies that already exist.
C) to isolate computer facilities from the rest of the company.
D) to eliminate access privileges to all remote users.
Answer: B
Diff: 2
Learning Obj.: 3

114) General security procedures are essential in Internet security. One especially important weakness that hackers may attempt to exploit in this area is to
A) guess at passwords.
B) rewrite computer source code.
C) alter log files to cover their tracks.
D) steal the hard drives of personal computers used as Web servers.
Answer: C
Diff: 2
Learning Obj.: 3

115) Which item listed below is a weakness of using a firewall for Internet security?
A) IP addresses can be spoofed.
B) Firewalls can block incoming access on computer networks.
C) Firewalls can block outgoing access on computer networks.
D) Firewalls can be set to only allow limited outgoing access to particular programs or servers.
Answer: A
Diff: 2
Learning Obj.: 3

116) Disaster risk management is concerned with
A) the prevention of disasters.
B) the layered-access approach to security.
C) contingency planning.
D) Answers A and C are both correct.
Answer: D
Diff: 2
Learning Obj.: 4

117) The first step in managing disaster risk is
A) to obtain business interruption insurance.
B) disaster prevention.
C) contingency planning.
D) to analyze and list recovery priorities.
Answer: B
Diff: 2
Learning Obj.: 4

118) Which of the following causes of disasters occurs less than any other cause?
A) Natural disasters
B) Human errors
C) Deliberate actions
D) Passive threats
Answer: B
Diff: 1
Learning Obj.: 4

119) A disaster recovery plan should include
A) a list of priorities for recovery.
B) an evaluation of a company's needs in the event of a disaster.
C) a set of recovery strategies and procedures.
D) All of these answers are correct.
Answer: D
Diff: 2
Learning Obj.: 4

120) One recovery strategy in the event of a disaster is an alternative processing arrangement. An arrangement between two companies in which each company agrees to help the other if the need arises is a(n)
A) commercial vendor arrangement.
B) computer service bureau agreement.
C) shared contingency arrangement.
D) alternate site center.
Answer: C
Diff: 2
Learning Obj.: 4

121) A company which specializes in processing the data of other companies, but not its own, is a(n)
A) computer service bureau.
B) commercial vendor of disaster services.
C) emergency response center.
D) flying-start site.
Answer: A
Diff: 2
Learning Obj.: 4

122) The possibility of losing employees to a disaster should be addressed in
A) a salvage plan.
B) an alternative processing arrangement.
C) the personnel replacement plan.
D) the personnel relocation plan.
Answer: C
Diff: 1
Learning Obj.: 4

123) One recovery strategy in the event of a disaster is an alternative processing arrangement using a backup site. A site that contains the wiring for computers and also has the equipment is a
A) cold site.
B) hot site.
C) flying-start site.
D) service bureau.
Answer: B
Diff: 1
Learning Obj.: 4

124) Which of the following is an ideal password?
A) ABC123
B) DOG&bone
C) sky&CAT
D) 2s&Ytc8x
Answer: D
Diff: 3
Learning Obj.: 1

125) If users are permitted to choose their own passwords, the best procedure is to
A) forbid users from choosing certain easy-to-guess passwords.
B) forbid users to change their passwords later.
C) allow users to choose passwords they can easily remember.
D) allow users to choose the appropriate expiration date for their passwords.
Answer: A
Diff: 2
Learning Obj.: 1

126) A flying-start site
A) is the most commonly adopted option for companies with disaster recovery plans.
B) usually cannot be made operational within 24 hours.
C) involves mirroring of transactions at the primary site, followed by transmission of data to the backup site.
D) is arranged through a service bureau.
Answer: C
Diff: 3
Learning Obj.: 4

127) After a planning committee has been appointed and the support of senior management has been obtained, the first step in designing a disaster recovery plan is
A) determining what computer-related resources are critical.
B) naming an emergency response team.
C) finding a suitable alternative processing site to use in an emergency.
D) listing the company's recovery priorities.
Answer: A
Diff: 2
Learning Obj.: 4

128) Sandra Johnson is her company's chief security officer. She is interested in obtaining fault tolerance at the direct-access storage device level. Which of the following methods would be of most interest to her?
A) Rollback processing
B) Disk mirroring
C) Consensus-based protocols
D) Database shadowing
Answer: B
Diff: 3
Learning Obj.: 3

129) The best way to test the integrity of a computer system is to
A) review all system output thoroughly.
B) review all system input thoroughly.
C) sample the system's actual transactions.
D) process hypothetical transactions through the system.
Answer: D
Diff: 2
Learning Obj.: 2

130) To detect unauthorized direct changes to master files, the auditor traces these changes back to the underlying
A) transaction files.
B) source documents.
C) hypothetical transactions.
D) control account balances.
Answer: B
Diff: 2
Learning Obj.: 2

131) A type of processing that writes a transaction to disk only if it has been completed successfully is
A) rollback processing.
B) disk mirroring.
C) fault-tolerant processing.
D) read-after-write checking.
Answer: A
Diff: 1
Learning Obj.: 3

132) The most basic security procedure in system-access controls is the
A) sign-countersign system.
B) identification of the user's ID, time, and date of each entry.
C) user's responsibility to protect his or her password.
D) system's assignment of the user ID and password.
Answer: C
Diff: 3
Learning Obj.: 3

133) Jennifer Nguyen is interested in archiving several data files. She should
A) use a full backup for each file.
B) use an incremental backup for each file.
C) store the data files on media suitable for long-term storage.
D) use a differential backup for each file and restore each file.
Answer: C
Diff: 3
Learning Obj.: 4

134) The ________ makes it a federal felony for anyone other than law enforcement or intelligence officers to pretext phone records.
A) Computer Fraud and Abuse Act of 1986
B) Telephone Records and Privacy Protection Act of 2006
C) Gramm-Leach-Bliley Act
D) Health Insurance Portability and Accountability Act
Answer: B
Diff: 3
Learning Obj.: 2

135) The three objectives of information security include
A) confidentiality, integrity, and availability.
B) protection, responsibility, and continuity.
C) confidentiality, protection, and continuity.
D) responsibility, integrity, and availability.
Answer: A
Diff: 3
Learning Obj.: 1

136) The information security management system life cycle includes analysis, design, implementation, and
A) operation, evaluation, and management.
B) operation, evaluation, and control.
C) operation, management, and continuity.
D) operation, control, and continuity.
Answer: B
Diff: 3
Learning Obj.: 1

137) Guidelines and standards that are important to Information Security Management Systems include all the following except
A) COSO.
B) COBIT.
C) ERM.
D) ISO 27000 series.
Answer: C
Diff: 2
Learning Obj.: 1

138) The ISO series number that defines a code of best practices for ISMSs is
A) 27000.
B) 27001.
C) 27002.
D) 27003.
Answer: C
Diff: 2
Learning Obj.: 1

139) The ISO series numbers that define implementation, measuring performance, and risk management for ISMSs include
A) 27000-27002.
B) 27003-27005.
C) 27006-27008.
D) 27001-27008.
Answer: B
Diff: 2
Learning Obj.: 1

140) Hackers can be categorized as white, black, or ________ hat hackers.
A) gray
B) green
C) top
D) None of these answers is correct.
Answer: A
Diff: 2
Learning Obj.: 2

141) Hacker methods include all of the following except
A) social engineering.
B) direct observation.
C) electronic interception.
D) continuity prevention.
Answer: D
Diff: 1
Learning Obj.: 2

142) Examples of social engineering include
A) pretexting and phishing.
B) pretexting and direct observation.
C) phishing and direct observation.
D) pretexting, phishing, and direct observation.
Answer: A
Diff: 2
Learning Obj.: 2

143) Viruses and denial of service attacks are examples of
A) electronic interception.
B) spyware.
C) malware.
D) exploits.
Answer: C
Diff: 2
Learning Obj.: 2

144) The ________ makes it a federal crime, with a mandatory prison sentence, to pretext any kind of information that relates to a relationship between a consumer and a financial institution.
A) Computer Fraud and Abuse Act of 1986
B) Telephone Records and Privacy Protection Act of 2006
C) Gramm-Leach-Bliley Act
D) Health Insurance Portability and Accountability Act
Answer: C
Diff: 2
Learning Obj.: 2

145) When a hacker takes advantage of a vulnerability to access the software, hardware, or data in an unauthorized manner a(n) ________ has occurred.
A) exploit
B) vector
C) exposure
D) virtualization
Answer: A
Diff: 2
Learning Obj.: 2

146) In general, ________ arise from improperly installed or configured software and from unforeseen defects or deficiencies in the software.
A) exploits
B) virtualizations
C) vulnerabilities
D) exposures
Answer: C
Diff: 2
Learning Obj.: 2

147) Sabotage is a(n) ________ threat.
A) active
B) passive
C) direct
D) second layer
Answer: A
Diff: 2
Learning Obj.: 2

148) Input ________ is an example of a system attack method.
A) vector
B) manipulation
C) hacking
D) buffer
Answer: B
Diff: 2
Learning Obj.: 2

149) ________ involves running multiple operating systems, or multiple copies of the same operating system, all on the same machine.
A) Hypervisor
B) Business continuity planning
C) Virtualization
D) Subscriber Identity Module (SIM)
Answer: C
Diff: 2
Learning Obj.: 3

150) All software and data is stored by the SaaS provider in the
A) hypervisor.
B) cloud.
C) stars.
D) grid.
Answer: B
Diff: 2
Learning Obj.: 3

151) ________ computing involves clusters of interlinked computers that share common workloads.
A) Grid
B) Cloud
C) Networked
D) Malware
Answer: A
Diff: 2
Learning Obj.: 3

152) Which of the following forms of social engineering involves impersonation?
A) Contexting
B) Phishing
C) Hypervising
D) Pretexting
Answer: D
Diff: 2
Learning Obj.: 2
153) Botnets are normally used for which of the following?
A) Grid computing
B) Denial of service attacks
C) Continuity planning
D) Cloud computing
Answer: B
Diff: 2
Learning Obj.: 2

154) Adware is a type of
A) virus.
B) logic bomb.
C) spyware.
D) Trojan horse.
Answer: C
Diff: 2
Learning Obj.: 2

155) On the local workstation, cloud computing
A) complicates security considerations.
B) simplifies security considerations.
C) is not involved with security considerations.
D) affects security minimally but still must be considered under ISO 27000.
Answer: B
Diff: 2
Learning Obj.: 3

156) Which of the following sources of information security frameworks or standards targets managers rather than IT professionals?
A) COSO
B) ISMS
C) COBIT
D) ISO
Answer: A
Diff: 2
Learning Obj.: 3
157) Presented below is a list of terms relating to accounting information systems, followed by definitions of those terms.

Required: Match the letter next to each definition with the appropriate term. Each answer will be used only once.

________ 1. Biometric hardware authentication
________ 2. Archive bit
________ 3. Trapdoor
________ 4. Consensus-based protocol
________ 5. Hacker
________ 6. Fault tolerance
________ 7. Locked files
________ 8. Service bureau
________ 9. System fault

A. The concept that if one part of the computer fails, a redundant part is available to take over
B. This generally cannot be prevented by appropriate wall shielding
C. Systems that automatically identify individuals based on their fingerprints, hand sizes, retina patterns, voice patterns, and other personal features
D. This type of system requires an odd number of processors
E. A program can be run but not looked at or altered
F. A company that provides data processing services to other companies for a fee
G. A type of intruder or attacker
H. A portion of the computer program that allows someone to access a system while bypassing normal security procedures
I. This would include hard disk crashes, power failures, or printer jams
J. Commonly used in backup systems to indicate whether a file has been altered
Answer: 1. C, 2. J, 3. H, 4. D, 5. G, 6. A, 7. E, 8. F, 9. I
Diff: 2
Learning Obj.: 1, 2, 3

158) Presented below is a list of terms relating to accounting information systems, followed by definitions of those terms.

Required: Match the letter next to each definition with the appropriate term. Each answer will be used only once.

________ 1. Database shadowing
________ 2. Logic bomb
________ 3. Information security system
________ 4. Risk management
________ 5. File-access controls
________ 6. Site-access controls
________ 7. Piracy
________ 8. Incremental backup
________ 9. Piggybacking
________ 10. Risk-seeking perpetrator

A. Prevents unauthorized access to both data and program controls
B. A duplicate of all transactions is automatically recorded
C. All files whose archive bit is set to 1 are backed up
D. One who will take risks just because, without significant monetary gain
E. A dormant piece of code placed in a computer program for later activation by a later event
F. The copying and distributing of copyrighted software or files without permission
G. The process of assessing and controlling computer system risks
H. The interception of legitimate information and substitution of fraudulent information in its place
I. The subsystem of the organization that controls these risks
J. These separate unauthorized individuals from computer resources
Answer: 1. B, 2. E, 3. I, 4. G, 5. A, 6. J, 7. F, 8. C, 9. H, 10. D
Diff: 2
Learning Obj.: 1, 2, 3
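The archive bit (157 J) and the incremental backup rule (158 C) are easier to see in working code than in a one-line definition. The simulation below is an added example, not code from the Bodnar/Hopwood text: it models a backup program that sets the bit on every write, clears it on full and incremental backups, leaves it alone on differential backups, and then shows the restore-order caveat that follows from the rule. File names, contents and the in-memory "volume" are constructed for the example.

```python
"""Archive-bit backup selection (added example, not from the textbook).

Any write sets a file's archive bit to 1. A full backup copies everything
and clears all bits; an incremental backup copies only files whose bit is 1
and clears it; a differential backup copies the same files but leaves the
bit set. File names and contents below are constructed.
"""
from dataclasses import dataclass


@dataclass
class File:
    name: str
    content: str
    archive_bit: int = 1  # a new file counts as altered since the last backup


class Volume:
    """Minimal stand-in for a disk volume (assumption: no real filesystem)."""

    def __init__(self):
        self.files = {}

    def write(self, name, content):
        f = self.files.get(name)
        if f is None:
            self.files[name] = File(name, content)
        else:
            f.content = content
            f.archive_bit = 1  # any modification sets the bit

    def snapshot(self):
        return {n: f.content for n, f in self.files.items()}


def full_backup(vol):
    """Copy every file and clear all archive bits."""
    copy = {n: f.content for n, f in vol.files.items()}
    for f in vol.files.values():
        f.archive_bit = 0
    return copy


def incremental_backup(vol):
    """Copy files whose archive bit is 1, then clear the bit (158 C)."""
    copy = {n: f.content for n, f in vol.files.items() if f.archive_bit == 1}
    for f in vol.files.values():
        f.archive_bit = 0
    return copy


def differential_backup(vol):
    """Copy files whose archive bit is 1 but leave the bit set, so each
    differential holds everything changed since the last full backup."""
    return {n: f.content for n, f in vol.files.items() if f.archive_bit == 1}


def restore(full, increments):
    """Rebuild a volume image: start from the full backup and apply every
    incremental in the order taken. Skipping one silently loses changes."""
    state = dict(full)
    for inc in increments:
        state.update(inc)
    return state


def demo():
    """Full backup, two incrementals, then a correct and an incomplete restore."""
    vol = Volume()
    vol.write("ar_master.dat", "v1")
    vol.write("customers.dat", "v1")
    full = full_backup(vol)            # both files, bits cleared
    vol.write("customers.dat", "v2")
    inc1 = incremental_backup(vol)     # only customers.dat
    vol.write("ar_master.dat", "v2")
    inc2 = incremental_backup(vol)     # only ar_master.dat
    return {
        "full": sorted(full),
        "inc1": sorted(inc1),
        "inc2": sorted(inc2),
        "restored_ok": restore(full, [inc1, inc2]) == vol.snapshot(),
        "partial_restore_ok": restore(full, [inc2]) == vol.snapshot(),
    }


def demo_differential():
    """Each differential grows because the bit is never cleared."""
    vol = Volume()
    vol.write("a", "v1")
    vol.write("b", "v1")
    full_backup(vol)
    vol.write("a", "v2")
    d1 = differential_backup(vol)
    vol.write("b", "v2")
    d2 = differential_backup(vol)
    return sorted(d1), sorted(d2)
```

The practical point is in `restore`: an incremental chain must be applied in full and in order, which is why a recovery plan that relies on incrementals also needs a tested restore procedure, not just the backup job.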

159) Your company has been rapidly growing and increasing in profitability for the past five years. Suddenly, a new, smaller company has appeared, and it seems to have an uncanny ability to win away your previously loyal customers. You know that the owner of the new company is your company's former employee. You suspect the former employee has continued to access your databases.

Required:

a. Identify and briefly discuss the method that the former employee is likely using to access the system.
b. Recommend three controls your company could employ to address this problem.
Answer:
a. This situation indicates that the former employee is probably engaging in data theft. The new company probably has your company's customer information. If the theft is being perpetrated through the computer, the former employee may be using his or her old user identification and password. Alternatively, the former employee may be using a current employee's ID and password (perhaps without that employee's knowledge), or simply guessing a password. The former employee may also be using direct file alteration to delete information from customer records. Direct file alteration occurs when an attacker bypasses normal data entry procedures to access a file. It is also possible that the former employee has had physical access to the company's facilities and its customer information. The former employee may be entering the company and using a computer already logged onto the system to steal the information.

b. Some suggested corrective and preventive controls are:
Reprogram locks on buildings and rooms containing computer devices or storage media.
Verify that the former employee's user account has been (and still is) terminated and disabled.
Use a password management system to assign new passwords to all current employees. The system should reassign passwords periodically.
Implement and enforce a strict policy regarding passwords: each employee should keep passwords secret; do not give out passwords over the phone; do not allow easily guessed passwords to be used; do not post passwords near computers; do not throw paper containing passwords in the trash.
Review operating system records to find the time, date, and user ID numbers associated with access to customer files.
Diff: 2
Learning Obj.: 3

160) You've been hired as the chief security officer of your company. Before long, you learn that one of the operators has been making changes to the accounts receivable database. Upon this discovery, the employee is immediately terminated.

Required:
List three procedures that you should implement to prevent this problem from happening in the future.
Answer: Some preventive measures are:
Management should provide education in security to computer operators and other employees with the objective of creating a security-conscious environment.
Rotate operator shifts so the same operator is not always processing the accounts receivable database.
Require mandatory vacations for operators and all other systems-related personnel having access to sensitive files. Many frauds are disrupted when the perpetrator is away from his or her duties.
Monitor operations via closed-circuit television and videotaping employees at random intervals.
Provide personal supervision when appropriate.
Review master file entries for the user ID and time of all transactions to determine when the operator has accessed the accounts receivable database.
Diff: 2
Learning Obj.: 2
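Both 159 b ("review operating system records to find the time, date, and user ID numbers associated with access to customer files") and 160 ("review master file entries for the user ID and time of all transactions") come down to the same log review. The script below is an added example, not the textbook's: it parses constructed access-log lines and flags the three conditions those answers point at, use of a terminated employee's account, access to a sensitive file outside business hours, and a single operator making every change to a master file (a sign that shift rotation is not working). The log format, account names, file names and business hours are assumptions made for the example.

```python
"""Review of file-access records (added example, not from the textbook).

Flags: access by a terminated account, after-hours access to sensitive
files, and one operator performing every MODIFY on a sensitive master
file. Log lines, names and the hours window are constructed assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (assumed format: ISO timestamp, user, file, action).
LOG = """\
2024-03-04T09:12:41 user=mlopez file=CUSTOMERS.DAT action=READ
2024-03-04T22:15:03 user=jsmith file=CUSTOMERS.DAT action=READ
2024-03-05T02:40:19 user=jsmith file=CUSTOMERS.DAT action=COPY
2024-03-05T10:05:00 user=op_karl file=AR_MASTER.DAT action=MODIFY
2024-03-06T10:07:12 user=op_karl file=AR_MASTER.DAT action=MODIFY
2024-03-07T10:01:55 user=op_karl file=AR_MASTER.DAT action=MODIFY
2024-03-07T11:30:00 user=op_anna file=AR_MASTER.DAT action=READ
"""

TERMINATED = {"jsmith"}                          # account should already be disabled
SENSITIVE = {"CUSTOMERS.DAT", "AR_MASTER.DAT"}
BUSINESS_HOURS = range(8, 18)                    # 08:00 to 17:59, assumed
SINGLE_OPERATOR_THRESHOLD = 3                    # modifications by one user with no other modifier

LINE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) file=(?P<file>\S+) action=(?P<action>\S+)"
)


def parse(log):
    """Turn raw lines into dicts with a datetime timestamp; skip malformed lines."""
    records = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            records.append(rec)
    return records


def review(log, terminated=TERMINATED, sensitive=SENSITIVE):
    """Return a list of (finding, user, file, detail) tuples."""
    findings = []
    modifiers = defaultdict(Counter)  # file -> Counter of users who modified it
    for r in parse(log):
        if r["user"] in terminated:
            findings.append(("terminated_account", r["user"], r["file"], r["ts"].isoformat()))
        if r["file"] in sensitive and r["ts"].hour not in BUSINESS_HOURS:
            findings.append(("after_hours", r["user"], r["file"], r["ts"].isoformat()))
        if r["action"] == "MODIFY":
            modifiers[r["file"]][r["user"]] += 1
    # One operator making all changes to a sensitive file, with nobody else ever modifying it.
    for fname, counts in modifiers.items():
        if fname in sensitive and len(counts) == 1:
            user, n = next(iter(counts.items()))
            if n >= SINGLE_OPERATOR_THRESHOLD:
                findings.append(("single_operator", user, fname, f"{n} modifications"))
    return findings


if __name__ == "__main__":
    for f in review(LOG):
        print(*f)
```

The terminated-account check only works if the review is run against the current list of disabled accounts, which is why 159 b pairs the log review with verifying that the account really is disabled; a log that shows `jsmith` reading the customer file after the termination date is itself the evidence that the disablement control failed.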

161) You are the chief security officer for the Astra Corporation. You have decided that the risk of viruses is too great to allow employees to install and run games on the company's computer system.

Required:
a. What types of controls are required, and what is the objective of the required controls?
b. List three procedures that you can implement to guard against the unauthorized installation of software (and the inadvertent installation of viruses) on company computers.
Answer:
a. Site-access controls are appropriate. The objective of site-access controls is to physically separate unauthorized individuals and programs from computer resources.

b. Some procedures that will help prevent the installation of unauthorized software are:
Require security authorization for software installed on any computer.
Require all software purchases come through central purchasing and receiving.
Inspect or destroy programs that come to the company from unsolicited sources.
Randomly audit computers to check for any software programs that have not been approved for installation.
Diff: 2
Learning Obj.: 2

162) New Millennium Company is concerned about the security of its information system. It hosts a company Web site that is accessible through the Internet. Certain employees can access New Millennium's private network through the Internet as well. Employees can also access the Internet through the private network. The chief security officer for the company is worried about hackers and intruder attacks on both its Web site and the private network.

Required:
a. What Internet-related vulnerabilities may be present in New Millennium's information system?
b. What procedures or steps might be implemented to strengthen system security?
Answer:
a. Since New Millennium's system is accessible via the Internet, vulnerabilities may arise from weaknesses in any of five major areas:
The operating system or its configuration
The Web server or its configuration
The private network or its configuration
Various server programs
Lack of adherence to established general security procedures

b. The following procedures may help to strengthen system security:
The chief security officer needs to be aware of advisory bulletins for security updates and new information on configuration issues, and take appropriate action when necessary to secure the operating system.
The company should have in operation a firewall that restricts incoming traffic on network computers. The firewall can also be configured to limit outgoing traffic or block access to certain IP addresses on the Internet.
The company should use a proxy server to monitor and route traffic to and from its private network and restrict access only to authorized users.
All servers should have the latest anti-virus software installed to continually monitor for the possibility of viruses entering into or migrating within the system.
The FTP server should be equipped with the encryption-based software that prevents clear transmission of passwords and computer files of a highly sensitive nature.
Web usage and all network traffic should be monitored to ensure that unauthorized activity is not occurring. The chief security officer should hold employee-training sessions on software/hardware security policies and enforce those policies.
Passwords should be routinely changed and employees should not be allowed to choose easy-to-remember passwords.
The chief security officer should routinely review log files for unusual network traffic and file transfers.
Diff: 2
Learning Obj.: 2

163) Describe the similarities and differences between a quantitative and a qualitative approach to computer risk assessment.
Answer: Suggested answer:

Both the quantitative and qualitative approaches require the company to identify vulnerabilities and threats, consider the monetary losses the company could suffer and the probability that the loss will be realized, and rank the exposures.

The primary difference between the two approaches is that the quantitative approach requires that the company quantify both the amount of the loss and the probability of occurrence. The qualitative approach, on the other hand, is based on a subjective, non-quantitative consideration of potential losses and likelihoods, and the resulting ranking of exposures is subjective.
Diff: 2
Learning Obj.: 1
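The difference between the two approaches in 163 shows up as soon as the same exposures are ranked both ways. The script below is an added example, not part of the textbook: it computes each quantitative exposure as single-loss cost times annual probability (the product the textbook defines), scores the same threats on ordinal impact and likelihood scales for the qualitative view, ranks both, and adds the follow-on decision the quantitative numbers support, whether a control's annual cost is justified by the expected loss it removes. The threats, dollar amounts, probabilities and 1-to-5 scales are constructed for the example.

```python
"""Quantitative vs. qualitative ranking of loss exposures (added example,
not from the textbook).

Quantitative: expected annual loss = single loss cost x annual probability.
Qualitative: ordinal impact (1-5) x ordinal likelihood (1-5) on a risk matrix.
All threats and numbers below are constructed.
"""

EXPOSURES = [
    # (threat, single loss in dollars, annual probability, impact 1-5, likelihood 1-5)
    ("data theft by former employee",   250_000, 0.10, 4, 3),
    ("ransomware on AR system",         800_000, 0.02, 5, 2),
    ("lost laptop with customer list",   40_000, 0.50, 2, 5),
    ("power failure, one-day outage",    15_000, 0.80, 1, 5),
]


def expected_annual_loss(single_loss, probability):
    """The textbook's quantitative exposure: cost of one loss x its likelihood."""
    return single_loss * probability


def quantitative_ranking(exposures):
    """Rank by expected annual loss, highest first."""
    scored = [(name, expected_annual_loss(cost, p)) for name, cost, p, _, _ in exposures]
    return sorted(scored, key=lambda x: x[1], reverse=True)


def qualitative_ranking(exposures):
    """Rank by impact x likelihood on ordinal scales; ties keep input order."""
    scored = [(name, impact * likelihood) for name, _, _, impact, likelihood in exposures]
    return sorted(scored, key=lambda x: x[1], reverse=True)


def control_justified(loss_before, p_before, loss_after, p_after, annual_control_cost):
    """A control pays for itself when the expected loss it removes per year
    exceeds what it costs per year. Only the quantitative approach can answer this."""
    saving = expected_annual_loss(loss_before, p_before) - expected_annual_loss(loss_after, p_after)
    return saving > annual_control_cost


if __name__ == "__main__":
    print("quantitative:")
    for name, ale in quantitative_ranking(EXPOSURES):
        print(f"  {ale:>10,.0f}  {name}")
    print("qualitative:")
    for name, score in qualitative_ranking(EXPOSURES):
        print(f"  {score:>10}  {name}")
    # Example control: tested offline backups cut the ransomware single loss
    # from 800,000 to 100,000 at the same probability (assumed figures).
    print("backups at 10,000/yr justified:",
          control_justified(800_000, 0.02, 100_000, 0.02, 10_000))
```

With these inputs the two methods disagree on second place: the quantitative view ranks the frequent, cheap laptop loss above ransomware (20,000 versus 16,000 expected per year), while the qualitative matrix ranks ransomware higher because its impact score dominates. That disagreement is the practical cost of the qualitative approach's subjectivity, and the reason the quantitative numbers are needed when a control has to be justified against its price.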
164) Give four factors that are important to a company's control environment in the area of computer security, and illustrate each with an example.
Answer: Suggested answer:

Students might answer as follows (the chapter identifies seven factors, and several examples are given of each; only two examples are listed below):
Management philosophy and operating style
Examples: maintaining an overall atmosphere of security consciousness; maintaining high morale and good communication with employees
Organization structure
Examples: clearly designating who is responsible for decisions relating to accounting software and accounting procedures; designating one individual to be in charge of the computer security system
Board of directors and its committees
Examples: having an audit committee, which appoints or approves the internal auditor(s); having an internal auditor who is knowledgeable about computer security and serves as chief security officer
Management control activities
Examples: establishing controls over the use of computer resources; using budgets
Internal audit function
Examples: constantly monitoring the system; requiring all modifications to the system to be approved in writing
Personnel policies and practices
Examples: separating the duties of users and computer system personnel; separating duties regarding access to key accounting files; job rotation
External influences
Examples: providing security measures to ensure that the company complies with laws regarding customer privacy, government-classified records, privacy of employees; having a company policy regarding software piracy by employees
Diff: 2
Learning Obj.: 3

165) When devising its disaster recovery plan, a company should have a detailed set of recovery strategies and procedures. What are five considerations that should be covered by the company's recovery strategies and procedures?
Answer: Suggested answer:

(Note: The chapter lists seven considerations; the question asks for five.)
An emergency response center (including a director, a response team, and a site)
Escalation procedures
Alternate processing arrangements (sites)
A personnel relocation plan
A personnel replacement plan
A salvage plan
A plan for testing and maintaining the system
Diff: 2
Learning Obj.: 4
166) Discuss how U.S. law has addressed the issue of information systems fraud.
Answer: Suggested answer:

Computer-based crimes such as information systems fraud are part of the general problem of white-collar crime. The United States now addresses this issue in both federal and state courts. Most states have enacted specific criminal statutes directed against computer crimes. The federal Computer Fraud and Abuse Act of 1986 makes it a federal crime to knowingly, and with intent to defraud, gain unauthorized access to data stored in the computers of financial institutions, computers owned or used by the federal government, or computers operating in interstate commerce. Trafficking in computer access passwords is also illegal under the Act. Violations under the Act are treated as felonies, with both monetary penalties and jail sentences given to anyone convicted under the Act.
Diff: 2
Learning Obj.: 1

167) Discuss the information security system life cycle.
Answer: Suggested answer:

Because the information security system is itself an information system, the life-cycle approach should be used in its development. Such systems are built by applying the established phases of system analysis, design, implementation, and operation, evaluation, and control.

The objectives of the phases of the life-cycle approach are:
System analysis: Analyze system vulnerabilities in terms of threats and exposures
System design: Design security measures and contingency plans based on the exposures identified in the analysis
System implementation: Implement the security measures as designed
System operation, evaluation, and control: Test the system under normal conditions to assess its effectiveness and efficiency, making any necessary changes

The chief security officer should also report on information system security to the company's board of directors on a regular basis. Such reports should cover the four phases of the life cycle, and include a discussion of loss exposures, plans for exposure management, specifics on security system performance, and a summary of activities including actual losses, security breaches, and the associated costs.
Diff: 2
Learning Obj.: 1

168) The main group of international standards for information security is the ISO/IEC 27000 series published by the International Organization for Standardization (ISO). ISO/IEC 27002 organizes its controls under 12 categories. Discuss 10 of the 12 categories that should be used as a general guide by any company considering information security.
Answer: Suggested answer:

1. Risk assessment: threat and vulnerability analysis.
2. Security policies: requires organized security policies.
3. Organization and governance of information security: requires a formal organization structure relating to security policies.
4. Asset management: classify information assets as to importance and identify related threats and vulnerabilities.
5. Human resources: issues relating to employees joining, leaving, and transferring within an organization; to employee security training; and to hiring practices.
6. Physical and environmental security: physical protection and physical access restrictions.
7. Communications and operations management: management of technical security controls in systems and networks.
8. Access control: layered approach to access.
9. Information systems acquisition, development, and maintenance: controls over software purchases and outsourcing, controls over changes, and controls over IT projects.
10. Information security incident management: monitoring, reporting, and responding to security breaches.
11. Business continuity management: implement a complete business continuity management system using the PDCA (Plan-Do-Check-Act) approach, and maintain adequate insurance.
12. Compliance: ensure compliance with relevant laws, regulations, and standards.
Diff: 2
Learning Obj.: 1

169) COBIT is a framework that defines a set, or code, of best practices. Discuss the 4 domains within the COBIT standard.
Answer: Suggested answer:

1. Plan and organize: focuses on IT organization and how IT can effectively be used in the organization.
2. Acquire and implement: focuses on developing, acquiring, and maintaining IT processes.
3. Deliver and support: focuses on delivery, implementation, managing, and configuring IT processes.
4. Monitor and evaluate: focuses on assessing IT processes according to their stated goals and objectives.
Diff: 2
Learning Obj.: 3

170) Describe the security advantage of virtualization.
Answer: Suggested answer:

The security advantage of virtualization is that each operating system instance is isolated from all other operating system instances running on the same computer. Each virtual machine has access only to the data, software, and memory allocated to it by the hypervisor. The result is that if a hacker compromises one virtual machine, he or she will not have access to the data, software, and memory of other virtual machines running on the same computer, as long as the hypervisor itself remains uncompromised.
Diff: 2
Learning Obj.: 3
