Chapter 11 Information Security and Computer Fraud
1. The fraud triangle includes incentive, opportunity and an attitude to rationalize the fraud. True
False
2. The goal of information security management is to maintain confidentiality, integrity and availability of a firm's information. True
False
3. Encryption is a preventive control ensuring data confidentiality and privacy during transmission and for storage. True
False
4. Asymmetric-key encryption is suitable for encrypting large data sets or messages. True
False
5. Key distribution and key management are problematic under symmetric-key encryption. True
False
6. The symmetric-key encryption method is used to authenticate users. True
False
11-1 Copyright © 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
7. A Certificate Authority (CA) issues digital certificates to bind the subscriber with a public key and a private key. True
False
8. A company's audit committee is responsible for fraud risk assessments. True
False
9. One type of fault tolerance is using redundant units to give a system the ability to continue functioning when part of the system fails. True
False
10. Disaster recovery planning and business continuity management are preventive controls. True
False
11. Information security is a critical factor in maintaining systems integrity. True
False
12. The goal of information security management is to enhance the confidence, integrity and authority (CIA) of a firm's management. True
False
13. A virus is a self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself. True
False
14. Spam is a self-replicating program that runs and spreads by modifying other programs or files. True
False
15. Encryption and hashing are similar processes to maintain data confidentiality. True
False
16. Integrity of information means the information is:
A. Accurate B. Complete C. Accessible D. A and B are correct.
17. Which of the following statements is incorrect about digital signatures?
A. A digital signature can ensure data integrity. B. A digital signature also authenticates the document creator. C. A digital signature is an encrypted message digest. D. A digital signature is a message digest encrypted using the document creator's public key.
18. What is the primary objective of data security controls?
A. To establish a framework for controlling the design, security, and use of computer programs throughout an organization. B. To ensure that data storage media are subject to authorization prior to access, change, or destruction. C. To formalize standards, rules, and procedures to ensure the organization's controls are properly executed. D. To monitor the use of system software to prevent unauthorized access to system software and computer programs.
19. An entity doing business on the internet most likely could use any of the following methods to prevent unauthorized intruders from accessing proprietary information except:
A. Password management. B. Data encryption. C. Digital certificates. D. Batch processing.
20. When a client's accounts payable computer system was relocated, the administrator provided support through a dial-up connection to the server. Subsequently, the administrator left the company. No changes were made to the accounts payable system at that time. Which of the following situations represents the greatest security risk?
A. User passwords are not required to be in alphanumeric format. B. Management procedures for user accounts are not documented. C. User accounts are not removed upon termination of employees. D. Security logs are not periodically reviewed for violations.
21. Which of the following statements presents an example of a general control for a computerized system?
A. Limiting entry of sales transactions to only valid credit customers. B. Creating hash totals from social security numbers for the weekly payroll. C. Restricting entry of accounts payable transactions to only authorized users. D. Restricting access to the computer center by use of biometric devices.
22. Which of the following outcomes is a likely benefit of information technology used for internal control?
A. Processing of unusual or nonrecurring transactions. B. Enhanced timeliness of information. C. Potential loss of data. D. Recording of unauthorized transactions.
23. In a large multinational organization, which of the following job responsibilities should be assigned to the network administrator?
A. Managing remote access. B. Developing application programs. C. Reviewing security policy. D. Installing operating system upgrades.
24. An information technology director collected the names and locations of key vendors, the current hardware configuration, names of team members, and an alternative processing location. What is the director most likely preparing?
A. Data restoration plan. B. Disaster recovery plan. C. System security policy. D. System hardware policy.
25. Bacchus, Inc. is a large multinational corporation with various business units around the world. After a fire destroyed the corporate headquarters and largest manufacturing site, plans for which of the following would help Bacchus ensure a timely recovery?
A. Daily backup. B. Network security. C. Business continuity. D. Backup power.
26. Which of the following statements regarding authentication in conducting e-business is incorrect?
A. It is a process that establishes the origin of information or determines the identity of a user, process, or device. B. One key is used for encryption and decryption purposes in the authentication process. C. Successful authentication can prevent repudiation in electronic transactions. D. We need to use asymmetric-key encryption to authenticate the sender of a document or data set.
27. Which of the following is not included in the remediation phase of vulnerability management?
A. Risk Response Plan B. Policy and procedures for remediation C. Vulnerability Prioritization D. Control Implementation
28. Which of the following does not represent a viable data backup method?
A. Disaster recovery plan B. Redundant arrays of independent drives C. Virtualization D. Cloud computing
29. Which of the following statements about asymmetric-key encryption is correct?
A. When using the asymmetric-key encryption method, a total of two keys are necessary in electronic communication between two parties. B. Employees in the same company share the same public key. C. Most companies would like to manage the private keys for their employees. D. Most companies would like to use a Certificate Authority to manage the public keys of their employees. E. Two of the above are correct.
30. Which of the following statements is incorrect?
A. A fraud prevention program starts with a fraud risk assessment across the entire firm. B. The audit committee typically has an oversight role in the risk assessment process. C. Communicating a firm's policy file to employees is one of the most important responsibilities of management. D. A fraud prevention program should include an evaluation of the efficiency of business processes.
31. A disaster recovery approach should include which of the following elements:
A. Encryption. B. Firewalls. C. Regular backups. D. Surge protectors.
32. Which of the following passwords would be most difficult to crack?
A. Go2Ca!ifornia4fun B. language C. ennyjenny D. pass56word
33. Which of the following is a password security weakness?
A. Users are assigned passwords when accounts are created, but do not change them. B. Users have accounts on several systems with different passwords. C. Users write down their passwords on note paper and carry it with them. D. Users select passwords that are not part of an online password dictionary.
34. To prevent invalid data input, a bank added an extra number at the end of each account number and subjected the new number to an algorithm. This technique is known as:
A. A validation check. B. Check digit verification. C. A dependency check. D. A format check.
35. Which of the following security controls would best prevent unauthorized access to a firm's internal network?
A. Use of a screen saver with a password. B. Use of a firewall. C. Encryption of data files. D. Automatic log-off of inactive users.
36. Why does a Certificate Authority (CA) play an important role in a company's information security management?
A. Using a CA is required by SOX in managing information security. B. Most companies use a CA to manage their employees' public keys. C. The CA creates and maintains both the public and private keys for a company's employees. D. None of the above is correct.
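Question 34 above describes check digit verification: the bank appends one extra digit to each account number and later runs the whole number through an algorithm to catch mistyped input. The Go program below is added here as an illustration and is not part of the original test bank. It implements one widely used check digit scheme, the Luhn algorithm (ISO/IEC 7812, the one on payment card numbers); the bank in the question may use a different algorithm, and the sample account number 7992739871 is constructed for the example.

```go
package main

import "fmt"

// luhnSum returns the Luhn weighted sum of an ASCII digit string, walking from
// the rightmost digit (weight 1) and doubling every second digit, with doubled
// values above 9 reduced by 9. ok is false if a non-digit is present.
func luhnSum(digits string) (sum int, ok bool) {
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		c := digits[i]
		if c < '0' || c > '9' {
			return 0, false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum, true
}

// AppendCheckDigit takes the base account number and returns it with the
// check digit appended: the "extra number at the end" from question 34.
func AppendCheckDigit(base string) (string, error) {
	// Sum with a placeholder 0 in the check position so the doubling pattern
	// is the same one Validate will apply to the finished number.
	sum, ok := luhnSum(base + "0")
	if !ok {
		return "", fmt.Errorf("account number %q contains a non-digit", base)
	}
	check := (10 - sum%10) % 10
	return base + string(rune('0'+check)), nil
}

// Validate is the input control itself: it recomputes the algorithm over the
// full number, check digit included, and accepts only when the sum is a
// multiple of 10. Any single mistyped digit fails; so do adjacent
// transpositions other than 09 <-> 90.
func Validate(account string) bool {
	if len(account) < 2 { // need at least one payload digit plus the check digit
		return false
	}
	sum, ok := luhnSum(account)
	return ok && sum%10 == 0
}

func main() {
	// Constructed sample base account number (not from the original text).
	acct, err := AppendCheckDigit("7992739871")
	if err != nil {
		panic(err)
	}
	fmt.Println("issued:", acct, "valid:", Validate(acct)) // 79927398713 true
	fmt.Println("typo:", Validate("79927398719"))          // false
	fmt.Println("transposition:", Validate("79927398731")) // false
}
```

A check digit is a data-entry control, not a security control: the algorithm is public and anyone can compute a valid check digit for a number they have made up, so it catches keying errors, not fraud. That is why it sits with validation and format checks in question 34 rather than with the authentication controls elsewhere in the chapter.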
37. When computer programs or files can be accessed from terminals, users should be required to enter a(n)
A. Parity check. B. Password as a personal identification code. C. Check digit. D. Echo check.
38. Which of the following controls would most likely assure that a company can reconstruct its financial records?
A. Security controls such as firewalls B. Backup data are tested and stored safely C. Personnel understand the data very well D. Paper records
39. Why would companies want to use digital signatures when conducting e-business?
A. It is cheap. B. It is always the same so it can be verified easily. C. It is more convenient than requiring a real signature. D. It can authenticate the document sender and maintain data integrity.
40. Select the correct statement regarding encryption methods.
A. To use symmetric-key encryption, each user needs two different keys. B. Most companies prefer using symmetric-key encryption to the asymmetric-key encryption method. C. Both symmetric-key and asymmetric-key encryption methods require the involvement of a certificate authority. D. When conducting e-business, most companies use both symmetric-key and asymmetric-key encryption methods.
41. A magnetic tape used to store data backups was lost while it was being transported to an offsite storage location. The data on the tape includes customers' credit card and personal information. Which preventive control(s) should have been used to minimize the potential loss?
42. List the following steps regarding computer fraud risk assessments in sequence. (a) Assessing the likelihood and business impact of a control failure and/or a fraud incident. (b) Mapping existing controls to potential fraud schemes and identifying gaps. (c) Identifying potential IT fraud schemes and prioritizing them based on likelihood and impact. (d) Identifying relevant IT fraud risk factors. (e) Testing operating effectiveness of fraud prevention and detection controls.
43. Describe the process of using asymmetric-key encryption to authenticate the trading partner involved in e-business.
44. What are the two prerequisites for vulnerability management?
45. Describe the framework for vulnerability assessment and vulnerability management.
46. What are included in disaster recovery planning and business continuity management? Are these concepts related?
47. What is a digital signature? How could a digital signature ensure data integrity when conducting e-business?
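Questions 17, 43 and 47 all turn on the same mechanism: the sender computes a message digest of the document, applies the private key to that digest, and the receiver recomputes the digest and checks the signature with the sender's public key. The Go program below is an added illustration and is not part of the original test bank. It uses the standard library's RSA-PSS with SHA-256 (the textbook's "encrypt the digest with the private key" with no padding is not safe in practice); the purchase order text is constructed for the example, and both key pairs are generated locally, whereas a real receiver would obtain the partner's public key from a certificate issued by a CA.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign produces a digital signature: a SHA-256 message digest of the document,
// then an RSA-PSS signature over that digest using the signer's PRIVATE key.
func Sign(priv *rsa.PrivateKey, document []byte) ([]byte, error) {
	digest := sha256.Sum256(document)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify recomputes the digest over the received document and checks the
// signature with the signer's PUBLIC key. Success means the document is
// unchanged (integrity) and was signed by whoever holds the matching private
// key (authentication, and a basis for non-repudiation).
func Verify(pub *rsa.PublicKey, document, sig []byte) bool {
	digest := sha256.Sum256(document)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Outcome records the three checks a receiver relies on in e-business.
type Outcome struct {
	GenuineVerifies  bool // untouched order, partner's signature
	TamperedVerifies bool // one field altered in transit
	ImpostorVerifies bool // same order, signed with a different private key
}

// Demo runs the exchange between a trading partner (signer) and a receiver.
func Demo() (Outcome, error) {
	var out Outcome
	// Trading partner's key pair. In practice the receiver obtains the public
	// key from a certificate issued by a Certificate Authority (question 36).
	partner, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return out, err
	}
	// A second key pair standing in for an attacker who knows the order text
	// but does not hold the partner's private key.
	impostor, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return out, err
	}

	// Constructed sample purchase order (not from the original text).
	order := []byte("PO-0001: 500 units @ 12.50 USD, ship to warehouse 7")
	sig, err := Sign(partner, order)
	if err != nil {
		return out, err
	}
	out.GenuineVerifies = Verify(&partner.PublicKey, order, sig)

	// Integrity: change the quantity; the recomputed digest no longer matches
	// the one bound into the signature, so verification fails.
	tampered := []byte("PO-0001: 900 units @ 12.50 USD, ship to warehouse 7")
	out.TamperedVerifies = Verify(&partner.PublicKey, tampered, sig)

	// Authentication: a signature made with any other private key is rejected
	// by the partner's public key, even over the identical document.
	forged, err := Sign(impostor, order)
	if err != nil {
		return out, err
	}
	out.ImpostorVerifies = Verify(&partner.PublicKey, order, forged)
	return out, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out) // {GenuineVerifies:true TamperedVerifies:false ImpostorVerifies:false}
}
```

Two points the questions depend on are visible in the code. The digest step is a hash, not encryption: it is one-way and gives no confidentiality, which is the distinction question 15 tests, and the signature does nothing to hide the order text. And the private key is the only thing the impostor lacks, so everything the receiver concludes about who sent the order rests on that key staying secret and on the receiver having the right public key for the partner, which is the role the CA fills.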
Chapter 11 Information Security and Computer Fraud Answer Key
1. The fraud triangle includes incentive, opportunity and an attitude to rationalize the fraud.
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Remember Difficulty: 1 Easy Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques. Source: Original Topic: Computer fraud and abuse
2. The goal of information security management is to maintain confidentiality, integrity and availability of a firm's information.
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Remember Difficulty: 1 Easy Learning Objective: 11-01 Describe the risks related to information security and systems integrity. Source: Original Topic: Information security and systems integrity
3. Encryption is a preventive control ensuring data confidentiality and privacy during transmission and for storage.
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Understand Difficulty: 2 Medium Learning Objective: 11-02 Understand the concepts of encryption and authentication. Source: Original Topic: Information security and systems integrity
4. Asymmetric-key encryption is suitable for encrypting large data sets or messages.
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Understand Difficulty: 2 Medium Learning Objective: 11-02 Understand the concepts of encryption and authentication. Source: Original Topic: Information security and systems integrity
5. Key distribution and key management are problematic under symmetric-key encryption.
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Understand Difficulty: 2 Medium Learning Objective: 11-02 Understand the concepts of encryption and authentication. Source: Original Topic: Information security and systems integrity
6. The symmetric-key encryption method is used to authenticate users.
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Understand Difficulty: 2 Medium Learning Objective: 11-02 Understand the concepts of encryption and authentication. Source: Original Topic: Information security and systems integrity
7. A Certificate Authority (CA) issues digital certificates to bind the subscriber with a public key and a private key.
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Remember Difficulty: 1 Easy Learning Objective: 11-02 Understand the concepts of encryption and authentication. Source: Original Topic: Information security and systems integrity
8. A company's audit committee is responsible for fraud risk assessments.
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Remember Difficulty: 1 Easy Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques. Source: Original Topic: Computer fraud and abuse
9. One type of fault tolerance is using redundant units to give a system the ability to continue functioning when part of the system fails.
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Remember Difficulty: 1 Easy Learning Objective: 11-05 Explain issues in system availability; disaster recovery; and business continuity. Source: Original Topic: System availability, disaster recovery and business continuity
10. Disaster recovery planning and business continuity management are preventive controls.
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Remember Difficulty: 1 Easy Learning Objective: 11-05 Explain issues in system availability; disaster recovery; and business continuity. Source: Original Topic: System availability, disaster recovery and business continuity
11. Information security is a critical factor in maintaining systems integrity.
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Remember Difficulty: 1 Easy Learning Objective: 11-01 Describe the risks related to information security and systems integrity. Source: Original Topic: Information security and systems integrity
12. The goal of information security management is to enhance the confidence, integrity and authority (CIA) of a firm's management.
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Remember Difficulty: 1 Easy Learning Objective: 11-01 Describe the risks related to information security and systems integrity. Source: Original Topic: Information security and systems integrity
13. A virus is a self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself.
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Remember Difficulty: 1 Easy Learning Objective: 11-01 Describe the risks related to information security and systems integrity. Source: Original Topic: Information security and systems integrity
14. Spam is a self-replicating program that runs and spreads by modifying other programs or files.
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Remember Difficulty: 1 Easy Learning Objective: 11-01 Describe the risks related to information security and systems integrity. Source: Original Topic: Information security and systems integrity
15. Encryption and hashing are similar processes to maintain data confidentiality.
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Understand Difficulty: 2 Medium Learning Objective: 11-02 Understand the concepts of encryption and authentication. Source: Original Topic: Information security and systems integrity
16. Integrity of information means the information is:
A. Accurate B. Complete C. Accessible D. A and B are correct.
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Remember Difficulty: 1 Easy Learning Objective: 11-02 Understand the concepts of encryption and authentication. Source: Original Topic: Information security and systems integrity
17. Which of the following statements is incorrect about digital signatures?
A. A digital signature can ensure data integrity. B. A digital signature also authenticates the document creator. C. A digital signature is an encrypted message digest. D. A digital signature is a message digest encrypted using the document creator's public key.
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Understand Difficulty: 2 Medium Learning Objective: 11-02 Understand the concepts of encryption and authentication. Source: Original Topic: Information security and systems integrity
18. What is the primary objective of data security controls?
A. To establish a framework for controlling the design, security, and use of computer programs throughout an organization. B. To ensure that data storage media are subject to authorization prior to access, change, or destruction. C. To formalize standards, rules, and procedures to ensure the organization's controls are properly executed. D. To monitor the use of system software to prevent unauthorized access to system software and computer programs.
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Understand Difficulty: 2 Medium Learning Objective: 11-04 Define vulnerabilities; and explain how to manage and assess vulnerabilities. Source: CPA 2011 Examination, adapted Topic: Vulnerability management and assessment
19. An entity doing business on the internet most likely could use any of the following methods to prevent unauthorized intruders from accessing proprietary information except:
A. Password management. B. Data encryption. C. Digital certificates. D. Batch processing.
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Understand Difficulty: 2 Medium Learning Objective: 11-02 Understand the concepts of encryption and authentication. Source: CPA 2010 Examination, adapted Topic: Information security and systems integrity
20. When a client's accounts payable computer system was relocated, the administrator provided support through a dial-up connection to the server. Subsequently, the administrator left the company. No changes were made to the accounts payable system at that time. Which of the following situations represents the greatest security risk?
A. User passwords are not required to be in alphanumeric format. B. Management procedures for user accounts are not documented. C. User accounts are not removed upon termination of employees. D. Security logs are not periodically reviewed for violations.
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Understand Difficulty: 2 Medium Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques. Source: CPA 2010 Examination, adapted Topic: Vulnerability management and assessment
21. Which of the following statements presents an example of a general control for a computerized system?
A. Limiting entry of sales transactions to only valid credit customers. B. Creating hash totals from social security numbers for the weekly payroll. C. Restricting entry of accounts payable transactions to only authorized users. D. Restricting access to the computer center by use of biometric devices.
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Understand Difficulty: 2 Medium Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques. Source: CPA 2012 Examination, adapted Topic: Computer fraud and abuse
22. Which of the following outcomes is a likely benefit of information technology used for internal control?
A. Processing of unusual or nonrecurring transactions. B. Enhanced timeliness of information. C. Potential loss of data. D. Recording of unauthorized transactions.
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Understand Difficulty: 2 Medium Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques. Source: CPA 2010 Examination, adapted Topic: Computer fraud and abuse
23. In a large multinational organization, which of the following job responsibilities should be assigned to the network administrator?
A. Managing remote access. B. Developing application programs. C. Reviewing security policy. D. Installing operating system upgrades.
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Understand Difficulty: 2 Medium Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques. Source: CPA 2009 Examination, adapted Topic: Computer fraud and abuse
24. An information technology director collected the names and locations of key vendors, the current hardware configuration, names of team members, and an alternative processing location. What is the director most likely preparing?
A. Data restoration plan. B. Disaster recovery plan. C. System security policy. D. System hardware policy.
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Remember Difficulty: 1 Easy Learning Objective: 11-05 Explain issues in system availability; disaster recovery; and business continuity. Source: CPA 2009 Examination, adapted Topic: System availability, disaster recovery and business continuity
25. Bacchus, Inc. is a large multinational corporation with various business units around the world. After a fire destroyed the corporate headquarters and largest manufacturing site, plans for which of the following would help Bacchus ensure a timely recovery?
A. Daily backup. B. Network security. C. Business continuity. D. Backup power.
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Remember Difficulty: 1 Easy Learning Objective: 11-05 Explain issues in system availability; disaster recovery; and business continuity. Source: CPA 2009 Examination, adapted Topic: System availability, disaster recovery and business continuity
26. Which of the following statements regarding authentication in conducting e-business is incorrect?
A. It is a process that establishes the origin of information or determines the identity of a user, process, or device. B. One key is used for encryption and decryption purposes in the authentication process. C. Successful authentication can prevent repudiation in electronic transactions. D. We need to use asymmetric-key encryption to authenticate the sender of a document or data set.
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Understand Difficulty: 2 Medium Learning Objective: 11-01 Describe the risks related to information security and systems integrity. Source: Original Topic: Information security and systems integrity
27. Which of the following is not included in the remediation phase of vulnerability management?
A. Risk Response Plan B. Policy and procedures for remediation C. Vulnerability Prioritization D. Control Implementation
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Understand Difficulty: 2 Medium Learning Objective: 11-04 Define vulnerabilities; and explain how to manage and assess vulnerabilities. Source: Original Topic: Vulnerability management and assessment
28. Which of the following does not represent a viable data backup method?
A. Disaster recovery plan B. Redundant arrays of independent drives C. Virtualization D. Cloud computing
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Remember Difficulty: 1 Easy Learning Objective: 11-05 Explain issues in system availability; disaster recovery; and business continuity. Source: Original Topic: System availability, disaster recovery and business continuity
29. Which of the following statements about asymmetric-key encryption is correct?
A. When using the asymmetric-key encryption method, a total of two keys are necessary in electronic communication between two parties. B. Employees in the same company share the same public key. C. Most companies would like to manage the private keys for their employees. D. Most companies would like to use a Certificate Authority to manage the public keys of their employees. E. Two of the above are correct.
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Apply Difficulty: 3 Hard Learning Objective: 11-02 Understand the concepts of encryption and authentication. Source: Original Topic: Information security and systems integrity
30. Which of the following statements is incorrect?
A. A fraud prevention program starts with a fraud risk assessment across the entire firm. B. The audit committee typically has an oversight role in the risk assessment process. C. Communicating a firm's policy file to employees is one of the most important responsibilities of management. D. A fraud prevention program should include an evaluation of the efficiency of business processes.
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Understand Difficulty: 2 Medium Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques. Source: Original Topic: Computer fraud and abuse
31. A disaster recovery approach should include which of the following elements:
A. Encryption. B. Firewalls. C. Regular backups. D. Surge protectors.
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Remember Difficulty: 1 Easy Learning Objective: 11-05 Explain issues in system availability; disaster recovery; and business continuity. Source: Original Topic: System availability, disaster recovery and business continuity
32. Which of the following passwords would be most difficult to crack?
A. Go2Ca!ifornia4fun B. language C. ennyjenny D. pass56word
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Apply Difficulty: 3 Hard Learning Objective: 11-01 Describe the risks related to information security and systems integrity. Source: Original Topic: Information security and systems integrity
33. Which of the following is a password security weakness?
A. Users are assigned passwords when accounts are created, but do not change them. B. Users have accounts on several systems with different passwords. C. Users write down their passwords on note paper and carry it with them. D. Users select passwords that are not part of an online password dictionary.
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Understand Difficulty: 2 Medium Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques. Source: Original Topic: Computer fraud and abuse
34.
To prevent invalid data input, a bank added an extra number at the end of each account number and subjected the new number to an algorithm. This technique is known as:
A. A validation check.
B. Check digit verification.
C. A dependency check.
D. A format check.
Answer: B
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Remember Difficulty: 1 Easy Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques. Source: Original Topic: Computer fraud and abuse
35.
Which of the following security controls would best prevent unauthorized access to a firm's internal network?
A. Use of a screen saver with a password.
B. Use of a firewall.
C. Encryption of data files.
D. Automatic log-off of inactive users.
Answer: D
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Remember Difficulty: 1 Easy Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques. Source: Original Topic: Computer fraud and abuse
36.
Why does a Certificate Authority (CA) play an important role in a company's information security management?
A. Using a CA is required by SOX in managing information security.
B. Most companies use a CA to manage their employees' public keys.
C. A CA creates and maintains both the public and private keys for a company's employees.
D. None of the above is correct.
Answer: B
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Understand Difficulty: 2 Medium Learning Objective: 11-02 Understand the concepts of encryption and authentication. Source: Original Topic: Information security and systems integrity
37.
When computer programs or files can be accessed from terminals, users should be required to enter a(n)
A. Parity check.
B. Password as a personal identification code.
C. Check digit.
D. Echo check.
Answer: B
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Understand Difficulty: 2 Medium Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques. Source: Original Topic: Computer fraud and abuse
38.
Which of the following controls would most likely assure that a company can reconstruct its financial records?
A. Security controls such as firewalls.
B. Backup data are tested and stored safely.
C. Personnel understand the data very well.
D. Paper records.
Answer: B
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Understand Difficulty: 2 Medium Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques. Source: Original Topic: Computer fraud and abuse
39.
Why would companies want to use digital signatures when conducting e-business?
A. It is cheap.
B. It is always the same, so it can be verified easily.
C. It is more convenient than requiring a real signature.
D. It can authenticate the document sender and maintain data integrity.
Answer: D
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Understand Difficulty: 2 Medium Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques. Source: Original Topic: Computer fraud and abuse
40.
Select the correct statement regarding encryption methods.
A. To use symmetric-key encryption, each user needs two different keys.
B. Most companies prefer the symmetric-key encryption method to the asymmetric-key encryption method.
C. Both symmetric-key and asymmetric-key encryption methods require the involvement of a certificate authority.
D. When conducting e-business, most companies use both symmetric-key and asymmetric-key encryption methods.
Answer: D
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Understand Difficulty: 2 Medium Learning Objective: 11-02 Understand the concepts of encryption and authentication. Source: Original Topic: Information security and systems integrity
41.
A magnetic tape used to store data backups was lost while it was being transported to an offsite storage location. The data on the tape includes customers' credit card and personal information. Which preventive control(s) should have been used to minimize the potential loss?
The tape needs to be encrypted and password protected.
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Apply Difficulty: 3 Hard Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques. Source: Original Topic: Computer fraud and abuse
42.
List the following steps regarding computer fraud risk assessments in sequence.
(a) Assessing the likelihood and business impact of a control failure and/or a fraud incident.
(b) Mapping existing controls to potential fraud schemes and identifying gaps.
(c) Identifying potential IT fraud schemes and prioritizing them based on likelihood and impact.
(d) Identifying relevant IT fraud risk factors.
(e) Testing operating effectiveness of fraud prevention and detection controls.
d, c, b, e, a
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Apply Difficulty: 3 Hard Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques. Source: Original Topic: Computer fraud and abuse
43.
Describe the process of using asymmetric-key encryption to authenticate the trading partner involved in e-business.
To authenticate a trading partner (TP), the contact person (CP) of a company sends a challenge message to TP. TP uses her private key to encrypt the challenge message and sends it to CP. If CP is able to use TP's public key to decrypt it and get the plaintext of the challenge message, CP has authenticated TP successfully.
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Apply Difficulty: 3 Hard Learning Objective: 11-02 Understand the concepts of encryption and authentication. Source: Original Topic: Information security and systems integrity
44.
What are the two prerequisites for vulnerability management?
First, a firm should determine the main objectives of its vulnerability management. In some cases, the firm should determine which laws, regulations, and standards it must comply with. Second, a firm should assign roles and responsibilities for vulnerability management. Management may designate a team to be responsible for developing and implementing the vulnerability management program.
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Remember Difficulty: 1 Easy Learning Objective: 11-04 Define vulnerabilities; and explain how to manage and assess vulnerabilities. Source: Original Topic: Vulnerability management and assessment
45.
Describe the framework for vulnerability assessment and vulnerability management.
The components of vulnerability assessment include identification and risk assessment. Identification process: identifying all critical IT assets, threats and vulnerabilities. Risk assessment process: assessing vulnerabilities and prioritizing vulnerability issues. The components of vulnerability management include remediation and maintenance. Remediation process: making a risk response plan, preparing the policy and requirements for remediation, as well as control implementation. Maintenance: monitoring, ongoing assessment and continuous improvement.
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Understand Difficulty: 2 Medium Learning Objective: 11-04 Define vulnerabilities; and explain how to manage and assess vulnerabilities. Source: Original Topic: Vulnerability management and assessment
46.
What is included in disaster recovery planning and business continuity management? Are these concepts related?
Disaster recovery planning (DRP) must include a clearly defined and documented plan that covers key personnel, resources including IT infrastructure and applications, and the actions required to continue or resume the systems for critical business functions within planned levels of disruption. Business continuity management (BCM) includes the activities required to keep a firm running during a period of displacement or interruption of normal operations. DRP is a key component of BCM. BCM is broader than DRP and is concerned with the entire business processes rather than particular assets, such as IT infrastructure and applications.
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Understand Difficulty: 2 Medium Learning Objective: 11-05 Explain issues in system availability; disaster recovery; and business continuity. Source: Original Topic: System availability, disaster recovery and business continuity
47.
What is a digital signature? How could a digital signature ensure data integrity when conducting e-business?
A digital signature is a message digest (MD) of a document (or data file) that is encrypted using the document creator's private key.
1) Both the sender (A) and receiver (B) use an asymmetric-key encryption method to authenticate each other.
2) Sender A makes a copy of the document and uses SHA-256 to hash the copy and get an MD.
3) Sender A encrypts the MD using Sender A's private key to get Sender A's digital signature.
4) Sender A uses Receiver B's public key to encrypt the original document and Sender A's digital signature (for confidentiality).
5) Sender A sends the encrypted package to Receiver B.
6) Receiver B receives the package and decrypts it using Receiver B's private key. Receiver B now has the document and Sender A's digital signature.
7) Receiver B decrypts Sender A's digital signature using Sender A's public key to get the sent-over MD. Receiver B also authenticates that Sender A is the document creator.
8) Receiver B makes a copy of the received document and uses SHA-256 to hash the copy and get a calculated MD.
9) If the sent-over MD is the same as the calculated MD, Receiver B has ensured data integrity.
AACSB: Reflective Thinking AICPA BB: Industry AICPA FN: Decision Making Blooms: Understand Difficulty: 2 Medium Learning Objective: 11-02 Understand the concepts of encryption and authentication. Source: Original Topic: Information security and systems integrity
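A runnable model of the signing and verification steps in the answer above (steps 2, 3, 7, 8 and 9) and of the challenge-response exchange in question 43, added here as an illustration rather than taken from the textbook. It uses Go's standard-library RSA and SHA-256 with a constructed sample document, and leaves out the confidentiality wrapping of steps 4 to 6 so that only the integrity and sender-authentication checks are shown.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewKey generates one party's RSA key pair; the public half is key.PublicKey.
func NewKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Sign hashes the document with SHA-256 (step 2) and encrypts the digest with the
// sender's private key (step 3). PKCS#1 v1.5 is the padded form of that operation.
func Sign(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	md := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, md[:])
}

// Verify recomputes the digest over the received copy (step 8) and compares it with
// the digest recovered from the signature using the sender's public key (steps 7, 9).
func Verify(pub *rsa.PublicKey, doc, sig []byte) bool {
	md := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, md[:], sig) == nil
}

// ChallengeResponse is the question 43 exchange: CP draws a random challenge, TP
// signs it with her private key, and CP checks the response with TP's public key.
func ChallengeResponse(tp *rsa.PrivateKey, tpPub *rsa.PublicKey) (bool, error) {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false, err
	}
	resp, err := Sign(tp, challenge)
	if err != nil {
		return false, err
	}
	return Verify(tpPub, challenge, resp), nil
}

func main() {
	senderA, _ := NewKey()
	doc := []byte("Purchase order 1001: 40 units at $12.50") // constructed sample
	sig, _ := Sign(senderA, doc)
	fmt.Println("intact document verifies:", Verify(&senderA.PublicKey, doc, sig))
	tampered := []byte("Purchase order 1001: 400 units at $12.50") // one digit altered
	fmt.Println("tampered document verifies:", Verify(&senderA.PublicKey, tampered, sig))
	ok, _ := ChallengeResponse(senderA, &senderA.PublicKey)
	fmt.Println("trading partner authenticated:", ok)
}
```

Changing a single digit of the document changes its SHA-256 digest, so the signature no longer verifies; a signature checked with any other party's public key fails the same way.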