Chapter 4 -- IT Security Part II: Auditing Database Systems TRUE/FALSE 1. ANS: F 2. database. ANS: T
The database approach to data management is sometimes called the flat file approach. PTS: 1 The database management system provides a controlled environment for accessing the PTS: 1
3. To the user, data processing procedures for routine transactions, such as entering sales orders, appear to be identical in the database environment and in the traditional environment. ANS: T
PTS: 1
4. An important feature associated with the traditional approach to data management is the ability to produce ad hoc reports. ANS: F
PTS: 1
5. The data definition language is used to insert special database commands into application programs. ANS: F 6. ANS: F
PTS: 1 There is more than one conceptual view of the database. PTS: 1
7. In the database method of data management, access authority is maintained by systems programming. ANS: F 8. ANS: F 9. ANS: F 10. ANS: F 11. ANS: F
PTS: 1 The physical database is an abstract representation of the database. PTS: 1 A customer name and an unpaid balance is an example of a one-to-many relationship. PTS: 1 In the relational model, a data element is called a relation. PTS: 1 Subschemas are used to authorize user access privileges to specific data elements. PTS: 1
12. A recovery module suspends all data processing while the system reconciles its journal files against the database. ANS: F 13. ANS: F
PTS: 1 The database management system controls access to program files. PTS: 1
14. Examining programmer authority tables for information about who has access to Data Definition Language commands will provide evidence about who is responsible for creating subschemas. ANS: T
PTS: 1
15. Data normalization groups data attributes into tables in accordance with specific design objectives. ANS: T 16. ANS: F 17. ANS: T 18. ANS: F 19. ANS: T 20. ANS: F to data.
21.
ANS: T 22. ANS: F 23. ANS: T
PTS: 1 Under the database approach, data is viewed as proprietary or owned by users. PTS: 1 The data dictionary describes all of the data elements in the database. PTS: 1 A join builds a new table by creating links. PTS: 1 A deadlock is a phenomenon that prevents the processing of transactions. PTS: 1 Timestamping is a control that is used to ensure database partitioning. PTS: 1 A lockout is a software control that prevents multiple users from simultaneous access PTS: 1 An entity is any physical thing about which the organization wishes to capture data. PTS: 1 An ER diagram is a graphical representation of a data model. PTS: 1
24. The term occurrence is used to describe the number of attributes or fields pertaining to a specific entity.
ANS: F
PTS: 1
25. Cardinality describes the number of possible occurrences in one table that are associated with a single occurrence in a related table. ANS: T
PTS: 1
MULTIPLE CHOICE 1. a. b. c. d.
All of the following are basic data management tasks except data deletion data storage data attribution data retrieval
ANS: C a. b. c. d.
PTS: 1
2. The task of searching the database to locate a stored record for processing is called data deletion data storage data attribution data retrieval
ANS: D
PTS: 1
3. Which of the following is not a problem usually associated with the flat-file approach to data management? a. data redundancy b. restricting access to data to the primary user c. data storage d. currency of information ANS: B a. b. c. d.
PTS: 1
4. Which characteristic is associated with the database approach to data management? data sharing multiple storage procedures data redundancy excessive storage costs
ANS: A
PTS: 1
5. Which characteristic is not associated with the database approach to data management? a. the ability to process data without the help of a programmer b. the ability to control access to the data c. constant production of backups d. the inability to determine what data is available ANS: D
PTS: 1
6. The textbook refers to four interrelated components of the database concept. Which of the following is not one of the components? a. the database management system b. the database sdministrator c. the physical database d. the conceptual database ANS: D a. b. c. d.
7. Which of the following is not a responsibility of the database management system? provide an interface between the users and the physical database provide security against a natural disaster ensure that the internal schema and external schema are consistent authorize access to portions of the database
ANS: C a. b. c. d.
b.
PTS: 1
10. Users access the database by direct query by developing operating software by constantly interacting with systems programmers all of the above
ANS: A
a.
PTS: 1
9. Which of the following may provide many distinct views of the database? the schema the internal view the user view the conceptual view
ANS: C a. b. c. d.
PTS: 1
8. A description of the physical arrangement of records in the database is the internal view the conceptual view the subschema the external view
ANS: A a. b. c. d.
PTS: 1
PTS: 1
11. The data definition language identifies, for the database management system, the names and relationships of all data elements, records, and files that comprise the database inserts database commands into application programs to enable standard programs to interact with and manipulate the database
c. d.
permits users to process data in the database without the need for conventional programs describes every data element in the database
ANS: A a. b. c. d.
12. The data manipulation language defines the database to the database management system transfers data to the buffer area for manipulation enables application programs to interact with and manipulate the database describes every data element in the database
ANS: C a. b. c. d.
PTS: 1
16. Which term is not associated with the relational database model? tuple attribute collision relation
ANS: C
a. b. c. d.
PTS: 1
15. In a hierarchical model links between related records are implicit the way to access data is by following a predefined data path an owner (parent) record may own just one member (child) record a member (child) record may have more than one owner (parent)
ANS: B a. b. c. d.
PTS: 1
14. Which duty is not the responsibility of the database administrator? to develop and maintain the data dictionary to implement security controls to design application programs to design the subschema
ANS: C a. b. c. d.
PTS: 1
13. Which statement is not correct? A query language like SQL is written in a fourth-generation language requires user familiarity with COBOL allows users to retrieve and modify data reduces reliance on programmers
ANS: B a. b. c. d.
PTS: 1
PTS: 1
17. In the relational database model relationships are explicit the user perceives that files are linked using pointers data is represented on two-dimensional tables data is represented as a tree structure
ANS: C 18.
PTS: 1 In the relational database model all of the following are true except
a. b. c. d.
data is presented to users as tables data can be extracted from specified rows from specified tables a new table can be built by joining two tables only one-to-many relationships can be supported
ANS: D a. b. c. d.
19. In a relational database the user’s view of the physical database is the same as the physical database users perceive that they are manipulating a single table a virtual table exists in the form of rows and columns of a table stored on the disk a programming language (COBOL) is used to create a user’s view of the database
ANS: B
a. b. c. d.
b. c. d.
PTS: 1
20. Which of the following is not a common form of conceptual database model? hierarchical network sequential relational
ANS: C a.
PTS: 1
PTS: 1
21. Which statement is false? The DBMS is special software that is programmed to know which data elements each user is authorized to access. User programs send requests for data to the DBMS. During processing, the DBMS periodically makes backup copies of the physical database. The DBMS does not control access to the database.
ANS: D
PTS: 1
22. All of the following are elements of the DBMS which facilitate user access to the database except a. query language b. data access language c. data manipulation language d. data definition language ANS: B
PTS: 1
23. Which of the following is a level of the database that is defined by the data definition language? a. user view b. schema c. internal view d. all are levels or views of the database ANS: D a. b. c. d.
PTS: 1
24. An example of a distributed database is partitioned database centralized database networked database all are examples of distributed databases
ANS: A a. b. c. d.
PTS: 1
25. Data currency is preserved in a centralized database by partitioning the database using a lockout procedure replicating the database implementing concurrency controls
ANS: B
PTS: 1
26. Which procedure will prevent two end users from accessing the same data element at the same time? a. data redundancy b. data replication c. data lockout d. none of the above ANS: C a. b. c. d.
27. The advantages of a partitioned database include all of the following except user control is enhanced data transmission volume is increased response time is improved risk of destruction of entire database is reduced
ANS: B a. b. c. d.
PTS: 1
PTS: 1
28. A replicated database is appropriate when there is minimal data sharing among information processing units there exists a high degree of data sharing and no primary user there is no risk of the deadlock phenomenon most data sharing consists of read-write transactions
ANS: B
PTS: 1
29. What control maintains complete, current, and consistent data at all information processing units? a. deadlock control b. replication control c. concurrency control d. gateway control ANS: C
PTS: 1
a. b. c. d.
30. Data concurrency is a security issue in partitioned databases is implemented using timestamping may result in data lockout occurs when a deadlock is triggered
ANS: B
a. b. c. d.
31. All of the following are advantages of a partitioned database except increased user control by having the data stored locally deadlocks are eliminated transaction processing response time is improved partitioning can reduce losses in case of disaster
ANS: B a. b. c. d.
PTS: 1
34. In a direct access file system backups are created using the grandfather-father-son approach processing a transaction file against a maser file creates a backup file files are backed up immediately before an update run if the master file is destroyed, it cannot be reconstructed
ANS: C a. b. c. d.
PTS: 1
33. When creating and controlling backups for a sequential batch system, the number of backup versions retained depends on the amount of data in the file off-site backups are not required backup files can never be used for scratch files the more significant the data, the greater the number of backup versions
ANS: D
a. b. c. d.
PTS: 1
32. Which backup technique is most appropriate for sequential batch systems? grandparent-parent-child approach staggered backup approach direct backup remote site, intermittent backup
ANS: A a. b. c. d.
PTS: 1
PTS: 1
35. Which of the following is not an access control in a database system? antivirus software database authorization table passwords voice prints
ANS: A
36.
PTS: 1
Which of the following is not a basic database backup and recovery feature?
a. b. c. d.
checkpoint backup database transaction log database authority table
ANS: D
except a. b. c. d.
37.
PTS: 1 Audit objectives for the database management system include all of the following
verifying that the security group monitors and reports on fault tolerance violations confirming that backup procedures are adequate ensuring that authorized users access only those files they need to perform their duties verifying that unauthorized users cannot access data files
ANS: A
PTS: 1
38. All of the following tests of controls will provide evidence that access to the data files is limited except a. inspecting biometric controls b. reconciling program version numbers c. comparing job descriptions with access privileges stored in the authority table d. attempting to retrieve unauthorized data via inference queries ANS: B
a. b. c. d.
39. Which of the following is not a test of access controls? biometric controls encryption controls backup controls inference controls
ANS: C
a. b. c. d. e.
PTS: 1
PTS: 1
40. The database attributes that individual users have permission to access are defined in operating system. user manual. database schema. user view. application listing.
ANS: D
PTS: 1
SHORT ANSWER Use the following words to complete the sentences in questions 1 through 5. database administrator data redundancy query language sequential structure
data dictionary index sequential access method schema subschema
1. _________________________ occurs when a specific file is reproduced for each user who needs access to the file. ANS: data redundancy PTS: 1 2.
The conceptual view of the database is often called ____________________.
ANS: schema PTS: 1 3.
The ____________________ allows users to retrieve and modify data easily.
ANS: query language PTS: 1 4.
The __________________________ authorizes access to the database.
ANS: database administrator PTS: 1 5.
The __________________________ describes every data element in the database.
ANS: data dictionary PTS: 1 6.
How does the database approach solve the problem of data redundancy?
ANS: Data redundancy is not a problem with the database approach because individual data elements need to be stored only once yet be available to multiple users. PTS: 1 7. Describe two tests of controls that would provide evidence that the database management system is protected against unauthorized access attempts. ANS: compare job descriptions with authority tables; verify that database administration employees have exclusive responsibility for creating authority tables and designing user subschemas; evaluate biometric and inference controls PTS: 1 8.
What is a database authorization table?
ANS: The database authorization table contains rules that limit the actions a user can take. Each user is granted certain privileges that are coded in the authority table, which is used to verify the user’s action requests. PTS: 1 9.
What are two types of distributed databases?
ANS: Partitioned and replicated databases. PTS: 1 10.
Describe an environment in which a firm should use a partitioned database.
ANS: A partitioned database approach works best in organizations that require minimal data sharing among its information processing units and when a primary user of the data can be identified. PTS: 1 11.
Why are the hierarchical and network models called navigational databases?
ANS: These are called navigational models because traversing or searching them requires following a predefined path which is established through explicit linkages between related records. PTS: 1
12.
What is a database lockout?
ANS: To achieve data currency, simultaneous access to individual data elements by multiple sites needs to be prevented. The solution to this problem is to use a database lockout, which is a software control that prevents multiple simultaneous accesses to data. PTS: 1 13.
What is the partitioned database approach and what are its advantages?
ANS: The partitioned database approach splits the central database into segments or partitions that are distributed to their primary users. The advantages of this approach are: Storing data at local sites increases users’ control. Permitting local access to data and reducing the volume of data that must be transmitted between sites improves transaction processing response time. Partitioned databases can reduce the potential for disaster. By having data located at several sites, the loss of a single site cannot terminate all data processing by the organization. PTS: 1 14.
What is a replicated database and what are the advantages of this approach?
ANS: The entire database is replicated at each distributed site. Replicated databases are effective in companies where there exists a high degree of data sharing but no primary user. Since common data are replicated at each site, the data traffic between sites is reduced considerably. PTS: 1 15.
What is a legacy system?
ANS: Legacy systems are large mainframe systems that were implemented from the late 1960s through the 1980s. Organizations today still make extensive use of these systems. PTS: 1 16.
What is the flat-file model?
ANS: The flat-file model describes an environment in which individual data files are not related to other files. End users in this environment own their data files rather than share them with other users. PTS: 1
17.
What are the four primary elements of the database approach?
ANS: The users, the database management system, the database administrator, and the physical database structures. PTS: 1 18. ANS:
What types of problems does data redundancy cause? a. increased data storage because the same data is stored in multiple files b. increased data updating because changes must be made to multiple files c. problem of current data in some files, but not all files
PTS: 1 19. ANS:
What flat-file data management problems are solved as a result of using the database concept? a. no data redundancy b. single update of data c. current values for all user applications d. task-data independence.
PTS: 1 20. What are four ways in which database management systems provide a controlled environment to manage user access and the data resources? ANS: Program development, backup and recovery, database usage reporting, and database access. PTS: 1 21. Explain the relationship between the three levels of the data definition language. As a user, which level would you be most interested in? ANS: One level is the schema, which is the conceptual view of the data. The schema describes the entire database and it represents the database logically. The second level is the internal view, which is the physical arrangement of the records. At this level, the data records are described as well as linkages between files. The next level is the subschema, which is the external view of the database that specific users have authorization to use. This is also called the user view and is the level that users find of most interest. PTS: 1
22.
What is the internal view of a database?
ANS: The internal view of a database is the physical arrangement of the records. It describes the data structure, the linkages between files, and the physical arrangement of the records. PTS: 1
23.
What is DML?
ANS: DML is the proprietary database language that a particular DBMS uses to retrieve, process, and store data. PTS: 1 24.
What is a data dictionary, and what purpose does it serve?
ANS: The data dictionary describes every data element in the database. It enables all users (and programmers) to share a common view of the data resource, thus greatly facilitating the analysis of user needs. PTS: 1 25. Discuss and give an example of one-to-one, one-to-many, and many-to-many record associations. ANS:
A one-to-one association means that for every occurrence in record type X, either zero or one occurrence exists of record type Y. An example would be that for every student, only one social security number exists. A one-to-many association means that for every occurrence in record type X, either zero, one, or many occurrences exist of record type Y. An example would be buyers of assigned seating at concerts. Each potential buyer would leave the sales box office with zero, one, or many seats. A many-to-many association is a two-way relationship. For each occurrence of record types X and Y, zero, one, or many occurrences exist of record type Y and X, respectively. An example would be a student-professor relationship. Each student has multiple professors each semester, and each professor has multiple students each semester. PTS: 1
ESSAY 1.
What are the four elements of the database approach? Explain the role of each.
ANS: Users are the individuals in the organization who access the data in the database. This may happen via user programs or by direct query. The database management system is a set of programs that control access to the database and that manage the data resource through program development, backup and recovery functions, usage reporting, and access authorization.
The database administrator is a function (which may involve part of one individual’s duties or an entire department) which manages the database resources through database planning, design, implementation, operation and maintenance, and growth and change. The physical database is the only physical form that the database has. It is comprised of magnetic spots on magnetic media. PTS: 1 2.
Explain the three views of a database.
ANS: The unique internal view of the database is the physical arrangement of records which describes the structure of data records, the linkages between files, and the physical arrangement and sequence of records in the file. The unique conceptual view (or schema) represents the database logically and abstractly. The many user views (or subschema) define the portion of a database that an individual user is authorized to access. PTS: 1 3. Explain a database lockout and the deadlock phenomenon. Contrast that to concurrency control and the timestamping technique. Describe the importance of these items in relation to database integrity. ANS: In a centralized database, a lockout is used to ensure data currency. A lockout prevents simultaneous access to individual data elements by different information processing units (IPU). When one IPU requests access to a data element, a lock is put on the file, record, or element. No other IPU can access the file, record, or element until the lock is released. In a partitioned database, lockouts are also used to ensure data currency. It is possible, however, for multiple sites to place locks on records that results in a deadlock condition which prevents transactions from processing. All transactions are in a wait state until the locks are removed. A deadlock cannot be resolved without outside intervention from the user’s application, the DBMS, or the operating system. In a replicated database, a large volume of data flows between sites, and temporary inconsistencies in the database may occur. Concurrency control ensures that transactions executed at each IPU are accurately reflected in the databases of all other sites. A popular method for concurrency control is to timestamp transactions. Transactions that may be in conflict are assigned a system-wide timestamp. Then, the identified transactions are processed in timestamp order. Both database lockouts and concurrency controls are designed to ensure that the transactions are completely processed and that all transactions are accurately reflected in the firm’s databases. Failure to implement these controls can result in transactions being lost, being partially processed, or with inconsistent databases. PTS: 1 4. One purpose of a database system is the easy sharing of data. But this ease of sharing can also jeopardize security. Discuss at least three forms of access control designed to reduce this risk.
ANS: Many types of access control are possible. A user view is a subset of a database that limits a user’s view or access to the database. The database authorization table contains rules that limit what a user can do, i.e., read, insert, modify, delete. A user-defined procedure adds additional queries to user access to prevent others from accessing in a specific user’s place. To protect the data in a database, many systems use data encryption to make it unreadable by intruders. A newer technique uses biometric devices to authenticate users. PTS: 1
5. In a distributed data processing system, a database can be centralized or distributed. What are the options? Explain. ANS: In a distributed data processing system, a database can be centralized or distributed. When the database is centralized, the entire database is stored at a central site which processes requests from users at remote locations. Certain concerns arise when data processing is distributed. Questions arise with regard to data currency when multiple users have access to the database. Database lockout prevents more than one user from making changes at the same time. Distributed databases can be partitioned with parts stored at different sites, or replicated, with the entire database stored in multiple locations. When the database is partitioned, users have more control over data stored at local sites, transaction processing time is improved, and the potential of data loss is reduced. When the database is replicated, the entire database is stored at multiple locations. This works well when the primary use of the database is for querying. When transactions are processed at many sites, problems of database concurrency arise. PTS: 1
6. Ownership of data in traditional legacy systems often leads to data redundancy. This in turn leads to several data management problems. What are they? How does the database approach solve them? ANS: Data redundancy causes significant data management problems in three areas: data storage, data updating, and currency of information. Data storage is a problem because if multiple users need the data, it must be collected and stored multiple times at multiple costs. When multiple users hold the same information, changes must be updated in all locations or data inconsistency results. Failure to update all occurrence of a data item can affect the currency of the information. With a database system, these problems are solved. There is no data redundancy since a data item is stored only once. Hence changes require only a single update, thus leading to current value. PTS: 1 7.
What services are provided by a database management system?
ANS: Database management systems typically provide the following services: a. program development which permits both programmers and end users to create applications to access the database;
b. c.
backup and recovery is built in therefore reducing likelihood of data loss; database usage reporting captures statistics on what data is being used, by whom, when; and especially d. database access is provided to authorized users. PTS: 1 8. database.
Discuss the key factors to consider in determining how to partition a corporate
ANS: The partitioned approach works best for organizations that require minimal data sharing among users at remote sites. To the extent that remote users share common data, the problems associated with the centralized approach will apply. The primary user must now manage requests for data from other sites. Selecting the optimum host location for the partitions to minimize data access problems requires an indepth analysis of end-user data needs. PTS: 1 9.
Distinguish between a database lockout and a deadlock.
ANS: To achieve data currency, simultaneous access to individual data elements or records by multiple users needs to be prevented. The solution to this problem is a database lockout, which is a software control that prevents multiple simultaneous accesses to data. A deadlock occurs when multiple users seeking access to the same set of records lockout each other. As a result, the transactions of all users assume a wait state until the locks are removed. A deadlock is a permanent condition that must be resolved by special software that analyzes each deadlock condition to determine the best solution. PTS: 1 10. Replicated databases create considerable data redundancy, which is in conflict with the database concept. Explain the justification of this approach. ANS: The primary justification for a replicated database is to support read-only queries in situations involving a high degree of data sharing, but no primary user exists. With data replicated at every site, data access for query purposes is ensured, and lockouts and delays due to network traffic are minimized. A potential problem arises, however, when replicated databases need to be updated by transactions. Since each site processes only local transactions, the common data attributes that are replicated at each site will be updated by different transactions and thus, at any point in time, will have uniquely different values. System designers need to employ currency control techniques to ensure that transactions processed at different locations are accurately reflected in all the databases copies. PTS: 1 11. Contrast the navigational databases with relational databases. What is the primary advantage of the relational model? ANS: The most apparent difference between the relational model and navigational models is the way that data associations are represented to the user. In navigational models, data are represented in tree structures or network structures. The navigational database models have explicit links, called pointers, between records. Data are accessed using defined data paths. The relational model portrays data in the form of two-dimensional tables. Users do not perceive any
pointers linking the tables. At the conceptual level (logical view) and the external level (user’s view), data are represented only as tables. Relations between tables are formed by an attribute (data element) that is common to the tables. This attribute is a primary key in one table and a foreign key in the other. The relational model is more flexible than a navigational model. Users can obtain data from the database by using the primary key and a database query language. Typically users do not require assistance from programmers to obtain answers to ad hoc queries. PTS: 1