Chapter 16
TRUE/FALSE
1. In a computerized environment, the audit trail log must be printed onto paper documents.
ANS: F
2. Disguising message packets to look as if they came from another user and to gain access to the host's network is called spooling.
ANS: F
3. Access controls take on increased importance in a computerized environment because all of the records may be found in one place.
ANS: T
4. Computer viruses usually spread throughout the system before being detected.
ANS: T
5. A worm is a software program that replicates itself in areas of idle memory until the system fails.
ANS: T
6. Viruses rarely attach themselves to executable files.
ANS: F
7. Subschemas are used to authorize user access privileges to specific data elements.
ANS: F
8. A recovery module suspends all data processing while the system reconciles its journal files against the database.
ANS: F
9. The Database Management System controls program files.
ANS: F
10. Operating system controls are of interest to system professionals but should not concern accountants and auditors.
ANS: F
11. The most frequent victims of program viruses are microcomputers.
ANS: T
12. Access controls protect databases against destruction, loss or misuse through unauthorized access.
ANS: T
13. Operating system integrity is not of concern to accountants because only hardware risks are involved.
ANS: F
14. Audit trails in computerized systems are comprised of two types of audit logs: detailed logs of individual keystrokes and event-oriented logs.
ANS: T
15. In a telecommunications environment, line errors can be detected by using an echo check.
ANS: T
16. Firewalls are special materials used to insulate computer facilities.
ANS: F
17. The message authentication code is calculated by the sender and the receiver of a data transmission.
ANS: T
18. The request-response technique should detect if a data communication transmission has been diverted.
ANS: T
19. Electronic data interchange translation software interfaces with the sending firm and the value added network.
ANS: F
20. A value added network can detect and reject transactions by unauthorized trading partners.
ANS: T
21. Electronic data interchange customers may be given access to the vendor's data files.
ANS: T
22. The audit trail for electronic data interchange transactions is stored on magnetic media.
ANS: T
23. A firewall is a hardware partition designed to protect networks from power surges.
ANS: F
24. To preserve audit trails in a CBIS environment, transaction logs are permanent records of transactions.
ANS: T
25. Examining programmer authority tables for information about who has access to Data Definition Language commands will provide evidence about who is responsible for creating subschemas.
ANS: T
MULTIPLE CHOICE
1. The operating system performs all of the following tasks except
a. translates third-generation languages into machine language
b. assigns memory to applications
c. authorizes user access
d. schedules job processing
ANS: C
2. Which of the following is considered an unintentional threat to the integrity of the operating system?
a. grandfather-father-son approach
b. staggered backup approach
c. direct backup
d. remote site, intermittent backup
ANS: A
7. When creating and controlling backups for a sequential batch system,
a. the number of backup versions retained depends on the amount of data in the file
b. off-site backups are not required
c. backup files can never be used for scratch files
d. the more significant the data, the greater the number of backup versions
ANS: D
8. Hackers can disguise their message packets to look as if they came from an authorized user and gain access to the host's network using a technique called
a. spoofing.
b. spooling.
c. dual-homed.
d. screening.
ANS: A
9. In a direct access file system
a. backups are created using the grandfather-father-son approach
b. processing a transaction file against a master file creates a backup file
c. files are backed up immediately before an update run
d. if the master file is destroyed, it cannot be reconstructed
ANS: C
10. Which of the following is not an access control in a database system?
a. antivirus software
b. database authorization table
c. passwords
d. voice prints
ANS: A
11. Which is not a biometric device?
a. password
b. retina prints
c. voice prints
d. signature characteristics
ANS: A
12. Which of the following is not a basic database backup and recovery feature?
a. checkpoint
b. backup database
c. transaction log
d. database authority table
ANS: D
13. All of the following are objectives of operating system control except
a. protecting the OS from users
b. protecting users from each other
c. protecting users from themselves
d. protecting the environment from users
ANS: D
14. Passwords are secret codes that users enter to gain access to systems. Security can be compromised by all of the following except
a. failure to change passwords on a regular basis
b. using obscure passwords unknown to others
c. recording passwords in obvious places
d. selecting passwords that can be easily detected by computer criminals
ANS: B
15. Audit trails cannot be used to
a. detect unauthorized access to systems
b. facilitate reconstruction of events
c. reduce the need for other forms of security
d. promote personal accountability
ANS: C
16. Which control will not reduce the likelihood of data loss due to a line error?
a. echo check
b. encryption
c. vertical parity bit
d. horizontal parity bit
ANS: B
17. Which method will render useless data captured by unauthorized receivers?
a. echo check
b. parity bit
c. public key encryption
d. message sequencing
ANS: C
18. Which method is most likely to detect unauthorized access to the system?
a. message transaction log
b. data encryption standard
c. vertical parity check
d. request-response technique
ANS: A
19. All of the following techniques are used to validate electronic data interchange transactions except
a. value added networks can compare passwords to a valid customer file before message transmission
b. prior to converting the message, the translation software of the receiving company can compare the password against a validation file in the firm's database
c. the recipient's application software can validate the password prior to processing
d. the recipient's application software can validate the password after the transaction has been processed
ANS: D
20. In an electronic data interchange environment, customers routinely access
a. the vendor's price list file
b. the vendor's accounts payable file
c. the vendor's open purchase order file
d. none of the above
ANS: A
21. All of the following tests of controls will provide evidence that adequate computer virus control techniques are in place and functioning except
a. verifying that only authorized software is used on company computers
b. reviewing system maintenance records
c. confirming that antivirus software is in use
d. examining the password policy including a review of the authority table
ANS: B
22. Audit objectives for the database management include all of the following except
a. verifying that the security group monitors and reports on fault tolerance violations
trading partner agreement against the access privileges stated in the database authority table, the auditor is testing which audit objective?
a. all EDI transactions are authorized
b. unauthorized trading partners cannot gain access to database records
c. authorized trading partners have access only to approved data
d. a complete audit trail is maintained
ANS: C
27. Audit objectives in the Electronic Data Interchange (EDI) environment include all of the following except
a. all EDI transactions are authorized
b. unauthorized trading partners cannot gain access to database records
c. a complete audit trail of EDI transactions is maintained
d. backup procedures are in place and functioning properly
ANS: D
28. In determining whether a system is adequately protected from attacks by computer viruses, all of the following policies are relevant except
a. the policy on the purchase of software only from reputable vendors
b. the policy that all software upgrades are checked for viruses before they are implemented
c. the policy that current versions of antivirus software should be available to all users
d. the policy that permits users to take files home to work on them
ANS: D
29. Which of the following is not a test of access controls?
a. biometric controls
b. encryption controls
c. backup controls
d. inference controls
ANS: C
30. In an electronic data interchange environment, customers routinely
a. access the vendor's accounts receivable file with read/write authority
b. access the vendor's price list file with read/write authority
c. access the vendor's inventory file with read-only authority
d. access the vendor's open purchase order file with read-only authority
ANS: C
31. In an electronic data interchange environment, the audit trail
a. is a printout of all incoming and outgoing transactions
b. is an electronic log of all transactions received, translated, and processed by the system
c. is a computer resource authority table
d. consists of pointers and indexes within the database
ANS: B
32. All of the following are designed to control exposures from subversive threats except
a. firewalls
b. one-time passwords
c. field interrogation
d. data encryption
ANS: C
33. Many techniques exist to reduce the likelihood and effects of data communication hardware failure. One of these is
a. hardware access procedures
encode and decode the message. In the Public Key Encryption approach all senders receive a copy of the key used to send messages; the receiver is the only one with access to the key to decode the message.
5. List three methods of controlling unauthorized access to telecommunication messages.
ANS:
call-back devices, data encryption, message sequence numbering, message authentication codes, message transaction logs, and request-response technique
6. Describe two ways that passwords are used to authorize and validate messages in the electronic data interchange environment.
ANS:
value-added networks use passwords to detect unauthorized transactions before they are transmitted to recipients; the recipient of the message can validate the password prior to translating the message; the recipient of the message can validate the password prior to processing the transaction
7. Explain how transactions are audited in an electronic data interchange environment.
ANS:
Firms using electronic data interchange maintain an electronic log of each transaction as it moves from receipt to translation to communication of the message. This transaction log restores the audit trail that was lost because no source documents exist. Verification of the entries in the log is part of the audit process.
security procedure asks a series of personal questions (such as the user's mother's maiden name), which only the legitimate user is likely to know.
15. What are biometric devices?
ANS:
Biometric devices measure various personal characteristics such as fingerprints, voiceprints, retina prints, or signature characteristics. These user characteristics are digitized and stored permanently in a database security file or on an identification card that the user carries. When an individual attempts to access the database, a special scanning device captures his or her biometric characteristics, which it compares with the profile data stored internally or on the ID card. If the data do not match, access is denied.
ESSAY
1. What are the three security objectives of audit trails? Explain.
ANS:
Audit trails support system security objectives in three ways. By detecting unauthorized access to the system, the audit trail protects the system from outsiders trying to breach system controls. By monitoring system performance, changes in the system may be detected. The audit trail can also contribute to reconstructing events such as system failures, security breaches, and processing errors. In addition, the ability to monitor user activity can support increased personal accountability.
2. What is an operating system? What does it do? What are operating system control objectives?
ANS:
4. There are many techniques for breaching operating system controls. Discuss three.
ANS:
Browsing involves searching through areas of main memory for password information.
Masquerading is a technique where a user is made to believe that he/she has accessed the operating system and therefore enters passwords, etc., that can later be used for unauthorized access.
A virus is a program that attaches itself to legitimate software to penetrate the operating system. Most are destructive.
A worm is software that replicates itself in memory.
A logic bomb is a destructive program triggered by some "logical" condition such as a matching date, e.g., Michelangelo's birthday.
5. A formal log-on procedure is the operating system's first line of defense. Explain how this works.
ANS:
When the user logs on, he or she is presented with a dialog box requesting the user's ID and password. The system compares the ID and password to a database of valid users. If the system finds a match, then the log-on attempt is authenticated. If, however, the password or ID is entered incorrectly, the log-on attempt fails and a message is returned to the user. The message should not reveal whether the password or the ID caused the failure. The system should allow the user to reenter the log-on information. After a specified number of attempts (usually no more than five), the system should lock out the user from the system.