Information Systems Control And Audit 1st Edition Ron Weber - Solutions
Briefly explain the difference between a strong-algorithm cryptosystem and a long-key cryptosystem. Why did the U.S. National Bureau of Standards choose a strong-algorithm cryptosystem for the data encryption standard?
Briefly explain the nature of public-key cryptography.
What functions must be carried out in cryptographic key management? Why is the evaluation of key management probably the most important aspect of evaluating an information system function's use of cryptography?
How does the architecture of a cryptographic facility affect the method used to install cryptographic keys?
What is meant by an access control? Why are access controls needed in most computer systems? Can you think of any computer systems that might purposely decrease the level of access control they exercise?
What functions should an access control mechanism perform? Give two components in a computer system in which auditors are likely to find an access control mechanism. Describe the types of resources the access control mechanism is likely to protect.
Distinguish between identification and authentication. Is there a relationship between the two? In setting up an authentication scheme, what would be the major factor(s) influencing you to choose personal characteristics in preference to possessed objects as a means of authentication?
Explain why authentication should be a two-way process: the access control mechanism authenticating itself and users authenticating themselves.
What are the three classes of authentication information? Give an example of each.
In the context of boundary-subsystem controls, what is a Trojan-horse threat?
Why is it important that object resources be identified uniquely in a computer system and that the identity of each object resource cannot be forged?
Which object resource typically has the most complex action privileges applying to its use? Briefly explain why this is the case.
Briefly explain the difference between conditional and unconditional action privileges. Give two examples of fields in an accounts receivable file where conditional action privileges might be required.
What is the difference between a discretionary access control policy and a mandatory access control policy? In commercial information systems environments, which type of access control policy is most likely to be used? Why?
Briefly explain the nature of the simple security property and the confinement property associated with access controls under a mandatory access control policy.
What is the difference between a closed access control environment and an open access control environment?
Briefly explain the difference between a "ticket-oriented approach" and a "list-oriented" approach to access authorization. Outline the relative advantages and disadvantages of each approach.
What is meant by a "protection domain"? Why are small protection domains desirable? What performance requirement does the implementation of small protection domains place on an access control mechanism? How are small protection domains related to the principle of least privilege?
Briefly explain the difference between derived PINs, random PINs, and customer-selected PINs. What are the relative advantages and disadvantages of each type of PIN?
How does the method of PIN issuance and delivery differ depending on the method used to generate PINs?
Briefly explain the nature of each of the following methods for eliciting PINs from customers:
a. Mail solicitation
b. Telephone solicitation
c. PIN entry via a secure terminal
d. PIN entry at the issuer's facility
Briefly explain the difference between local PIN validation and interchange PIN validation. Why is a PIN checkdigit useful when interchange PIN validation must be used?
Why is it important that a unique cipher be generated each time a PIN is transmitted over a communications line? How might this objective be accomplished?
When an encrypted PIN must be stored for reference purposes, why must it be stored as a function of the account number to which it applies? Briefly discuss the relative advantages of using reversible versus irreversible encryption for storing the PIN.
What is a digital signature? Why are digital signatures needed in data communication systems? How are digital signatures used to send signed, secret messages?
Why are arbitrated digital signature schemes sometimes needed?
In terms of the access control mechanism used in an electronic funds transfer system, what function does a plastic debit or credit card fulfil? Why should cards be issued only after a formal application has been received and approved?
Why must basic inventory control procedures be used over the stock of plastic cards? If cards are produced by an outside vendor, what can auditors do to obtain some assurance about the reliability of control procedures over cards?
Why should plastic cards and PIN mailers never be mailed at the same time to a customer? What is the purpose of using premailers prior to mailing a PIN or a card? What actions should be taken by the issuing institution when a card is returned because the customer's address is no longer current?
Why is customer education such a critical control in the use of plastic cards in an electronic funds transfer system?
Give four data items that might be recorded in the accounting audit trail and two items that might be recorded in the operations audit trail for the boundary subsystem. Briefly explain why these data items might be recorded.
Why are existence controls in the boundary subsystem often somewhat simpler than existence controls in other subsystems?
Which of the following is not a function of controls in the boundary subsystem?
a. To restrict the actions taken by users of computer resources to a set of authorized actions
b. To validate the identification information submitted by would-be users of a computer system
c. To establish the identity of
The person who designs a cryptosystem is called a:
a. Cryptographer
b. Cryptanalyst
c. Cryptologist
d. Cryptogenist
The type of cipher having the highest work factor is the:
a. Substitution cipher
b. Transposition cipher
c. Product cipher
d. Transcription cipher
Which of the following is not a desirable property of a cipher system?
a. Simplicity
b. Small key
c. Low error propagation
d. Low work factor
The DES is an example of a:
a. Short-key cipher system
b. Weak-algorithm cipher system
c. Long-key cipher system
d. Non-parity cipher system
A public-key cryptosystem uses:
a. Two public keys
b. A private key and a public key
c. Two private keys and a public key
d. Two public keys and a private key
The class of authentication information to which a password belongs is:
a. Possessed objects
b. Personal information
c. Remembered information
d. Dialog information
Trojan-horse threats arise in the boundary subsystem when:
a. Users do not change their passwords frequently
b. It is difficult to guarantee the authenticity of object resources requested by users
c. A mandatory access control policy is enforced
d. Personal characteristics are used as a means of
The most complex action privileges relate to:
a. Hardware resources
b. Commodity resources
c. Software resources
d. Data resources
Which of the following statements about a mandatory access control policy is true?
a. It is less likely to be used in a business-systems environment than a discretionary access control policy
b. Users can change their clearance levels but not their classification levels
c. Compared with a
If an access control mechanism is implemented in an open environment, it allows users to access a resource:
a. Unless authorization information specifies users cannot access the resource
b. Only if authorization information specifies users can access the resource
c. Without having to supply
Which of the following statements applies to a capability-based approach to authorization?
a. The mechanism associates with each resource a list of users who can access the resource together with the action privileges that each user has with respect to the resource
b. The mechanism assigns
Relative to the ticket-oriented approach to authorization, the primary advantage of the list-oriented approach to authorization is that:
a. It allows efficient administration of capabilities
b. It is efficient during process execution
c. Access control lists can be stored on some type of fast memory
To be able to implement the principle of least privilege effectively, it is necessary to have:
a. A ticket-oriented approach to authorization
b. Small protection domains
c. A list-oriented approach to authorization
d. An open environment as the basis of granting access privileges
The primary advantage of a derived PIN is:
a. It is easy to remember
b. It does not have to be stored so preserving privacy is easier
c. Lost or forgotten PINs can be replaced without having to change the account number
d. Changing the cryptographic key has no implications for existing PINs
Which of the following methods of obtaining customer-selected PINs does not require the cryptographic generation of a reference number to initially associate the PIN with the customer's account number?
a. PIN entry via a secure terminal
b. Telephone solicitation
c. PIN entry at the issuer's facility
d.
Which of the following methods of validating PINs seems to result in the fewest control problems?
a. Allow only a small number of PIN entry attempts, close the account after the limit has been reached, and retain the card
b. Allow a reasonable number of PIN entry attempts, close the account after the
If interchange PIN validation is used in an EFTS, a fundamental principle is:
a. The PIN should always be validated by the card acquiring institution
b. The acquiring institution should encrypt the entered PIN under the issuer's key and not its own key
c. The PIN should always be validated by the card
Which of the following controls applies to PIN transmission?
a. The cipher generated must be unique for each transmission of the PIN
b. The PIN must always be encrypted under the issuer's key
c. Different PINs must never generate the same ciphertext for transmission
d. The PIN checkdigit should not be
When a PIN must be stored for reference purposes, it must be stored in:
a. Cleartext form in case the PIN has to be reissued at some stage because the customer has forgotten their PIN
b. Ciphertext form produced only from a reversible encryption algorithm
c. Ciphertext form produced only from an
To send a signed message to a receiver when a public-key cryptosystem is used, the sender encrypts the message under the:
a. Sender's private key
b. Receiver's public key
c. Sender's public key
d. Receiver's private key
An arbitrator is used in a digital signature system to prevent:
a. The receiver disavowing that they received the message
b. The sender disavowing the message by making their private key public and claiming that the message was forged
c. Collusion between the sender and the receiver
d. The receiver
Which of the following situations is likely to lead to the most serious exposures in a digital signature system?
a. Compromise of a receiver's private key
b. Compromise of a sender's private key
c. Compromise of a key server's private key
d. Use of a fake public key
Which of the following actions should not be undertaken when plastic debit/credit cards are issued?
a. Mail the cards in an envelope that does not identify the name of the issuing institution
b. Make two different groups responsible for the mailing of cards and the investigation of returned cards
c.
The "best" control that can be exercised over card use by the customer is:
a. High customer penalties if careless use leads to a fraud using the card
b. Education of the customer as to the importance of card security
c. Limiting the amount of money that can be withdrawn or charged to an account using
Which of the following events is not recorded on a public audit trail in a digital signature system?
a. Registration of public keys
b. Registration of signatures
c. Notification of key compromises
d. Modifications to private keys
You are the manager of the internal audit of a savings and loan association that has decided to install a bill payment by telephone system for its customers. The system will allow customers to telephone a number to enter the system, record bill payment transactions they wish to make within the next
Global Airways is a major airline company based in Los Angeles. It has a computer system dedicated to reservations and ticketing operations. More than 1,000 terminals scattered throughout the United States are connected to the mainframe computer in the company's head office. You are a member of the
First International Bankco of Illinois is a large Chicago-based bank. As the manager of internal audit, you are called one day to a meeting with the controller. He is concerned about the operation of the bank's ATMs. Several major problems have arisen with customers' use of the ATMs. In particular,
The following situation happened to a friend of mine. One weekend she was leaving to go to a beach resort with her husband. Because she was short of money, she asked her husband to stop at an ATM belonging to a building society so she could withdraw money from her account. When she arrived at the
Monash Manufacturing Limited (MML) is a large, Melbourne-based manufacturer and retailer of pipes and pipe fittings. For some time it has had electronic-data-interchange (EDI) links with all its major suppliers and a good number of its smaller suppliers. The EDI system has been used in a fairly
From an audit perspective, why are controls over the input subsystem critical?
Briefly distinguish between direct entry of input data and medium-based entry of input data. Why must auditors understand the different types of methods used to input data into an application system?
What impact can the following source document design decisions have on the level of data integrity achieved in an application system?
a. Choice of the medium to be used
b. Choice of the layout to be used
From a control perspective, briefly explain the importance of each of the following source document design guidelines for layout and style:
a. Arrange fields for ease of use during data capture
b. Where possible, use tick marks to identify field-size errors
c. Prenumber source documents
d. Combine
What is the primary factor affecting the design of data-entry screens? Explain why this factor is important. How, for example, does it affect the organization of a screen?
Briefly explain the design guidelines that apply to captions in terms of:
a. Structure and size
b. Type font and display intensity
c. Format
d. Alignment
e. Justification
f. Spacing
What techniques can be used to indicate the size of a field on a data-entry screen?
From a data integrity perspective, why is it desirable to have a data-entry operator always tab to a new field on a data-entry screen rather than having the cursor automatically skip to a new field when the previous field is full?
Briefly explain the advantages of using color in the design of data-entry screens. What design guidelines apply to:
a. The number of colors that should be used
b. The spacing of colors on the visual spectrum
c. The choice of bright colors versus muted colors
Distinguish between the response time and the display rate for a data-entry screen. How does the use of a dedicated source document in data-entry screen design affect the display rate and response time that must be achieved?
If data-entry screen design is based upon a dedicated source document, how useful is a Help facility likely to be?
What attributes of a data code affect the likelihood of a recording error being made by a user of the code? Briefly outline some strategies to reduce error rates that occur with data codes.
Distinguish between the following types of data coding errors:
a. Truncation and transcription
b. Transposition and double transposition
List the four types of data codes (serial, block sequence, hierarchical, and association) in increasing order of:
a. Mnemonic value
b. Compactness
c. Flexibility for expansion
What is a check digit? Calculate the check digit for the number 82942 using the weights \(1-2-1-2-1\) and modulus 10. Show, also, that the check digit you have calculated is correct.
Briefly describe three solutions to the problem of having a check digit result that is greater than one digit, that is, a check digit that is greater than 9. Point out any disadvantages to the solutions you suggest.
Briefly discuss the distinction between a physical batch and a logical batch. Are there any differences between the controls that can be exercised over physical and logical batches?
Briefly explain the difference between the following types of batch control totals:
a. Document count
b. Hash total
c. Financial total
List four types of information typically placed on a batch cover sheet. Briefly explain the purpose of each piece of information you list for the overall control of the batch.
Without giving examples, briefly explain the nature of the following types of data input validation checks:
a. Field checks
b. Record checks
c. Batch checks
d. File checks
Distinguish between a range check and a reasonableness check. Why is a reasonableness check not a field-level check?
Why is the check for a valid sign on a numeric field not a field-level check?
Why is correcting errors based on cross-screen validation of input data sometimes difficult?
How might the timing of reporting input errors differ between a direct-entry screen and a screen based on a dedicated source document?
Give three design guidelines for reporting of data input errors.
Are novice users of an application system more likely to make errors entering instructions via a menu-driven language or a question-answer dialog? Briefly explain your answer.
Why does it seem better to use a command language with a small number of commands and a large number of arguments? How can errors in the specification of arguments then be reduced?
What is the major limitation of using a forms-based language as a means of entering instructions to an application system?
Briefly explain the limitations of natural-language interfaces to an application system with respect to:
a. Ambiguity of commands
b. Establishing the lexicon
c. Ambiguity in responses
d. Changes to the database definition
What is meant by a direct manipulation interface? What is the major advantage of using a direct manipulation interface as a means of providing instruction input to an application system?
Briefly explain the nature of lexical validation of instruction input. How does the lexical analyzer handle:
a. Identifiers
b. Terminals
c. Literals
Briefly explain the nature of semantic validation during instruction input. What factors govern the quality of semantic validation during instruction input?
Give five items that might be captured on the accounting audit trail in relation to data input in the input subsystem.
Why is the operations audit trail for the input subsystem an important resource in improving the effectiveness and efficiency of an application system?
Existence controls for instruction input are often less critical than existence controls for data input. Briefly explain.
What is the primary role of quality assurance management as it operates within the information systems function?
Give three reasons why the QA function has emerged in organizations.