Chapter 8 Information Systems Controls For System Reliability Part 1: Information Security
1) The Trust Services Framework reliability principle that states that users must be able to enter, update,
and retrieve data during agreed-upon times is known as
A) availability.
B) security.
C) maintainability.
D) integrity.
Answer: A
Page Ref: 221
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic
2) Which of the following is not a useful control procedure to control access to system outputs?
A) Allowing visitors to move through the building without supervision
B) Coding reports to reflect their importance
C) Requiring employees to log out of applications when leaving their desk
D) Restricting access to rooms with printers
Answer: A
Page Ref: 229
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic
3) According to the Trust Services Framework, the reliability principle of integrity is achieved when the
system produces data that
A) is available for operation and use at times set forth by agreement.
B) is protected against unauthorized physical and logical access.
C) can be maintained as required without affecting system availability, security, and integrity.
D) is complete, accurate, and valid.
Answer: D
Page Ref: 221
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic
4) Which of the following is not one of the three fundamental information security concepts?
A) Information security is a technology issue based on prevention.
B) Security is a management issue, not a technology issue.
C) The idea of defense-in-depth employs multiple layers of controls.
D) The time-based model of security focuses on the relationship between preventive, detective and
corrective controls.
Answer: A
Page Ref: 222-224
Objective: Learning Objective 2
Difficulty : Easy
AACSB: Analytic
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
5) Which of the following is not one of the essential criteria for successfully implementing each of the
principles that contribute to systems reliability, as discussed in the Trust Services Framework?
A) Developing and documenting policies
B) Effectively communicating policies to all outsiders
C) Designing and employing appropriate control procedures to implement policies
D) Monitoring the system and taking corrective action to maintain compliance with policies
Answer: B
Page Ref: 223
Objective: Learning Objective 2
Difficulty : Easy
AACSB: Analytic
6) If the time an attacker takes to break through the organization's preventive controls is greater than the
sum of the time required to detect the attack and the time required to respond to the attack, then security
is
A) effective.
B) ineffective.
C) overdone.
D) undermanaged.
Answer: A
Page Ref: 224
Objective: Learning Objective 2
Difficulty : Moderate
AACSB: Analytic
7) Verifying the identity of the person or device attempting to access the system is
A) authentication.
B) authorization.
C) identification.
D) threat monitoring.
Answer: A
Page Ref: 226
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic
8) Restricting access of users to specific portions of the system, as well as to specific tasks, is
A) authentication.
B) authorization.
C) identification.
D) threat monitoring.
Answer: B
Page Ref: 228
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic
9) Which of the following is an example of a preventive control?
A) Encryption
B) Log analysis
C) Intrusion detection
D) Emergency response teams
Answer: A
Page Ref: 228
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic
13) Multi-factor authentication
A) involves the use of two or more basic authentication methods.
B) is a table specifying which portions of the systems users are permitted to access.
C) provides weaker authentication than the use of effective passwords.
D) requires the use of more than one effective password.
Answer: A
Page Ref: 228
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
15) Perimeter defense is an example of which of the following preventive controls that are necessary to
provide adequate security?
A) Training
B) Controlling physical access
C) Controlling remote access
D) Host and application hardening
Answer: C
Page Ref: 230
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic
16) Which of the following preventive controls are necessary to provide adequate security for social
engineering threats?
A) Controlling remote access
B) Encryption
C) Host and application hardening
D) Awareness training
Answer: D
Page Ref: 226
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic
17) A special purpose hardware device or software running on a general purpose computer, which filters
information that is allowed to enter and leave the organization's information system, is known as a(n)
A) demilitarized zone.
B) intrusion detection system.
C) intrusion prevention system.
D) firewall.
Answer: D
Page Ref: 230
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic
18) This protocol specifies the procedures for dividing files and documents into packets to be sent over
the Internet.
A) Access control list
B) Internet protocol
C) Packet switching protocol
D) Transmission control protocol
Answer: D
Page Ref: 231
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic
19) This protocol specifies the structure of packets sent over the internet and the route to get them to the
proper destination.
A) Access control list
B) Internet protocol
C) Packet switching protocol
D) Transmission control protocol
Answer: B
Page Ref: 231
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic
20) This network access control determines which IP packets are allowed entry to a network and which
are dropped.
A) Access control list
B) Deep packet inspection
C) Stateful packet filtering
D) Static packet filtering
Answer: A
Page Ref: 233
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
21) Compatibility tests utilize a(n) ________, which is a list of authorized users, programs, and data
files the users are authorized to access or manipulate.
A) validity test
B) biometric matrix
C) logical control matrix
D) access control matrix
Answer: D
Page Ref: 228
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic
22) The process that screens individual IP packets based solely on the contents of the source and/or
destination fields in the packet header is known as
A) access control list.
B) deep packet inspection.
C) stateful packet filtering.
D) static packet filtering.
Answer: D
Page Ref: 233
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
23) The process that maintains a table that lists all established connections between the organization's
computers and the Internet, to determine whether an incoming packet is part of an ongoing
communication initiated by an internal computer is known as
A) access control list.
B) deep packet inspection.
C) stateful packet filtering.
D) static packet filtering.
Answer: C
Page Ref: 233
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
24) The process that allows a firewall to be more effective by examining the data in the body of an IP
packet, instead of just the header, is known as
A) deep packet inspection.
B) stateful packet filtering.
C) static packet filtering.
D) an intrusion prevention system.
Answer: A
Page Ref: 233
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
25) The security technology that evaluates IP packet traffic patterns in order to identify attacks against a
system is known as
A) an intrusion prevention system.
B) stateful packet filtering.
C) static packet filtering.
D) deep packet inspection.
Answer: A
Page Ref: 234
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
26) This is used to identify rogue modems (or by hackers to identify targets).
A) War chalking
B) War dialing
C) War driving
D) none of the above
Answer: B
Page Ref: 235
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic
27) The process of turning off unnecessary features in the system is known as
A) deep packet inspection.
B) hardening.
C) intrusion detection.
D) war dialing.
Answer: B
Page Ref: 236
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic
29) This creates logs of network traffic that was permitted to pass the firewall.
A) Intrusion detection system
B) Log analysis
C) Penetration test
D) Vulnerability scan
Answer: A
Page Ref: 238
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
30) The process that uses automated tools to identify whether a system possesses any well-known
security problems is known as a(n)
A) intrusion detection system.
B) log analysis.
C) penetration test.
D) vulnerability scan.
Answer: D
Page Ref: 236
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
31) This is an authorized attempt by an internal audit team or an external security consultant to attempt
to break into the organization's information system.
A) Intrusion detection system
B) Log analysis
C) Penetration test
D) Vulnerability scan
Answer: C
Page Ref: 238
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
32) A well-known hacker started his own computer security consulting business shortly after being
released from prison. Many companies pay him to attempt to gain unauthorized access to their network.
If he is successful, he offers advice as to how to design and implement better controls. What is the name
of the testing for which the hacker is being paid?
A) Penetration test
B) Vulnerability scan
C) Deep packet inspection
D) Buffer overflow test
Answer: A
Page Ref: 238
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
33) The ________ disseminates information about fraud, errors, breaches and other improper system
uses and their consequences.
A) chief information officer
B) chief operations officer
C) chief security officer
D) computer emergency response team
Answer: C
Page Ref: 240
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
34) In 2007, a major U.S. financial institution hired a security firm to attempt to compromise its
computer network. A week later, the firm reported that it had successfully entered the system without
apparent detection and presented an analysis of the vulnerabilities that had been found. This is an
example of a
A) preventive control.
B) detective control.
C) corrective control.
D) standard control.
Answer: B
Page Ref: 238
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic
35) It was 9:08 A.M. when Jiao Jan, the Network Administrator for Folding Squid Technologies, was
informed that the intrusion detection system had identified an ongoing attempt to breach network
security. By the time that Jiao had identified and blocked the attack, the hacker had accessed and
downloaded several files from the company's server. Using the notation for the time-based model of
security, in this case
A) P > D
B) D > P
C) C > P
D) P > C
Answer: B
Page Ref: 224
Objective: Learning Objective 2
Difficulty : Difficult
AACSB: Analytic
36) Which of the following is commonly true of the default settings for most commercially available
wireless access points?
A) The security level is set at the factory and cannot be changed.
B) Wireless access points present little danger of vulnerability so security is not a concern.
C) Security is set to the lowest level that the device is capable of.
D) Security is set to the highest level that the device is capable of.
Answer: C
Page Ref: 235
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
37) In recent years, many of the attacks carried out by hackers have relied on this type of vulnerability in
computer software.
A) Code mastication
B) Boot sector corruption
C) Weak authentication
D) Buffer overflow
Answer: D
Page Ref: 236
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic
38) Meaningful Discussions is a social networking site that boasts over a million registered users and a
quarterly membership growth rate in the double digits. As a consequence, the size of the information
technology department has been growing very rapidly, with many new hires. Each employee is provided
with a name badge with a photo and embedded computer chip that is used to gain entry to the facility.
This is an example of a(an)
A) authentication control.
B) biometric device.
C) remote access control.
D) authorization control.
Answer: A
Page Ref: 226
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic
39) When new employees are hired by Folding Squid Technologies, they are assigned user names and
appropriate permissions are entered into the information system's access control matrix. This is an
example of a(an)
A) authentication control.
B) biometric device.
C) remote access control.
D) authorization control.
Answer: D
Page Ref: 228
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic
40) When new employees are hired by Folding Squid Technologies, they are assigned user names and
passwords and provided with laptop computers that have an integrated fingerprint reader. In order to log
in, the user's fingerprint must be recognized by the reader. This is an example of a(an)
A) authorization control.
B) biometric device.
C) remote access control.
D) defense in depth.
Answer: B
Page Ref: 227
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic
41) Information technology managers are often in a bind when a new exploit is discovered in the wild.
They can respond by updating the affected software or hardware with new code provided by the
manufacturer, which runs the risk that a flaw in the update will break the system. Or they can wait until
the new code has been extensively tested, but that runs the risk that they will be compromised by the
exploit during the testing period. Dealing with these issues is referred to as
A) change management.
B) hardening.
C) patch management.
D) defense in depth.
Answer: C
Page Ref: 240
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
42) Murray Snitzel called a meeting of the top management at Snitzel Capital Management. Number one
on the agenda was computer system security. "The risk of security breach incidents has become
unacceptable," he said, and turned to the Chief Information Officer. "This is your responsibility! What
do you intend to do?" Which of the following is the best answer?
A) Evaluate and modify the system using the Trust Services framework
B) Evaluate and modify the system using the COSO Internal Control Framework.
C) Evaluate and modify the system using the CTC checklist.
D) Evaluate and modify the system using COBOL.
Answer: A
Page Ref: 221
Objective: Learning Objective 1
Difficulty : Moderate
AACSB: Analytic
43) Which of the following is the most effective method of protecting against social engineering attacks
on a computer system?
A) stateful packet filtering
B) employee awareness training
C) a firewall
D) a demilitarized zone
Answer: B
Page Ref: 226
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
44) The most effective way to protect network resources, like email servers, that are outside of the
network and are exposed to the Internet is
A) stateful packet filtering.
B) employee training.
C) a firewall.
D) a demilitarized zone.
Answer: D
Page Ref: 230
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
45) All employees of E.C. Hoxy are required to pass through a gate and present their photo
identification cards to the guard before they are admitted. Entry to secure areas, such as the Information
Technology Department offices, requires further procedures. This is an example of a(an)
A) authentication control.
B) authorization control.
C) physical access control.
D) hardening procedure.
Answer: C
Page Ref: 229
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic
46) On February 14, 2008, students enrolled in an economics course at Swingline College received an
email stating that class would be cancelled. The email claimed to be from the professor, but it wasn't.
Computer forensic experts determined that the email was sent from a computer in one of the campus
labs at 9:14 A.M. They were then able to uniquely identify the computer that was used by means of its
network interface card's ________ address. Security cameras revealed the identity of the student
responsible for spoofing the class.
A) TCP/IP
B) MAC
C) DMZ
D) IDS
Answer: B
Page Ref: 228
Objective: Learning Objective 3
Difficulty : Difficult
AACSB: Analytic
47) There are "white hat" hackers and "black hat" hackers. Cowboy451 was one of the "black hat"
hackers. He had researched an exploit and determined that he could penetrate the target system,
download a file containing valuable data, and cover his tracks in eight minutes. Six minutes into the
attack he was locked out of the system. Using the notation of the time-based model of security, which of
the following must be true?
A) P < 6
B) D = 6
C) P = 6
D) P > 6
Answer: D
Page Ref: 224
Objective: Learning Objective 2
Difficulty : Difficult
AACSB: Analytic
48) Identify three ways users can be authenticated and give an example of each.
Answer: Users can be authenticated by verifying: 1. something they know (a password); 2. something they have (a smart card or ID badge); 3. something they are (biometric identification, such as a fingerprint).
Page Ref: 226
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
50) Explain social engineering.
Answer: Social engineering attacks use deception to obtain unauthorized access to information resources, for example an attacker who poses as a janitor or as a legitimate system user. Employees must be trained not to divulge passwords or other information about their accounts to anyone who contacts them and claims to be part of the organization's security team.
Page Ref: 226
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
52) Describe the function of a computer incident response team (CIRT) and the steps that a CIRT should
perform following a security incident.
Answer: A CIRT is responsible for dealing with major security incidents and breaches. The team should include technical specialists and senior operations management. In response to a security incident, first the CIRT must recognize that a problem exists. Log analysis and intrusion detection systems can be used to detect problems and alert the CIRT. Second, the problem must be contained, perhaps by shutting down a server or curtailing traffic on the network. Third, the CIRT must focus on recovery. Corrupt programs may need to be reinstalled and data restored from backups. Finally, the CIRT must follow up to discover how the incident occurred and to design corrective controls to prevent similar incidents in the future.
Page Ref: 239
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
Accounting Information Systems, 12e (Romney/Steinbart)
Chapter 9 Information Systems Controls for Systems Reliability Part 2: Confidentiality and Privacy
1) Concerning virtual private networks (VPN), which of the following is not true?
A) VPNs provide the functionality of a privately owned network using the Internet.
B) Using VPN software to encrypt information while it is in transit over the Internet in effect creates
private communication channels, often referred to as tunnels, which are accessible only to those parties
possessing the appropriate encryption and decryption keys.
C) The cost of the VPN software is much less than the cost of leasing or buying the infrastructure
(telephone lines, satellite links, communications equipment, etc.) needed to create a privately owned
secure communications network.
D) It is more expensive to reconfigure VPNs to include new sites than it is to add or remove the
corresponding physical connections in a privately owned network.
Answer: D
Page Ref: 264
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
3) The system and processes used to issue and manage asymmetric keys and digital certificates are
known as
A) asymmetric encryption.
B) certificate authority.
C) digital signature.
D) public key infrastructure.
Answer: D
Page Ref: 262
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
4) Which of the following describes one weakness of encryption?
A) Encrypted packets cannot be examined by a firewall.
B) Encryption protects the confidentiality of information while in storage.
C) Encryption protects the privacy of information during transmission.
D) Encryption provides for both authentication and non-repudiation.
Answer: A
Page Ref: 264
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
5) Using a combination of symmetric and asymmetric key encryption, Chris Kai sent a report to her home office in Syracuse, New York. She received an email acknowledgement that the document had been received and then, a few minutes later, she received a second email that indicated that the hash calculated from the report differed from that sent with the report. The most likely explanation for this result is that
A) the public key had been compromised.
B) the private key had been compromised.
C) the symmetric encryption key had been compromised.
D) the asymmetric encryption key had been compromised.
Answer: C
Page Ref: 261
Objective: Learning Objective 3
Difficulty : Difficult
AACSB: Analytic
6) Encryption has a remarkably long and varied history. The invention of writing was apparently soon
followed by a desire to conceal messages. One of the earliest methods, attributed to an ancient Roman
emperor, was the simple substitution of numbers for letters, for example A = 1, B = 2, etc. This is an
example of
A) a hashing algorithm.
B) symmetric key encryption.
C) asymmetric key encryption.
D) a public key.
Answer: B
Page Ref: 260
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
7) An electronic document that certifies the identity of the owner of a particular public key.
A) Asymmetric encryption
B) Digital certificate
C) Digital signature
D) Public key
Answer: B
Page Ref: 262
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
8) These systems use the same key to encrypt and to decrypt.
A) Asymmetric encryption
B) Hashing encryption
C) Public key encryption
D) Symmetric encryption
Answer: D
Page Ref: 260
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic
10) Information encrypted with the creator's private key that is used to authenticate the sender is
A) asymmetric encryption.
B) digital certificate.
C) digital signature.
D) public key.
Answer: C
Page Ref: 261
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
11) Which of the following is not one of the three important factors determining the strength of any
encryption system?
A) Key length
B) Key management policies
C) Encryption algorithm
D) Privacy
Answer: D
Page Ref: 259
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic
12) A process that takes plaintext of any length and transforms it into a short code.
A) Asymmetric encryption
B) Encryption
C) Hashing
D) Symmetric encryption
Answer: C
Page Ref: 260
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
13) Which of the following descriptions is not associated with symmetric encryption?
A) A shared secret key
B) Faster encryption
C) Lack of authentication
D) Separate keys for each communication party
Answer: C
Page Ref: 260
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
14) Encryption has a remarkably long and varied history. Spies have been using it to convey secret
messages ever since there were secret messages to convey. One powerful method of encryption uses
random digits. Two documents are prepared with the same random sequence of numbers. The spy is sent
out with one and the spy master retains the other. The digits are used as follows. Suppose that the word
to be encrypted is SPY and the random digits are 352. Then S becomes V (three letters after S), P
becomes U (five letters after P), and Y becomes A (two letters after Y, restarting at A after Z). The spy
would encrypt a message and then destroy the document used to encrypt it. This is an early example of
A) a hashing algorithm.
B) asymmetric key encryption.
C) symmetric key encryption.
D) public key encryption.
Answer: C
Page Ref: 260
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
16) In a private key system the sender and the receiver have ________, and in the public key system
they have ________.
A) different keys; the same key
B) a decrypting algorithm; an encrypting algorithm
C) the same key; two separate keys
D) an encrypting algorithm; a decrypting algorithm
Answer: C
Page Ref: 260
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic
17) Asymmetric key encryption combined with the information provided by a certificate authority
allows unique identification of
A) the user of encrypted data.
B) the provider of encrypted data.
C) both the user and the provider of encrypted data.
D) either the user or the provider of encrypted data.
Answer: D
Page Ref: 262
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
18) Which of the following is not one of the 10 internationally recognized best practices for protecting
the privacy of customers' personal information?
A) Providing free credit report monitoring for customers
B) Inform customers of the option to opt-out of data collection and use of their personal information
C) Allow customers' browsers to decline to accept cookies
D) Utilize controls to prevent unauthorized access to, and disclosure of, customers' information
Answer: A
Page Ref: 256-257
Objective: Learning Objective 2
Difficulty : Moderate
AACSB: Analytic
19) On March 3, 2008, a laptop computer belonging to Folding Squid Technology was stolen from the
trunk of Jiao Jan's car while he was attending a conference in Cleveland, Ohio. After reporting the theft,
Jiao considered the implications of the theft for the company's network security and concluded there was
nothing to worry about because
A) the computer was protected by a password.
B) the computer was insured against theft.
C) it was unlikely that the thief would know how to access the company data stored on the computer.
D) the data stored on the computer was encrypted.
Answer: D
Page Ref: 258
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic
20) Jeff Davis took a call from a client. "Jeff, I need to interact online and real time with our affiliate in
India, and I want to make sure that our communications aren't intercepted. What do you suggest?" Jeff
responded "The best solution will be to implement
A) a virtual private network."
B) a private cloud environment."
C) an asymmetric encryption system with digital signatures."
D) multifactor authentication."
Answer: A
Page Ref: 264
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
21) In developing policies related to personal information about customers, Folding Squid Technologies
adhered to the Trust Services framework. The standard applicable to these policies is
A) security.
B) confidentiality.
C) privacy.
D) availability.
Answer: C
Page Ref: 254
Objective: Learning Objective 2
Difficulty : Easy
AACSB: Analytic
22) Jeff Davis took a call from a client. "Jeff, I need for my customers to make payments online using
credit cards, but I want to make sure that the credit card data isn't intercepted. What do you suggest?"
Jeff responded "The best solution will be to implement
A) a virtual private network."
B) a private cloud environment."
C) an encryption system with digital signatures."
D) a data masking program."
Answer: C
Page Ref: 261
Objective: Learning Objective 2
Difficulty : Moderate
AACSB: Analytic
23) Describe some steps you can take to minimize your risk of identity theft.
Answer: Shred documents containing personal information. Never send personally identifying information in unencrypted email. Beware of email/phone/print requests to verify personal information that the requesting party should already possess. Do not carry your social security card with you. Print only your initials and last name on checks. Limit the amount of other information preprinted on checks. Do not use your mailbox for outgoing mail. Do not carry more than a few blank checks with you. Use special software to digitally clean any digital media prior to disposal. Monitor your credit cards regularly. File a police report as soon as you discover a purse or wallet missing. Make photocopies of your driver's license, passports and credit cards and keep them in a safe location. Immediately cancel any stolen or lost credit cards.
Page Ref: 256
Objective: Learning Objective 2
Difficulty : Moderate
AACSB: Analytic