Exam 11: Computer Crime and Information Technology Security
The CoBIT framework can be used to strengthen internal controls against computer crime in various ways. Indicate whether each statement below is (a) always true, (b) sometimes true or (c) never true.
a. As a form of internal control, each step of the systems development life cycle focuses on one of CoBIT's information criteria.
b. CoBIT can be used in conjunction with the COSO internal control framework to identify appropriate control activities.
c. CoBIT provides standards for evaluating information inputs and outputs that can help strengthen internal control.
d. The board of directors, as part of the CoBIT accountability framework, helps create a strong environment that values internal control and risk management.
e. The COSO enterprise risk management framework requires the use of CoBIT to identify risks.
(Short Answer)
Correct Answer:
a. never true
b. always true
c. always true
d. sometimes true
e. never true
At HCK Corporation, only employees in the information systems department can install new software on a computer. Which type of security control best describes that practice?
(Multiple Choice)
Correct Answer:
C
In each statement that follows, circle the business risk or threat that most clearly applies based on the list provided in the text.
A. Disclosure of confidential information or intrusion: Employee data are made available on the Internet.
B. DOS attacks or extortion: Prevent computer systems from functioning in accordance with their intended purpose.
C. Error or web site defacement: Digital graffiti.
D. Fraud or error: Losses can vary widely depending on where the problem originated.
E. Information theft or information manipulation: An employee creates fake refunds to benefit a family member.
F. Intrusion or extortion: Main objective is to gain access to a network.
G. Intrusion or service interruption: Classified as accidental, willful neglect or malicious behavior.
H. Malicious software or information theft: Logic bombs, replicating worms, Trojan horses.
I. Service interruption or disclosure of confidential information: Can lead to missed deadlines for receivables or payables.
J. Web site defacement or extortion: Criminal contacts an organization after successfully stealing information.
(Essay)
Correct Answer:
a. disclosure of confidential information
b. DOS attacks
c. web site defacement
d. error
e. information manipulation
f. intrusion
g. service interruption
h. malicious software
i. service interruption
j. extortion
Consider the following examples of computer crime as you answer the next question:
i. Social Security numbers are stolen from a company's database.
ii. A fraudster uses a computer to identify people over the age of 80 with annual incomes of $250,000 or more.
iii. A supervisor receives threats from a worker via e-mail; the worker demands promotion as a condition of not exposing the supervisor's illegal acts.
iv. An unhappy customer launches a denial-of-service attack.
Which of the following pairs an item from the list with an appropriate description of a business risk?
(Multiple Choice)
Consider the following examples of computer crime as you answer the next question:
i. Social Security numbers are stolen from a company's database.
ii. A fraudster uses a computer to identify people over the age of 80 with annual incomes of $250,000 or more.
iii. An employee receives threats from a co-worker via e-mail.
iv. An unhappy customer launches a denial-of-service attack.
Carter's taxonomy of computer crime comprises four categories. Which of the following statements is most true?
(Multiple Choice)
Information technology controls can be classified as physical, technical or administrative. Consider each independent situation below; suggest one control from the indicated classification that would address (prevent / detect / correct) the risk.
a) A bank's customer database is hacked. Administrative: _____________________________________________
b) A careless employee spills coffee on a network server. Physical: _____________________________________________
c) A corporation's sales data are manipulated by a member of the sales staff. Technical: _____________________________________________
d) A former employee introduces a logic bomb to a company's payroll system. Administrative: _____________________________________________
e) A political candidate's web site is defaced. Technical: _____________________________________________
f) A senior citizen sends money to a fake religious organization based on a fraudulent e-mail. Administrative: _____________________________________________
g) A waitress steals a customer's credit card number. Physical: _____________________________________________
h) An employee uses work time to shop online using the company's computer. Administrative: _____________________________________________
i) Corporate spies steal research and development information. Technical: _____________________________________________
j) Fake compromising photos of a corporate CEO are posted to a social networking site. Technical: _____________________________________________
Correct Answer:
a. regular security audits
b. encase the server in a cabinet
c. system access log
d. policy to remove employees from the system when they leave the company
e. password rotation
f. security training
g. customers pay at the register
h. appropriate use poli
(Essay)
A bank's information system was hacked in an effort to obtain clients' personal financial information. Which category of computer crime best describes that situation?
(Multiple Choice)
Organized crime and hackers are most likely to be included in which element of an enterprise risk management plan based on the COSO framework?
(Multiple Choice)
Consider the following examples of computer crime as you answer the next question:
i. Social Security numbers are stolen from a company's database.
ii. A fraudster uses a computer to identify people over the age of 80 with annual incomes of $250,000 or more.
iii. An employee receives threats from a co-worker via e-mail.
iv. An unhappy customer launches a denial-of-service attack.
Carter's taxonomy of computer crime comprises four categories. Which of the following pairs includes items from different categories?
(Multiple Choice)
Consider the following short case as you respond to the next question: Melissa is an internal auditor for the County of Bufflufia. Her job responsibilities include providing training on information systems security and checking the work of data entry clerks. Melissa is also part of a team that responds to denial-of-service attacks on the county's information system. Her co-worker, Eugene, ensures that all the county's computers have the most up-to-date antivirus software; he also enforces the county's policy of backing up sensitive data, such as employee social security numbers and other payroll information, at least once a day. The back-ups are dated and stored in a locked filing cabinet.
Which employee has responsibilities related to technical security controls?
(Multiple Choice)
Randall works in the information security department of RDN Corporation; Felix is on the board of directors of RDN. Which of the following statements is most true?
(Multiple Choice)
Consider the following list as you respond to the next question:
i. An individual broke into a retail store's information system, stealing sensitive employee information.
ii. A flaw in a computer's operating system allowed a competitor to steal information about new products.
iii. A thief sat outside a bank, capturing clients' information as they used the ATM. The thief later sold that information to a gang.
iv. A group of criminals in three different countries sent fraudulent e-mails to individuals in a fourth country in an effort to defraud them.
Which of the following statements is most true?
(Multiple Choice)
Fill in the blanks below with appropriate terminology from CoBIT.
A. ______ auditors exchange information with one another to maintain strong corporate and IT governance.
B. ______ is directly responsible for choosing a public accounting firm to do external audits.
C. _______ holds IT and information security management accountable for value delivery, an element of IT governance.
D. __________ should provide information about risk management, an element of IT governance, to the board of directors.
E. Information about internal control flows two ways between the audit committee and ______.
F. Internal auditors exchange various kinds of information with corporate employees in ______.
G. Stakeholders rely on _____ for assurance about various forms of control.
H. The board of directors provides information about _____ to shareholders and employees.
I. Through the ___, external auditors interact with the corporate board of directors.
J. Ultimately, ____ hold the board of directors accountable with respect to corporate governance.
Correct Answer:
a. internal and external
b. the audit committee
c. the board of directors
d. information technology and information security management
e. external auditors
f. information technology and information security management
g. external auditors
h. financial a
(Essay)
Consider the following examples of computer crime as you answer the next question:
i. Social Security numbers are stolen from a company's database.
ii. A fraudster uses a computer to identify people over the age of 80 with annual incomes of $250,000 or more.
iii. A supervisor receives threats from a worker via e-mail; the worker demands promotion as a condition of not exposing the supervisor's illegal acts.
iv. An unhappy customer launches a denial-of-service attack.
Which two items represent the same category of risk from the list discussed in the chapter?
(Multiple Choice)
A denial-of-service attack prevents computer systems from functioning in accordance with their intended purpose. Thus, a denial-of-service attack is most closely related to which information criterion from the CoBIT framework?
(Multiple Choice)
Consider the following short case as you respond to the next question: Melissa is an internal auditor for the County of Bufflufia. Her job responsibilities include providing training on information systems security and checking the work of data entry clerks. Melissa is also part of a team that responds to denial-of-service attacks on the county's information system. Her co-worker, Eugene, ensures that all the county's computers have the most up-to-date antivirus software; he also enforces the county's policy of backing up sensitive data, such as employee social security numbers and other payroll information, at least once a day. The back-ups are dated and stored in a locked filing cabinet.
Melissa's responsibilities relate to which elements of the CIA triad?
(Multiple Choice)
CoBIT can be used to strengthen internal controls against computer crime by:
(Multiple Choice)
The difference between "error" and "information manipulation" as business risks associated with information technology is:
(Multiple Choice)