Exam 8: Controlling Information Systems: Introduction to Pervasive Controls


Combining the functions of authorizing and executing events is a violation of the organizational control plan known as segregation of duties.

(True/False)

Correct Answer: True

Which of the following is not one of COBIT's four broad IT control process domains?

(Multiple Choice)

Correct Answer: C

Forced vacations is a policy of requiring an employee to take leave from the job and substituting another employee in his or her place.

(True/False)

Correct Answer: True

As an IT resource, applications are automated systems and manual procedures that process information.

(True/False)

The operations run manual describes user procedures for an application and assists the user in preparing inputs and using outputs.

(True/False)

The information systems function ______________________________ provides efficient and effective operation of the computer equipment by performing tasks such as mounting tapes, disks, and other media and monitoring equipment operation.

(Short Answer)

The functions of the security officer commonly include assigning passwords and working with human resources to ensure proper interview practices are conducted during the hiring process.

(True/False)

All of the following are components of a backup and recovery strategy except:

(Multiple Choice)

In an information systems organization structure, the three functions that might logically report directly to the CIO would be:

(Multiple Choice)

A small organization that does not have enough personnel to adequately segregate duties must rely on alternative controls, commonly called resource controls.

(True/False)

Which of the following controls restrict access to programs, data, and documentation?

(Multiple Choice)

The disaster recovery strategy known as a(n) ____________________ is a fully equipped data center that is made available on a standby basis to client companies for a monthly subscriber's fee.

(Short Answer)

An intrusion-detection system (IDS) logs and monitors who is on or trying to access the network.

(True/False)

Protecting resources against environmental hazards might include all of the following control plans except:

(Multiple Choice)

The department or function that develops and operates an organization's information systems is often called the:

(Multiple Choice)

The ____________________ documentation provides an overall description of the application, including the system's purpose; an overview of system procedures; and sample source documents, outputs, and reports.

(Short Answer)

Threat monitoring is a technique to protect one network from another "untrusted" network.

(True/False)

In a ___________________________________ a web site is overwhelmed by an intentional onslaught of thousands of simultaneous messages, making it impossible for the attacked site to engage in its normal activities.

(Short Answer)

Which of the following personnel security control plans is corrective in nature as opposed to being a preventive or detective control plan?

(Multiple Choice)

________________ in an internal control system means assessment by management to determine whether the control plans in place are continuing to function appropriately over time.

(Short Answer)
Showing 1 - 20 of 157