Chapter 8: Controlling Information Systems: Introduction to Pervasive and General Controls

TRUE/FALSE

1. IT governance leads to better organizational performance, such as profitability.
ANS: T

2. As an IT resource, information includes data in all their forms that are input, processed, and output by information systems.
ANS: T

3. As an IT resource, applications are automated systems and manual procedures that process information.
ANS: T

4. The system of controls used in this text consists of the control environment, pervasive and general controls and IT general controls control plans, and business process and application control plans.
ANS: T

5. As used in the text, the information systems organization function is synonymous with the accounting function.
ANS: F

6. The function composed of people, procedures, and equipment that is typically called the information systems department, IS department, or the IT department is the information systems organization.
ANS: T

7. The IS function with the principal responsibilities of guiding and advising the information systems organization is the IT steering committee.
ANS: T

8. The IS function with the principal responsibilities of insuring the security of all information systems function resources is data control.
ANS: F

9. The IS function of quality assurance conducts reviews to determine adherence to IT standards and procedures and achievement of IT objectives.
ANS: T

10. The chief information officer (CIO) prioritizes and selects IT projects and resources.
ANS: F

11. Within the data center, the data control group is responsible for routing all work into and out of the data center, correcting errors, and monitoring error correction.
ANS: T

12. The IS function of systems development provides efficient and effective operation of the computer equipment by performing tasks such as mounting tapes and disks, loading printer paper, and responding to computer messages.
ANS: F

13. Within the data center, the data librarian function grants access to programs, data, and documentation to authorized personnel only.
ANS: T

14. Combining the functions of authorizing and executing events is a violation of the organizational control plan known as segregation of duties.
ANS: T

15. Segregation of duties consists of separating the four functions of authorizing events, executing events, recording events, and safeguarding the resources resulting from consummating the events.
ANS: T

16. Embezzlement is a fraud committed by two or more individuals or departments.
ANS: F

17. A small organization that does not have enough personnel to adequately segregate duties must rely on alternative controls, commonly called resource controls.
ANS: F

18. The functions of the security officer commonly include assigning passwords and implementing and monitoring many of the pervasive resource security control plans.
ANS: T

19. Individual departments coordinate the organizational and IT strategic planning processes and reviews and approves the strategic IT plan.
ANS: F

20. The policy of requiring an employee to alternate jobs periodically is known as mandatory vacations.
ANS: F

21. Forced vacations is a policy of requiring an employee to take leave from the job and substituting another employee in his or her place.
ANS: T

22. A fidelity bond indemnifies a company in case it suffers losses from defalcations committed by its employees.
ANS: T

23. The product life cycle is a formal set of activities, or a process, used to develop and implement a new or modified information system.
ANS: F

24. Computer software that is used to facilitate the execution of a given business process is called database management software.
ANS: F

25. The systems documentation provides an overall description of the application, including the system's purpose, an overview of system procedures, and sample source documents, outputs, and reports.
ANS: T

26. Program documentation provides a description of an application computer program and usually includes the program's purpose, program flowcharts, and source code listings.
ANS: T

27. The user run manual gives detailed instructions to computer operators and to data control about a particular application.
ANS: F

28. The operations run manual describes user procedures for an application and assists the user in preparing inputs and using outputs.
ANS: F

29. Training materials are documentation that helps users learn their jobs and perform consistently in those jobs.
ANS: T

30. Program change controls provide assurance that all program modifications are authorized and that the changes are completed, tested, and properly implemented.
ANS: T

31. The terms contingency planning, disaster recovery planning, business interruption planning, and business continuity planning have all been used to describe the process that identifies events that may threaten an organization and provide a framework whereby the organization will continue to operate or resume operations with a minimum of disruption.
ANS: T

32. Continuity is the process of using backup measures to either reconstruct lost data, programs, or documentation or to continue operations in alternative facilities.

33. With continuous data protection (CDP), all data changes are saved to secondary computer systems as changes are made on the primary system.

34. The disaster backup and recovery technique known as electronic vaulting is a service whereby changes being made on a computer are automatically transmitted over the Internet on a continuous basis to an off-site server maintained by a third party.

35. The disaster recovery strategy known as a cold site is a fully equipped data center that is made available on a standby basis to client companies for a monthly subscriber fee.

36. A facility usually comprising air-conditioned space with a raised floor, telephone connections, and computer ports into which a subscriber can move equipment is called a hot site.

37. In the case of a computer virus, a Web site is overwhelmed by an intentional onslaught of thousands of simultaneous messages, making it impossible for the attacked site to engage in its normal activities.

38. Biometric identification systems identify authorized personnel through some unique physical trait such as fingers, hands, voice, eyes, face, or writing dynamics.

39. Antivirus is a technique to protect one network from another "untrusted" network.

40. The most common biometric devices perform retinal eye scans.

41. In an online computing environment, the operating system software generally includes a(n) security module designed to restrict access to programs and data.

42. In an online computing environment, the accumulation of