Information security management
-Information security is a critical factor in maintaining systems integrity
-The primary focus of information security is the balanced protection of the confidentiality, integrity, and availability of data while maintaining efficient policy implementation and without disrupting organizational productivity
Confidentiality
information is not accessible to unauthorized individuals or processes
Integrity
information is accurate and complete
Availability
information and systems are accessible on demand
Information attacks
-Virus: self-replicating program that runs and spreads by modifying other programs/files
-Worm: self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself
-Trojan horse: a non-self-replicating program that seems to have a useful purpose in appearance but in reality has a malicious purpose
-Spam: sending unsolicited bulk information
-Botnet (Bot): a collection of software robots that overruns computers to act automatically in response to the bot-herder's control through the internet
Information security risks
-Denial of Service (DoS): prevention of unauthorized access to resources or the delaying of time-critical operations
-Spyware: software secretly installed into an information system to gather information on individuals or organizations without their knowledge
-Spoofing: sending a network packet that appears to come from a source other than its actual source
-Social engineering: manipulating someone to take certain action that may not be in their best interest
Encryption
-Encryption is a preventative control providing confidentiality and privacy for data transmission and storage
Two algorithmic schemes that encode plaintext into non-readable ciphertext:
-symmetric-key encryption: private key pair
-Asymmetric key encryption: a public and private key pair
Symmetric vs. asymmetric
symmetric-key encryption:
-fast
-suitable for large data set
-key distribution and management are problematic because it's difficult to distribute keys in a secure way
-managing one key is not cost effective
Asymmetric key encryption:
-slow
-not suitable for large data set
-key distribution and key management are solved
-public key is widely used while private key is kept secret
-transmit confidential information
Main factors of encryption
-key length: 128 bit and longer is sufficient
-Key management: strong policy essential
-Encryption algorithm: symmetric or asymmetric key encryption methods
Authentication
process that establishes the origin of information or determines the identity of a user
Asymmetric key encryption key factors
-Certificate authority (CA): a trusted entity that issues and revokes digital certificates
-Digital certificate: digital document issued and digitally signed by the private key of a CA that binds the name of a subscriber to a public key
-Public key infrastructure (PKI): a set of policies, processes, server platforms, software and workstations used for the purpose of administering certificates and public-private key pairs to use, maintain, and revoke public key certificates
Digital signature and data integrity
A digital signature is a message digest (code generated from a hashing algorithm) of a document that is encrypted using the document creator's private key
-Digital signatures can ensure data integrity (accurate and complete)
Cybersecurity Risk management framework
1st criteria: description of the company's cybersecurity risk management system
2nd criteria: evaluation of the company's cybersecurity controls
SAS No. 99
an entity's management has primary responsibility for establishing and monitoring all aspects of the entity's fraud risk assessment
Fraud triangle
Opportunity, incentive, rationalize
Fraud detection program
should include an evaluation by internal auditors on the effectiveness of business processes, along with an analysis of transaction-level data to obtain evidence on the effectiveness of internal controls and to identify indicators of fraud risk or actual fraudulent activities
system availability
-Uninterruptible power supply: a device using battery to enable a system to operate long enough to back up critical data and shut down properly during the loss of power
-Fault tolerance: using redundant units to provide the system the ability to continue functioning when part of the system fails
-Virtualization or cloud computing: good alternatives to backup data and applications
Disaster recovery and business continuity
-Disaster recovery planning (DRP) identifies significant events that may threaten a firm's operations, outlining the procedures that ensure the firm's smooth resuming of operations in the case this event occurs
Business continuity management (BCM) refers to the activities required to keep a firm running during a period of interruption of normal operations
DRP and BCM are the most critical corrective controls, and DRP is a key component of BCM
Operating System (OS)
-the most important system software because it performs the tasks that enable a computer to operate
-Five fundamental control objectives
1. protect itself from users
2. protect users from each other
3. protect users from themselves
4. be protected from itself
5. be protected from its environment
Database Systems
-data is often the core asset of many companies
-a database is a shared collection of logically related data which meets the information needs of the firm
-Accountants increasingly participate in designing internal control systems and improving businesses and IT processes in a database environment
Database systems (part 2)
-Data warehouse: a centralized collection of firm-wide data stored for a relatively long period of time
-Operational databases: used for daily operations and often include data for the current fiscal year only
-Data mining: the process of searching for patterns in the data in a data warehouse and analyzing these patterns for decision making
-Data governance: the convergence of data quality, data management, data policies, business process management, and risk management surrounding the handling of data in a firm
Local Area Networks (LAN)
A group of computers connected to the same network that covers a limited geographic range
-LANs include hubs and switches
-hubs: broadcast through multiple ports
-Switches: provide a path for each pair of connections
Wide Area Networks (WAN)
Link different sites together, transmit information across geographically dispersed LANs, cover a broad geographic area
-to provide remote access to employees or customers
-to link two or more sites within the firm
-to provide corporate access to the internet
WAN devices include routers and firewalls
-Routers: connect different LAN devices, examine IP addresses
-Firewalls: a security system comprised of hardware and software that is built using routers or servers; allows individuals on the corporate network to send/receive data packets from the internet
-VPN: securely connects a firm's WAN by sending/receiving data via virtual connections over the public internet; cheaper alternative to leased lines
Wireless network
-Access point: logically connects stations to a firm's network
-Station: a wireless endpoint device equipped with a wireless network interface card
Benefits of using wireless technology
-Mobility: convenient online access without a physical network or cables for connections
-Rapid deployment: time saving on implementing networks because of reduction in using physical cables/media
-Flexibility and scalability: freely setting up or removing wireless networks at different locations
General security objectives for LAN
-Confidentiality: ensure that communication cannot be read by unauthorized parties
-Integrity: detect any intentional or unintentional changes to the data during transmission
-Availability: ensure that devices and individuals can access a network whenever needed
-Access control: restrict the rights of devices or individuals to access a network or resources within a network
Computer assisted audit techniques (CAATs)
-CAATs are imperative tools for auditors to conduct an audit
CAAT auditing approaches
Auditing around the computer (black-box approach):
-first calculating expected results from the transactions entered into the system
-then comparing these calculations to the processing or output results
-advantage of this approach is that the systems will not be interrupted for auditing purposes
Auditing through the computer (the white-box approach):
-requires auditors to understand the internal logic of the system/application being tested
-test data technique: input valid and invalid data
-parallel simulation: create program with real data
-Integrated test facility: continually using test data
-embedded audit module: collect and monitor data
Generalized audit software (GAS)
-Frequently used to perform substantive tests and is used for testing of controls through transactional data analysis
-Directly read and access from various database platforms
-Provides auditors an independent means to gain access to data for analysis and the ability to use high-level problem solving software
Continuous auditing
-A continuous audit is performing audit-related activities on a continuous basis
-Testing in continuous audits often consists of continuous controls monitoring and continuous data assurance
-technology plays a key role in analyzing trends and patterns of transactions, identifying exceptions and anomalies, and testing controls
SOC for service organizations
-SOC 1: internal controls over financial reporting
-SOC 2: trust services criteria
-SOC 3: trust services criteria for general report use
Structure models
-Describe data and information structures inherent in a process
-Create a blueprint for the development of relational data to support the collection, aggregation, and communication of information
-facilitate the use of databases after they are implemented
Structure models - purposes
-Describe the entities or things in the domain of interest
-Describe the relationships among those things
-Specify how many instances of one entity can be related to another
-Identify the attributes or characteristics of the entities and relationships
UML class diagrams - classes
-Classes are separately identifiable collections of things (entities) about which the organization wants to collect and store information
-Classes represent:
R: resources
E: events
A: agents/persons
UML diagrams - Association
Associations depict the business relationship between two classes
UML class diagrams - multiplicities
Multiplicities describe the minimum and maximum number of times instances in one class can be associated with instances in another class
Attributes
-Data elements that describe characteristics of instances in a class
-Include the primary keys that uniquely define instances of the class, the foreign keys that support the links between classes shown in the associations, and other data elements for each class
Primary keys
an attribute that uniquely identifies each instance in a class or row. Primary key cannot be null (blank) and should be controlled by the organization that assigns it so it will not change over time
Foreign keys
-An attribute that allows tables to be linked together
-attribute in one table that is a primary key in another table
Relational databases
-A relational database is a data model that stores information in the form of related two-dimensional tables. Tables are used to store data and consist of rows (records) and columns (attributes) connected by relationships (links between tables)
-Relational data models are the dominant data model form in use today
Advantages of relational databases
-Flexibility and scalability
-Simplicity
-Reduced information redundancy
Database management system (DBMS)
-DBMS is a computer program that creates, modifies, and queries the database. A DBMS is designed to manage a database's storage and retrieval of information
-Database administrator: the person responsible for the design, implementation, repair, and security of a firm's database
-Data dictionary: describes the data fields in each database record, such as field description, field length, field type, etc.
Enterprise systems
-ERP systems (SAP, Oracle ERP)
-commercialized information systems software
-integrate and automate business processes across a firm's value chain
-typically use relational data model
-tables linked by primary and foreign keys
Structured Query Language (SQL)
-computer language designed to query (select and display) data in a relational database
-Also allows a user to insert, update, and delete data in the database
SQL phrases
SELECT
-used to begin a query
-statement tells the query which columns of a table should be included in the query
FROM
-clause added to the select statement
-indicates the name of table from which to retrieve data
WHERE
-clause states the criteria that must be met to be shown in the query result
ORDER BY
-clause identifies which columns are used to sort the resulting data
BETWEEN
-operator can be used to specify the end points of a range
GROUP BY
-operator is used with aggregate functions on the query results based on one or more columns
Sunset graphics
design and sell:
-signs and banners
-lettering and vinyl graphics
-corporate promotional items
-silk screened t-shirts and embroidered gear
Establishing business rules for sunset sales
-Business rules help ensure that information systems operate in a consistent and effective manner to achieve organizational objectives
-Use the BPMN activity diagram to identify important business events
-Define constraints on each event
UML class models support DB planning
-The database will contain one table for each class plus one table to support each many-to-many relationship
-multiplicities indicate location of foreign keys and indicate linking tables
Blockchain
-In a blockchain system, transactions are done without any middleman involved, with fast transaction times and lower service fees
Traditional system vs blockchain
Traditional
-system is centralized
-requires middleman to approve and record transactions
-only one copy of the ledger
Blockchain system
-system is decentralized, distributed ledger
-no middleman needed, multiple copies
-when a new transaction occurs, all nodes are in sync
-information cannot be added or deleted without the knowledge of the entire network
-a write-once, read many system
When is blockchain useful
-Enable multiple parties that do not fully trust each other to collaborate with a shared source of truth.
-Accelerate transaction settlement and verification by eliminating intermediaries.
-Help cut costs and resources that would be spent on manual verification (help auditors collecting and evaluating evidence to support transactions).
History of blockchain
-In 2009, Nakamoto used a distributed ledger system through resource-intensive mining to eliminate the need for intermediaries in trustless, online, peer-to-peer digital currency transactions
-In 2014, blockchain 2.0 emerged as a more robust and sophisticated technology to pull together logic and business rules into contracts represented in code called "smart contracts" through Ethereum
Blockchain components
-distributed and decentralized
-consensus among all parties
-immutability (once transactions are confirmed on the blockchain, they cannot be altered or tampered with)
How does blockchain work?
-Proof of work: all miners compete to create the next block to be committed to the blockchain
-Proof of authority: an administrator identifies the parties that create blocks, who are known and reputable
-Proof of stake: a set of validators who propose the next block lock up an amount of their crypto as a deposit to ensure honest behavior
Types of blockchain
Public
-permissionless blockchain
-no access restrictions in viewing or participation
-offers economic reward for the computational proof of work in mining
Private
-permissioned blockchain/enterprise blockchain
-requires permission to join the network
-transaction data and validation are restricted
-does not expose internal info to the public
Consortium
-permissioned blockchain
-allows several orgs to participate
-admin establishes access rights for each participant
-executed only on a limited set of trusted nodes
-permit more enterprise behaviors
Blockchain use cases
-Supply chain
-Loyalty program
-auto industry
Current challenges with adopting blockchain
-protocols are lacking in areas such as speed, confidentiality, and governance requirements
-most enterprises are opting to start with permissioned or private blockchain networks, which require a method to govern who is allowed to participate in the network
-challenges in integrating private blockchain network with existing enterprise solutions
Artificial intelligence
-intelligence exhibited by machines rather than humans
-the ability of computers to perform tasks that are associated with human intelligence
-AI aka cognitive technologies
Cognitive technology
-employ self-learning algorithms that allow computers to examine connections and notice patterns without human intervention
Machine learning
involves the computer's ability to learn from experience rather than specific instructions
Types of learning:
-classification: seeks to assign labels dividing the input into output groups (yes or no; spam or not spam)
-Regression: seeks to predict real numbers (revenue in the next quarter)