it-audit-ch-4

Upload: vicky-de-chavez

Post on 09-Apr-2016

Page 1: IT-Audit-Ch-4

Chapter 4 -- IT Security Part II: Auditing Database Systems

TRUE/FALSE

1. The database approach to data management is sometimes called the flat file approach.

ANS: F PTS: 1

2. The database management system provides a controlled environment for accessing the database.

ANS: T PTS: 1

3. To the user, data processing procedures for routine transactions, such as entering sales orders, appear to be identical in the database environment and in the traditional environment.

ANS: T PTS: 1

4. An important feature associated with the traditional approach to data management is the ability to produce ad hoc reports.

ANS: F PTS: 1

5. The data definition language is used to insert special database commands into application programs.

ANS: F PTS: 1

6. There is more than one conceptual view of the database.

ANS: F PTS: 1

7. In the database method of data management, access authority is maintained by systems programming.

ANS: F PTS: 1

8. The physical database is an abstract representation of the database.

ANS: F PTS: 1

9. A customer name and an unpaid balance is an example of a one-to-many relationship.

ANS: F PTS: 1

10. In the relational model, a data element is called a relation.

ANS: F PTS: 1

11. Subschemas are used to authorize user access privileges to specific data elements.

ANS: F PTS: 1

12. A recovery module suspends all data processing while the system reconciles its journal files against the database.

ANS: F PTS: 1

13. The database management system controls access to program files.

ANS: F PTS: 1

14. Examining programmer authority tables for information about who has access to Data Definition Language commands will provide evidence about who is responsible for creating sub-schemas.

ANS: T PTS: 1

15. Data normalization groups data attributes into tables in accordance with specific design objectives.

ANS: T PTS: 1

16. Under the database approach, data is viewed as proprietary or owned by users.

ANS: F PTS: 1

17. The data dictionary describes all of the data elements in the database.

ANS: T PTS: 1

18. A join builds a new table by creating links.

ANS: F PTS: 1

19. A deadlock is a phenomenon that prevents the processing of transactions.

ANS: T PTS: 1

20. Timestamping is a control that is used to ensure database partitioning.

ANS: F PTS: 1

21. A lockout is a software control that prevents multiple users from simultaneous access to data.

ANS: T PTS: 1

22. An entity is any physical thing about which the organization wishes to capture data.

ANS: F PTS: 1

23. An ER diagram is a graphical representation of a data model.

ANS: T PTS: 1

24. The term occurrence is used to describe the number of attributes or fields pertaining to a specific entity.

ANS: F PTS: 1

25. Cardinality describes the number of possible occurrences in one table that are associated with a single occurrence in a related table.

ANS: T PTS: 1

MULTIPLE CHOICE

1. All of the following are basic data management tasks except
a. data deletion
b. data storage
c. data attribution
d. data retrieval

ANS: C PTS: 1

2. The task of searching the database to locate a stored record for processing is called
a. data deletion
b. data storage
c. data attribution
d. data retrieval

ANS: D PTS: 1

3. Which of the following is not a problem usually associated with the flat-file approach to data management?

a. data redundancy
b. restricting access to data to the primary user
c. data storage
d. currency of information

ANS: B PTS: 1

4. Which characteristic is associated with the database approach to data management?
a. data sharing
b. multiple storage procedures
c. data redundancy
d. excessive storage costs

ANS: A PTS: 1

5. Which characteristic is not associated with the database approach to data management?

a. the ability to process data without the help of a programmer
b. the ability to control access to the data
c. constant production of backups
d. the inability to determine what data is available

ANS: D PTS: 1

6. The textbook refers to four interrelated components of the database concept. Which of the following is not one of the components?

a. the database management system
b. the database administrator
c. the physical database
d. the conceptual database

ANS: D PTS: 1

7. Which of the following is not a responsibility of the database management system?
a. provide an interface between the users and the physical database
b. provide security against a natural disaster
c. ensure that the internal schema and external schema are consistent
d. authorize access to portions of the database

ANS: C PTS: 1

8. A description of the physical arrangement of records in the database is
a. the internal view
b. the conceptual view
c. the subschema
d. the external view

ANS: A PTS: 1

9. Which of the following may provide many distinct views of the database?
a. the schema
b. the internal view
c. the user view
d. the conceptual view

ANS: C PTS: 1

10. Users access the database
a. by direct query
b. by developing operating software
c. by constantly interacting with systems programmers
d. all of the above

ANS: A PTS: 1

11. The data definition language
a. identifies, for the database management system, the names and relationships of all data elements, records, and files that comprise the database
b. inserts database commands into application programs to enable standard programs to interact with and manipulate the database

c. permits users to process data in the database without the need for conventional programs
d. describes every data element in the database

ANS: A PTS: 1

12. The data manipulation language
a. defines the database to the database management system
b. transfers data to the buffer area for manipulation
c. enables application programs to interact with and manipulate the database
d. describes every data element in the database

ANS: C PTS: 1

13. Which statement is not correct? A query language like SQL
a. is written in a fourth-generation language
b. requires user familiarity with COBOL
c. allows users to retrieve and modify data
d. reduces reliance on programmers

ANS: B PTS: 1

14. Which duty is not the responsibility of the database administrator?
a. to develop and maintain the data dictionary
b. to implement security controls
c. to design application programs
d. to design the subschema

ANS: C PTS: 1

15. In a hierarchical model
a. links between related records are implicit
b. the way to access data is by following a predefined data path
c. an owner (parent) record may own just one member (child) record
d. a member (child) record may have more than one owner (parent)

ANS: B PTS: 1

16. Which term is not associated with the relational database model?
a. tuple
b. attribute
c. collision
d. relation

ANS: C PTS: 1

17. In the relational database model
a. relationships are explicit
b. the user perceives that files are linked using pointers
c. data is represented on two-dimensional tables
d. data is represented as a tree structure

ANS: C PTS: 1

18. In the relational database model all of the following are true except

a. data is presented to users as tables
b. data can be extracted from specified rows from specified tables
c. a new table can be built by joining two tables
d. only one-to-many relationships can be supported

ANS: D PTS: 1

19. In a relational database
a. the user’s view of the physical database is the same as the physical database
b. users perceive that they are manipulating a single table
c. a virtual table exists in the form of rows and columns of a table stored on the disk
d. a programming language (COBOL) is used to create a user’s view of the database

ANS: B PTS: 1

20. Which of the following is not a common form of conceptual database model?
a. hierarchical
b. network
c. sequential
d. relational

ANS: C PTS: 1

21. Which statement is false?
a. The DBMS is special software that is programmed to know which data elements each user is authorized to access.
b. User programs send requests for data to the DBMS.
c. During processing, the DBMS periodically makes backup copies of the physical database.
d. The DBMS does not control access to the database.

ANS: D PTS: 1

22. All of the following are elements of the DBMS which facilitate user access to the database except

a. query language
b. data access language
c. data manipulation language
d. data definition language

ANS: B PTS: 1

23. Which of the following is a level of the database that is defined by the data definition language?

a. user view
b. schema
c. internal view
d. all are levels or views of the database

ANS: D PTS: 1

24. An example of a distributed database is
a. partitioned database
b. centralized database
c. networked database
d. all are examples of distributed databases

ANS: A PTS: 1

25. Data currency is preserved in a centralized database by
a. partitioning the database
b. using a lockout procedure
c. replicating the database
d. implementing concurrency controls

ANS: B PTS: 1

26. Which procedure will prevent two end users from accessing the same data element at the same time?

a. data redundancy
b. data replication
c. data lockout
d. none of the above

ANS: C PTS: 1

27. The advantages of a partitioned database include all of the following except
a. user control is enhanced
b. data transmission volume is increased
c. response time is improved
d. risk of destruction of entire database is reduced

ANS: B PTS: 1

28. A replicated database is appropriate when
a. there is minimal data sharing among information processing units
b. there exists a high degree of data sharing and no primary user
c. there is no risk of the deadlock phenomenon
d. most data sharing consists of read-write transactions

ANS: B PTS: 1

29. What control maintains complete, current, and consistent data at all information processing units?

a. deadlock control
b. replication control
c. concurrency control
d. gateway control

ANS: C PTS: 1

30. Data concurrency
a. is a security issue in partitioned databases
b. is implemented using timestamping
c. may result in data lockout
d. occurs when a deadlock is triggered

ANS: B PTS: 1

31. All of the following are advantages of a partitioned database except
a. increased user control by having the data stored locally
b. deadlocks are eliminated
c. transaction processing response time is improved
d. partitioning can reduce losses in case of disaster

ANS: B PTS: 1

32. Which backup technique is most appropriate for sequential batch systems?
a. grandparent-parent-child approach
b. staggered backup approach
c. direct backup
d. remote site, intermittent backup

ANS: A PTS: 1

33. When creating and controlling backups for a sequential batch system,
a. the number of backup versions retained depends on the amount of data in the file
b. off-site backups are not required
c. backup files can never be used for scratch files
d. the more significant the data, the greater the number of backup versions

ANS: D PTS: 1

34. In a direct access file system
a. backups are created using the grandfather-father-son approach
b. processing a transaction file against a master file creates a backup file
c. files are backed up immediately before an update run
d. if the master file is destroyed, it cannot be reconstructed

ANS: C PTS: 1

35. Which of the following is not an access control in a database system?
a. antivirus software
b. database authorization table
c. passwords
d. voice prints

ANS: A PTS: 1

36. Which of the following is not a basic database backup and recovery feature?

a. checkpoint
b. backup database
c. transaction log
d. database authority table

ANS: D PTS: 1

37. Audit objectives for the database management system include all of the following except

a. verifying that the security group monitors and reports on fault tolerance violations
b. confirming that backup procedures are adequate
c. ensuring that authorized users access only those files they need to perform their duties
d. verifying that unauthorized users cannot access data files

ANS: A PTS: 1

38. All of the following tests of controls will provide evidence that access to the data files is limited except

a. inspecting biometric controls
b. reconciling program version numbers
c. comparing job descriptions with access privileges stored in the authority table
d. attempting to retrieve unauthorized data via inference queries

ANS: B PTS: 1

39. Which of the following is not a test of access controls?
a. biometric controls
b. encryption controls
c. backup controls
d. inference controls

ANS: C PTS: 1

40. The database attributes that individual users have permission to access are defined in
a. operating system.
b. user manual.
c. database schema.
d. user view.
e. application listing.

ANS: D PTS: 1

SHORT ANSWER

Use the following words to complete the sentences in questions 1 through 5.

database administrator
data dictionary
data redundancy
index sequential access method
query language
schema
sequential structure
subschema

1. _________________________ occurs when a specific file is reproduced for each user who needs access to the file.

ANS: data redundancy

PTS: 1

2. The conceptual view of the database is often called ____________________.

ANS: schema

PTS: 1

3. The ____________________ allows users to retrieve and modify data easily.

ANS: query language

PTS: 1

4. The __________________________ authorizes access to the database.

ANS: database administrator

PTS: 1

5. The __________________________ describes every data element in the database.

ANS: data dictionary

PTS: 1

6. How does the database approach solve the problem of data redundancy?

ANS: Data redundancy is not a problem with the database approach because individual data elements need to be stored only once yet be available to multiple users.

PTS: 1

7. Describe two tests of controls that would provide evidence that the database management system is protected against unauthorized access attempts.

ANS: compare job descriptions with authority tables; verify that database administration employees have exclusive responsibility for creating authority tables and designing user subschemas; evaluate biometric and inference controls

PTS: 1

8. What is a database authorization table?

ANS: The database authorization table contains rules that limit the actions a user can take. Each user is granted certain privileges that are coded in the authority table, which is used to verify the user’s action requests.

PTS: 1

9. What are two types of distributed databases?

ANS: Partitioned and replicated databases.

PTS: 1

10. Describe an environment in which a firm should use a partitioned database.

ANS: A partitioned database approach works best in organizations that require minimal data sharing among their information processing units and when a primary user of the data can be identified.

PTS: 1

11. Why are the hierarchical and network models called navigational databases?

ANS: These are called navigational models because traversing or searching them requires following a predefined path which is established through explicit linkages between related records.

PTS: 1

12. What is a database lockout?

ANS: To achieve data currency, simultaneous access to individual data elements by multiple sites needs to be prevented. The solution to this problem is to use a database lockout, which is a software control that prevents multiple simultaneous accesses to data.

PTS: 1

13. What is the partitioned database approach and what are its advantages?

ANS: The partitioned database approach splits the central database into segments or partitions that are distributed to their primary users. The advantages of this approach are:

a. Storing data at local sites increases users’ control.
b. Permitting local access to data and reducing the volume of data that must be transmitted between sites improves transaction processing response time.
c. Partitioned databases can reduce the potential for disaster. By having data located at several sites, the loss of a single site cannot terminate all data processing by the organization.

PTS: 1

14. What is a replicated database and what are the advantages of this approach?

ANS: The entire database is replicated at each distributed site.

Replicated databases are effective in companies where there exists a high degree of data sharing but no primary user. Since common data are replicated at each site, the data traffic between sites is reduced considerably.

PTS: 1

15. What is a legacy system?

ANS: Legacy systems are large mainframe systems that were implemented from the late 1960s through the 1980s. Organizations today still make extensive use of these systems.

PTS: 1

16. What is the flat-file model?

ANS: The flat-file model describes an environment in which individual data files are not related to other files. End users in this environment own their data files rather than share them with other users.

PTS: 1

17. What are the four primary elements of the database approach?

ANS: The users, the database management system, the database administrator, and the physical database structures.

PTS: 1

18. What types of problems does data redundancy cause?

ANS:
a. increased data storage because the same data is stored in multiple files
b. increased data updating because changes must be made to multiple files
c. problem of current data in some files, but not all files

PTS: 1

19. What flat-file data management problems are solved as a result of using the database concept?

ANS:
a. no data redundancy
b. single update of data
c. current values for all user applications
d. task-data independence

PTS: 1

20. What are four ways in which database management systems provide a controlled environment to manage user access and the data resources?

ANS: Program development, backup and recovery, database usage reporting, and database access.

PTS: 1

21. Explain the relationship between the three levels of the data definition language. As a user, which level would you be most interested in?

ANS: One level is the schema, which is the conceptual view of the data. The schema describes the entire database and it represents the database logically. The second level is the internal view, which is the physical arrangement of the records. At this level, the data records are described as well as linkages between files. The next level is the subschema, which is the external view of the database that specific users have authorization to use. This is also called the user view and is the level that users find of most interest.

PTS: 1

22. What is the internal view of a database?

ANS: The internal view of a database is the physical arrangement of the records. It describes the data structure, the linkages between files, and the physical arrangement of the records.

PTS: 1

23. What is DML?

ANS: DML is the proprietary database language that a particular DBMS uses to retrieve, process, and store data.

PTS: 1

24. What is a data dictionary, and what purpose does it serve?

ANS: The data dictionary describes every data element in the database. It enables all users (and programmers) to share a common view of the data resource, thus greatly facilitating the analysis of user needs.

PTS: 1

25. Discuss and give an example of one-to-one, one-to-many, and many-to-many record associations.

ANS: A one-to-one association means that for every occurrence in record type X, either zero or one occurrence exists of record type Y. An example would be that for every student, only one social security number exists.

A one-to-many association means that for every occurrence in record type X, either zero, one, or many occurrences exist of record type Y. An example would be buyers of assigned seating at concerts. Each potential buyer would leave the sales box office with zero, one, or many seats.

A many-to-many association is a two-way relationship. For each occurrence of record types X and Y, zero, one, or many occurrences exist of record type Y and X, respectively. An example would be a student-professor relationship. Each student has multiple professors each semester, and each professor has multiple students each semester.

PTS: 1

ESSAY

1. What are the four elements of the database approach? Explain the role of each.

ANS: Users are the individuals in the organization who access the data in the database. This may happen via user programs or by direct query.

The database management system is a set of programs that control access to the database and that manage the data resource through program development, backup and recovery functions, usage reporting, and access authorization.

The database administrator is a function (which may involve part of one individual’s duties or an entire department) which manages the database resources through database planning, design, implementation, operation and maintenance, and growth and change.

The physical database is the only physical form that the database has. It is comprised of magnetic spots on magnetic media.

PTS: 1

2. Explain the three views of a database.

ANS: The unique internal view of the database is the physical arrangement of records which describes the structure of data records, the linkages between files, and the physical arrangement and sequence of records in the file.

The unique conceptual view (or schema) represents the database logically and abstractly.

The many user views (or subschema) define the portion of a database that an individual user is authorized to access.

PTS: 1

3. Explain a database lockout and the deadlock phenomenon. Contrast that to concurrency control and the timestamping technique. Describe the importance of these items in relation to database integrity.

ANS: In a centralized database, a lockout is used to ensure data currency. A lockout prevents simultaneous access to individual data elements by different information processing units (IPU). When one IPU requests access to a data element, a lock is put on the file, record, or element. No other IPU can access the file, record, or element until the lock is released.

In a partitioned database, lockouts are also used to ensure data currency. It is possible, however, for multiple sites to place locks on records in a way that results in a deadlock condition, which prevents transactions from processing. All transactions are in a wait state until the locks are removed. A deadlock cannot be resolved without outside intervention from the user’s application, the DBMS, or the operating system.

In a replicated database, a large volume of data flows between sites, and temporary inconsistencies in the database may occur. Concurrency control ensures that transactions executed at each IPU are accurately reflected in the databases of all other sites. A popular method for concurrency control is to timestamp transactions. Transactions that may be in conflict are assigned a system-wide timestamp. Then, the identified transactions are processed in timestamp order.

Both database lockouts and concurrency controls are designed to ensure that the transactions are completely processed and that all transactions are accurately reflected in the firm’s databases. Failure to implement these controls can result in transactions being lost, being partially processed, or with inconsistent databases.

PTS: 1

4. One purpose of a database system is the easy sharing of data. But this ease of sharing can also jeopardize security. Discuss at least three forms of access control designed to reduce this risk.

ANS: Many types of access control are possible. A user view is a subset of a database that limits a user’s view or access to the database. The database authorization table contains rules that limit what a user can do, i.e., read, insert, modify, delete. A user-defined procedure adds additional queries to user access to prevent others from accessing in a specific user’s place. To protect the data in a database, many systems use data encryption to make it unreadable by intruders. A newer technique uses biometric devices to authenticate users.

PTS: 1

5. In a distributed data processing system, a database can be centralized or distributed. What are the options? Explain.

ANS: In a distributed data processing system, a database can be centralized or distributed. When the database is centralized, the entire database is stored at a central site which processes requests from users at remote locations. Certain concerns arise when data processing is distributed. Questions arise with regard to data currency when multiple users have access to the database. Database lockout prevents more than one user from making changes at the same time.

Distributed databases can be partitioned with parts stored at different sites, or replicated, with the entire database stored in multiple locations. When the database is partitioned, users have more control over data stored at local sites, transaction processing time is improved, and the potential of data loss is reduced. When the database is replicated, the entire database is stored at multiple locations. This works well when the primary use of the database is for querying. When transactions are processed at many sites, problems of database concurrency arise.

PTS: 1

6. Ownership of data in traditional legacy systems often leads to data redundancy. This in turn leads to several data management problems. What are they? How does the database approach solve them?

ANS: Data redundancy causes significant data management problems in three areas: data storage, data updating, and currency of information. Data storage is a problem because if multiple users need the data, it must be collected and stored multiple times at multiple costs. When multiple users hold the same information, changes must be updated in all locations or data inconsistency results. Failure to update all occurrences of a data item can affect the currency of the information.

With a database system, these problems are solved. There is no data redundancy since a data item is stored only once. Hence changes require only a single update, thus leading to current value.

PTS: 1

7. What services are provided by a database management system?

ANS: Database management systems typically provide the following services:
a. program development, which permits both programmers and end users to create applications to access the database;
b. backup and recovery is built in, therefore reducing the likelihood of data loss;
c. database usage reporting captures statistics on what data is being used, by whom, and when; and especially
d. database access is provided to authorized users.

PTS: 1

8. Discuss the key factors to consider in determining how to partition a corporate database.

ANS: The partitioned approach works best for organizations that require minimal data sharing among users at remote sites. To the extent that remote users share common data, the problems associated with the centralized approach will apply. The primary user must now manage requests for data from other sites. Selecting the optimum host location for the partitions to minimize data access problems requires an in-depth analysis of end-user data needs.

PTS: 1

9. Distinguish between a database lockout and a deadlock.

ANS: To achieve data currency, simultaneous access to individual data elements or records by multiple users needs to be prevented. The solution to this problem is a database lockout, which is a software control that prevents multiple simultaneous accesses to data. A deadlock occurs when multiple users seeking access to the same set of records lock out each other. As a result, the transactions of all users assume a wait state until the locks are removed. A deadlock is a permanent condition that must be resolved by special software that analyzes each deadlock condition to determine the best solution.

PTS: 1
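The lockout, deadlock and timestamp-ordering controls described in essay answers 3 and 9, modelled in a small Python simulation added here as an illustration; it is not code from the test bank or from any DBMS. The lock manager, the constructed record names (cust_101, cust_202) and the victim-selection rule (abort the transaction with the latest timestamp) are assumptions of this example, not statements from the page.

```python
"""Toy lock manager: record lockout, wait-for-graph deadlock detection and
timestamp ordering. Added example; not taken from the test bank or any DBMS."""
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, List, Optional

_clock = count(1)  # assumed system-wide timestamp source: one shared counter


@dataclass
class Txn:
    """A transaction issued by one information processing unit (IPU)."""
    name: str
    ts: int = field(default_factory=lambda: next(_clock))
    held: set = field(default_factory=set)     # records this txn has locked
    waiting_for: Optional[str] = None          # record it is blocked on, if any
    aborted: bool = False


class LockManager:
    """Exclusive record-level lockout: one holder per record at a time."""

    def __init__(self) -> None:
        self.owner: Dict[str, Txn] = {}        # record -> holding transaction

    def lock(self, txn: Txn, record: str) -> bool:
        """Grant the lock (True) or put txn in a wait state (False)."""
        holder = self.owner.get(record)
        if holder is None or holder is txn:
            self.owner[record] = txn
            txn.held.add(record)
            txn.waiting_for = None
            return True
        txn.waiting_for = record
        return False

    def release_all(self, txn: Txn) -> None:
        """Release every lock txn holds (on commit or abort)."""
        for rec in list(txn.held):
            if self.owner.get(rec) is txn:
                del self.owner[rec]
        txn.held.clear()
        txn.waiting_for = None

    def wait_for_graph(self, txns: List[Txn]) -> Dict[str, str]:
        """Edge T1 -> T2 means T1 is waiting on a record that T2 holds."""
        return {t.name: self.owner[t.waiting_for].name
                for t in txns
                if t.waiting_for and not t.aborted
                and t.waiting_for in self.owner}

    def find_deadlock(self, txns: List[Txn]) -> List[str]:
        """Return the transaction names on a wait-for cycle, or [] if none."""
        graph = self.wait_for_graph(txns)
        for start in graph:
            seen: List[str] = []
            node = start
            while node in graph and node not in seen:
                seen.append(node)
                node = graph[node]
            if node == start:
                return seen
        return []

    def resolve_deadlock(self, txns: List[Txn]) -> Optional[Txn]:
        """The 'outside intervention' by the DBMS. Assumed victim rule: abort
        the youngest (latest-timestamp) transaction on the cycle and free its
        locks so the remaining transactions can leave the wait state."""
        cycle = self.find_deadlock(txns)
        if not cycle:
            return None
        by_name = {t.name: t for t in txns}
        victim = max((by_name[n] for n in cycle), key=lambda t: t.ts)
        victim.aborted = True
        self.release_all(victim)
        return victim


def timestamp_order(txns: List[Txn]) -> List[str]:
    """Concurrency control from the text: conflicting transactions carry a
    system-wide timestamp and are processed in timestamp order."""
    return [t.name for t in sorted(txns, key=lambda t: t.ts)]


def demo() -> dict:
    """Two sites lock two constructed customer records in opposite order."""
    lm = LockManager()
    site_a, site_b = Txn("site_A"), Txn("site_B")
    lm.lock(site_a, "cust_101")
    lm.lock(site_b, "cust_202")
    blocked_a = not lm.lock(site_a, "cust_202")   # site_A now waits on site_B
    blocked_b = not lm.lock(site_b, "cust_101")   # site_B now waits on site_A
    cycle = lm.find_deadlock([site_a, site_b])
    victim = lm.resolve_deadlock([site_a, site_b])
    recovered = lm.lock(site_a, "cust_202")       # site_A can now proceed
    return {"blocked": blocked_a and blocked_b, "cycle": cycle,
            "victim": victim.name if victim else None, "recovered": recovered,
            "order": timestamp_order([site_a, site_b])}


if __name__ == "__main__":
    print(demo())
```

Without the resolve step both sites stay in the wait state indefinitely, which is the permanent condition essay answer 9 describes; an auditor reviewing a DBMS would look for the equivalent detection and victim-selection logic in its concurrency controls.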

10. Replicated databases create considerable data redundancy, which is in conflict with the database concept. Explain the justification of this approach.

ANS: The primary justification for a replicated database is to support read-only queries in situations involving a high degree of data sharing, but no primary user exists. With data replicated at every site, data access for query purposes is ensured, and lockouts and delays due to network traffic are minimized. A potential problem arises, however, when replicated databases need to be updated by transactions. Since each site processes only local transactions, the common data attributes that are replicated at each site will be updated by different transactions and thus, at any point in time, will have uniquely different values. System designers need to employ currency control techniques to ensure that transactions processed at different locations are accurately reflected in all the database copies.

PTS: 1

11. Contrast the navigational databases with relational databases. What is the primary advantage of the relational model?

ANS: The most apparent difference between the relational model and navigational models is the way that data associations are represented to the user. In navigational models, data are represented in tree structures or network structures. The navigational database models have explicit links, called pointers, between records. Data are accessed using defined data paths.

The relational model portrays data in the form of two-dimensional tables. Users do not perceive any pointers linking the tables. At the conceptual level (logical view) and the external level (user’s view), data are represented only as tables. Relations between tables are formed by an attribute (data element) that is common to the tables. This attribute is a primary key in one table and a foreign key in the other.

The relational model is more flexible than a navigational model. Users can obtain data from the database by using the primary key and a database query language. Typically users do not require assistance from programmers to obtain answers to ad hoc queries.

PTS: 1