7 Securing Information Systems Flashcards
(45 cards)
What are the different parts of the security triangle?
- Availability
- Integrity
- Confidentiality
What are some reasons why systems are vulnerable?
- Accessibility of networks
- Hardware problems (breakdowns, configuration errors, damage from improper use or crime)
- Software problems (programming errors, installation errors, unauthorised changes)
- Disasters
- Use of networks/computers outside of firm’s control
- Loss and theft of portable devices
Why is the internet vulnerable?
- Network open to anyone
- Size of Internet means abuses can have wide impact
- Use of fixed Internet addresses with cable / DSL modems creates fixed targets for hackers
- Unencrypted VOIP
- Email, IM
- Interception
- Attachments with malicious software
- Transmitting trade secrets
What are some security threats?
- Malware (malicious software).
- Viruses.
- Worms.
- Mobile Device Malware.
- Social Network Malware.
Who can be an internal threat?
Employees
Why can employees be an internal threat?
- Security threats often originate inside an organisation
- Inside knowledge
- Sloppy security procedures
- User lack of knowledge
- Social engineering
- Both end users and information systems specialists are sources of risk
Why can software be vulnerable?
- Commercial software contains flaws that create security vulnerabilities
- Patches
What are some other security threats?
- Trojan Horse
- Ransomware
- Spyware
- Identity Theft
- Click Fraud
- Cyberterrorism
- Cyberwarfare
- Spoofing
- Denial-of-service attack
- Rogue Security Software
- Phishing Scams
What are some flaws in commercial software?
- Bugs (programme code defects)
- Zero defects cannot be achieved
- Flaws can open networks to intruders
What are patches?
- Small pieces of software to repair flaws
* Patch management
What is the Business Value of Security and Control?
- Failed computer systems can lead to significant or total loss of business function.
- Firms now are more vulnerable than ever.
- A security breach may cut into a firm’s market value almost immediately.
- Inadequate security and controls also bring forth issues of liability.
Why are firms now more vulnerable than ever?
Because of:
• Confidential personal and financial data.
• Trade secrets, new products, strategies.
What are some Legal and Regulatory Requirements for Electronic Records Management?
- HIPAA
- Gramm-Leach-Bliley Act
- Sarbanes-Oxley Act
- GDPR (General Data Protection Regulation)
What is HIPAA?
Medical security, privacy rules and procedures.
What is the Gramm-Leach-Bliley Act?
Requires financial institutions to ensure the security and confidentiality of customer data.
What is the Sarbanes-Oxley Act?
Imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and released externally.
What is Electronic Evidence?
- Evidence for white collar crimes often in digital form.
* Proper control of data can save time and money when responding to legal discovery requests.
What is Computer Forensics?
- Scientific collection, examination, authentication, preservation, and analysis of data from computer storage media for use as evidence in a court of law.
- Recovery of ambient data.
What are some Information Systems Controls?
- Physical Controls.
- Administrative Controls.
- Technical Controls.
What are Physical Controls?
- Who can access the building, data centre
* Fences around buildings, locks
What are Administrative Controls?
Concerned with humans.
• Backup checks
• Policies
• Security awareness training
What are Technical Controls?
Implementing the security policies.
• An access control list at a gateway or firewall
• Access controls inside a database
What is Risk Assessment?
- Determines level of risk to firm if specific activity or process is not properly controlled
- Types of threat
- Probability of occurrence during year
- Potential losses, value of threat
- Expected annual loss
What is disaster recovery planning?
Devises plans for restoration of disrupted services.