BEC 4 Security and Internet implications for business Flashcards
Technologies and security management features
A. Safeguarding records and files
B. Back up files
  1. Son-father-grandfather concept
  2. Backup of systems that can be shut down
  3. Backups of systems that do not shut down
  4. Mirroring
C. Uninterrupted power supply
D. Program modification controls
E. Data encryption
  1. Digital certificates
  2. Digital signatures vs E-signatures
F. Managing passwords
  1. Password length
  2. Password complexity
  3. Password age
  4. Password reuse
G. User access
  1. Initial passwords and authorization for system access
  2. Changes in position
A. Safeguarding records and files
- inadequate protection may result in damage or loss
- data can be protected by the use of internal and external labels and file protection rings
B. Back up files
- Son-father-grandfather concept - the most recent file is called the son; the backup process includes reading the previous file, recording the transactions being processed, and then creating a new updated master file. There are always at least two backups.
- Backup of systems that can be shut down - the backup is updated when the system is shut down
- Backups of systems that do not shut down - recovery includes applying a transaction log and reapplying those transactions to get back to the point immediately before the failure
- Mirroring - the use of a backup computer to duplicate all of the processes and transactions on the primary computer
C. Uninterrupted power supply
a device that maintains a continuous supply of electrical power to connected equipment. Also called a battery backup.
D. Program modification controls
Program modification controls are controls over the modification of programs being used in production applications. They include controls designed to prevent changes by unauthorized personnel and also controls that track program changes.
E. Data encryption
E. Data encryption - an essential foundation for electronic commerce. Encryption involves using a password or a digital key to scramble a readable message into an unreadable message. The intended recipient of the message then uses the same or another digital key to decrypt or decipher the ciphertext message back into plaintext.
- Digital certificates - an electronic document, created and digitally signed by a trusted party, which certifies the identity of the owners of a particular public key.
- The public key infrastructure - the system and processes used to issue and manage asymmetric keys and digital certificates.
- Certificate authority - the organization that issues public and private keys and records the public key in a digital certificate.
- Digital signatures vs E-signatures - digital signatures use asymmetric encryption to create legally binding electronic documents. Web-based e-signatures are an alternative mechanism for accomplishing the same objectives. An e-signature is a cursive-style imprint of a person's name that is applied to an electronic document.
F. Managing passwords
F. Managing passwords - every account needs one
- Password length - 7-8 characters
- Password complexity - uppercase, lowercase, numeric, and special ASCII characters (!@#$)
- Password age - changed every 3 months
- Password reuse - passwords should not be reused (24 passwords)
G. User access
- Initial passwords and authorization for system access
- Changes in position - HR and IT communication
Brute force attack
the attacker simply tries every possible key until the right one is found
A. Security Policy defined
A. Security Policy defined - a document that states how an org plans to protect the org’s info.
B. Security Policy goal
B. Security Policy goal - requires people to protect info, which protects the org, its people, and customers.
C. States and Locations of information covered by security policies:
- The security policy should seek to secure info that exists in 3 distinct states:
a. Stored information
b. Processed information
c. Transmitted information
- Information resides in locations:
a. information technology systems
b. paper
c. human brain
- Relationship between states and locations of info (Examples):
a. Info systems - stored on hard drives, processed on computers, transmitted via the Internet
b. Paper - file cabinets, copy machine, fax
c. Brain - memory, synapses, language
Types of policies
- Program level policy - used for creating a management sponsored computer security program. A program level policy, at the highest level, might prescribe the need for information security and may delegate the creation and management of the program to a role within the IT department.
- Program-framework policy - establishes the overall approach to computer security
- Issue specific policy
- System specific policy
Development and management of security policies
- Security objectives - series of statements to describe meaningful actions about specific resources.
- Operational security - defines the manner in which a specific data operation would remain secure
- Policy implementation - security is enforced by a combination of technical and traditional management methods.
Policy support documents
- Regulations - laws, rules, and regulations that represent governmentally imposed restrictions passed by regulators and lawmakers
- Standards and baselines - topic specific (Standards) and system specific (baseline) documents that describe overall requirements for security
- Guidelines - provide hints, tips, and best practices in implementation
- Procedures - step by step instructions on how to perform a specific security activity
Decryption or decipherment
the intended recipient converts the cipher text into plain text
Digital signature
is a means of ensuring that a message is not altered in transmission. It is a form of data encryption.
Electronic Commerce (E-Commerce)
- the electronic consummation of exchange transactions
- can use a private network or the Internet as the communications provider
- may involve communication between previously known parties or between parties that have had no prior contract or agreements
Electronic Business (E-business)
- general term
- any use of information technology like networking and communications technology to perform business processes in an electronic form
- may or may not relate to selling or buying
Electronic Data Interchange (EDI)
the computer-to-computer exchange of business transaction documents
EDI - Reduced handling costs and increased processing speed
reduces transaction handling costs and speeds transaction processing
EDI - Standard data format
a. Mapping - the process of determining the correspondence between data elements in an organization's terminology and data elements in standard EDI terminology.
b. Standards - several different standards
- XML (Extensible Markup Language) - a technology that has been developed to transmit data in flexible formats instead of the standard formats of EDI.
EDI - Communication
EDI can be implemented using direct links between the organizations exchanging information, via communication intermediaries (VANs or networks of VANs), or over the Internet.
Features of EDI
- allows the transmission of electronic documents between computer systems in different organizations
- reduces handling costs and speeds transaction processing compared to traditional paper-based processing.
- requires that all transactions be submitted in a standard data format
- can be implemented using direct links between the trading partners, communication intermediaries, VANs or networks of VANs, or over the Internet.