Flashcards in BEC 4 Types of Information Systems and Technology Risks and Appendix Deck (48)
Loading flashcards...
1
Strategic risk
- risk of choosing inappropriate technology
2
Operating risk
- risk of doing the right things in the wrong way
3
Financial risk
- risk of having financial resources lost, wasted or stolen
4
Information risk
- risk of loss of data integrity, incomplete transactions, or hackers
5
Specific risk
1. Error - carelessness, failure to follow directions or ignorance due to poor training
2. Intentional acts - sabotage, embezzlements, viruses, denial of service attacks
3. Disasters - fires, floods, earthquakes, high winds, terrorism and war
6
Virus
- a piece of a computer program that inserts itself into some other program, including operating systems to propagate.
- It requires a host program to propagate and can’t run independently
7
Worm
- a program that can run independently and normally propagates itself over a network
- it can’t detach itself to other programs
8
Trojan horse
- a program that appears to have a useful function but contains a hidden and unintended function that presents a security risk
9
Denial of Service attack
- one computer bombards another computer with a flood of information intended to keep legitimate users from accessing the target computer or network
10
Phishing
- sending of phony emails to try to lure people to phony websites asking for financial information
11
Spam
unsolicited email
12
Risk assessment and control activities
1. Risk - possibility of harm or loss
2. Threat - any eventuality that represents a danger to an asset or a capability linked to hostile intent
3. Vulnerability - characteristic of a design, implementation or operation that renders the system susceptible to a threat
4. Safeguards and controls - policies and procedures that when effectively applied, reduce or minimize vulnerabilities
13
Risk assessment
- identify risks
- evaluate the risks in terms of the probability of occurrence
- evaluate the exposure of potential loss
- identify controls
- evaluate the costs and benefits of implementing the controls
- implement the controls that are cost effective
14
Evaluation and Types of controls
- evaluated on cost/benefit basis
15
Access controls
1. Physical access
a. User identification codes
b. File attributes
3. Assignment and maintenance of security levels
4. Callback on dial up systems
5. File attributes
6. Firewalls
a. firewalls deter
b.network firewalls
c. application firewalls
d. firewalls methodologies
- packet filtering - examines packets of data as they pass via the firewall according to the rules. Firewall configuration
- circuit level gateways - allow data into a network that result from requests from computers inside the network
- application level gateways - examine data coming into the gateway in a more sophisticated fashion
16
Disaster recovery
consists of an entity’s plans for continuing operations in the event of the destruction of not only program and data files, but also processing capabilities.
17
Major players in disaster recovery
- organization itself
- external service provider,
the disaster recovery services provider
18
Steps in disaster recovery
1. assess the risks
2. identify mission critical applications and data
3. develop a plan for handling applications
4. determine the responsibilities of the personnel involved
5. test the disaster recovery plan
19
Advantages and disadvantages of disaster recovery and business continuity
- without the plan, the company may be out of business
20
Split mirror backup
as the size of data needed to support many large companies grows. so does the time and resources that it takes those companies to back up and recover their data.
21
Use of a disaster recovery services
different services like an empty room to providing facilities across the country to relocate end user personnel
22
Internal disaster recovery
- some organizations with the requirement for instantaneous or almost instant resumption of processing in the event of a disaster provide their own duplicate facilities in separate locations.
- data might be mirrored and processing can be switched almost instant from one location to the other
- duplicate data center and data mirroring is very expensive
23
Multiple data center backups
1. Full backup - exact copy of the entire database
2. Partial backup
- an incremental backup - copying only the data items that have changed since the last back up
- differential backup - all changes made since the last full backup, each new differential backup file contains the cumulative effects of all activity since the last full backup
24
Types of off site locations
1. Cold site *
2. Hot site
3. Warm site
Cold site - off site location that has all the electrical connections and other physical requirements for data processing, but it does not have the actual equipment
25
Types of off site locations
1. Cold site
2. Hot site *
3. Warm site
Hot site - an off site location that is equipped to take over the company’s data processing. Backup copies of essential data files and programs may also be maintained at the location or data storage facility.
1. Telecommunications network
2. Floor space and equipment determination
3. Personnel issues
26
Types of off site locations
1. Cold site
2. Hot site
3. Warm site *
Warm site - a facility that is already stocked with all the hardware that it takes to create a reasonable facsimile of the primary data center
27
Business information system risks
1. Strategic risk
2. Operating risk
3. Financial risk
4. Information risk
28
Access controls
Access controls limit access to documentation, data files, programs, and computer hardware to authorized personnel.
Examples include locks, passwords, user identification codes, assignment of security levels, callbacks on dial up systems, the setting of file attributes, and the use of firewalls.
29
Firewall
a system often both hardware and software, of user identification and authentication that prevents unauthorized users from gaining access to network resources
30