Chapter 12: Managing Information Security and Privacy Flashcards Preview


Flashcards in Chapter 12: Managing Information Security and Privacy Deck (76)

Identity Theft

Stealing, misrepresenting, or hijacking the identity of another person or business

Vital information, such as a person’s name, address, date of birth, social insurance number, and mother’s maiden name, is often all that is needed to facilitate impersonation.


The Personal Information Protection and Electronic Documents Act (PIPEDA)

In Canada, PIPEDA gives individuals the right to know why an organization collects, uses, or discloses their personal information

PIPEDA does not, however, facilitate individuals suing organizations


Security threats

A problem with the security of information or the data therein, caused by human error, malicious activity or natural disaster


Three sources of security threats

(1) human error and mistakes,
(2) malicious human activity,
(3) natural events and disasters.


Human errors and mistakes

Include accidental problems caused by both employees and others outside the organization.

An example is an employee who misunderstands operating procedures and accidentally deletes customer records


Malicious human activity

This category includes employees and others who intentionally destroy data or other system components. It also includes hackers who break into a system, virus and worm writers who infect computer systems, and people who send millions of unwanted emails



Unwanted email messages


Natural events and disasters

Category includes fires, floods, hurricanes, earthquakes, tsunamis, avalanches, and other acts of nature or accidents.

Problems in this category include not only the initial loss of capability and service but also losses stemming from actions to recover from the initial problem.


Five types of security problems

(1) unauthorized data disclosure,
(2) incorrect data modification,
(3) faulty service,
(4) denial of service,
(5) loss of infrastructure


Unauthorized data disclosure

Can occur by human error when someone inadvertently releases data in violation of policy.

An example at a college or university would be a new department administrator who posts student names, numbers, and grades in a public place

In Canada, this type of disclosure is covered by PIPEDA


Pretexting

Occurs when someone deceives by pretending to be someone else.

A common scam involves a telephone caller who pretends to be from a credit card company and claims to be checking the validity of credit card numbers


Phishing

A technique for obtaining unauthorized data that uses pretexting via email. The phisher pretends to be a legitimate company and sends an email requesting confidential data, such as account numbers, social insurance numbers, account passwords, and so on.


Spoofing

A term for someone pretending to be someone or somewhere else. If you pretend to be your professor, you are spoofing your professor.


IP spoofing

Occurs when an intruder uses another site’s IP (Internet Protocol) address as if it were that other site.


Sniffing

A technique for intercepting computer communications. With wired networks, sniffing requires a physical connection to the network.


Drive-by sniffers

Simply drive through an area with wireless-enabled computers and search for unprotected wireless networks. They can monitor and intercept wireless traffic at will.


Incorrect Data Modification

Incorrectly increasing a customer’s discount or incorrectly modifying an employee’s salary, earned days of vacation, or annual bonus are actions that might fall under this category

Can occur through human error when employees follow procedures incorrectly or when procedures have been incorrectly designed.


Hacking

Occurs when a person gains unauthorized access to a computer system. Although some people hack for the sheer joy of doing it, other hackers invade systems for the malicious purpose of stealing or modifying data.


Faulty Service

Includes problems due to incorrect system operations. Faulty service encompasses incorrect data modification, as well as systems that incorrectly send the wrong order to customers, programs that incorrectly bill customers, and software that sends erroneous information to employees.


Denial of service (DoS)

Security problems in which users are not able to access an information system; can be caused by human errors, natural disaster, or malicious activity


Loss of Infrastructure

Examples are a bulldozer cutting fibre-optic cables, or the maintenance staff unplugging an important device in order to plug in a vacuum cleaner.


A security program has three components:

(1) senior management involvement,
(2) safeguards of various kinds,
(3) incident response


(1) senior management involvement,

First, senior management must establish the security policy. This policy sets the stage for the organization’s response to security threats.

Second, senior management must manage risk by balancing the costs and benefits of the security program.


Technical safeguards

Involve the hardware and software components of an information system.


Primary technical safeguards

1) identification and authentication
2) Encryption
3) Firewalls
4) Malware protection
5) Design for secure applications


1) identification and authentication

Every non-trivial information system should require some form of authentication.


Identification

The process whereby an information system identifies a user by requiring the user to sign on with a user name and password.


Authentication

The process whereby an information system approves (authenticates) a user by checking the user's password.


Authentication methods fall into three categories:

(1) what you know (password or PIN),
(2) what you have (smart card),
(3) what you are (biometric).



- Users tend to be careless in their use.
- Users tend to be free in sharing their passwords with others.
- Many users choose ineffective, simple passwords or use the same password for many systems.