Flashcards in Foundations II Deck (302)
What are the infrastructure elements that require protection?
computer hardware, network hardware, network systems, computer platforms
What does network hardware refer to?
equipment such as routers, switches, gateways and access points that facilitate the use and management of a computer network.
What are network servers?
centralized computers that may contain business information accessible to many users, often simultaneously.
What are the two broad categories of network systems?
Local area networks (LANs) and wide area networks (WANs)
What is a LAN?
Local area network - exists within an operational facility, is considered within local operational control and is relatively easy to manage.
What is a WAN?
Wide area network - may involve coordination between several groups, is considered outside of local operational control and is relatively difficult to manage.
What is the most common type of LAN connection?
What types of connections are becoming increasingly common with WANs?
Optical connections - they use complex light wave patterns to transmit information rather than electrical impulses.
What network systems must be managed in order to ensure effective information security?
Internet, the cloud, intranet, extranet, private branch exchange (PBX), remote access connectivity, mobile and wireless network connectivity, VoIP, email
When is an extranet formed?
When two or more corporate intranets are connected.
What do PBX systems control?
Telephone interactions; they also store VM (voicemail) and perform many other functions related to telephony.
What should be used to manage mobile connectivity?
Virtual Private Networks (VPNs)
What is a VPN?
A system that incorporates authentication and encryption schemes in order to create a secure connection to an organizational LAN that is made available to authorized users over the Internet.
What are two common threats to mobile and wireless network connectivity?
Data interception and data emulation
What is VoIP?
Voice over Internet Protocol - allows telephone calls to be made over a private WAN or the Internet itself.
What are the three general categories of computer platforms?
mainframes, servers, and desktops/smaller computers
Should business-critical information be exclusively stored on desktops or other personal computers?
No. Business-critical information should be managed in a centralized manner where it can be secured, backed up and included in a disaster recovery plan.
What are security controls?
The processes used to ensure the security of an information system. It is important that a control monitoring process be set up to provide prompt notification in the event that any of the controls fail.
What are the three main types of security controls?
Preventative, Detective & Corrective
What are the two general types of data encryption?
Encryption in communication and encryption at rest (encryption of data stored locally)
What is decryption?
The function used to reverse the encryption of information and reveal it in plain text.
Is encryption a good way to ensure authentication?
No, encryption is a good means of ensuring confidentiality, but it is not good for authentication as it does not verify that the person who claims to have sent the message is the true sender.
What is encryption?
The process of obscuring information, often through the use of a cryptographic scheme, to make the data unreadable without special knowledge.
What is the dual purpose of information security systems?
Providing access to the end user while protecting the data from other end users.
What are some important things that retention schedules should address?
Record types (levels of sensitivity) and retention periods (duration of storage); both should be based on demonstrated business needs and on any applicable regulatory requirements.
EXTRA CREDIT - How does a traditional computer hard drive work?
It uses a magnet to change the polarity of charged particles on the surface of the magnetic disc. (Remember the eBay example on pg. 91).
What is the measure by which information should be protected?
Information should be protected in accordance with the value of the asset - the higher the value, the greater the security.
What are criteria on which asset value should be based for information security purposes?
(1) sensitivity and confidentiality, (2) potential liability, (3) intelligence value, (4) criticality to the business
What does effective risk management balance?
The potential for loss with the cost of security protection and management.