Study Unit 14 Flashcards
(41 cards)
System Availability
uninterrupted flow of electricity
protection of computer hardware from environmental hazards
protection of software and data files from unauthorized alteration
preservation of functioning communication channels between devices
Risks associated with Business Information Systems
- system availability
- volatile transaction trails (short lived)
- decreased human involvement
- uniform processing of transactions
- unauthorized access
- data vulnerability
- reduced segregation of duties
- reduced individual authorization of transactions
- malware
Malware
any program code that enters a computer with the potential to degrade it; types include
- trojan horse
- virus (incl. logic bombs)
- worm
- denial of service
- phishing
- back door
Trojan horse
appears innocent but includes hidden function that can damage when activated
virus
program that copies itself from file to file, may destroy data or programs
- logic bombs: type of virus triggered by a predetermined event
worm
copies itself not from file to file but from computer to computer, very rapidly
repeated replication overloads a system by depleting memory or overwhelming the network
COBIT 5 Key principles
governance framework that addresses IT
1) Meet Stakeholder Needs
2) Cover the Enterprise End to End
3) Apply a Single, Integrated Framework
4) Enable a Holistic Approach
5) Separate Governance from Management
Stakeholder Needs
value creation is the most basic stakeholder need; the fundamental goal
value creation = realization of benefits, optimization of risk, optimal use of resources
Covering Enterprise E2E
comprehensive look at the functions and processes that require enterprise-wide IT governance
Applying Single, Integrated Framework
standards consistently applied across the enterprise
Enabling a Holistic Approach
7 categories (enablers) that support comprehensive IT governance and management
- principles, policies, frameworks
- processes
- organizational structure
- culture, ethics, behavior
- information
- services, infrastructure, applications
- people, skills, competencies
Last 3 items are resources; should be optimized
Separating Governance from Management
requires treatment as distinct activities
- governance: setting overall objectives, monitoring progress (board of directors)
- management: carrying out activities to pursue enterprise goals
- 4 responsibility areas addressed: plan, build, run, monitor
3 principal goals for info security programs
data confidentiality- protect from disclosure to unauthorized persons
data availability- ensure the information system is up and running for access
data integrity-ensure data accurately reflects business events & not tampered with or destroyed
Steps to create an information security plan
1) Identify threats to information
2) Identify the risks the threats entail- 2 phases (likelihood of threat and potential level of damage)
3) Design controls for the risks
4) Make the controls part of the enterprise-wide information security plan
5) Set up policies
General controls
umbrella under which IT operates; affect the entire processing environment; include controls over
- data center and network operations
- systems software acquisition, change, maintenance
- access security
- application system acquisition, development, maintenance
Controls over data center and network ops
ensure efficient and effective operation of computer activity
include the control environment and risk assessment
controls over software acquisition, change, maintenance
ensure proper software is available to use
Controls over access
encompass access to hardware (physical access) and to data and programs through the system (logical access)
Application controls
particular to the org's applications
input- assurance that data received has proper authorization; data not lost or improperly changed (relate to rejection)
concurrent update- ensure correct results are generated for concurrent operations
processing- processing performed as intended for the application; all transactions processed as authorized; no authorized transaction omitted; no unauthorized transaction added
output- ensure accuracy of processing results and receipt of output by authorized personnel only
Hardware controls
built into the equipment by the manufacturer; ensure proper internal handling of data as it is moved and stored
- include parity checks, echo checks, and read-after-write checks built into the equipment to ensure data integrity
Physical control
limit physical access and environmental damage to computer equipment, data, and important documents; includes access controls such as
- passwords, ID numbers
- device authorization table
- system access log
- encryption
- callback- requires remote user to call, give ID, and wait for a call back to an authorized number
- controlled disposal of documents
- biometric technology
- automatic log-off
- security personnel
logical controls
limit access based on the elements a person needs to perform their job
- elements of user account management
- - change password periodically; unique ID needed for access; policy prevents employees from leaving IDs/passwords written down in plain sight
GC examples
firewall, logical controls, hardware controls
firewall
combination of hardware and software that separates the internal network from the external network; stops passage of suspicious traffic
2 types
- network firewall- regulates traffic to the entire network (LAN)
- application firewall- regulates traffic to a specified application (e.g. email or file transfer)