Week 9 - Smart Accounting Information Security Management, Business Continuity Planning Flashcards
(22 cards)
Corporate governance and the challenges
–> a collection of mechanisms and processes to control and operate a firm
- BYOD (bring your own device) -> allowing employees to bring their own devices (risk: the environment is hard to manage)
- data proliferation
- privacy
COBIT is
Control Objectives for Information and Related Technologies
–> framework designed by ISACA (Information Systems Audit and Control Association)
how to be an IS Auditor
- Pass the CISA Exam (5 domains)
- 5 Years of work experience in the fields of IS Auditing, Control, Assurance, or Security
- A work experience waiver is available
How to maintain the CISA certification:
- continuing professional education (CPE)
- annual maintenance fee
- random selection of annual CPE audit
5 Domains in CISA
- IS Auditing Process
- Governance and Management of IT
- IS Acquisition, Development, and Implementation
- IS Operations and Business Resilience
- Protection of Information Assets
Goals of information system security
cost (safeguard) vs risk (loss)
elements of threats/loss
- threats (a person/organization that seeks to obtain data illegally)
- vulnerabilities (opportunity for threats to gain access to individual/organization assets)
- safeguard (some measure that a person/organization takes to block the threat from obtaining the assets)
- target (asset desired by threat)
sources of threats
- Human error
- Computer crime
- natural events and disasters
5 types of security loss
- unauthorized data
- incorrect data modification
- faulty service
- denial of service
- distributed denial of service attack
3 types of safeguard
- technical
- data
- human
describe technical safeguard
(identification and authentication, encryption, firewall, malware protection)
identification - username
authentication - password
weakness: repeated (reused) passwords
how to deal with the weakness: change the password every few months, 2-factor authentication, link with a phone number or email, fingerprint
encryption –> process of transforming clear text into coded, unintelligible text for secure storage or communication
- asymmetric encryption (separate keys, public and private)
- symmetric encryption
firewalls:
- internal
- perimeter
- firewall
Malware protection (viruses, spyware, adware, worms, Trojan horses) → broad category of software including:
1. Viruses: computer programs that can replicate themselves like cancer to corrupt computer systems and destroy data
2. Spyware: resides in the background to observe and monitor user activity; reports to the corresponding organizations
3. Adware: mostly harmless but produces popup ads
describe human safeguard
- Position definition
- Separate duties and authorities
- Determine the least privilege
- Document position sensitivity
- Hiring and screening
- Dissemination and enforcement
- Responsibility
- Accountability
- Compliance
- Termination
- friendly
- unfriendly
describe data safeguard
protects databases and other organizational data
- data administration –> organization-wide function that oversees developing data policies and enforcing data standards
- database administration –> function that pertains to a particular database (ERP, CRM, and MRP databases each have this function)
Business Continuity Planning
- to enable businesses to continue offering critical services
- to survive a disastrous interruption
- rigorous planning and commitment to resources
in BCP, IS Auditor has to: (2)
- identify critical services a company should continue to offer after interruption
- help plan the resources and procedures for recovering your client’s business in the shortest possible time
disasters and other disruptive events
- natural disasters -> earthquakes, floods, tornadoes, severe thunderstorms
- other -> outage of electricity or telecommunication service, terrorist and hacker attacks
IS Auditor’s Task in BCP (5)
- reviewing BCP, BC teams
- evaluating prior test results and offsite storage
- interviewing key personnel
- evaluating security at an offsite facility
- reviewing alternative processing contracts and insurance coverage
Alerting Key Decision-making Personnel in BCP (explain + should contain:)
1.) Telephone list / “call tree” → notification directory of key decision-making, IS and end-user personnel required to initiate and carry out recovery efforts
2.) Should contain:
- Prioritized list of contacts
- Contacts of each critical contact person (usually key team leaders)
- Contacts of representatives of equipment and software vendors, recovery facilities, media storage facilities, insurance company agents, HR services, legal/regulatory/governmental agencies
- A procedure to ascertain how many people were reached while using the call tree
Information ethics
→ ethical and moral issues arising from the development and use of information technologies as well as the creation, collection, duplication, distribution, and processing of information itself
→ ethical issues in the area of copyright infringement and intellectual property are affecting businesses and individuals
→ Technology makes it easy to copy everything digital
Everything’s faster, easier, and more globalized, e.g.:
- It is easy to download tools to hack a company website
- Downloading and sharing pirated software
technology-related issues - intellectual property
- copyright (the legal protection afforded an expression of an idea)
- fair use doctrine (in certain situations, it’s legal to use copyrighted material)
- pirated software (unauthorized use, duplication, distribution, or sale of copyrighted software)
- counterfeit software (software that is manufactured to look like the real thing and sold as such)
what can be done to stop technology-related issues
- governments should implement and enforce laws related to information ethics
- the Office of the Privacy Commissioner for Personal Data (PCPD) aims to secure the protection of the privacy of the individual through promotion, monitoring, and supervision of compliance with the Personal Data (Privacy) Ordinance
what are the policies companies should adopt?
- ethical computer use policy
- acceptable use policy
- email privacy policy - email messages may be read by others; users’ expectation of privacy is based on the false assumption that email privacy protection exists (i.e. that no one else can read their emails), but large organizations regularly read and analyze employees’ emails