Chapter 6 Textbook Outline – ACC 375
This 4 page Class Notes was uploaded by Lauren95 on Wednesday March 30, 2016. The Class Notes belongs to ACC 375 at Pace University taught by Dr. Farrell in Spring 2016. Since its upload, it has received 11 views.
Date Created: 03/30/16
Chapter 6 – Information Security

Information security involves protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:
    o Confidentiality: preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.
    o Integrity: guarding against improper information modification or destruction, and ensuring information nonrepudiation and authenticity.
    o Availability: ensuring timely and reliable access to and use of information.
The term information security (computer security) is a broad concept that deals with the security of all information in the organization, regardless of whether it is computerized or not.
The information security management system (ISMS) is an organizational internal control process that controls the special risks associated with information within the organization:
    o Confidentiality
    o Integrity
    o Availability of information
An ISMS typically has the basic elements of any information system:
    o Hardware
    o Databases
    o Procedures
    o Reports
The information security management system is part of the larger enterprise risk management (ERM) process.
    o ERM is the process by which management balances risks against opportunities.
Information security systems are developed by applying the established methods of systems analysis:
    o Design
    o Implementation
    o Operation, evaluation, and control
Life-Cycle Phases:
    o Systems analysis – Analyze system vulnerabilities in terms of relevant threats and their associated loss exposures.
    o Systems design – Design security measures and contingency plans to control the identified loss exposures.
    o Systems implementation – Implement the security measures as designed.
    o Systems operation, evaluation, and control – Operate the system and assess its effectiveness and efficiency. Make changes as circumstances require.
Security System
    o Phase 1: produce a vulnerability and threat analysis report.
    o Phase 2: design a comprehensive set of risk-control measures, including both security measures to prevent loss and contingency plans to deal with losses should they occur.
    o All phases together are referred to as information system risk management: the process of assessing and controlling information system risks.
ISO 27001 uses the terms planning, doing, checking, and acting.
    o Planning corresponds to analysis and design.
    o Doing corresponds to implementation and operation.
    o Checking and acting correspond to evaluation and control.
The information security system must be managed by a chief security officer (CSO).
    o Reports directly to the Board of Directors to maintain complete independence.
    o The CSO should present reports to the Board of Directors for approval.
Life-Cycle Phases:
    o Systems analysis – A summary of all relevant loss exposures.
    o Systems design – Detailed plans for controlling and managing losses, including a complete security budget.
    o Systems implementation; systems operation, evaluation, and control – Reports on security system performance, including an itemization of losses and security breaches, an analysis of compliance, and the costs of operating the security system.
Quantitative approach to risk assessment – each loss exposure is computed as the product of the cost of an individual loss times the likelihood of its occurrence.
Qualitative approach to risk assessment – lists the system's vulnerabilities and threats, subjectively ranking them in order of their contribution to the company's total loss exposure.
    o Business interruption
    o Loss of software
    o Loss of data
    o Loss of hardware
    o Loss of facilities
    o Loss of reputation
A vulnerability is a weakness in a system. A threat is a potential exploitation of a vulnerability.
    o Active vs. passive threats: Active threats include information system fraud and computer sabotage. Passive threats include system faults, as well as natural disasters.
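As an added example (not from the textbook or these notes), the quantitative and qualitative approaches above applied to the six loss-exposure categories the outline lists. The dollar amounts, likelihoods and subjective ranks are constructed for illustration; the useful output is the ranking each approach produces and where the two disagree, which is where management's judgement and the numbers should be reconciled.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class LossExposure:
    name: str
    single_loss_cost: float     # cost of one occurrence, in dollars (constructed)
    annual_likelihood: float    # expected occurrences per year (constructed)
    qualitative_rank: int       # 1 = judged most significant by management (constructed)


def expected_annual_loss(exposure: LossExposure) -> float:
    """Quantitative approach: cost of an individual loss times its likelihood."""
    return exposure.single_loss_cost * exposure.annual_likelihood


def total_loss_exposure(exposures: List[LossExposure]) -> float:
    """The company's total quantitative loss exposure for the year."""
    return sum(expected_annual_loss(e) for e in exposures)


def quantitative_ranking(exposures: List[LossExposure]) -> List[str]:
    """Order exposures by expected annual loss, largest first."""
    return [e.name for e in sorted(exposures, key=expected_annual_loss, reverse=True)]


def qualitative_ranking(exposures: List[LossExposure]) -> List[str]:
    """Order exposures by management's subjective rank (1 = highest)."""
    return [e.name for e in sorted(exposures, key=lambda e: e.qualitative_rank)]


def ranking_disagreements(exposures: List[LossExposure]) -> List[str]:
    """Exposures the two approaches place in different positions.
    These are the entries worth a second look: either the estimate
    of cost/likelihood or the subjective rank is probably off."""
    quant = quantitative_ranking(exposures)
    qual = qualitative_ranking(exposures)
    return [name for name in quant if quant.index(name) != qual.index(name)]


# Constructed sample risk register using the outline's six categories.
SAMPLE_EXPOSURES = [
    LossExposure("Business interruption", 250_000, 0.20, 1),
    LossExposure("Loss of software",       40_000, 0.50, 5),
    LossExposure("Loss of data",          120_000, 0.30, 2),
    LossExposure("Loss of hardware",       60_000, 0.25, 4),
    LossExposure("Loss of facilities",    900_000, 0.01, 6),
    LossExposure("Loss of reputation",    300_000, 0.10, 3),
]


if __name__ == "__main__":
    total = total_loss_exposure(SAMPLE_EXPOSURES)
    print(f"Total expected annual loss: ${total:,.0f}")
    for name in quantitative_ranking(SAMPLE_EXPOSURES):
        exposure = next(e for e in SAMPLE_EXPOSURES if e.name == name)
        eal = expected_annual_loss(exposure)
        print(f"  {name:<22} ${eal:>9,.0f}  ({eal / total:5.1%} of total)")
    print("Disagreements with the qualitative ranking:",
          ranking_disagreements(SAMPLE_EXPOSURES))
```

With these constructed figures the quantitative approach ranks business interruption, loss of data and loss of reputation at the top, the same as management's subjective ranking, but it swaps loss of software and loss of hardware: software has a lower single-loss cost but a higher likelihood, which the qualitative ranking understated. Note that loss of facilities carries the largest single-loss cost yet ranks last on expected annual loss because of its low likelihood, which is exactly why the quantitative approach multiplies the two rather than looking at cost alone.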
System faults represent component equipment failures such as disk failures and power outages.
System personnel include computer maintenance persons, programmers, operators, information systems administrative personnel, and data control clerks.
    o Maintenance persons install hardware and software, repair hardware, and correct minor errors in software.
    o System programmers often write programs to modify and extend the network, network operating systems, workstations, and so on.
    o Network operators are individuals who oversee and monitor the immediate operation of the computer and communications network.
    o Information systems administrative personnel – the systems supervisor is in a position of trust. This person normally has access to security secrets, files, programs, etc.
    o Data control clerks are the people responsible for the manual and automated inputting of data into the computer.
Users are composed of heterogeneous groups of people and can be distinguished from the others because their functional area does not lie in data processing or information technology.
Intruder – anyone who accesses equipment, electronic data, files, or any kind of privileged information without proper authorization.
Hackers – intruders who use electronic and other means to break into or attack information systems for fun, challenge, profit, or other nefarious motives.
    o White hat hackers probe systems for weaknesses in order to help with security.
    o Black hat hackers attack systems for illegitimate reasons.
Pretexting is a form of social engineering in which the perpetrator impersonates another person, usually in a phone call or other electronic communication.
Phishing is another form of social engineering.
    o Aims to trick victims into giving passwords, money, or other valuable assets directly to the perpetrator.
Malware (malicious software) describes software written with malicious intent.
A Trojan horse describes malware that either is contained within benign software or is masquerading as benign software.
Keyboard loggers secretly record and transmit to the hacker all of the victim's keystrokes.
A backdoor is a method of covertly eluding normal authentication procedures while accessing a computer system.
A botnet is a collection of computers that are infected with malware and controlled by a hacker.
Denial-of-service (DoS) attacks involve flooding the victim with such enormous amounts of illegitimate network traffic that the victim becomes so overloaded it can no longer process legitimate information.
Viruses are designed to replicate themselves and thus spread throughout a computer or a network.
Spyware is covertly installed on a victim's computer and then collects and relays to the perpetrator personal information about the victim.
Adware is software that displays advertisements.
A worm is malware that silently spreads from one computer to another over a network.
A distributed DoS (DDoS) attack is a DoS attack that is distributed over many different nodes on the Internet or another network.
Shoulder surfing involves the surreptitious direct observation of confidential information.
Dumpster diving involves sifting through garbage to find confidential information such as discarded bank statements, department store bills, utility bills, and tax returns.
A cloned cell phone is an exact and illegitimate copy of another cell phone.
    o Intercepts text messages sent to and from the counterpart phone.
    o Intercepts voice calls as well.
An exploit occurs when a hacker takes advantage of a bug, glitch, or other software or hardware vulnerability to access the software or hardware, or related data or other resources, in an unauthorized manner.
Code injection involves tricking a computer program into accepting and running software supplied by a user.
Vulnerability scanners remotely scan networked computers, searching for responses on open ports connected to software that has a known vulnerability.
Methods of attack by information system personnel and users:
    o Input manipulation – requires the least amount of technical skill.
    o Program alteration – requires programming skills that are possessed by only a limited number of people.
    o Direct file alteration – individuals find ways to bypass the normal process for inputting data into computerized information systems, and by doing so directly access and pilfer information from, or alter, computer files.
    o Data theft
    o Sabotage – destruction of a computer or software.
    o Misappropriation or theft of information resources – using the company's resources for personal use or for one's own business.
A layered approach to access control involves erecting multiple layers of controls that separate the would-be perpetrator from his or her potential targets.
    o Site-access controls physically separate unauthorized individuals from information system resources.
    o System-access controls authenticate users by means such as user IDs, passwords, IP addresses, and hardware devices.
    o File-access controls prevent unauthorized access to data and program files.
Software piracy is the illegal copying and distribution of copyrighted software.
Virtualization involves running multiple operating systems, or multiple copies of the same operating system, all on the same machine. The individual operating system instances run under the control of a "master program" called a hypervisor.
Grid computing involves clusters of interlinked computers that share common workloads.
Risk management concerns prevention and contingency planning.
    o A cold site is an alternate computing site that contains the wiring for computers but no equipment.
    o A hot site is an alternate site that contains the wiring and the equipment as well.
    o A business continuity plan is a strategy to mitigate disruption to business operations in the event of a disaster.
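As an added example (not from the textbook or these notes), the layered approach to access control described above expressed in code. Site-access controls are physical and are not modelled; the system-access layer checks the four factors the outline names (user ID, password, IP address, hardware device) and the file-access layer checks per-file permissions. A request must pass every layer, and the result names the layer that denied it so the denial can be logged and investigated. All users, addresses, token serials and file names are constructed.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# ----- constructed directory of authorized users (hypothetical data) -----

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 hash; only this, never the plaintext, is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    user_id: str
    salt: bytes
    password_hash: bytes
    allowed_networks: List[ipaddress.IPv4Network]   # where this user may log in from
    hardware_token_id: str                          # serial of the registered device
    file_permissions: Dict[str, Set[str]] = field(default_factory=dict)


SALT = b"constructed-salt-value"
USERS: Dict[str, User] = {
    "jdoe": User(
        user_id="jdoe",
        salt=SALT,
        password_hash=hash_password("correct horse battery staple", SALT),
        allowed_networks=[ipaddress.ip_network("10.1.0.0/16")],
        hardware_token_id="TOKEN-0001",
        file_permissions={"payroll.dat": {"read"}, "ledger.dat": {"read", "write"}},
    ),
}


@dataclass
class AccessRequest:
    user_id: str
    password: str
    source_ip: str
    hardware_token_id: str
    file_name: str
    action: str   # "read" or "write"


# ----- layer 2: system-access controls -----

def check_system_access(req: AccessRequest) -> Optional[str]:
    """Authenticate by user ID, password, source IP address and hardware
    device. Returns the reason for denial, or None if the layer is passed."""
    user = USERS.get(req.user_id)
    if user is None:
        return "unknown user ID"
    candidate = hash_password(req.password, user.salt)
    if not hmac.compare_digest(candidate, user.password_hash):   # constant-time compare
        return "bad password"
    ip = ipaddress.ip_address(req.source_ip)
    if not any(ip in net for net in user.allowed_networks):
        return f"source address {req.source_ip} not permitted for this user"
    if not hmac.compare_digest(req.hardware_token_id, user.hardware_token_id):
        return "hardware device not registered to this user"
    return None


# ----- layer 3: file-access controls -----

def check_file_access(req: AccessRequest) -> Optional[str]:
    """Even an authenticated user may perform only the actions granted
    on each individual file."""
    user = USERS.get(req.user_id)
    if user is None:
        return "unknown user ID"
    granted = user.file_permissions.get(req.file_name, set())
    if req.action not in granted:
        return f"{req.action} on {req.file_name} not granted to {req.user_id}"
    return None


def authorize(req: AccessRequest) -> Tuple[bool, str]:
    """Run the layers in order; the request must pass every one.
    The explanation names the denying layer for the security log."""
    for layer_name, check in (("system access", check_system_access),
                              ("file access", check_file_access)):
        reason = check(req)
        if reason is not None:
            return False, f"denied at {layer_name} layer: {reason}"
    return True, "allowed"


if __name__ == "__main__":
    good = AccessRequest("jdoe", "correct horse battery staple", "10.1.5.7",
                         "TOKEN-0001", "ledger.dat", "write")
    print(authorize(good))
    print(authorize(AccessRequest("jdoe", "correct horse battery staple", "10.1.5.7",
                                  "TOKEN-0001", "payroll.dat", "write")))
    print(authorize(AccessRequest("jdoe", "correct horse battery staple", "192.168.1.1",
                                  "TOKEN-0001", "ledger.dat", "read")))
```

The point of the layering is visible in the second and third calls: a fully authenticated user is still stopped at the file-access layer when asking to write a file they may only read, and a correct password and token are not enough when the request comes from a network the user is not registered for. Comparing the password hash and the token serial with hmac.compare_digest rather than == avoids leaking, through timing, how many leading bytes matched.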