Topic 1: Introduction to IS Security and Risk Management
What is security?
Degree of protection against criminal activity, danger, damage and/or loss.
What is the CIA triad?
in terms of:
What factors increase risk?
1. Today's interconnected, interdependent, wireless networked environment
2. Smaller, faster, cheaper computers and storage devices
3. Decreasing skills necessary to be a hacker:
-New and easier tools make it very easy to attack the network
-Attacks are becoming increasingly sophisticated
4. Organised crime taking over cybercrime
5. Lack of management support
What type of threats can people pose?
1. Human error (careless use, opening questionable emails, careless browsing, downloading and installing unvetted software).
2. Social Engineering (done via tailgating or shoulder surfing, email scams, hazardous spyware that allow backdoor access or map keystrokes).
3. Deliberate threats (information extortion, sabotage or vandalism, information theft like dumpster diving).
4. Deliberate attacks (espionage or trespass, denial of service, identity theft, stealing of intellectual property, software attacks, alien software, Supervisory Control and Data Acquisition (SCADA) attacks, information warfare and cyberterrorism).
What is Identity Theft?
-the deliberate assumption of another person's identity to gain access to financial information or perpetrate crime.
>Impersonation of trusted organisations (via email or phone)
>Abusing access rights to clients
What are some compromises to Electronic Property and assets?
What are a few Software Attacks?
-Virus: segment of computer code which performs malicious actions once attached to another program.
-Worm: a segment of computer code that spreads and replicates by itself and performs malicious actions.
-Trojan horse: program that hides in other programs.
-Logic Bomb: a segment of computer code that is embedded within a program that is designed to activate and perform destructive actions at a certain time and date.
-Spyware: collects information about users without informed consent.
-Spamware: alien software that uses a computer as a launchpad for sending unsolicited emails.
-Cookies: small deposits of information websites store on your computer.
What is the difference between risks and risk mitigation?
-Risk: managing and analysing potential threats.
-Risk Mitigation: stopping risks via accepting, limiting and transferring risks.
What types of security controls are there?
>state, national and international laws.
>Guards, fences, gates and locks
-Access controls (authentication):
>something the user is (biometrics), has (company data), does (steal or damage) and knows (classified, top secret, public access etc.)
>privileged to least privileged
What types of communication controls are there?
-firewalls (physical or software: built in)
-anti-malware (anti virus software packages)
-white and black listing (e.g. ad-blockers or DNS)
-encryption: converting a message into a form only the intended receiver can read; public access keys and digital certificates.
-VPN: use logins and encryption to establish secure, private connection on a public network.
-TLS: encryption standard for secure transactions, e.g. credit card transactions or online banking.
-monitoring systems: watching employee computers, emails and internet activities via methods like spyware.
What is contingency planning?
-a process that prepares an organisation to respond coherently to an unplanned event.
-Plan to manage disaster circumstances
-Develop resilience to recover quickly
-Getting the business back to normal operation
What types of contingency plans are there?
-Incident Recovery Plan: a policy that defines, in specific terms, a step-by-step process that should be followed when an incident occurs.
-Disaster Recovery Plan: document policies, procedures, and actions to limit the disruption to an organisation in the wake of a disaster.
-Business Continuity Management: a framework for identifying an organisation's risk of exposure to internal and external threats.
What categories of IS Risks are there?
-Knowledge Based Risks
What do IS Risks depend on?
-The likelihood of a problematic event occurring in the planning, development or maintenance phases of an IS project.
-the impact on the company.
What is IT Governance?
-The processes that ensure the effective and efficient use of IT in enabling an organisation to achieve its goals.
-used to manage risks when organising and administering IT in companies.
-6 principles according to the Australian Standard on Corporate Governance in ICT:
>Establish clearly understood responsibilities in ICT
>Plan ICT to best support the organisation
>Acquire ICT for valid reasons
>Ensure ICT performs well
>Ensure ICT conforms to formal rules
>Respect the human factors in ICT
What is the framework for IT Governance?
>Are we doing the right things?
>Are we doing them the right way?
>Are we getting things done?
>Are we getting benefits?
-In terms of:
>IT Value Delivery
>IT Risk Management
>IT Resource Management
What are Information Security Risks?
-lead to the loss of data confidentiality or integrity in a system, or the loss of information resource availability.
>More devices emerging (e.g. PDAs, tablets, smartphones etc.).
>Employees use the devices to communicate with consumers and companies.
>the downloading of malicious software on to company computer systems.
>Physical threats: vandalism of hardware or poor air conditioning.
>Natural disasters: floods, fires, tornadoes etc.
What are e-business Risks?
>false or malicious websites
>Denial of service
What are some legal and ethical issues related to IS?
-Companies must comply with national and international laws
-Privacy: user information must be disclosed.
-Intellectual Property: do not illegally copy other people's work without consent.
How are outsourcing risks a problem?
Can lead to complex costs, relating to training, support, differing laws and regulations, testing etc.
What are Knowledge based risks?
-key source of competitive advantage
>loss of knowledge when experts leave
>employees don't share knowledge.