Chapter 7 Information System Security and Control



Essay Questions:

1. Hackers and their companion viruses are an increasing problem, especially on the Internet. What can a digital company do to protect itself from this? Is full protection feasible? Why or why not?

2. Define the terms input controls, processing controls, and output controls, distinguishing among them.

3. The three major concerns of system builders and users are disaster, security, and administrative error. Of the three, which do you think is most difficult to deal with? Why?

4. Define a fault-tolerant computer system and a high-availability computer system. How do they differ? When would each be used?

5. Define the terms load balancing, mirroring, and clustering, distinguishing among them.

6. Discuss the issue of security challenges on the Internet as that issue applies to the global enterprise. List at least 10 Internet security challenges.

7. How does a firewall work and what does it do? Describe the two major types of firewall technology and how each works.

8. What is a digital certificate? How does it work?

9. What is required of an MIS auditor, how does he/she accomplish the task, and what does the MIS audit reveal?

10. How are encryption, authentication, digital signatures, and digital certificates each used to ensure security in electronic commerce?

Answers of Essay Questions:

1. Hackers and their companion viruses are an increasing problem, especially on the Internet. What can a digital company do to protect itself from this? Is full protection feasible? Why or why not?

For protection, a company must institute good security measures, including firewalls, background investigation of personnel to be hired, physical and software security and controls, antivirus software, and internal education. These measures are best put in place at the time the system is designed, with careful attention paid to them thereafter. A prudent company will also engage in disaster protection measures, frequent updating of security software, and frequent auditing of all security measures and of all data on which the company depends. Full protection is not feasible in light of the time and expense involved, and because new attacks keep appearing, but a risk analysis can provide insight into which areas are most important and most vulnerable. These are the areas to protect first.

2. Define the terms input controls, processing controls, and output controls, distinguishing among them.

a) Input controls check data for accuracy and completeness when they enter the system. There are specific input controls for input authorization, data conversion, data editing, and error handling.

b) Processing controls establish that data remain complete and accurate during updating. Examples are run control totals, computer matching, and programmed edit checks.

c) Output controls ensure that the results of computer processing are accurate, complete, and properly distributed.

3. The three major concerns of system builders and users are disaster, security, and administrative error. Of the three, which do you think is most difficult to deal with? Why?

a) Disaster might be the most difficult because it is unexpected, broad-based, and frequently life threatening. In addition, the company cannot know whether its disaster plan will work until a disaster occurs, and then it is too late to make corrections.

b) Security might be the most difficult because it is an ongoing problem: new viruses are devised constantly, and hackers get smarter every day. Furthermore, damage done by a trusted employee from inside cannot be prevented by perimeter security measures alone.

c) Administrative error might be the most difficult because it is not caught until too late, and the consequences may be disastrous. Also, administrative error can occur at any level and through any operation or procedure in the company.

4. Define a fault-tolerant computer system and a high-availability computer system. How do they differ? When would each be used?

Both kinds of system use backup hardware resources. Fault-tolerant computer systems contain extra memory chips, processors, and disk storage devices that can take over and keep the system running to prevent a system failure. High-availability computing places the emphasis on quick recovery from a system crash. A high-availability system includes redundant servers, mirroring, load balancing, clustering, storage area networks, and a good disaster recovery plan. The main difference between them is that fault-tolerant computer systems do not go down; high-availability computer systems may go down, but recover quickly. Companies needing a technology platform with 100 percent, 24-hour system availability use fault-tolerant computer systems. High-availability computing environments are a minimum requirement for firms with heavy electronic commerce processing or that depend on digital networks for their internal operations.

5. Define the terms load balancing, mirroring, and clustering, distinguishing among them.

a) Load balancing uses multiple servers to distribute large numbers of access requests. The requests are directed to the most available server so that no single device is overwhelmed. Post offices, banks, and other firms that use service windows practise load balancing when all customers join a single line and each person who reaches the front goes to the next free window.

b) Mirroring uses a backup server to duplicate all the processes and transactions of the primary server. If the primary server fails, the backup server immediately takes its place with no interruption in service. This is very expensive because every server requires two machines at all times.

c) Clustering links two computers together so that the second computer can act as a backup to the primary computer. If the primary computer fails, the second computer picks up its processing where the first one left off. The second computer is not a mirror of the first; it simply takes over the workload. In practice a failover involves a short pause while the cluster detects the failure and restarts the services on the surviving node.

6. Discuss the issue of security challenges on the Internet as that issue applies to the global enterprise. List at least 10 Internet security challenges.

Large public networks, including the Internet, are more vulnerable because they are open to virtually anyone and because they are so huge that when abuses do occur, they can have an enormously widespread impact. When the Internet becomes part of the corporate network, the organization's information systems become vulnerable to actions by outsiders.

Computers that are constantly connected to the Internet via cable modem or DSL line are more open to penetration by outsiders because they are always on and typically keep a fixed, or at least long-lived, Internet address at which they can be found again and again. The fixed Internet address creates a target for hackers.

To benefit from electronic commerce, supply chain management, and other digital business processes, companies need to be open to outsiders such as customers, suppliers, and trading partners. Corporate systems must be extended outside the organization so that employees working with wireless and other mobile computing devices can access them. This requires a new security culture and infrastructure, allowing corporations to extend their security policies to include procedures for suppliers and other business partners.

Some of the challenges to Internet security are: computer viruses, line taps (tapping), sniffing, message alteration, theft and fraud, hacking, vandalism, denial of service attacks, copying of data, alteration of data, and loss or theft of the machine itself.

7. How does a firewall work and what does it do? Describe the two major types of firewall technology and how each works.

A firewall is hardware and/or software generally placed between the organization's internal LANs and WANs and external networks such as the Internet. It controls access to the organization's internal networks by acting as a gatekeeper that examines each connection before its traffic is allowed onto the network. The firewall identifies names, Internet Protocol addresses, applications, and other characteristics of incoming traffic and checks this information against the access rules programmed into the system by the network administrator. The two major types of firewall are:

a) Proxies (application-level gateways) stop data originating outside the organization at the firewall, inspect them, and pass a proxy request to the other side of the firewall. If a user outside the company wants to communicate with a user inside the organization, the outside user first talks to the proxy application, and the proxy application communicates with the firm's internal computer. Because the actual packets never pass through the firewall, proxies are considered one of the most secure types of firewall. The drawback is that they consume system resources and can degrade network performance.

b) Stateful inspection scans each packet of incoming data and checks its source address, destination address, and service (port). It sets up state tables to track connections over multiple packets, so that an inbound packet is admitted only if it belongs to a connection the rules allow. User-defined access rules identify every type of packet that the organization does not want to admit. This approach is theoretically less secure because the packets themselves pass through the firewall, but it consumes fewer resources than a proxy.

8. What is a digital certificate? How does it work?

A digital certificate is a data file used to establish the identity of people and electronic assets for the protection of online transactions. It relies on a trusted third party, known as a certificate authority (CA), to validate a user's identity. The CA can be run as a function inside an organization or by an outside company. The certificate authority verifies the certificate user's identity out of band (off-line). This information is entered into a certificate authority server, which generates a digital certificate containing the owner's identification information and a copy of the owner's public key, signed with the CA's private key. The certificate authority makes its own public key available publicly, either in print or on the Internet.

The recipient of a signed or encrypted message uses the certificate authority's public key to verify the CA's signature on the digital certificate attached to the message, which confirms that it was issued by the certificate authority and has not been altered, and then obtains the sender's public key and identification information contained in the certificate. With that public key the recipient can verify the sender's signature and send an encrypted reply.

9. What is required of an MIS auditor, how does he/she accomplish the task, and what does the MIS audit reveal?

An MIS audit identifies all of the controls that govern individual information systems and assesses their effectiveness. To accomplish this, the auditor must acquire a thorough understanding of the operations, physical facilities, telecommunications, control systems, data security objectives, organizational structure, personnel, manual procedures, and individual applications of the company. The auditor usually interviews the key individuals who use and operate a specific information system about their activities and procedures. Application controls, overall integrity controls, and control disciplines are examined. The auditor traces the flow of sample transactions through the system and performs tests, using automated audit software where appropriate. The audit itself lists and ranks all control weaknesses and estimates the probability of their occurrence. It then assesses the financial and organizational impact of each threat. It includes a section for notifying management of such weaknesses and for management's response. Management is then expected to devise a plan to counter the significant weaknesses.

10. How are encryption, authentication, digital signatures, and digital certificates each used to ensure security in electronic commerce?

a) Encryption scrambles a message according to a key, sends the scrambled message, and unscrambles it at the other end using the matching key (the same secret key in symmetric encryption, or the paired private key in public key encryption).

b) Authentication uses digital signatures and digital certificates to make sure that messages are exchanged between known parties and have not been changed or forged during transmission.

c) Digital signatures are digital codes attached to an electronically transmitted message that are used to verify the origin and content of the message. The sender signs with a private key, and anyone holding the matching public key can check the signature.

d) Digital certificates are data files used to establish the identity of people and electronic assets for the protection of online transactions. They use a trusted third party to validate users' identities and bind each identity to a public key, so that public and private key pairs can be used to sign, verify, encrypt, and decrypt messages.
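The following is an added worked example for answer 2 above, written for this page rather than taken from it. It runs a constructed, hypothetical payroll-style batch through input controls (programmed edit checks), processing controls (run control totals and a hash total reconciled before and after a processing step) and an output control (distribution only to an authorised recipient). The department table, amount limit, recipient list and record layout are all assumptions made for the illustration.

```python
"""Batch input, processing and output controls (added example, not from the page).

Hypothetical batch: each record carries an employee id, a department code and
an amount.  Reference data below are assumptions for the illustration.
"""
import re
from dataclasses import dataclass, field

VALID_DEPARTMENTS = {"SALES", "OPS", "IT"}        # assumed reference table
MAX_AMOUNT = 10_000.00                            # assumed edit-check limit
AUTHORIZED_RECIPIENTS = {"payroll@example.test"}  # assumed distribution list


@dataclass
class BatchResult:
    accepted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)   # (record, reason)


def input_controls(records):
    """Edit checks applied as data enter the system: format, completeness and
    reasonableness.  Bad records go to an error list instead of the run."""
    result = BatchResult()
    for rec in records:
        reason = None
        if not re.fullmatch(r"E\d{5}", rec.get("emp_id", "")):
            reason = "emp_id format"
        elif rec.get("dept") not in VALID_DEPARTMENTS:
            reason = "unknown department"
        elif (not isinstance(rec.get("amount"), (int, float))
              or not 0 < rec["amount"] <= MAX_AMOUNT):
            reason = "amount out of range"
        if reason:
            result.rejected.append((rec, reason))
        else:
            result.accepted.append(rec)
    return result


def control_totals(records):
    """Record count, financial total, and a hash total over a non-financial
    field (the numeric part of emp_id), which must agree across each step."""
    return (
        len(records),
        round(sum(r["amount"] for r in records), 2),
        sum(int(r["emp_id"][1:]) for r in records),
    )


def processing_controls(accepted, process):
    """Run one processing step, then reconcile the run control totals.
    Raises if a record was dropped, duplicated or had its amount altered."""
    before = control_totals(accepted)
    output = process(accepted)
    after = control_totals(output)
    if before != after:
        raise RuntimeError(f"control totals mismatch: {before} != {after}")
    return output


def output_controls(output, recipient):
    """Deliver a reconciled batch only to an authorised recipient."""
    if recipient not in AUTHORIZED_RECIPIENTS:
        raise PermissionError(f"{recipient} is not an authorised recipient")
    return {"recipient": recipient, "count": len(output),
            "total": control_totals(output)[1], "records": output}


# Constructed sample batch: one malformed id, one amount over the limit.
SAMPLE_BATCH = [
    {"emp_id": "E00017", "dept": "SALES", "amount": 1200.50},
    {"emp_id": "E00042", "dept": "IT", "amount": 980.00},
    {"emp_id": "X1", "dept": "OPS", "amount": 500.00},        # bad id
    {"emp_id": "E00099", "dept": "OPS", "amount": 25000.00},  # over limit
]


def run_batch(records=SAMPLE_BATCH, recipient="payroll@example.test"):
    """Input -> processing -> output; returns what each stage produced."""
    checked = input_controls(records)
    # A legitimate step: derive a tax field without touching the controlled fields.
    compute_tax = lambda recs: [dict(r, tax=round(r["amount"] * 0.2, 2)) for r in recs]
    processed = processing_controls(checked.accepted, compute_tax)
    delivered = output_controls(processed, recipient)
    return checked, delivered


def buggy_process_detected(records=SAMPLE_BATCH):
    """A processing step that silently drops the last record; the run control
    totals catch it.  Returns True if the mismatch was detected."""
    accepted = input_controls(records).accepted
    drop_last = lambda recs: recs[:-1]
    try:
        processing_controls(accepted, drop_last)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    checked, delivered = run_batch()
    print(f"accepted {len(checked.accepted)}, rejected {len(checked.rejected)}")
    print("delivered total:", delivered["total"], "| dropped record caught:", buggy_process_detected())
```

The hash total is the piece practitioners most often leave out: a financial total alone would not notice two records being swapped for two different employees with the same amounts, while a hash total over the employee ids does.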
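The next block is an added example for answer 7(b) above, not code from the page: a toy stateful-inspection packet filter run over a few constructed packets. The addresses (TEST-NET ranges and a private 10.0.0.0/24), the inbound allow rules and the outbound deny list are assumptions chosen for the illustration. It shows the state table doing the work: a reply from the Internet is admitted only when an internal host opened that exact flow first, or when an explicit rule permits the service, and everything else inbound is dropped. Real firewalls also track TCP flags, sequence numbers and idle timeouts, which are left out here.

```python
"""Toy stateful-inspection packet filter (added example, not from the page).

Packets are plain tuples constructed below; the rule set is hypothetical.
"""
from collections import namedtuple

# direction is "out" (LAN -> Internet) or "in" (Internet -> LAN)
Packet = namedtuple("Packet", "direction src sport dst dport proto")

INTERNAL_NET = "10.0.0."                      # assumed internal address prefix
# Explicit inbound allow rules as (dst, dport, proto); everything else inbound
# is denied unless it belongs to an established connection.
INBOUND_ALLOW = {("10.0.0.80", 80, "tcp"), ("10.0.0.80", 443, "tcp")}
OUTBOUND_DENY_PORTS = {23}                    # assumed policy: no Telnet out


class StatefulFirewall:
    def __init__(self):
        # established flows keyed as (lan_ip, lan_port, remote_ip, remote_port, proto)
        self.state = set()
        self.log = []

    def _decide(self, p):
        if p.direction == "out":
            if not p.src.startswith(INTERNAL_NET) or p.dport in OUTBOUND_DENY_PORTS:
                return "deny"
            # remember the flow so that only its reply can come back in
            self.state.add((p.src, p.sport, p.dst, p.dport, p.proto))
            return "allow"
        # inbound: does this packet answer a connection a LAN host opened?
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.state:
            return "allow (established)"
        # otherwise only explicitly published services are reachable
        if (p.dst, p.dport, p.proto) in INBOUND_ALLOW:
            self.state.add((p.dst, p.dport, p.src, p.sport, p.proto))
            return "allow (rule)"
        return "deny"

    def filter(self, packets):
        decisions = []
        for p in packets:
            decision = self._decide(p)
            self.log.append((p, decision))
            decisions.append(decision)
        return decisions


# Constructed traffic using TEST-NET addresses; nothing here is real traffic.
SAMPLE_TRAFFIC = [
    Packet("out", "10.0.0.5", 40001, "203.0.113.10", 443, "tcp"),  # LAN client opens HTTPS
    Packet("in", "203.0.113.10", 443, "10.0.0.5", 40001, "tcp"),   # server reply: established
    Packet("in", "198.51.100.7", 5555, "10.0.0.5", 40001, "tcp"),  # unsolicited, same port: no state
    Packet("in", "198.51.100.7", 5555, "10.0.0.80", 80, "tcp"),    # public web server: rule
    Packet("in", "198.51.100.7", 5555, "10.0.0.80", 22, "tcp"),    # SSH from Internet: no rule
    Packet("out", "10.0.0.5", 40002, "203.0.113.9", 23, "tcp"),    # Telnet out: policy deny
]


def demo(packets=SAMPLE_TRAFFIC):
    return StatefulFirewall().filter(packets)


if __name__ == "__main__":
    for pkt, decision in zip(SAMPLE_TRAFFIC, demo()):
        print(f"{pkt.direction:3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {decision}")
```

The third packet is the case that separates stateful inspection from a plain packet filter: it targets the same high port the client is using, so a stateless rule of the form "allow inbound to ports above 1023" would let it through, while the state table rejects it because it does not match the remote address and port of the flow that was opened. Note also what the filter does not do: the packets it admits pass through untouched and their payloads are never examined, which is the trade-off against a proxy that the answer describes.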
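Finally, an added example covering answers 8 and 10 together (written for this page, not taken from it): a certificate authority issues a certificate binding a subject to a public key, a recipient verifies the CA's signature on that certificate, then uses the public key it contains to check a signed message and to encrypt a reply. The arithmetic is textbook RSA with small Mersenne primes, no padding, and a hash reduced modulo n; this is a teaching toy only. Key sizes, the subject names, the certificate layout and the message are all assumptions for the illustration; production code should use 2048-bit or larger keys, padded signature schemes such as RSA-PSS or ECDSA, and X.509 certificates from a library such as `cryptography` or OpenSSL.

```python
"""Toy certificate authority, digital signature and encryption
(added example, not from the page; textbook RSA, not for production)."""
import hashlib
import json

E = 65537  # public exponent; coprime to phi(n) for all prime pairs used below


def mersenne(k):
    return (1 << k) - 1


def make_keypair(p, q):
    """Return (public, private) as (e, n), (d, n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)


def digest(data: bytes, n: int) -> int:
    # Toy: fold SHA-256 into the modulus.  With a real-size n the whole
    # padded digest fits and no reduction is needed.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data: bytes) -> int:
    d, n = private
    return pow(digest(data, n), d, n)


def verify(public, data: bytes, signature: int) -> bool:
    e, n = public
    return pow(signature, e, n) == digest(data, n)


def encrypt(public, m: int) -> int:
    e, n = public
    return pow(m, e, n)


def decrypt(private, c: int) -> int:
    d, n = private
    return pow(c, d, n)


def cert_body(subject, public) -> bytes:
    """Canonical bytes the CA signs: identity plus the subject's public key."""
    return json.dumps({"subject": subject, "e": public[0], "n": public[1]},
                      sort_keys=True).encode()


def issue_certificate(ca_private, subject, subject_public):
    """The CA has already verified `subject` off-line; it now binds that
    identity to the subject's public key by signing the pair."""
    return {"subject": subject, "e": subject_public[0], "n": subject_public[1],
            "sig": sign(ca_private, cert_body(subject, subject_public))}


def verify_certificate(ca_public, cert) -> bool:
    return verify(ca_public, cert_body(cert["subject"], (cert["e"], cert["n"])), cert["sig"])


# Assumed keys.  Alice and the CA use disjoint prime pairs: a prime shared
# between two moduli would let anyone factor both with one gcd.
ALICE_PUB, ALICE_PRIV = make_keypair(mersenne(31), mersenne(61))
CA_PUB, CA_PRIV = make_keypair(mersenne(89), mersenne(107))
ALICE_CERT = issue_certificate(CA_PRIV, "alice@example.test", ALICE_PUB)


def receive(cert, message: bytes, signature: int) -> dict:
    """The recipient's steps from answer 8: check the CA's signature on the
    certificate, then use the sender's public key taken from it."""
    if not verify_certificate(CA_PUB, cert):
        return {"ok": False, "why": "certificate not issued by our CA"}
    sender_pub = (cert["e"], cert["n"])
    if not verify(sender_pub, message, signature):
        return {"ok": False, "why": "message altered or not from sender"}
    return {"ok": True, "sender": cert["subject"], "sender_pub": sender_pub}


def demo():
    msg = b"Pay 100 to Bob"                       # constructed message
    sig = sign(ALICE_PRIV, msg)
    good = receive(ALICE_CERT, msg, sig)
    tampered = receive(ALICE_CERT, b"Pay 999 to Bob", sig)
    forged = dict(ALICE_CERT, subject="mallory@example.test")  # CA signature no longer matches
    forged_result = receive(forged, msg, sig)
    # Encrypted reply: the recipient uses Alice's public key from the certificate.
    secret = 123456789
    roundtrip = decrypt(ALICE_PRIV, encrypt(good["sender_pub"], secret)) == secret
    return good["ok"], tampered["why"], forged_result["why"], roundtrip


if __name__ == "__main__":
    print(demo())
```

Two details worth noticing. The recipient never needs Alice's public key in advance, only the CA's, which is exactly the point of the certificate; and changing any field of the certificate (here the subject) breaks the CA's signature, so an attacker cannot simply paste their own name over someone else's key.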