Top-Down Approach
o The initiation, support, and direction come from top management and
work their way down through middle management and then to staff members.
o Treated as the best approach, but it seems to be based on an "I get paid
more, therefore I must know more about everything" mentality.
o Ensures that the senior management who are ultimately responsible for
protecting the company's assets are the ones driving the program.
Bottom-Up Approach
o The lower-level team comes up with a security control or a program
without proper management support and direction.
o It is often considered less effective and doomed to fail, for the same
flaw in thinking as above: "I get paid more, therefore I must know more
about everything."
Since advancement is directly tied to how well you can convince others, who
often fall outside your job duties and department, of your higher value to
the company, as stated in your own effective written communication, this
leads to amazing resume writers and take-no-blame styles of email response,
which seem to lead to the eventual failure of the company's standards and
actual knowledge. It is often covered up by the relationships that form at
the power levels within any group of people, and by so-called experts who
have no real idea what is involved under the hood of the reports and
applications they use, and who present no proof in the emails they write
when self-declared claims of expertise are made or blame is to be put on
another.
Security Controls
Security Controls can be classified into three categories
Administrative Controls which include
Example: If a company has antivirus software but does not keep the virus
signatures up to date, this is a vulnerability. The company is vulnerable to
virus attacks.
The threat is that a virus will show up in the environment and disrupt
productivity.
The likelihood of a virus showing up in the environment and causing damage
is the risk.
If a virus infiltrates the company's environment, then the vulnerability has
been exploited and the company is exposed to loss.
The countermeasures in this situation are to update the signatures and to
install the antivirus software on all computers.
Computer forensics:
• Scientific collection, examination, authentication, preservation, and
analysis of data from computer storage media for use as evidence in a court
of law
• Includes recovery of ambient and hidden data; a plan is needed before
collection starts
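The authentication, preservation and hidden-data-recovery points above, as an added Go example that is not part of these notes: it hashes an acquired image so the value can be recorded at collection time and re-checked before every examination, and it carves JPEG and PNG files out of raw bytes by their signatures, ignoring any file system, which is how deleted data in unallocated space is recovered. The image, the file payloads and the offsets are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// CarvedFile is one object recovered by scanning for file signatures rather
// than walking a file system, which is how deleted ("ambient") data is found.
type CarvedFile struct {
	Kind   string
	Offset int
	Data   []byte
}

// EvidenceHash returns the SHA-256 of an acquired image. Recording it at
// collection time and re-checking it before every examination is how the
// examiner later shows the evidence was preserved unaltered.
func EvidenceHash(image []byte) string {
	sum := sha256.Sum256(image)
	return hex.EncodeToString(sum[:])
}

// VerifyEvidence re-hashes a working copy against the recorded value.
func VerifyEvidence(image []byte, recorded string) bool {
	return EvidenceHash(image) == recorded
}

// signature describes a file type by its header and footer markers.
type signature struct {
	kind   string
	header []byte
	footer []byte
	tail   int // bytes after the footer marker that still belong to the file
}

var signatures = []signature{
	{"jpeg", []byte{0xFF, 0xD8, 0xFF}, []byte{0xFF, 0xD9}, 0},
	{"png", []byte("\x89PNG\r\n\x1a\n"), []byte("IEND"), 4}, // IEND + 4-byte CRC
}

// CarveFiles scans raw bytes for header/footer pairs. A header with no
// footer is treated as truncated and skipped rather than guessed at.
func CarveFiles(image []byte) []CarvedFile {
	var found []CarvedFile
	for _, s := range signatures {
		pos := 0
		for pos < len(image) {
			start := bytes.Index(image[pos:], s.header)
			if start < 0 {
				break
			}
			start += pos
			body := start + len(s.header)
			end := bytes.Index(image[body:], s.footer)
			if end < 0 {
				break
			}
			end += body + len(s.footer) + s.tail
			if end > len(image) {
				break
			}
			found = append(found, CarvedFile{s.kind, start, image[start:end]})
			pos = end
		}
	}
	return found
}

// SampleImage is a constructed stand-in for a disk image: zero filler with a
// JPEG and a PNG left behind in unallocated space. The payloads are fake.
func SampleImage() []byte {
	var b bytes.Buffer
	b.Write(bytes.Repeat([]byte{0}, 512))
	b.Write([]byte{0xFF, 0xD8, 0xFF, 0xE0}) // JPEG SOI + APP0 marker
	b.WriteString("fake jpeg payload")
	b.Write([]byte{0xFF, 0xD9}) // JPEG EOI
	b.Write(bytes.Repeat([]byte{0}, 300))
	b.WriteString("\x89PNG\r\n\x1a\n") // PNG signature
	b.WriteString("fake png chunks")
	b.WriteString("IEND")
	b.Write([]byte{0xAE, 0x42, 0x60, 0x82}) // IEND CRC
	b.Write(bytes.Repeat([]byte{0}, 100))
	return b.Bytes()
}

func main() {
	img := SampleImage()
	h := EvidenceHash(img)
	fmt.Println("acquired image sha256:", h)
	for _, f := range CarveFiles(img) {
		fmt.Printf("%s at offset %d, %d bytes\n", f.Kind, f.Offset, len(f.Data))
	}
	fmt.Println("integrity intact:", VerifyEvidence(img, h))
}
```

In a real acquisition the image is taken through a write blocker and the hash goes into the chain-of-custody log together with who took it and when; signature carving only recovers a deleted file whose blocks have not yet been reused, and a header with no matching footer is reported as truncated rather than padded out.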
General controls
• Govern the design, security, and use of computer programs and the security
of data files in general throughout the organization's IT infrastructure.
• Apply to all computerized applications
• Combination of hardware, software, and manual procedures that together
create the overall control environment
• Types of general controls: software controls, hardware controls, computer
operations controls, data security controls, implementation controls,
administrative controls
Application controls
• Specific controls unique to each computerized application, such as payroll
or order processing
• Include both automated and manual procedures
• Ensure that only authorized data are completely and accurately
processed by that application
• Input controls: authorization, conversion, editing, error handling
• Processing controls: ensure data remain complete and accurate during
updating
• Output controls: ensure the results of processing are accurate, complete,
and properly distributed
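Added Go example (not from the notes) of the three application control types on a toy payroll batch: input controls (submitter authorization, text-to-number conversion, edit checks, rejection of bad records with a reason), a processing control (record count and hours control totals checked against the batch header before anything is updated), and an output control (payments reconciled against the validated input). The authorization table, employee master file, limits and input records are hypothetical.

```go
package main

import (
	"fmt"
	"math"
	"strconv"
	"strings"
)

// PayLine is one payroll input record after conversion and edit checks.
type PayLine struct {
	EmployeeID string
	Hours      float64
	Rate       float64
}

// Batch carries the validated lines plus the control totals the submitting
// department claimed; processing must match them before updating anything.
type Batch struct {
	Lines        []PayLine
	ClaimedCount int
	ClaimedHours float64
}

// Hypothetical authorization table and employee master file for the example.
var authorizedSubmitters = map[string]bool{"clerk01": true, "clerk02": true}
var knownEmployees = map[string]bool{"E100": true, "E101": true, "E102": true}

// ValidateInput applies the input controls: authorization of the submitter,
// conversion, and edit checks. Bad records come back with a reason.
func ValidateInput(submitter string, rawLines []string) (ok []PayLine, rejected []error, err error) {
	if !authorizedSubmitters[submitter] {
		return nil, nil, fmt.Errorf("submitter %q is not authorized for payroll input", submitter)
	}
	for n, raw := range rawLines {
		f := strings.Split(raw, ",")
		if len(f) != 3 {
			rejected = append(rejected, fmt.Errorf("line %d: expected 3 fields, got %d", n+1, len(f)))
			continue
		}
		id := strings.TrimSpace(f[0])
		hours, e1 := strconv.ParseFloat(strings.TrimSpace(f[1]), 64)
		rate, e2 := strconv.ParseFloat(strings.TrimSpace(f[2]), 64)
		switch {
		case e1 != nil || e2 != nil:
			rejected = append(rejected, fmt.Errorf("line %d: non-numeric hours or rate", n+1))
		case !knownEmployees[id]:
			rejected = append(rejected, fmt.Errorf("line %d: unknown employee %q", n+1, id))
		case hours < 0 || hours > 80:
			rejected = append(rejected, fmt.Errorf("line %d: hours %.1f outside 0-80 limit", n+1, hours))
		case rate <= 0 || rate > 500:
			rejected = append(rejected, fmt.Errorf("line %d: rate %.2f outside limit", n+1, rate))
		default:
			ok = append(ok, PayLine{id, hours, rate})
		}
	}
	return ok, rejected, nil
}

// ProcessBatch is the processing control: count and hours totals are checked
// against the header first, so a lost, duplicated or altered record stops the run.
func ProcessBatch(b Batch) (map[string]float64, error) {
	var hours float64
	for _, l := range b.Lines {
		hours += l.Hours
	}
	if len(b.Lines) != b.ClaimedCount || math.Abs(hours-b.ClaimedHours) > 0.01 {
		return nil, fmt.Errorf("control totals mismatch: %d records/%.1f hours vs header %d/%.1f",
			len(b.Lines), hours, b.ClaimedCount, b.ClaimedHours)
	}
	gross := make(map[string]float64)
	for _, l := range b.Lines {
		gross[l.EmployeeID] += l.Hours * l.Rate
	}
	return gross, nil
}

// ReconcileOutput is the output control: total pay produced must equal the
// total computed from the validated input.
func ReconcileOutput(lines []PayLine, payments map[string]float64) error {
	var want, got float64
	for _, l := range lines {
		want += l.Hours * l.Rate
	}
	for _, p := range payments {
		got += p
	}
	if math.Abs(want-got) > 0.005 {
		return fmt.Errorf("output total %.2f does not reconcile with input total %.2f", got, want)
	}
	return nil
}

func main() {
	raw := []string{"E100,40,20", "E101,35.5,18.5", "E999,10,10", "E102,90,22.25", "E102,20,22.25"} // constructed
	ok, rejected, err := ValidateInput("clerk01", raw)
	fmt.Println("authorization:", err, "rejected:", rejected)
	gross, err := ProcessBatch(Batch{Lines: ok, ClaimedCount: 3, ClaimedHours: 95.5})
	fmt.Println("gross:", gross, "processing:", err, "output:", ReconcileOutput(ok, gross))
}
```

The rejected list is what an exception report is built from: an edit check that silently drops a record is worse than none, because the control totals will then disagree with the header and nobody will know which record went missing.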
Risk assessment
• Determines the level of risk to the firm if a specific activity or process
is not properly controlled
• Determine the value of information assets, points of vulnerability, likely
frequency of the problem, and potential for damage
• Concentrate on the control points with the greatest vulnerability and
potential for loss
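Added Go example, not part of the notes: the assessment above carried through quantitatively with the standard single loss expectancy (SLE = asset value x exposure factor) and annualized loss expectancy (ALE = SLE x annual rate of occurrence) formulas. The notes do not name these formulas, but their inputs are exactly the items listed (asset value, potential for damage, likely frequency). Control points are ranked by ALE, and a proposed control is valued as ALE before minus ALE after minus its annual cost. All assets, figures and controls are constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// Exposure is one asset at one point of vulnerability, with the inputs the
// notes list: asset value, potential for damage (exposure factor, the share
// of the asset's value lost in one event) and likely frequency (events/year).
type Exposure struct {
	Asset          string
	ControlPoint   string
	AssetValue     float64
	ExposureFactor float64 // 0..1
	AnnualRate     float64 // expected events per year
}

// SLE is the single loss expectancy: asset value x exposure factor.
func SLE(e Exposure) float64 { return e.AssetValue * e.ExposureFactor }

// ALE is the annualized loss expectancy: SLE x annual rate of occurrence.
func ALE(e Exposure) float64 { return SLE(e) * e.AnnualRate }

// RankExposures orders control points by ALE, highest first: the points with
// the greatest potential for loss are where controls are concentrated.
func RankExposures(es []Exposure) []Exposure {
	out := append([]Exposure(nil), es...)
	sort.SliceStable(out, func(i, j int) bool { return ALE(out[i]) > ALE(out[j]) })
	return out
}

// Countermeasure is a proposed control with its yearly cost and the fraction
// of the frequency and/or of the damage per event it is expected to remove.
type Countermeasure struct {
	Name              string
	AnnualCost        float64
	RateReduction     float64 // 0..1, cuts how often the event happens
	ExposureReduction float64 // 0..1, cuts how much is lost per event
}

// ControlValue = ALE before - ALE after - annual cost of the control. A
// negative result means the control costs more than the risk it removes.
func ControlValue(e Exposure, c Countermeasure) float64 {
	after := e
	after.AnnualRate = e.AnnualRate * (1 - c.RateReduction)
	after.ExposureFactor = e.ExposureFactor * (1 - c.ExposureReduction)
	return ALE(e) - ALE(after) - c.AnnualCost
}

// SampleExposures are constructed figures for a small firm, not real data.
func SampleExposures() []Exposure {
	return []Exposure{
		{"developer laptop", "theft", 5_000, 1.0, 0.2},
		{"customer database", "internet-facing web app", 500_000, 0.4, 0.5},
		{"payroll file", "unencrypted backup tapes", 200_000, 0.1, 2.0},
	}
}

func main() {
	for _, e := range RankExposures(SampleExposures()) {
		fmt.Printf("%-18s %-26s SLE %8.0f  ALE %8.0f\n", e.Asset, e.ControlPoint, SLE(e), ALE(e))
	}
	db, laptop := SampleExposures()[1], SampleExposures()[0]
	waf := Countermeasure{"web application firewall", 30_000, 0.6, 0}
	fde := Countermeasure{"full-disk encryption", 2_000, 0, 0.9}
	fmt.Printf("%s on %s: net value %.0f/year\n", waf.Name, db.Asset, ControlValue(db, waf))
	fmt.Printf("%s on %s: net value %.0f/year\n", fde.Name, laptop.Asset, ControlValue(laptop, fde))
}
```

The ranking is only as good as the frequency and damage estimates behind it, which is why the assessment step in the notes puts asset valuation and likely frequency before control selection: a control with a negative net value may still be justified by a legal or contractual requirement, but then the justification is compliance, not risk reduction.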
Security policy
• Ranks information risks, identifies acceptable security goals, and
identifies the mechanisms for achieving these goals, starting with the most
important assets
• Acceptable use policy (AUP): Defines acceptable and unacceptable uses of
the firm's information resources and computing equipment, and the
consequences of noncompliance
• Authorization policies: Determine differing levels of user access to
information assets
Identity management
• Business processes and tools to identify the valid users of a system and
control their access: identifies and authorizes different categories of
users, specifies which portions of the system each user can access,
authenticates users, and protects identities
• Identity management systems: Capture the access rules for the different
levels of users
Disaster recovery planning: Devises plans for the restoration of disrupted
services
Business continuity planning: Focuses on restoring business operations after
a disaster
MIS audit
• Examines the firm's overall security environment as well as the controls
governing individual information systems and data quality
• Reviews technologies, procedures, documentation, training, and personnel
• May simulate a disaster to test the response of the technology, IS staff,
and other employees
• Lists and ranks all control weaknesses, estimates the probability of their
occurrence, and assesses the financial and organizational impact of each
threat
Encryption
· Transforming text or data into ciphertext that cannot be read by
unintended recipients; the transformation is controlled by an encryption key
· Secure Sockets Layer (SSL) and its successor, Transport Layer Security
(TLS), secure a session between two computers (SSL itself is obsolete;
current deployments should use TLS 1.2 or 1.3)
· Secure Hypertext Transfer Protocol (S-HTTP) is limited to individual
messages
· Symmetric key encryption: Sender and receiver use a single, shared key
· Public key encryption: Uses two mathematically related keys, a public key
and a private key; the sender encrypts the message with the recipient's
public key, and the recipient decrypts it with the private key
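Both schemes from the bullets above as an added Go example, not from the notes, built on the standard library: symmetric AES-256-GCM with one shared key, and public key RSA-OAEP where the sender encrypts with the recipient's public key and only the matching private key can decrypt. The message is constructed; the key sizes and algorithms are this example's choices, not something the notes prescribe.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// NewSymmetricKey returns a random 256-bit key. Both parties must hold it,
// so it has to be delivered over a channel that is already secure.
func NewSymmetricKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// SymmetricEncrypt uses AES-256-GCM. Output is nonce || ciphertext || tag;
// the tag lets the receiver detect any modification of the ciphertext.
func SymmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// SymmetricDecrypt reverses SymmetricEncrypt with the same shared key and
// fails if the authentication tag does not verify.
func SymmetricDecrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

// NewKeyPair generates the recipient's RSA key pair. Only the public half is
// published; the private half never leaves the recipient.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// PublicKeyEncrypt is the sender's step: RSA-OAEP with the recipient's
// public key. Anyone may do this; only the private key can undo it.
func PublicKeyEncrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// PublicKeyDecrypt is the recipient's step with the matching private key.
func PublicKeyDecrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

func main() {
	msg := []byte("wire transfer approved: 1200.00") // constructed sample message
	key, _ := NewSymmetricKey()
	ct, _ := SymmetricEncrypt(key, msg)
	pt, _ := SymmetricDecrypt(key, ct)
	fmt.Printf("symmetric round trip: %s\n", pt)
	ct[len(ct)-1] ^= 1 // flip one bit of the tag
	_, err := SymmetricDecrypt(key, ct)
	fmt.Println("tampered ciphertext rejected:", err != nil)

	recipient, _ := NewKeyPair()
	sealed, _ := PublicKeyEncrypt(&recipient.PublicKey, msg)
	opened, _ := PublicKeyDecrypt(recipient, sealed)
	fmt.Printf("public key round trip: %s\n", opened)
}
```

Public key operations are slow and limited to a message shorter than the key, so in practice (TLS included) the public key or a key agreement is used to establish a symmetric session key and the bulk data is encrypted symmetrically. GCM also gives integrity: the definition in the notes only promises confidentiality, but a modern cipher mode should also reject a ciphertext that was altered in transit, which the tampering check above demonstrates.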
Digital certificate:
· Data file used to establish the identity of users and electronic assets
for the protection of online transactions
· Uses a trusted third party, a certification authority (CA), to validate a
user's identity
· The CA verifies the user's identity, stores the information on the CA
server, and issues a digitally signed certificate containing the owner's
identification information and a copy of the owner's public key (the
certificate is signed by the CA, not encrypted, and the owner's private key
never leaves the owner)
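The CA workflow in the last bullet as an added Go example, not from the notes: a self-signed root CA, issuance of a certificate that binds an owner's name to the owner's public key and is signed with the CA's private key, and the relying party's validation of that certificate against the root it already trusts. The CA and owner names are hypothetical, and the CA's out-of-band identity verification is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is the certification authority: its self-signed certificate (the trust
// anchor relying parties install) and the private key it signs with.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewOwnerKey makes a certificate owner's key pair. The private half never
// goes to the CA; only the public half ends up in the certificate.
func NewOwnerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// NewCA creates a self-signed root certificate.
func NewCA(name string) (*CA, error) {
	key, err := NewOwnerKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// Issue is the CA step from the notes: once the owner's identity has been
// verified (out of band, not modelled here), the CA binds the owner's name
// to the owner's public key and signs that binding with the CA key.
func (ca *CA) Issue(ownerName string, ownerPub *ecdsa.PublicKey, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: ownerName},
		DNSNames:     []string{ownerName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, ownerPub, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Validate is the relying party's check: the certificate must chain to a CA
// it already trusts, be inside its validity period, and name the expected owner.
func Validate(cert, trustedRoot *x509.Certificate, expectedName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: expectedName})
	return err
}

// HoldsKey reports whether the certificate carries the given public key.
func HoldsKey(cert *x509.Certificate, pub *ecdsa.PublicKey) bool {
	certPub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	return ok && certPub.Equal(pub)
}

func main() {
	ca, _ := NewCA("Example Root CA") // hypothetical CA
	owner, _ := NewOwnerKey()
	cert, err := ca.Issue("shop.example.test", &owner.PublicKey, 2) // hypothetical owner
	if err != nil {
		panic(err)
	}
	rogue, _ := NewCA("Rogue CA")
	fmt.Println("subject:", cert.Subject.CommonName, "issuer:", cert.Issuer.CommonName)
	fmt.Println("carries owner's public key:", HoldsKey(cert, &owner.PublicKey))
	fmt.Println("accepted by a party trusting the CA:", Validate(cert, ca.Cert, "shop.example.test") == nil)
	fmt.Println("accepted by a party trusting another CA:", Validate(cert, rogue.Cert, "shop.example.test") == nil)
}
```

Validation fails for a certificate from a CA the relying party does not trust, for an expired one, or for one whose name does not match what the party connected to; a production check would also consult revocation (CRL or OCSP), which the standard library's Verify does not do on its own.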