Computing Hardware
Physical components of information technology, which include the computer and the following peripherals: storage, input, and output devices
Software
Collection of programs that tell hardware what to do
Hardware/Software Layer Cake
User, Application, Operating System, Hardware
Operating System
Provides controls for managing hardware and simplifies user interaction
User Interface
Items like scroll bars and menus displayed on a computer's hardware
Firmware
Software stored on nonvolatile memory chips
Embedded Systems
Special purpose software included inside physical products
Distributed Computing
Systems in different locations collaborating to complete a task
Server
Program that fulfills client requests
Hardware Context
Computer configured to support requests from other computers such as sending or receiving data
Software Context
Program that fulfills requests
Client
Software program that makes requests of a server program
Architecture
Development of technology specifications, models, and guidelines
Platform
Common computing environment, standards, and marketplaces
Technology Platforms
AWS, Azure, Twilio
Computing Platforms
iOS, Android, Windows, macOS, Alexa
Utility Platforms
Google, Kayak, Google Maps
Interaction Networks
Facebook, Snapchat, LinkedIn
Marketplaces
eBay, Amazon marketplace, Airbnb
On-Demand Platforms
Uber, Amazon Home, Doordash
Crowdsourcing Platforms
YouTube, Yelp
Data Harvesting Platforms
Waze, Maavit
Application Server
Software that houses business logic for multiple applications
Web Services
Code accessed via application server for machine-to-machine interaction
API (Application Programming Interface)
Guidelines that tell programs how to perform tasks
SOA (Service Oriented Architecture)
Web services built around an organization's processes
Enterprise Architecture
Framework of technology, application, data, and business architecture
Architecture Methodology
Process of mobilization from current state to target to roadmap
Goals of Enterprise Architecture
Align processes, select/manage tools, manage costs, enhance flexibility
LAMP Stack
Linux-based web servers consisting of Linux, Apache, MySQL, PHP
ISP (Internet Services Provider)
Organization that provides internet access
Internet
Fault-tolerant network of networks
URL (Uniform Resource Locator)
Identifies resources on the internet with application protocol
Protocol
Enables communication by defining data format and exchange rules
HTTP (Hypertext Transfer Protocol)
Application transfer protocol for web browsers and servers
FTP (File Transfer Protocol)
Application transfer protocol for copying files between computers
Web Address
Application transfer protocol in a URL
Host Name
Prefix 'www.' in a web address
Domain Name
Name in a web address
SSL (Secure Sockets Layer)
Security standard for encrypted communication between browsers
Domain Name
Name of the network being connected to
Host
Computer being searched for on a network
Case-Sensitive Aspects of Web Browsers
Host and domains are not, path and files are
Load Balancing
Distributing workload across multiple systems to avoid congestion
Fault Tolerance
Systems capable of continuing operation even if a component fails
Subdomain
Smaller network or subgroup within a larger organization
Web Hosting Services
Firm providing hardware and servers for running websites
ICANN (Internet Corporation for Assigning Names and Numbers)
Nonprofit governance body accrediting registrars worldwide
HTML (Hypertext Markup Language)
Language used to compose web pages
IP Address
Value used to identify a device connected to the internet
Uses of IP Address
Identify physical location, tailor search results, customize advertising
NAT (Network Address Translation)
Maps devices on a private network to single internet-connected devices
DNS (Domain Name Service)
Internet directory service for naming and discovering devices and services
Nameserver
Phonebook-like service for finding web and email servers
EDI (Electronic Data Interchange)
Standards for exchanging formatted data between computer applications
Technologies Replacing EDI
XML (Extensible Markup Language) and JSON (JavaScript Object Notation)
XML (Extensible Markup Language)
Tagging language for identifying data fields used by other applications
JSON (JavaScript Object Notation)
Data interchange format often used for APIs
Client-Server Computing
When one program makes a request to be fulfilled by another program
Cybersquatting
Acquiring a domain name for financial gain
Data Control and Oversight
Governments, partnership-imposed standards, and industry standards
Goals of GRC Programs
Regulatory compliance and risk management
Common GRC Regulations
Data retention, protecting confidential information, financial accountability, disaster recovery
Horizontal Perspective
Laws cutting across all industries
Contractual Obligations Perspective
Laws related to business partners, supply chain, outsourcing, service providers
Vertical Obligations Perspective
Laws specific to specialized areas of business
Strategic Objectives Perspective
Following own rules and maintaining visibility and control
Corporate Governance
Processes, policies, and rules for directing and managing a corporation
Board of Directors
Oversees and monitors a company
Delegation of Authority
Accountability through information systems in an organization
IT Governance
Aligning IT strategy with business strategy
IT Systems
Increasing visibility into the effectiveness of compliance efforts
Principles
Outcome-focused direction for decision-making
Policies
Formal guidelines
Standards
Methods and resources supporting policies
Procedures
Detailed directions on following policies
Guidelines
Informal suggested practices
Audits
Internal, external, tax, operational, compliance, payroll
Controls
Log-in credentials, approvals, legal review, spending limits, account reconciliation
Sarbanes-Oxley Act (SOX)
Mandates a strong internal control environment, including the electronic data needed to prove it, internal checks and balances, enhanced corporate governance, and corporate accountability
IT Compliance Challenges
Employees, mobile devices, third parties, cloud service providers
GDPR (General Data Protection Regulation)
European Union's privacy law
Governance
Monitoring and controlling an organization's IT and systems
True/False
The point of governance and compliance is to ensure transparency
Segregation of Duties
Different individuals should be responsible for related activities.
The responsibility for record-keeping for an asset should be separate from the physical custody of that asset.
Why do organizations need a framework?
to identify, track, and mitigate risk
What are the three risk management phases (Gartner)?
Executive, Operational, & Compliance
Health Insurance Portability and Accountability Act (HIPAA)
imposed tough data privacy and protection for any businesses related to health care
Basel IV
introduces changes that limit the reduction in capital, a standardized floor for capital requirements, requiring banks to meet higher maximum leverage ratios
PCI Security Standards
Council offers comprehensive standards to enhance payment card data security
Employees
play a key role in protecting a company's sensitive data
Mobile Devices
Serious security and compliance risks; most organizations have weak controls in place to protect regulated data on these
Third Parties
A threat caused by the use of unseen third-party solutions, including services, devices, and apps
Cloud Service Providers
ensure that sensitive data is being properly protected in the cloud
PCI (Security Standards)
Council offers comprehensive standards to enhance payment card data security
Top Down
Corporate governance is the set of processes, policies, laws, customs, and rules affecting the way a corporation is directed, managed, and controlled
Cache
a temporary storage space used to speed up computing tasks
Why are organizations implementing GRC programs?
regulatory requirements & awareness of monetary and reputational risks