Flashcards about securing information systems.
What are policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems?
Security
What are methods, policies, and organizational procedures that ensure the safety of an organization's assets and the accuracy and reliability of its accounting records?
Controls
What makes networks vulnerable?
Accessibility, hardware problems, software problems, disasters, use of networks outside the firm's control, and loss or theft of portable devices.
What are some vulnerabilities related to Internet usage?
Open public networks, the size of the Internet (so that abuses have wide impact), fixed Internet addresses that make hosts stable targets, unencrypted VoIP, and risks associated with email, P2P file sharing, and instant messaging.
What are some wireless security challenges?
Radio frequency bands are easy to scan, SSID broadcasting makes networks easy to identify, war driving, and rogue access points.
What is Malware?
Malicious software that includes viruses, worms, Trojan horses, and spyware.
How do worms and viruses spread?
Through downloads, drive-by downloads, email, and IM attachments.
What activities are associated with hackers?
System intrusion, system damage, cybervandalism, spoofing, and sniffing.
What are the common computer crimes?
Denial-of-service attacks, distributed denial-of-service attacks, botnets, and spam.
What are the common activities related to identity theft?
Phishing, evil twins, and pharming.
In what ways do internal employees pose security threats?
Inside knowledge, sloppy security procedures, users' lack of knowledge, and susceptibility to social engineering.
What can failed computer systems lead to?
Significant or total loss of business function.
What does HIPAA require?
Security and privacy rules and procedures for protecting medical records.
What does the Gramm-Leach-Bliley Act require?
Financial institutions to ensure the security and confidentiality of customer data.
What does the Sarbanes-Oxley Act require?
Companies and their management to safeguard the accuracy and integrity of financial information.
What is electronic evidence?
Evidence relevant to white-collar crime that exists in digital form.
What is computer forensics?
The scientific collection, examination, authentication, preservation, and analysis of data from computer storage media for use as evidence in a court of law.
What are general controls?
Controls that govern the design, security, and use of computer programs and the security of data files in general throughout the organization.
What are application controls?
Controls unique to each computerized application.
What does risk assessment determine?
The level of risk to the firm if a specific activity or process is not properly controlled.
Which policies does the security policy drive?
The acceptable use policy (AUP) and identity management policies.
What is disaster recovery planning?
Devising plans for restoring disrupted computing and communications services.
What is business continuity planning?
Planning that focuses on restoring business operations after a disaster.
What does an information systems audit examine?
A firm’s overall security environment as well as controls governing individual information systems.
What does identity management software do?
Automates keeping track of all users and their privileges; authenticates users, protects identities, and controls access to resources.
What is a firewall?
A combination of hardware and software that prevents unauthorized users from accessing private networks.
What does an intrusion detection system do?
Monitors the most vulnerable points ("hot spots") on corporate networks to detect and deter intruders.
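Added example, not from the original flashcards: a minimal intrusion-detection rule of the kind such a system runs, applied to constructed log lines. The line format imitates OpenSSH's syslog output; the IP addresses, user names and the threshold of five failures within a minute are assumptions chosen for illustration.

```python
# Added example, not from the original flashcards: a minimal intrusion-detection
# rule run over constructed log lines. The line format imitates OpenSSH's
# syslog output; the IPs, users and the 5-failures-per-minute threshold are
# assumptions chosen for illustration.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not captured from a real host).
SAMPLE_LOG = """\
Mar  1 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.9 port 40001 ssh2
Mar  1 10:00:03 host sshd[1202]: Failed password for admin from 203.0.113.9 port 40002 ssh2
Mar  1 10:00:04 host sshd[1203]: Failed password for invalid user test from 203.0.113.9 port 40003 ssh2
Mar  1 10:00:06 host sshd[1204]: Failed password for root from 203.0.113.9 port 40004 ssh2
Mar  1 10:00:07 host sshd[1205]: Failed password for root from 203.0.113.9 port 40005 ssh2
Mar  1 10:00:09 host sshd[1206]: Accepted password for root from 203.0.113.9 port 40006 ssh2
Mar  1 10:05:00 host sshd[1207]: Failed password for alice from 198.51.100.4 port 50001 ssh2
Mar  1 10:10:00 host sshd[1209]: Failed password for root from 192.0.2.77 port 60001 ssh2
Mar  1 10:10:05 host sshd[1210]: Failed password for root from 192.0.2.77 port 60002 ssh2
Mar  1 10:10:10 host sshd[1211]: Failed password for root from 192.0.2.77 port 60003 ssh2
Mar  1 10:10:15 host sshd[1212]: Failed password for root from 192.0.2.77 port 60004 ssh2
Mar  1 10:10:20 host sshd[1213]: Failed password for root from 192.0.2.77 port 60005 ssh2
Mar  1 10:30:00 host sshd[1208]: Accepted publickey for alice from 198.51.100.4 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse(log_text, year=2024):
    """Turn syslog lines into (timestamp, result, user, ip) tuples.
    Syslog lines carry no year, so the caller supplies one."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines the rule does not understand are ignored, not alerted on
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Return {ip: verdict} for every source IP that produced at least
    `threshold` failed logins inside any span of `window_seconds`. The verdict
    is 'success_after_failures' when an accepted login from the same IP follows
    the burst (a likely compromise), otherwise 'bruteforce'."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [ts for ts, result, _, _ in evs if result == "Failed"]
        burst_end = None
        for i in range(len(fails)):
            j = i
            while j < len(fails) and fails[j] - fails[i] <= window:
                j += 1
            if j - i >= threshold:       # sliding window starting at fails[i]
                burst_end = fails[j - 1]
                break
        if burst_end is None:
            continue
        followed = any(r == "Accepted" and ts >= burst_end for ts, r, _, _ in evs)
        alerts[ip] = "success_after_failures" if followed else "bruteforce"
    return alerts

if __name__ == "__main__":
    for ip, verdict in detect_bruteforce(parse(SAMPLE_LOG)).items():
        print(f"ALERT {verdict}: {ip}")
```

Run as written, the rule raises two alerts: 203.0.113.9 fails five times and then logs in successfully, which is the case worth paging on, while 192.0.2.77 only hammers the host. The single failure from 198.51.100.4 never reaches the threshold, which is the point of a threshold: a typo is not an intrusion.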
What does antivirus and antispyware software do?
Checks computers for presence of malware and can often eliminate it as well; requires continual updating.
What is WEP security?
Wired Equivalent Privacy, the original Wi-Fi encryption standard; it uses static shared encryption keys that are relatively easy to crack.
What does the WPA2 specification offer?
Wi-Fi Protected Access 2 replaces WEP with stronger standards and uses longer, continually changing encryption keys.
What is encryption?
Transforming text or data into cipher text that cannot be read by unintended recipients.
What is symmetric key encryption?
Sender and receiver use single, shared key.
What is public key encryption?
Uses two, mathematically related keys: public key and private key.
What is a digital certificate?
A data file used to establish the identity of users and electronic assets for protection of online transactions.
What is public key infrastructure (PKI)?
The use of public key cryptography working with a certificate authority; widely used in e-commerce.
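Added example, not from the original flashcards, covering the symmetric key, public key and digital certificate cards above: one shared key for symmetric encryption, a mathematically related key pair for public-key encryption, and the signature operation a certificate authority relies on. The symmetric cipher is a demonstration keystream built from HMAC-SHA256 in counter mode and the RSA primes are textbook-small (p = 61, q = 53) so the numbers stay readable; neither construction is meant for production use.

```python
# Added example, not from the original flashcards: symmetric encryption
# (one shared key) beside public-key encryption (a related key pair) and the
# signature operation that digital certificates rely on. The symmetric cipher
# is a demonstration keystream built from HMAC-SHA256 in counter mode and the
# RSA primes are textbook-small (p=61, q=53) so the numbers stay readable;
# neither construction is meant for production use.
import hashlib
import hmac
import secrets

# ---------- Symmetric key: sender and receiver share one secret ----------
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key+nonce into `length` pseudorandom bytes (counter mode)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def sym_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Fresh nonce per message: reusing one leaks the XOR of two plaintexts.
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return nonce + ct

def sym_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))

# ---------- Public key: two mathematically related keys ----------
def rsa_keygen(p: int, q: int, e: int = 17):
    """Return (public_key, private_key) from two primes. d is the inverse of e
    modulo phi(n), which is what makes the two keys 'mathematically related'."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)

def rsa_encrypt(public_key, m: int) -> int:
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(m, e, n)

def rsa_decrypt(private_key, c: int) -> int:
    n, d = private_key
    return pow(c, d, n)

# Signing is the same math run the other way round: only the private-key holder
# can produce a value that the public key verifies. A digital certificate is a
# certificate authority's signature over someone's public key and identity.
def rsa_sign(private_key, m: int) -> int:
    n, d = private_key
    return pow(m, d, n)

def rsa_verify(public_key, m: int, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == m

if __name__ == "__main__":
    shared = secrets.token_bytes(32)
    print(sym_decrypt(shared, sym_encrypt(shared, b"pay 100 to bob")))
    pub, priv = rsa_keygen(61, 53)
    c = rsa_encrypt(pub, 65)
    print(pub, priv, c, rsa_decrypt(priv, c), rsa_verify(pub, 65, rsa_sign(priv, 65)))
```

With p = 61 and q = 53 the public key is (3233, 17) and the private key is (3233, 2753); the message 65 encrypts to 2790, which only the private exponent turns back into 65. Running rsa_decrypt with the public key instead does not recover the message, which is exactly the asymmetry the symmetric scheme lacks: there, whoever can decrypt can also encrypt.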
What are fault-tolerant computer systems?
Systems that contain redundant hardware, software, and power supply components that create an environment that provides continuous, uninterrupted service.
What are SLAs?
Service level agreements: formal contracts with third-party vendors that define the responsibilities of the service provider and the level of service expected.
What are objective assessments of a system in the form of quantified measurements called?
Software metrics
What is the review of a specification or design document by a small group of qualified people called?
Walkthrough
What is the process by which errors are eliminated called?
Debugging