B4-Security

Question 1

Technologies and Security Management Features

Answer 1

A. Safeguarding Records and Files-all critical application data should be backed up and stored in a secure off-site location.

B. Backup Files

1. Son-Father-Grandfather Concept-most recent file is the son, the second most is the father, and the preceding file is the grandfather. Periodic transaction files are stored separately. Alwys at least two backup files that can be used to recreate the destroyed file
2. Backup of Systems that Can be shut down-files or databases that have changed since the last back up can be backed up.
3. Backup of systems that do not shut down-applying a transaction log; reapplying thos trans to get back tothe point immediately before failure
4. Mirroring-backup computer to duplicated all of the processes and trans on the primary computer. Can be very expensive.

C. Uninterrupted Power Supply-device that maintains a continuous supply of electricalpower to connected equipment.

D. Program Modification Controls-include both controls designed to prevent changes by unauthroized personnel and contorls that track program changes so that there is a record ofwhat version sof what programs are running production at any specific point in time.

E. Data Encryption-essential for electronic comerce. Involves using a password or a digital key to scrampble a readable (plaintext) message into a unreadable (ciphertext) message. The intended recipient of the message then uses another digital key to decrypt or decipher the ciphertext message back into plaintext. The longer the length of the key, the less likely the key is to be broken by a brute force attack.

1. Digital Certificates-electronic docments created and digitally signed by a trusted party which certifies the identity of the owners of a particluar public key. Public Key Infrastructure (PKI)-refers to the system and processes used to issue and manage asymmetric keys and digital certificates. The org that issues public and private keys ana drecords the bpulic key in a digital cert is called a certificate authority.
2. Digital Signatures

F. Managing Passwords

1. Password Length
2. Password Complexity
3. Password Age
4. Password Reuse

G. User Access

1. Initial Passwords and Authorization for System Access
2. Changes in Position-disable accounts when an employee leaves org

Question 2

Policies

Answer 2

Most crucial element in a corporate information security infrastructure

and must be considered long before security technology is acquired and deployed.

Question 3

Policies

Security Policy Defined

Answer 3

Document that states how an org plans to protect its tangible and intangible information assets. They include

1. Mgmnt instructions-indicating course of action, a guiding principle, or an appropriate procedure
2. High-level statements that provide guidance to workers who must make present and future decisions
3. Generalized requirements that must be written and communicated

Question 4

Polices

Types of Policies

Answer 4

Program Level Policy-mission statement for IT security.Describes info security and assigns responsibility for achievement of security objectives to the IT department.

Program Framework Policy-an expression of strategy. Overall stragety to make mission statement a reality.

Issue Specific Policy-addresses specific issues of concern (how to handle cloud computing)

System Specific Policy-focuses on policy issues that exist for a specific system (the payroll system)