BEC 4 Security and Internet implications for business Flashcards
Technologies and security management features
A. Safeguarding records and files
B. Back up files
  1. Son-father-grandfather concept
  2. Back up of systems that can be shut down
  3. Backups of systems that do not shut down
  4. Mirroring
C. Uninterrupted power supply
D. Program modification controls
E. Data encryption
  1. Digital certificates
  2. Digital signatures vs E-signatures
F. Managing passwords
  1. Password length
  2. Password complexity
  3. Password age
  4. Password reuse
G. User access
  1. Initial passwords and authorization for system access
  2. Changes in position
A. Safeguarding records and files
- inadequate protection may result in damage or loss
- data can be protected by the use of internal and external labels and file protection rings
B. Back up files
- Son-father-grandfather concept - the most recent file is called the son; the backup process includes reading the previous file, recording the transactions being processed, and then creating a new updated master file. There are always at least two backups.
- Backup of systems that can be shut down - updated when the system is shut down
- Backups of systems that do not shut down - recovery includes applying a transaction log and reapplying those transactions to get back to the point immediately before the failure
- Mirroring - the use of a backup computer to duplicate all of the processes and transactions on the primary computer
C. Uninterrupted power supply
A device that maintains a continuous supply of electrical power to connected equipment; also called a battery backup.
D. Program modification controls
Program modification controls are controls over the modification of programs being used in production applications. They include controls designed to prevent changes by unauthorized personnel and also controls that track program changes.
E. Data encryption
E. Data encryption - an essential foundation for electronic commerce. Encryption involves using a password or a digital key to scramble a readable (plaintext) message into an unreadable (ciphertext) message. The intended recipient then uses the same or another digital key to decrypt or decipher the ciphertext back into plaintext.
- Digital certificates - an electronic document, created and digitally signed by a trusted party, which certifies the identity of the owners of a particular public key.
- The public key infrastructure - the system and processes used to issue and manage asymmetric keys and digital certificates.
- Certificate authority - the organization that issues public and private keys and records the public key in a digital certificate.
- Digital signatures vs E-signatures - digital signatures use asymmetric encryption to create legally binding electronic documents. Web-based e-signatures are an alternative mechanism for accomplishing the same objectives. An e-signature is a cursive-style imprint of a person’s name that is applied to an electronic document.
F. Managing passwords
F. Managing passwords - every account needs one
- Password length - 7-8 characters
- Password complexity - upper- and lowercase letters, numerals, and special ASCII characters (!@#$)
- Password age - change every 3 months
- Password reuse - passwords should not be reused (history of the last 24 passwords)
G. User access
- Initial passwords and authorization for system access
- Changes in position - require communication between HR and IT
Brute force attack
the attacker simply tries every possible key until the right one is found
A. Security Policy defined
A. Security Policy defined - a document that states how an org plans to protect the org’s info.
B. Security Policy goal
B. Security Policy goal - requires people to protect info, which protects the org, its people, and customers.
C. States and Locations of information covered by security policies:
- The security policy should seek to secure info that exists in 3 distinct states:
a. Stored information
b. Processed information
c. Transmitted information
- Information resides in 3 locations:
a. information technology systems
b. paper
c. human brain
- Relationship between states and locations of info (examples):
a. Info systems - stored on hard drives, processed by computers, transmitted via the Internet
b. Paper - stored in file cabinets, processed by copy machines, transmitted by fax
c. Brain - stored in memory, processed by synapses, transmitted by language
Types of policies
- Program level policy - used for creating a management sponsored computer security program. A program level policy, at the highest level, might prescribe the need for information security and may delegate the creation and management of the program to a role within the IT department.
- Program-framework policy - establishes the overall approach to computer security
- Issue specific policy
- System specific policy
Development and management of security policies
- Security objectives - series of statements to describe meaningful actions about specific resources.
- Operational security - defines the manner in which a specific data operation would remain secure
- Policy implementation - security is enforced by a combination of technical and traditional management methods.
Policy support documents
- Regulations - laws, rules, regulations represent governmentally imposed restrictions passed by regulators and lawmakers
- Standards and baselines - topic specific (Standards) and system specific (baseline) documents that describe overall requirements for security
- Guidelines - provide hints, tips, and best practices in implementation
- Procedures - step by step instructions on how to perform a specific security activity
Decryption or decipherment
the intended recipient converts the cipher text into plain text
Digital signature
A means of ensuring that a message is not altered in transmission. It is a form of data encryption.
Electronic Commerce (E-Commerce)
- the electronic consummation of exchange transactions
- can use a private network or the Internet as the communications provider
- may involve communication between previously known parties or between parties that have had no prior contracts or agreements
Electronic Business (E-business)
- general term
- any use of information technology like networking and communications technology to perform business processes in an electronic form
- may or may not relate to selling or buying
Electronic Data Interchange (EDI)
the computer to computer exchange of business transaction documents
EDI - Reduced handling costs and increased processing speed
reduces transaction handling costs and speeds transaction processing
EDI - Standard data format
a. Mapping - the process of determining the correspondence between data elements in an organization’s terminology and data elements in standard EDI terminology.
b. Standards - several different standards exist
- XML - Extensible Markup Language - a technology that has been developed to transmit data in flexible formats instead of the standard formats of EDI.
EDI - Communication
EDI can be implemented using direct links between the organizations exchanging information via communication intermediaries, VANs or networks of VANs, or over the Internet.
Features of EDI
- allows the transmission of electronic documents between computer systems in different organizations
- reduces handling costs and speeds transaction processing compared to traditional paper based processing.
- requires that all transactions be submitted in a standard data format
- can be implemented using direct links between the trading partners, communication intermediaries, VANs or networks of VANs, or over the Internet.
Costs of EDI
a. Legal costs
b. Hardware costs
c. Costs of translation software
d. Costs of data transmission
e. Costs associated with security, monitoring and control procedures
EDI controls
Audit trails should include:
- activity logs of failed transactions
- network and sender/recipient acknowledgements
EDI Risks
unauthorized access to the organization’s system is the greatest risk
Comparison of EDI and E-Commerce
Which is higher?
- Cost - EDI
- Security - EDI
- Speed - E-Commerce
- Network - EDI uses a VAN (private); E-Commerce uses the Internet (public)
Business process reengineering
the analysis and redesign of business processes and information systems to achieve significant performance improvements.
Challenges faced in business process reengineering
- Tradition - old ways of doing things do not die easily
- Resistance - people don’t like changes
- Time and cost requirements - takes 2+ years to complete
- Lack of management support
- Skepticism
- Retraining
- Controls
Business to business (B2B)
- Business to Consumer (B2C) transaction - a business sells its products or services to the public
- Business to Business (B2B) transaction - a business sells products to another business
- Consumer to Consumer (C2C) transaction - consumers sell products to other consumers (eBay)
B2B E-Commerce
Many businesses do this, especially in the wholesale markets.
Electronic market
Internet transactions can occur between businesses where there is no pre-existing relationship.
Direct market
B2B transactions may occur electronically between businesses where there is a pre-existing relationship (EDI, corporate intranets and extranets)
Importance of B2B
- Speed - the faster the better and the Internet is faster than phone, fax or mail.
- Timing - E-Commerce transactions do not have to occur during normal business hours (time zones)
- Personalization - after registering with a new business partner, the website can guide it to the most interesting areas.
- Security - private info is encrypted
- Reliability - because transactions occur electronically from one computer directly to another, they should be performed very precisely, with no opportunity for human error
Factors to consider
- The selection of the business model
- Channel conflicts - the possibility of stealing business from existing sales or channels
- Legal issues - laws governing electronic commerce
- Security - outsiders can hack into your account