BEC 4 Types of Information Systems and Technology Risks and Appendix Flashcards
Strategic risk
- risk of choosing inappropriate technology
Operating risk
- risk of doing the right things in the wrong way
Financial risk
- risk of having financial resources lost, wasted or stolen
Information risk
- risk of loss of data integrity, incomplete transactions, or hackers
Specific risk
- Error - carelessness, failure to follow directions or ignorance due to poor training
- Intentional acts - sabotage, embezzlements, viruses, denial of service attacks
- Disasters - fires, floods, earthquakes, high winds, terrorism and war
Virus
- a piece of a computer program that inserts itself into some other program, including operating systems to propagate.
- It requires a host program to propagate and can’t run independently
Worm
- a program that can run independently and normally propagates itself over a network
- it can’t detach itself to other programs
Trojan horse
- a program that appears to have a useful function but contains a hidden and unintended function that presents a security risk
Denial of Service attack
- one computer bombards another computer with a flood of information intended to keep legitimate users from accessing the target computer or network
Phishing
- sending of phony emails to try to lure people to phony websites asking for financial information
Spam
unsolicited email
Risk assessment and control activities
- Risk - possibility of harm or loss
- Threat - any eventuality that represents a danger to an asset or a capability linked to hostile intent
- Vulnerability - characteristic of a design, implementation or operation that renders the system susceptible to a threat
- Safeguards and controls - policies and procedures that when effectively applied, reduce or minimize vulnerabilities
Risk assessment
- identify risks
- evaluate the risks in terms of the probability of occurrence
- evaluate the exposure of potential loss
- identify controls
- evaluate the costs and benefits of implementing the controls
- implement the controls that are cost effective
Evaluation and Types of controls
- evaluated on cost/benefit basis
Access controls
- Physical access
a. User identification codes
b. File attributes - Assignment and maintenance of security levels
- Callback on dial up systems
- File attributes
- Firewalls
a. firewalls deter
b. network firewalls
c. application firewalls
d. firewalls methodologies
- packet filtering - examines packets of data as they pass via the firewall according to the rules. Firewall configuration
- circuit level gateways - allow data into a network that result from requests from computers inside the network
- application level gateways - examine data coming into the gateway in a more sophisticated fashion
Disaster recovery
consists of an entity’s plans for continuing operations in the event of the destruction of not only program and data files, but also processing capabilities.
Major players in disaster recovery
- organization itself
- external service provider,
the disaster recovery services provider
Steps in disaster recovery
- assess the risks
- identify mission critical applications and data
- develop a plan for handling applications
- determine the responsibilities of the personnel involved
- test the disaster recovery plan
Advantages and disadvantages of disaster recovery and business continuity
- without the plan, the company may be out of business
Split mirror backup
as the size of data needed to support many large companies grows. so does the time and resources that it takes those companies to back up and recover their data.
Use of a disaster recovery services
different services like an empty room to providing facilities across the country to relocate end user personnel
Internal disaster recovery
- some organizations with the requirement for instantaneous or almost instant resumption of processing in the event of a disaster provide their own duplicate facilities in separate locations.
- data might be mirrored and processing can be switched almost instant from one location to the other
- duplicate data center and data mirroring is very expensive
Multiple data center backups
- Full backup - exact copy of the entire database
- Partial backup
- an incremental backup - copying only the data items that have changed since the last back up
- differential backup - all changes made since the last full backup, each new differential backup file contains the cumulative effects of all activity since the last full backup
Types of off site locations
- Cold site *
- Hot site
- Warm site
Cold site - off site location that has all the electrical connections and other physical requirements for data processing, but it does not have the actual equipment
Types of off site locations
- Cold site
- Hot site *
- Warm site
Hot site - an off site location that is equipped to take over the company’s data processing. Backup copies of essential data files and programs may also be maintained at the location or data storage facility.
- Telecommunications network
- Floor space and equipment determination
- Personnel issues
Types of off site locations
- Cold site
- Hot site
- Warm site *
Warm site - a facility that is already stocked with all the hardware that it takes to create a reasonable facsimile of the primary data center
Business information system risks
- Strategic risk
- Operating risk
- Financial risk
- Information risk
Access controls
Access controls limit access to documentation, data files, programs, and computer hardware to authorized personnel.
Examples include locks, passwords, user identification codes, assignment of security levels, callbacks on dial up systems, the setting of file attributes, and the use of firewalls.
Firewall
a system often both hardware and software, of user identification and authentication that prevents unauthorized users from gaining access to network resources
Disaster recovery
Plans for continuing operations in the event of destruction of not only programs and data but also processing capabilities.
Hot site
off site location that is equipped to take over a company’s data processing
Cold site
off site location that has all of the electrical connections and other physical requirements for data processing but does not have the actual equipment
Types of backups
- Full backup
- Incremental backup
- Differential backup
Disaster recovery
- Disaster recovery service
- Internal disaster recovery
- Multiple data center recovery
Off site location
- Cold site
- Warm site
- Hot site
Disadvantage of a disaster recovery and business continuity plan
cost and effort required to implement the plan
DBMS
- Database development
- Database query
- Database maintenance
- Application development
LAN
- Node
- Workstation
- Server
- Network interface card
- Transmission media
- Network Operating System
- Communications Device
Value added network
- privately owned
- communication network
- provides additional services beyond standard data transmission
- good security
- uses periodic batch processing
- may be expensive
Internet based network
- uses Internet protocols
- public communications channels
- establishes network communication
- transmits transactions immediately
- is relatively affordable
- increases the number of potential trading partners
Intranet
connects geographically separate LANs within a company
Extranet
permits specified external parties to access the company’s network
Database
integrated collection of data records and data files
Database management system
the software that allows an organization to create, use and maintain a database
Data warehouse
collection of databases that store both operations and management data
Data mining
processing of data in a data warehouse to attempt to identify trends and patterns of business activity
Advantages of DBMS
- Data redundancy and inconsistency are reduced
- Data sharing exists
- Data independence exists
- Data standardization exists
- Data security is improved
- Data fields can be expanded without adverse effects on application programs
Difference between WANs and LANs
WANs - longer distance
LANs - short distance
