c) Security Flashcards
safeguarding files and records
- data can be protected through the use of internal and external labels and file protection rings
- ALL critical application data should be backed up and stored in a secure off-site location
Son-Father-Grandfather concept
- What's the version of the data?
- The most recent file is the son, the second most recent file is the father and the preceding file is the grandfather
- Process includes reading the previous file, recording (adding) transactions being processed and creating a new updated master file.
- There are always at least two backup files that can be used to recreate the destroyed file
Backups of systems that can be shut down
files or databases that have changed since the last backup (or just all data) can be backed up using the son, father, grandfather concept
Backups of systems that do not shut down
files or databases that have changed since the last backup (or just all data) can be backed up using the son, father, grandfather concept
mirroring
use of a backup computer to duplicate all of the processes and transactions on the primary computer; can be expensive
Uninterruptible power supply (UPS)
device that maintains a continuous supply of electrical power to connected equipment. A UPS is also called a battery backup. The battery will eventually run out.
program modification controls
include both controls designed to prevent changes by unauthorized personnel and controls that track program changes, so that there is a record of which versions of which programs are running in production at any specific point in time
data encryption
- essential foundation for electronic commerce
- uses a password or digital key to scramble a readable (plaintext) message into an unreadable (ciphertext) message.
- the intended recipient then uses another digital key to decrypt or decipher the message back into plaintext.
- the longer the key, the less likely the message is to be decrypted
brute force attack
attacker simply tries every possible key until the right one is found
digital certificates
electronic documents created and digitally signed by a trusted party, which certify the identity of the owner of a particular public key
PKI
Public key infrastructure
- the system and processes used to issue and manage asymmetric keys and digital certificates.
- the organization that issues public and private keys and records the public key in the digital certificate is called a certificate authority (CA), e.g. Verisign
Digital signatures
Use asymmetric encryption to create legally binding electronic documents
E-signature
an alternative to digital signatures, provided by vendors as a software product. They are legally binding, as if the user had actually signed the paper copy of the document.
Managing passwords
The first rule in password policy is that every account must have a password
Password length
general rule: minimum of 7 or 8 characters for password length
Password complexity
features three of the four characteristics:
- uppercase
- lowercase
- numeric characters
- symbols
password age
no true standard; changing every 90 days is considered a good policy. Admin passwords should be changed more frequently
Password reuse
no true standard; passwords should not be reused until a significant amount of time has passed
initial passwords and authorization for user access to system
HR should generate the request for a user account and system access rights; based on the level of access being granted, the Information Security Officer may need to approve the account
Changes in position
Require coordination between HR and IT; it is important to have procedures in place for changes in jobs/roles and to remove access/disable accounts for terminated employees
Policies
the most crucial element in a corporate information security infrastructure; must be considered long before security technology is acquired and deployed
Security policy
document that states how an organization plans to protect its tangible and intangible information assets
- management instructions indicating a course of action, principle or procedure
- high-level statements providing guidance to workers who must make present and future decisions
security policy goal
require people to protect information, which in turn protects the organization, its employees and its customers
security policy secures information in 3 states
Stored information
Processed information
Transmitted information