Chapter 12: Managing Information Security and Privacy

Question 1

Identity Theft

Answer 1

Stealing, misrepresenting, or hijacking the identity of another person or business

vital information, such as a person’s name, address, date of birth, social insurance number, and mother’s maiden name, are often all that is needed to facilitate impersonation

Question 2

The Personal Information Protection and Electronic Documents Act (PIPEDA)

Answer 2

In Canada, PIPEDA gives individuals the right to know why an organization collects, uses, or discloses their personal information

PIPEDA does not, however, facilitate individuals suing organizations

Question 3

Secruity threats

Answer 3

A problem with the security of information or the data therein, caused by human error, malicious activity or natural disaster

Question 4

Three sources of security threats

Answer 4

(1) human error and mistakes,
(2) malicious human activity,
(3) natural events and disasters.

Question 5

Human errors and mistakes

Answer 5

Include accidental problems caused by both employees and others outside the organization.

An example is an employee who misunderstands operating procedures and accidentally deletes customer records

Question 6

malicious human activity

Answer 6

This category includes employees and others who intentionally destroy data or other system components. It also includes hackers who break into a system, virus and worm writers who infect computer systems, and people who send millions of unwanted emails

Question 7

Spam

Answer 7

Unwanted email messages

Question 8

Natural events and disasters

Answer 8

Category includes fires, floods, hurricanes, earthquakes, tsunamis, avalanches, and other acts of nature or accidents.

Problems in this category include not only the initial loss of capability and service but also losses stemming from actions to recover from the initial problem.

Question 9

Five types of security problems

Answer 9

(1) unauthorized data disclosure,
(2) incorrect data modification,
(3) faulty service,
(4) denial of service,
(5) loss of infrastructure

Question 10

Unauthorized data disclosure

Answer 10

Can occur by human error when someone inadvertently releases data in violation of policy.

An example at a college or university would be a new department administrator who posts student names, numbers, and grades in a public place

In Canada, this type of disclosure is covered by PIPEDA

Question 11

Pretexting

Answer 11

Occurs when someone deceives by pretending to be someone else.

A common scam involves a telephone caller who pretends to be from a credit card company and claims to be checking the validity of credit card numbers

Question 12

Phishing

Answer 12

technique for obtaining unauthorized data, and it uses pretexting via email. The phisher pretends to be a legitimate company and sends an email requesting confidential data, such as account numbers, social insurance numbers, account passwords, and so on

Question 13

Spoofing

Answer 13

term for someone pretending to be someone or somewhere else. If you pretend to be your professor, you are spoofing your professor

Question 14

IP spoofing

Answer 14

occurs when an intruder uses another site’s IP (Internet Protocol) address as if it were that other site

Question 15

Sniffing

Answer 15

technique for intercepting computer communications. With wired networks, sniffing requires a physical connection to the network.

Question 16

drive-by sniffers

Answer 16

simply access computers with wireless connections through an area and search for unprotected wireless networks. They can monitor and intercept wireless traffic at will.

Question 17

Incorrect Data Modification

Answer 17

Incorrectly increasing a customer’s discount or incorrectly modifying an employee’s salary, earned days of vacation, or annual bonus are actions that might fall under this category

can occur through human error when employees follow procedures incorrectly or when procedures have been incorrectly designed

Question 18

Hacking

Answer 18

when a person gains unauthorized access to a computer system. Although some people hack for the sheer joy of doing it, other hackers invade systems for the malicious purpose of stealing or modifying data.

Question 19

Faulty Service

Answer 19

Includes problems due to incorrect system operations. Faulty service encompasses incorrect data modification, as well as systems that incorrectly send the wrong order to customers, programs that incorrectly bill customers, and software that sends erroneous information to employees.

Question 20

denial of service (DOS)

Answer 20

Security problems in which users are not able to access an information system; can be caused by human errors, natural disaster, or malicious activity

Question 21

Loss of Infrastructure

Answer 21

Examples are a bulldozer cutting fibre-optic cables, or the maintenance staff unplugging an important device in order to plug in a vacuum cleaner.

Question 22

A security program has three components:

Answer 22

(1) senior management involvement,
(2) safeguards of various kinds,
(3) incident response

Question 23

(1) senior management involvement,

Answer 23

First, senior management must establish the security policy. This policy sets the stage for the organization’s response to security threats.

Senior management’s second function, therefore, is to manage risk by balancing the costs and benefits of the security program.

Question 24

Technical safeguards

Answer 24

involve the hardware and software components of an information system

Question 25

primary technical safeguards

Answer 25

1) identification and authentication
2) Encryption
3) Firewalls
4) Malicious protection
5) Design for secure applications

Question 26

1) identification and authentication

Answer 26

Every non-trivial information system should require some form of authentication.

Question 27

identification

Answer 27

The process whereby an informing system identifies a user by requiring the user to sign on with a user name and password

Question 28

authentication

Answer 28

The process whereby an information system approves (authenticates) a user by checking the user’s password

Question 29

authentication methods fall into three categories:

Answer 29

(1) what you know (password or PIN),
(2) what you have (smart card),
(3) what you are (biometric).

Question 30

Passwords

Answer 30

• users tend to be careless in their use
• users tend to be free in sharing their passwords with others
• many users choose ineffective, simple passwords or use the same password for many systems

Question 31

Smart card

Answer 31

Plastic card that is similar to a credit card. Unlike credit, debit, and ATM (automatic teller machine) cards, which have a magnetic strip, smart cards have a microchip. The microchip holds far more data than a magnetic strip and has identifying data or algorithms.

Question 32

personal identification number (PIN)

Answer 32

Form of authentication whereby the user supplies a number that only they know

Question 33

challenge-response authentication

Answer 33

Form of authentication that uses a varying form of numeric question and algorithmic response (usually involving sophisticated computerized tokens) to validate users

Question 34

Biometric authentication

Answer 34

uses personal physical characteristics, such as fingerprints, facial features, and retinal scans, to authenticate users.

Question 35

malware

Answer 35

malware includes viruses, worms, Trojan horses, spyware, and adware

Broad definition, has many def’s

Question 36

Spyware

Answer 36

Programs are installed on the user’s computer without the user’s knowledge or permission. Spyware resides in the background and, without the user’s knowledge, observes the user’s actions and keystrokes, monitors computer activity, and reports that activity to sponsoring organizations

Question 37

Adware

Answer 37

Similar to spyware in that it is installed without the user’s permission and resides in the background to observe user behaviour. Most adware is benign in that it does not perform malicious acts or steal data. It does, however, watch user activity and produce pop-up ads

Question 38

Malware Safeguards

Answer 38

1) Install antivirus and anti-spyware programs
2) Set up your anti-malware programs to scan your computer frequently.
3) Update malware definitions
4) Open email attachments only from known sources
5) Promptly install software updates from legitimate sources.
6) Browse only in reputable Internet neighbourhoods

Question 39

Malware definitions

Answer 39

patterns that exist in malware code—should be downloaded frequently. Anti-malware vendors update these definitions continually, and you should install these updates as they become available.

Question 40

Data safeguards

Answer 40

Steps taken to protect databases and other organizational data by means of data administration and database administration

Question 41

Two organizational units are responsible for data safeguards

Answer 41

1) data administration

2) database administration

Question 42

Data administration

Answer 42

refers to an organization-wide function that is in charge of developing data policies and enforcing data standards

typically a staff function reporting to the chief information officer (CIO).

Question 43

Database administration

Answer 43

refers to a function that pertains to a particular database.

The enterprise resource planning (ERP), customer relationship management (CRM), and supply chain management (SCM) databases each have a database administration function

Question 44

key escrow

Answer 44

Control procedure whereby a trusted party is given a copy of a key used to encrypt database data

Question 45

Human safeguards

Answer 45

involve the people and procedures components of information systems. In general, human safeguards result when authorized users follow appropriate procedures for system use and recovery.

Question 46

Position Definitions

Answer 46

Effective human safeguards begin with creating definitions of job tasks and responsibilities.

In general, job descriptions should provide a separation of duties and authorities.

Question 47

Hiring and Screening

Answer 47

Security considerations should be part of the hiring process. Of course, if a position involves no sensitive data and no access to information systems, then screening for information systems security purposes will be minimal.

Question 48

Dissemination and Enforcement

Answer 48

Employees cannot be expected to follow security policies and procedures that they are not aware of. Therefore, employees need to be made aware of the security policies and procedures and of their responsibilities.

Question 49

Enforcement consists of three interdependent factors:

Answer 49

(1) responsibility,
(2) accountability,
(3) compliance

Question 50

Termination

Answer 50

Standard human resources policies should ensure that system administrators receive notification in advance of the employee’s last day so that they can remove accounts and passwords

Question 51

Human Safeguards for Non-employees

Answer 51

Business requirements may necessitate opening information systems to non-employees—temporary personnel, vendors, partner personnel (employees of business partners), volunteers, and the public.

Question 52

Hardening a site

Answer 52

means to take extraordinary measures to reduce a system’s vulnerability. Hardened sites use special versions of the operating system and lock down or eliminate operating system features and functions that are not required by the application

Question 53

Account Administration

Answer 53

The administration of user accounts, passwords, and help-desk policies and procedures is an important component of the security system.

Question 54

Account Management

Answer 54

Account management concerns the creation of new user accounts, the modification of existing account permissions, and the removal of unneeded accounts.

Question 55

System Procedures

Answer 55

normal operation, backup, and recovery

Question 56

Security Monitoring

Answer 56

Important monitoring functions are analysis of activity logs, security testing, and investigating and learning from security incidents.

Question 57

What Is Disaster Preparedness?

Answer 57

The best safeguard against a disaster is appropriate location

place computing centres, Web farms, and other computer facilities in locations not prone to floods, earthquakes, hurricanes, tornados, or avalanches

Question 58

Disaster Preparedness Guidelines

Answer 58

1) locate infrastructure in safe location
2) Identify mission-critical systems
3) Identify resources needed to run those systems
4) Prepare remote backup facilities
5) Train and rehearse

Question 59

hot sites

Answer 59

remote processing centres and may be run by commercial disaster-recovery services. For a monthly fee, they provide all the equipment needed to continue operations following a disaster and there may be minimal downtime or unavailability following a disaster

Question 60

Cold sites

Answer 60

provide space and limited technology and customers provide and install the equipment needed to continue operations following a disaster. Recovery time is considerably longer

Question 61

Warm sites

Answer 61

somewhere in the middle of the two extremes.

Question 62

Factors in Incident Response

Answer 62

1) Have plan in place
2) Centralized reporting
3) Specific responses (speed, preparation pays, dont make problems worse)
4) Practice

Question 63

____________________ provides useful information about what identity theft is and who to contact if it happens to you.

Answer 63

The Public Safety Canada website

Question 64

​Equifax, a global technology company specializing in proving credit scores and personal privacy​ protection, had a cybersecurity incident and​ 1,000,000 Canadian customers were impacted. Compromised personal information included all the​ following, except:

Answer 64

email addresses.

Question 65

An easy way to remember information systems safeguards is to arrange them according to the​ ______ components of an information system.

Answer 65

5

Question 66

What two critical factors do organizations need to address when responding to security​ threats?

Answer 66

security policy and risk management

Question 67

What should data administration define​ initially?

Answer 67

Data policies

Question 68

Which of the following is not an example of a data​ safeguard?

Answer 68

Virus protection

Question 69

The organizational function that pertains to developing and enforcing data policies and standards is called​ ________.

Answer 69

Data administration

Question 70

Which is the single most important safeguard that an individual computer user can​ implement?

Answer 70

Using strong passwords

Question 71

Human safeguards involve the​ ___________ and​ ___________ components of information systems.

Answer 71

people, procedure

Question 72

All the following are major disaster preparedness​ tasks, except:

Answer 72

Monitor security

Question 73

Preparing a​ ________________ facility is very​ expensive; however, the costs of establishing and maintaining that facility are a form of insurance.

Answer 73

backup

Question 74

​__________________ allows the organization to learn about security​ threats, take consistent actions in​ response, and apply specialized expertise to all security problems.

Answer 74

Centralized reporting

Question 75

​________ will enable an organization to determine whether it is under systemic attack or whether an incident is isolated.

Answer 75

Centralized reporting

Question 76

When an incident does​ occur, ____________ is of the essence.

Answer 76

speed