Domain II – Information Security - Section A: Information Protection Flashcards
IT governance
consists of the leadership, organizational structures, and processes that ensure that the enterprise’s information technology supports the organization’s strategies and objectives.
Computer‐Based Information Systems (CBIS)
is a system for collecting data, processing it into information, and storing the information for future reference and output. The system consists of six components:
a. Hardware
b. Software
c. Data/information
d. Procedures
e. People
f. Connectivity
The four major phases of activity in a CBIS are:
a. Input phase during which data is captured electronically and converted to a form that can be processed by a computer.
b. Processing phase during which data is converted into an appropriate form of information.
c. Output phase during which the user makes use of information to perform and manage business activities and for decision‐making.
d. Storage phase during which data, information, and processing instructions are stored in a computer‐usable form.
The IIA’s glossary defines IT controls
as controls that support business management and governance as well as provide general and technical controls over information technology infrastructure such as applications, information, infrastructure, and people.
Physical access and environmental controls (General IT Controls)
are controls to physically protect the information systems hardware and software. These controls are appropriate to consider during the physical design of a data center.
Logical access controls (General IT Control)
are mainly implemented through the use of special security software and/or by utilizing features of other applications software.
Security software
is software that controls the logical access to information systems.
=> It typically includes user authentication, granting access in accordance with predefined rules, and monitoring, logging and reporting usage.
Data diddling
is the changing of the data prior to its input to the computer.
Trojan horse
is malicious, fraudulent code hidden in an authorized program that is executed every time the authorized program is executed.
Viruses
include a variety of malicious program codes that are inserted into other programs or data files.
Worms
are malicious programs that destroy data or utilize significant computer and communication resources.
Rounding down
involves drawing small amounts of money from a computerized transaction or account and depositing them in the perpetrator’s account.
Salami techniques
involve the slicing down of small amounts of money from a computerized transaction.
Logic bombs
are malicious codes similar to computer viruses, but they do not replicate themselves.
Asynchronous attacks
are attacks that change data while it is waiting to be transmitted.
Trap doors
are exits from an authorized program that permit the insertion of unauthorized logic.
Data leakage
is acquiring information out of the computer system in an unauthorized manner or in an authorized manner but by an unauthorized individual.
Piggybacking
is the act of following an authorized person physically through a door or electronically through a connection to gain unauthorized access.
Wire‐tapping
is the eavesdropping on information being transmitted over a telecommunications line.
Denial of Service
is a malicious attack that disrupts or completely denies service to legitimate users.
Authentication
refers to the use of security measures to authenticate identity.
=> Authentication protects against fraudulent logon activities by identifying and verifying the identity of the users and the users’ access authorizations.
Single‐factor (basic) Authentication
usually refers to password‐based authentication that is associated with a user’s unique identity.
Multi‐factor Authentication
refers to the use of multiple factors to identify the users; typically a user ID with a password, and a token (e.g. smart cards, biometric info, PINs generated by a device) that is in the physical possession of the user.
Cryptographic Authentication
uses additional methods for authentication primarily relying on encrypting and decrypting the sensitive information used for authentication such as public key authentication, password permutations, and digital signatures.
Application controls
are controls over the input, processing, and output functions of a computer‐based information system.
Input controls
are techniques and procedures used to validate, verify, and edit data to ensure that only authorized and correct data are input into the system for processing.
Processing controls
are procedures to provide reasonable assurance that data input is processed as authorized and master files are updated in a complete and accurate manner.
Output controls
are controls to ensure that output from the information system is accurate, complete, and distributed only to authorized individuals.
Integrity controls
are controls to ensure the integrity of data during the various phases to ensure consistency and validity.
Audit trail
is a control that enables management and/or the auditor to track individual transactions throughout the system from their source to their output and vice versa. The trail is intended to disclose who did what to the data, and when, in order to highlight the source and/or reason for any errors and/or irregularities.