IS Security Flashcards
Information Security
Information managers and workers are obligated to keep safe and secure the people (organization), processes, data, applications and infrastructure of information.
Information Security Definition
The protection of information assets from unauthorized disclosure, modification, or destruction; or the inability to process that information
This brings us to 3 principles:
1.Integrity principle == unauthorized disclosure
2.Confidentiality principle == modification or destruction of information
3.Availability principle == inability to process information
CIA TRIAD
Confidentiality – restrict access to authorized individuals
Secrecy, Privacy and Authority
Integrity – data has not been altered in an unauthorized manner
Accurate, Complete and Compliant
Availability – information can be accessed and modified by authorized individuals in an appropriate timeframe
System Vulnerability and Abuse
1.Accessibility of networks
2.Hardware problems (breakdowns, configuration errors, damage from improper use or crime)
3.Software problems (programming errors, installation errors, unauthorized changes)
4.Disasters
5.Use of networks/computers outside of firm’s control
6.Loss and theft of portable devices
Tools for Information Security
Authentication
Access Control
Encryption
Passwords
Backup
Firewalls
Virtual Private Networks (VPN)
Physical Security
Security Policies
Authentication
Persons accessing the information are who they say they are
Factors of identification:
Something you know – user ID and password
Something you have – key or card
Can be lost or stolen
Something you are – physical characteristics (i.e., biometrics)
Much harder to compromise
A combination of at least 2 factors is recommended
Access Control
Once authenticated – only provide access to information necessary to perform their job duties to read, modify, add, and/or delete information by:
1.Access control list (ACL) created for each resource (information)
List of users that can read, write, delete or add information
Difficult to maintain all the lists
2.Role-based access control (RBAC)
Rather than individual lists
Users are assigned to roles
Roles define what they can access
Simplifies administration
Encryption
An algorithm (program) encodes or scrambles information during transmission or storage
Decoded/unscrambled by only authorized individuals to read it
How is this done?
Both parties agree on the encryption method (there are many) using keys
Symmetric and public key
Passwords
Single-factor authentication (user ID/password) is the easiest to break
Password policies ensure that this risk is minimized by requiring:
A certain length to make it harder to guess
Contain certain characters – such as upper and lower case, one number, and a special character
Changing passwords regularly and not allowing a password to be reused
Employees do not share their password
Notifying the security department if they feel their password has been compromised
Yearly confirmation from employees that they understand their responsibilities
Backup
Important information should be backed up and stored in a separate location
A good backup plan requires:
Understanding of the organizational information resources
Regular backups of all data
Offsite storage of backups
Test of the data restoration
Complementary practices:
UPS systems
Backup processing sites
Firewalls
-Can be a piece of hardware and/or software
-Inspects packets of information and stops those that don’t comply with a strict set of rules
-Hardware firewalls are connected to the network
-Intrusion Detection Systems (IDS) watch for specific types of activities to alert security personnel of a potential network attack
-Can implement multiple firewalls to allow segments of the network to be partially secured to conduct business
Virtual Private Networks (VPN)
1.Some systems can be made private using an internal network to limit access to them
2.VPN allows users to remotely access these systems over a public network like the Internet
3.CPP students have this ability for:
Physical Security
Protection of the actual equipment
– Hardware and Networking components
Organizations need to identify assets that need to be physically secured:
Locked doors
Physical intrusion detection - e.g., using security cameras
Secured equipment
Employee training
Security Policies
–Starting point in developing an overall security plan
–Security policies focus on confidentiality, integrity, and availability
–Bring Your Own Device (BYOD) policies for mobile devices
–Difficult to balance the need for security and users’ needs
Securing Information Systems
1.Identify the information assets
2.Perform the assessment of vulnerabilities and threats that surround the creation, storage, use and sharing of information.
3.Develop, document and implement