IT Risk And Responses Flashcards
The overall process for understanding how risks can be identified and addressed in IT is through the:
Security life cycle
Examples of some technology risks that disrupt a business are:
Security risks - deal with hackers or employees abusing access
Availability risks - "the system is down"
Operational risks - not having correct software, or not using correct software effectively
Financial risk - using company printer for personal use
Compliance risk - HIPAA laws, etc.
Strategic risk - misalignment with business and IT strategies
Four types of IT threats
Natural and political disasters
Errors in software and equipment malfunction
Accidental actions - human error
Intentional actions - fraud
What are the two categories of IT controls?
General controls - focus on broader IT infrastructure and environment
Application controls - focus on specific applications and transaction processing
Ensure that an organization's control environment (people, processes, and IT) is stable and well-managed. Common components of general IT controls include:
System development life-cycle standards and controls
Physical and logical controls over infrastructure
Business resiliency management
Change management procedures
Software acquisition, development, operations, and maintenance controls
Software-specific mechanisms within a computer program that manage user access, permissions, and functionality. Application controls ensure transactions and data processed through a computer are:
Accurate
Complete
Valid
Authorized
An IT control can serve one of three functions:
Preventative
Detective
Corrective
Examples of preventative controls are:
Hire competent people
Segregation of duties
Physical access controls
Firewall/antivirus software
Examples of detective controls:
Bank reconciliation
Surveillance cameras
Intrusion detection systems
Change controls
Log management and system monitoring
Alerts when incidents occur, and tracking of those incidents
Examples of corrective controls:
Applying operating system upgrades
Maintaining data and system backups
Fixing data entry or transaction errors
Utilize software and protocols to monitor and control access to information and an organization's IT infrastructure; typically built into software packages and enforce security measures for access:
Logical access controls
Authentication controls are the specific access level or clearance granted to a user based on their job. Examples of authentication controls are:
Passwords
PIN number
Biometrics
Smart cards or physical tokens
Push notification
CAPTCHA (select all pictures that include bridges)
Multifactor authentication
This control uses authorization that restricts the access and actions of authenticated users based on granted permissions:
Access control list
Works in conjunction with a firewall to monitor network activity for malicious activity:
Intrusion detection systems (IDS)
This control is in place for organizations using operating systems that need to be reviewed when installed and on an ongoing basis to ensure proper authorization and usage:
Vulnerability controls
Examples of vulnerability controls include:
Hardening - turning off features not needed in an operation
Patch management - fixing vulnerabilities before they are exploited
Anti-malware program - an example would be blocking a company's access to a website like YouTube
Two types of encryption:
Symmetric encryption - sender and receiver use the same shared key
Asymmetric encryption - two keys are used; one is public and the other is private
Electronic documents that are created and digitally signed by a trusted party that certify the identity of the owners of a particular public key
Digital certificate
Use asymmetric encryption to create legally binding electronic documents
Digital signatures
Cursive-style imprint of an individual's name that is applied to a document and is legally binding
E-signature
What’s the difference between a system analyst and a computer programmer?
System analysts design an information system to meet user needs; the computer programmer then uses that design to create the information system by writing computer programs
OR
System analysts deal with hardware and computer programmers deal with software
Difference between security administrators and computer operators/programmers
Security administrators are responsible for restricting access to systems, applications, or databases to the appropriate personnel; so a security admin could not also be a computer operator/programmer, because they could gain access to unauthorized areas or give others unauthorized access.
The inherent risk that the loss of an organization's ? could lead to financial losses, operational inefficiencies, and contractual and other legal issues.
Critical information
There is a risk that the loss of ? could cause reputational, operational, and/or financial harm to an organization
Confidential data
The integration of system availability controls, crisis management, disaster recovery plans, and business continuity plans that ensure a business can continue to operate or quickly return to operations without irreparable harm to its people, information, or assets:
Business resiliency
A type of control that includes activities to prevent system disruptions and loss of information as well as procedures to continue operations or provide quick recovery from all incidents.
System availability controls
What are the characteristics of a cold site that maintains IT operations in case of disaster:
Off-site location
Has connections in place
Has no equipment in place
1-3 days until operational
Cheapest cost
What are the characteristics of a warm site that maintains IT operations in case of disaster:
Off-site location
May or may not have connections in place
May or may not have equipment in place
0-3 days to be operational
Moderately expensive
What are the characteristics of a hot site that maintains IT operations in case of disaster:
Off-site location
Has connections in place
Has equipment in place
Immediately operational
Most expensive