ITEC 85 (SIR CAUREL) Flashcards
is an important
asset to every individual or
organization
Digital information
It is the field covering the process of safeguarding the integrity of data used by individuals or organizations
Information Assurance
Prevents unwanted access to private
information
Information Security
Development and implementation of tools and techniques for keeping data safe.
Information Security
Designing defense-mechanism software
Information Security
Information Security
Similarities of Information Assurance and
Security
CNSS SECURITY MODEL
Created by John McCumber; also called the McCumber Cube
Can be as small as a smartphone that fits in a pocket or as large as a supercomputer
Computer Hardware
Peripheral devices, such as keyboards, external disk drives, and routers
Computer Hardware
Lets the hardware know what to do
- Computer Software
It sends signals and tasks to the hardware
- Computer Software
Connects the hardware together to form a network.
- Telecommunication
A network is a set of computers that are connected, wired or wirelessly.
- Telecommunication
LAN & WAN
- Telecommunication
Component where the “material” that the other components work with resides.
Place where data is collected and from which it can be retrieved by querying.
- Database and Data Warehouse
The final and possibly most important component of an information system is the human element: the people needed to run the system and the procedures.
- Human Resources and Procedures
➢ Should result in a high-quality system that meets customer expectations, reaches completion within time and cost evaluations, and works.
(RDITDOM)
* Requirements
* Design
* Implementation
* Testing
* Deployment
* Operation
* Maintenance
SYSTEM DEVELOPMENT LIFE CYCLE (SDLC)
Systematic approach which explicitly breaks down the work into the phases required to implement it (PADIM)
PHASES OF SDLC
Obtain approval of the project; initiate, plan, and schedule
Planning
Understand business needs and processing needs
Analysis
Solution system based on requirements and analysis decisions
Design
Construct, test, train users, install the new system
Implementation
Keep the system healthy and improve it
Maintenance
Is defined as the set of procedures that are executed in sequence in the software development life cycle (SDLC)
SECURITY SYSTEM DEVELOPMENT LIFE CYCLE
The process is started by the officials/directives working at top-level management
- System Investigation
Detailed documentation analysis of the documents formed
- System Analysis
Development of tools and the following blueprints
- Logical Design
Technical teams acquire the tools and blueprints
- Physical Design
Carried out with the help of various teams aggressively testing
- Implementation
The security program must be kept up to date
- Maintenance
In layman’s terms, a digital assault on a computer network.
cyberattack
A malicious act that attempts to damage data, steal data, or disrupt digital life in general
cyber threat
Include computer viruses, data breaches, and denial of service
Cyber threats
Here are the 8 biggest threats to businesses.
- Financial Issues
- Laws And Regulation
- Broad Economic Uncertainty
- Attracting And Retaining Talent
- Legal Liability
- Cyber, Computer, Technology Risk/Data Breaches
- Increasing Employee Benefits Cost
- Medical Cost Inflation
Extortion of money in exchange for files
- Ransomware
Unauthorized access
- Malware
To trick a user into giving sensitive information
- Social Engineering
Sending fraudulent e-mails
- Phishing
Encrypting malware
- Crypting Services
Buying and selling malware on the Dark Web
- Crimeware
Gives hackers control over the device
- Remote Administration Tools
Malware that records keyboard strokes
- Keyloggers
Visiting a trusted site but then getting redirected to a malicious site
- Exploit kits
Stolen data from a user’s machine
- Leaked data
Implanted in bank teller machines and POS terminals
- Card skimmers
Outdated systems are vulnerable to attack.
- Unpatched systems
- Security is essential because when a company ignores it, it exposes itself to risk
- Huge amounts of data can be stolen at any time
- A few businesses don’t take this seriously and end up with financial losses and a bruised reputation
Security Software Development
Continuous monitoring for vulnerabilities results in better application quality and mitigation of business risk
- Higher security
Early attention to flaws significantly reduces the effort required to detect and fix them
- Cost reduction
Encourages a conscientious attitude towards security-related laws and regulations. Ignoring them may result in fines and penalties, even if no sensitive data is lost.
- Regulatory compliance
As _________ explains in
The Social Contract, or Principles of
Political Right, the rules the members
of a society create to balance the
individual rights to self-determination
against the needs of the society as a
whole are called laws.
Jean Jacques Rousseau
These policies are guidelines that
describe acceptable and unacceptable
employee behaviors in the workplace,
function as organizational laws,
complete with penalties, judicial practices, and sanctions to require
compliance.
Organizational Liability and the Need for
Counsel
The
organization must be able to demonstrate
that the relevant policy has been made readily
available for review by the employee.
Dissemination (distribution)
The organization must be able to demonstrate that it disseminated the document in an intelligible form, including versions for illiterate, non-English reading, and reading-impaired employees.
Review (reading)
The organization must be able to demonstrate that the employee understood the requirements and content of the policy
Comprehension (understanding)
The organization must be able to demonstrate that the employee agreed to comply with the policy through act or affirmation
Compliance (agreement)
The organization must
be able to demonstrate that the policy has
been uniformly enforced, regardless of
employee status or assignment.
Uniform enforcement
comprises a wide variety of
laws that govern a nation or state.
Civil law
addresses activities and
conduct harmful to society, and is
actively enforced by the state.
Criminal law
encompasses family law,
commercial law, and labor law, and
regulates the relationship between
individuals and organizations.
Private law
regulates the structure and
administration of government
agencies and their relationships with
citizens, employees, and other
governments.
Public law
is the cornerstone of
many computer-related federal laws
and enforcement efforts.
The Computer Fraud and Abuse Act of
1986 (CFA Act)
Many organizations are collecting,
swapping, and selling personal information as
a commodity, and many people are looking to
governments for protection of their privacy.
Privacy
The Privacy of Customer Information Section of the common carrier regulation states that any proprietary information shall be used explicitly for providing services.
Privacy of Customer Information
The Federal Trade Commission (FTC) describes identity theft as “occurring when someone uses your personally identifying information, like your name, without permission.”
Identity Theft
It is important for IT professionals and
information security practitioners to
realize that when their organizations
do business on the Internet, they do
business globally.
As a result, these professionals must
be sensitive to the laws and ethical
values of many different cultures,
societies, and countries.
INTERNATIONAL LAWS AND LEGAL BODIES
It created an international task force
to oversee a range of security
functions associated with Internet
activities for standardized technology
laws across international borders.
Signed by 43 countries in Budapest,
November 2001.
Council of Europe Convention on Cybercrime
The Agreement on Trade-Related
Aspects of Intellectual Property Rights
(TRIPS), created by the World Trade
Organization (WTO)
Agreement on Trade-Related Aspects of
Intellectual Property Rights
TRIPS establishes minimum standards for the availability, scope, and use of seven forms of intellectual property: copyrights, trademarks, geographical indications, industrial designs, patents, layout designs for integrated circuits, and undisclosed information.
Is the American contribution to an international effort by the World Intellectual Property Organization (WIPO).
The Digital Millennium Copyright Act
(DMCA)
is a federal law that is
designed to protect copyright holders
from online theft—that is, from the
unlawful reproduction or distribution
of their works. The DMCA covers
music, movies, text and anything that
is copyrighted.
The Digital Millennium Copyright Act
(DMCA)
Many Professional groups have
explicit rules governing ethical
behavior in the workplace.
For example, doctors and lawyers
who commit egregious violations of
their professions’ canons of conduct
can be removed from practice.
The information technology field in
general, and the information security
field in particular, do not have a
binding code of ethics.
ETHICS AND INFORMATION SECURITY
_____ can make it difficult to determine what is and is not ethical—especially when it comes to the use of computers.
Cultural differences
The topic of software license
infringement, or piracy, is routinely
covered by the popular press.
Among study participants, attitudes
toward piracy were generally similar;
however, participants from the
United States and the Netherlands
showed statistically significant
differences in attitudes from the
overall group.
Software License Infringement
The study respondents unilaterally
condemned viruses, hacking, and
other forms of system abuse.
Illicit Use
The scenarios used to examine the
levels of tolerance for misuse of
corporate resources each presented a
different degree of noncompany use
of corporate assets without specifying
the company’s policy on personal use
of company resources.
Misuse of Corporate Resources
There are three general causes of unethical
and illegal behavior:
Ignorance, Accident, Intent
Ignorance of the law is no
excuse
Ignorance
Careful planning and control help prevent accidental modification to systems and data
Accident
Criminal or unethical intent
goes to the state of mind of the
person performing the act
Intent
Potential offenders
must fear the penalty. Threats of
informal reprimand may not have the
same impact as the threat of
imprisonment or forfeiture of pay.
Fear of penalty
Potential offenders must believe there is a strong possibility of being caught.
Penalties will not deter illegal or
unethical behavior unless there is
reasonable fear of being caught.
Probability of being caught
Potential offenders must believe that the penalty will in fact be administered
Probability of penalty being
administered
A number of professional
organizations have established codes
of conduct or codes of ethics that
members are expected to follow.
Codes of ethics can have a positive
effect on people’s judgment regarding
computer use
CODE OF ETHICS AND PROFESSIONAL
ORGANIZATION
Is a nonprofit organization that focuses on the development and implementation of information security certifications and credentials
International Information Systems Security Certification Consortium, Inc. (ISC)² (www.isc2.org)
Which was founded in 1989, is a professional research and education cooperative organization with a current membership of more than 156,000 security professionals, auditors, system administrators, and network administrators.
System Administration,
Networking, and Security Institute
(SANS) (www.sans.org),
is a
nonprofit society of information
security professionals.
The Information Systems Security
Association (ISSA) (www.issa.org)
WHEN WAS THE System Administration, Networking, and Security Institute (SANS) (www.sans.org) FOUNDED?
1989