Study Unit 14 Flashcards
System Availability
uninterrupted flow of electricity
protection of computer hardware from environmental hazards
protection of software and data files from unauthorized alteration
preservation of functioning comm channels bet devices
Risks associated with Business Information Systems
System Availability Volatile Trans Trails- short lived Decreased human involvement Uniform processing of transactions unauthorized access data vulnerability reduced segregation of duties reduced indiv authorization of transactions malware
Malware
any program code that enters a computer with potential to degrade it trojan horse virus -logic bombs worm denial of service phishing back door
Trojan horse
appears innocent but includes hidden function that can damage when activated
virus
program that copies itself from file to file, may destroy data or programs
logic bombs-type of virus triggered by predetermined event
worm
copies itself not from file to file but from computer to computer, very rapidly
repeated replication overloads a system by depleting memory or overwhelming ntwk
COBIT- 5 Key principle
govt framewk that addresses IT
1) Meet Stakeholder needs
2) Cover Enterprise End 2 End
3) Apply Single, Integrated Frmwk
4) Holistic Approach
5) Separate Governance from Mgt
Stakeholder Needs
value creation most basic stakeholder need; fundamental goal
value creation- realization of benefits, optimization of risk, optimal use of resources
Covering Enterprise E2E
comprehensive look @ fucntions and processes req enterprise wide IT
Applying Single, Integrated Framework
stds consistently applied
Enabling a Holistic Approach
7 categories that support comprehensive IT governance and mgt -principles, policies, frmwk -processes -org structure -culture, ethics, behavior -info -svc, infrastructure, apps -ppl, skills, competencies Last 3 items are resources; should be optimized
Separating Governance from mgt
req treatment as distinct activities
gov - setting of overall objectives, monitoring progress (BOD)
mgt- carrying out activities to pursue enterprise goals
-4 responsibility areas addressed: plan, build, run, monitor
3 principal goals for info security programs
data confidentiality- protect from disclosure to unauthorized persons
data availability- ensure IS up and running for access
data integrity-ensure data accurately reflects business events & not tampered with or destroyed
Step to Create information security plan
ID threats to info
ID risks the threats entail- 2 phases (likelihood of threat and potential level of damage)
Design controls for risks
Make controls part of enterprise wide info security plan
Set up policies
General controls
umbrella under which IT operates; affect entire processing environment include controls over
- data center and ntwk ops
- systems sftwr acquistion, change, maintenance
- access security
- app sys acq, development, maint
Controls over data center and network ops
ensure efficient and effective ops of computer activity
include control env and risk assessment
controls over software acquisition, change, maintenance
ensure proper software is available to use
controls over access encompass
to hdwr (physical access) and to data and programs through the system (logical access)
Application controls
particular to org’s apps
input- assurance data rec’d has proper auth; data not lost, improperly changed (relate to rejection)
concurrent update- ensure correct result for concurrent ops are generated
processing-processing performed as intended for the application. all trans processed as auth; no auth trans omitted; no unauth trans added
output- ensure accuracy of processing result and receipt of output by auth personnel only
Hardware controls
built into the eqt by the mfr; ensure proper internal handling of data as moved and stored
-include parity checks, echo check, read-after-write checks, and built into eqt to ensure data integrity
Physical control
limit physical access and environmental damage to computer eqt, data, important docs includes access controls -passwords, ID #s -device auth table -system access log -encryption -callback- req remote user to call give ID and wait for call to authorized # -controlled disposal of docs -biometric tech -auto log-off -security personnel
logical controls
limit access based on elements that person needs to perform their job
- elements of user account mgt
- -change pword periodically, unique ID needed for access,, policy prevents employees from leaving IDs/pwords written down in plain sight
GC examples
firewall, logical controls, hardware controls
firewall
combo of hardware and software that separates internal ntwk from external ntwk; stops passage of suspicious traffic
2 types
-ntwk - regulate traffic to entire ntwk (LAN)
-application- regulate traffic to specified app (email or file transfer)
Network firewall
examines each query, based on rules of network security admin, denies entry to network based on source, destination, ect.
Queries from a source address w/ repeated failed attempts may be penetration attempt
firewall can notify personnel
Input controls
ensure only correct, authorized data enter systems and data are processed and reported properly
provide assurance data submitted for processing are authorized, complete, and accurate
Types of input controls
preformat- screen looks like doc
edit (field) check- allow certain characters (SS#)
limit (reasonableness) check- rejection based on known limits
validity check- to process other records must exist in another file (invoice accepted b/c vendor MF)
sequence check - file sorted on designated field, the “key” before match (A/P file and MF sorted before match)
closed-loop - user input transmitted and displayed on screen
check-digit (self-check digit)- algorithm applied and incorporated into number entered by user
zero- balance check- system reject trans when sum of all debits and credits doesn’t = 0
Batch input controls
mgt release
record count- # records matched number calculated by user
financial total- sum of $ amounts = amounts user calc
hash total-sum of numeric field, has no meaning by itself ( sum of SS#s)
Processing control
assurance data submitted are processed and only approved data are processed
validation
completeness
arithmetic control
sequence check
run 2 run control total- controls wrt given batch checked after each stage to check all trans processed
key integrity- record’s key is group of values in designated fields that uniquely ID the record
Output control
Trans logs
error listing
record count
run 2 run control total- new balance = old balance + any activity
DBA
develop and maintain org db and establish control to protect integrity
- only 1 to update data dictionary
- perform some fx of DBMS
Network tech
maintains bridges, hubs, routers, switches, cabling, other devices that interconnect comp’s
responsible for maintaining connection to other ntwks
Webmaster
responsible for website content
works w/ programmers and ntwk tech to ensure proper content displayed and site is available to users
Computer operators
day 2 day fx of data center
load data, mount storage devices, operate eqt
should not be assigned programming duties or system design
shouldn’t be able to make changes in programs and systems bc they operate the eqt
Librarians
maintain ctrl over and accountability for doc, programs, data storage media
Systems programmers
maintain and fix ops systems on medium/large comps
may modify programs, data files, controls
no access to data center ops/production programs or data
Application programmres
design write test and doc computer programs according to specifications provided by end users
Systems analyst
determine how app should be best designed for users’ needs
duties combined w/ app programmer
no access to data center ops, production programs, data files
Help desk
log users’ problems, resolve minor issues, fwd difficult problems to appropriate person
Info security officer
develop info security policies, comment on security controls in new apps, monitor and investigate unsuccessful login attemps
End users
able to change production data, not programs