Topic 3.2 Information Systems Control For Systems Reliability Flashcards
What are the features in the trust service framework?
Security
- access to the system and its data is controlled and restricted to legitimate users
Confidentiality
- sensitive organisational data is protected
Privacy
- personal information about trading partners, investors, and employees is protected
Processing integrity
- data are processed accurately, completely, in a timely manner, and only with proper authorisation
Availability
- system and information are available
A good way to remember the trust services framework
Like a building:
The roof = system reliability
The walls = confidentiality, privacy, processing integrity, availability
The foundation = security
What is the security life cycle? And whose issue is it?
1) assess threats & select risk response
2) develop and communicate policy
3) acquire & implement solutions
4) monitor performance
Security is a management issue
What is the security approach formula?
Time-based model: security is effective if
P > D + C (equivalently, P - (D + C) > 0), where:
P - is the time it takes an attacker to break through preventive controls
D - is the time it takes to detect an attack in progress
C - is the time it takes to respond to the attack and take corrective action
How to prevent or respond to risk in AIS?
Preventive controls
- people
- process
- IT solutions
- physical security
Detective controls
- log analysis
- intrusion detection systems
- continuous monitoring
Response
- Computer Incident Response Team (CIRT)
- Chief Information Security Officer (CISO)
How can people be a prevention to attacks?
Culture of security
- tone set at the top with management
Training - follow safe computing practices:
- never open suspicious emails
- use only approved software
- do not share passwords
- physically protect laptops and cellphones
Protect against social engineering
How can preventive process controls (access controls) prevent attacks?
Authentication - verifies who a person is, e.g. security questions before login, or an authenticator app
Authorisation - determines what a person is allowed to access, e.g. a card scan
How can change controls and change management help prevent attacks?
Formal process used to ensure that modifications to hardware, software or processes do not reduce system reliability
Good change management and controls require
- documentation
- approval
- testing
- develop “backout” plan
- monitoring
How can preventive IT solutions help prevent attacks?
Anti-malware controls
Network access controls
Device and software hardening controls
- endpoint configuration
- user accounts
- software design
Encryption
How can physical security access controls help prevent attacks?
Physical security access controls
- limit entry to building
- restrict access to network and data
How to detect attacks?
Log analysis - examining logs to identify evidence of possible attacks
Intrusion detection systems (IDSs) - systems that create logs of network traffic that was permitted to pass the firewall and then analyse those logs for signs of attempted or successful intrusions
Continuous monitoring - of employee compliance with the organisation’s information security policies and of the overall performance of business processes
Cloud computing is generally more secure than traditional computing. True or False?
False
Logs need to be analysed regularly to detect problems in a timely manner. True or False?
True
What protocol specifies the structure of packets sent over the internet and the route to get them to the proper destination?
Internet protocol
The steps that criminals take to identify potential points of remote entry is called
Scanning and mapping the target