-
Five basic principles that contribute to systems reliability
- - Security
- - Confidentiality
- - Privacy
- - Processing integrity
- - Availability
-
Restrict system access to only authorized users and protect:
- a.) The confidentiality of sensitive organizational data
- b.) The privacy of personal identifying information collected from customers
-
Security procedures provide for processing integrity by preventing:
- a.) Submission of unauthorized or fictitious transactions
- b.) Unauthorized changes to stored data or programs
-
SOX sections 302 and 906 require that:
The CEO and CFO certify the accuracy of the financial statements
-
SOX section 404 requires that:
the annual report include a report on the company's internal controls.
-
The trust services framework identifies four essential criteria for successfully implementing the five principles of systems reliability:
- 1. Develop and document policies
- 2. Effectively communicate those policies to all authorized users
- 3. Design and employ appropriate control procedures to implement those policies
- 4. Monitor the system, and take corrective action to maintain compliance with the policies
-
time-based model of security focuses on:
preventive, detective, corrective controls
-
Preventive controls:
limit actions to those in accord with the organization's security policy and disallow all others.
-
Detective controls:
identify when preventive controls have been breached
-
Corrective controls:
repair damage from problems that have occurred and improve preventive and detective controls to reduce likelihood of similar incidents.
-
time-based model measures and compares the relationship among three variables:
- P = Time it takes an attacker to break through the organization's preventive controls
- D = Time it takes to detect that an attack is in progress
- C = Time to respond to the attack
-
Based on the time-based model's three variables, security procedures are effective when:
P > (D + C)
-
Defense in depth
Having multiple layers of controls to avoid having a single point of failure
-
Redundancy applies to what type of controls?
detective and corrective
-
Computer security involves using a combination of:
firewalls, passwords, and other preventive procedures to restrict access
-
Preventive controls involves two related functions:
Authentication and authorization
-
multi-factor authentication
the use of two or more of the three basic types of authentication credentials (something you know, something you have, something you are) in conjunction
-
Access control matrix
specifies what part of the IS a user can access
-
Compatibility test
matches the authenticated user's identity against the access control matrix to determine whether the requested action on the requested resource should be allowed.
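The two preventive functions named above, authentication followed by authorization, as an added example that is not part of the original page. The users, passwords, resources and the access control matrix are constructed sample data; the compatibility test is a plain lookup that denies anything the matrix does not explicitly grant, which is the "disallow all others" rule:

```python
import hashlib
import hmac
import os

# Constructed access control matrix: rows are users, columns are resources
# and each cell holds the actions that user may perform on that resource.
# Anything not listed is denied.
ACCESS_CONTROL_MATRIX = {
    "alice": {                                   # accounts-payable clerk
        "vendor_master": {"read"},
        "ap_invoices":   {"read", "create"},
    },
    "bob": {                                     # AP supervisor
        "vendor_master": {"read", "update"},
        "ap_invoices":   {"read", "approve"},
        "payroll":       {"read"},
    },
    "carol": {                                   # database administrator
        "vendor_master": {"read", "update", "delete"},
        "ap_invoices":   {"read", "update", "delete"},
        "payroll":       {"read", "update", "delete"},
    },
}


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the credential store never holds plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_credential_store(plaintexts: dict) -> dict:
    """Build {user: (salt, password_hash)} from constructed sample passwords."""
    store = {}
    for user, password in plaintexts.items():
        salt = os.urandom(16)
        store[user] = (salt, _hash_password(password, salt))
    return store


# Constructed sample passwords; a real system never keeps this dict around.
CREDENTIALS = make_credential_store({
    "alice": "alice-pw-2024",
    "bob":   "bob-pw-2024",
    "carol": "carol-pw-2024",
})


def authenticate(store: dict, user: str, password: str) -> bool:
    """Authentication: is the caller who they claim to be?  Unknown users fail,
    and the hash comparison is constant-time so timing does not reveal which
    bytes matched."""
    record = store.get(user)
    if record is None:
        return False
    salt, expected = record
    return hmac.compare_digest(_hash_password(password, salt), expected)


def compatibility_test(user: str, resource: str, action: str) -> bool:
    """Authorization: the compatibility test.  True only if the matrix explicitly
    grants `action` on `resource` to `user`; unknown users, unknown resources
    and unlisted actions are all denied (default deny)."""
    row = ACCESS_CONTROL_MATRIX.get(user, {})
    return action in row.get(resource, set())


def request_access(store: dict, user: str, password: str,
                   resource: str, action: str) -> str:
    """The two preventive functions in order: authenticate, then authorize."""
    if not authenticate(store, user, password):
        return "DENY (authentication failed)"
    if not compatibility_test(user, resource, action):
        return "DENY (not authorized)"
    return "ALLOW"


if __name__ == "__main__":
    for req in [
        ("alice", "alice-pw-2024", "ap_invoices", "create"),
        ("alice", "alice-pw-2024", "ap_invoices", "approve"),  # not in her row
        ("bob", "wrong-password", "payroll", "read"),           # fails step one
        ("mallory", "anything", "payroll", "read"),             # no such user
    ]:
        print(req[0], req[3], req[2], "->", request_access(CREDENTIALS, *req))
```

The order matters: a request from a user who cannot be authenticated never reaches the matrix, and a caller who authenticates but asks for an action outside their cell is refused with a distinct reason, which is what a detective control would later want in the log.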
-
border router
connects an organization's information system to the internet
-
behind the border router is:
the main firewall
-
demilitarized zone (DMZ)
a separate network, placed between the border router/main firewall and the internal network, that holds the servers which must be reachable from the internet (web servers, email servers), so that internet traffic never reaches the internal network directly.
-
access control list (ACL)
determines which packets are allowed in and which are dropped
-
static packet filtering
screens individual packets based only on the contents of the source and/or destination fields in the packet header
-
stateful packet filtering
maintains a table of established connections (typically those initiated from inside) and uses it to decide each packet: an inbound packet is allowed only if it belongs to a connection already in the table, which a static filter cannot check because it judges every packet in isolation.
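Static versus stateful filtering on the same traffic, as an added example that is not from the original page. The ACL rules, hosts and packets are constructed (10.0.0.0/24 stands in for the internal network, the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges for the internet), and the filters are simplified models, not any vendor's implementation. The point it shows is the caveat behind the definitions: a static filter that must let replies to outbound HTTPS back in has to permit every inbound packet from source port 443, and an attacker can simply set that source port; a stateful filter only admits packets that match a connection it recorded.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# A static ACL rule: (direction, src_prefix, src_port, dst_prefix, dst_port, action).
# "any"/None are wildcards; rules are checked in order, first match wins,
# and a packet matching no rule is dropped.  Addresses are constructed.
STATIC_ACL = [
    # internal hosts may open HTTPS connections outward
    ("out", "10.0.0.", None, "any", 443, "permit"),
    # a static filter has no memory of the outbound request, so the only way
    # to let replies back in is to permit every inbound packet whose *source*
    # port is 443, whatever internal port it is aimed at
    ("in", "any", 443, "10.0.0.", None, "permit"),
]


def _matches(rule, pkt: Packet, direction: str) -> bool:
    r_dir, src, sport, dst, dport, _ = rule
    return (r_dir == direction
            and (src == "any" or pkt.src_ip.startswith(src))
            and (sport is None or pkt.src_port == sport)
            and (dst == "any" or pkt.dst_ip.startswith(dst))
            and (dport is None or pkt.dst_port == dport))


def static_filter(acl, pkt: Packet, direction: str) -> str:
    """Static packet filtering: decide each packet on its header fields alone."""
    for rule in acl:
        if _matches(rule, pkt, direction):
            return rule[5]
    return "drop"


class StatefulFilter:
    """Stateful packet filtering: outbound packets are checked against the ACL
    and, if permitted, the flow is recorded; an inbound packet is permitted
    only if it is the reverse of a recorded flow."""

    def __init__(self, acl):
        self.acl = acl
        self.flows = set()   # (src_ip, src_port, dst_ip, dst_port) of permitted outbound flows

    def filter(self, pkt: Packet, direction: str) -> str:
        if direction == "in":
            reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            return "permit" if reverse in self.flows else "drop"
        decision = static_filter(self.acl, pkt, "out")
        if decision == "permit":
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return decision


def run_scenario() -> dict:
    """Send the same constructed packets through both filters, in order, and
    return {label: (static decision, stateful decision)}."""
    stateful = StatefulFilter(STATIC_ACL)
    traffic = [
        ("outbound request", Packet("10.0.0.5", 51000, "203.0.113.10", 443), "out"),
        ("legitimate reply", Packet("203.0.113.10", 443, "10.0.0.5", 51000), "in"),
        # an attacker sets the source port to 443 and probes SSH on an internal host
        ("unsolicited probe", Packet("198.51.100.7", 443, "10.0.0.5", 22), "in"),
    ]
    return {label: (static_filter(STATIC_ACL, pkt, d), stateful.filter(pkt, d))
            for label, pkt, d in traffic}


if __name__ == "__main__":
    for label, (static, stateful) in run_scenario().items():
        print(f"{label:18} static={static:6} stateful={stateful}")
```

The probe is permitted by the static ACL and dropped by the stateful filter; that difference, not the rule syntax, is why stateful filtering is the stronger control. Deep packet inspection goes one step further and looks past the header into the payload.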
-
deep packet inspection
examines the data in the body of an IP packet
-
hardening
the process of turning off unnecessary features and services and changing insecure default settings
-
encryption
process of transforming plaintext into ciphertext
-
symmetric encryption system
use the same key to encrypt and decrypt
-
advantages of symmetric encryption
it is much faster than asymmetric encryption
-
disadvantages of symmetric encryption
- - both parties need to know the secret key, so it must be shared securely before use
- - A separate secret key needs to be created for each pair of communicating parties
- - since both sides are using the same key, there is no way to prove which of the two parties created a document (no non-repudiation).
-
asymmetric encryption systems:
- - use two mathematically related keys (public and private)
- - either key can be used to encrypt, and only the other key of the pair can decrypt
-
hashing
takes plaintext of any length and transforms it into a short, fixed-length code called a hash; the transformation is one-way, so the plaintext cannot be recovered from the hash
-
digital signatures
a hash of the document encrypted with the creator's private key; anyone holding the matching public key can verify it, and any change to the document changes the hash, so the signature no longer verifies
-
digital certificate
electronic document, created and digitally signed by a trusted third party, that certifies the identity of the owner of a particular public key.
-
certificate authority
organization that issues digital certificates: it verifies the applicant's identity and records the applicant's public key in a certificate that it signs. (Described here as also issuing the public and private keys; in current practice the applicant usually generates the key pair and submits only the public key.)
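Hashing, asymmetric keys, digital signatures and a certificate issued by a certificate authority, in one added example that is not part of the original page. It uses a toy RSA built on fixed Mersenne primes (constructed; real keys use random primes of 1024+ bits and a padding scheme), a 128-bit BLAKE2b digest so the hash always fits below the toy moduli, and the names alice and the CA are assumptions. Only Python's standard library is used.

```python
import hashlib

# Toy RSA primes (constructed for illustration only).
SUBJECT_PRIMES = ((1 << 61) - 1, (1 << 89) - 1)     # n is about 2^150
CA_PRIMES = ((1 << 107) - 1, (1 << 127) - 1)        # n is about 2^234


def generate_keypair(p: int, q: int, e: int = 65537):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse; needs Python 3.8+
    return (n, e), (n, d)


def hash_message(message: bytes) -> int:
    """Hashing: any-length input to a fixed 128-bit digest, returned as an int.
    128 bits keeps the digest below the toy moduli; real signatures use a
    full-size hash such as SHA-256 plus padding."""
    return int.from_bytes(hashlib.blake2b(message, digest_size=16).digest(), "big")


def encrypt(m: int, public_key) -> int:
    """Encrypt with one key of the pair ..."""
    n, e = public_key
    return pow(m, e, n)


def decrypt(c: int, private_key) -> int:
    """... and only the other key can decrypt."""
    n, d = private_key
    return pow(c, d, n)


def sign(message: bytes, private_key) -> int:
    """Digital signature: the hash of the message encrypted with the signer's
    private key.  Only the holder of the private key could have produced it."""
    n, d = private_key
    return pow(hash_message(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Decrypt the signature with the public key and compare with a fresh hash
    of the message; any change to the message breaks the match."""
    n, e = public_key
    return pow(signature, e, n) == hash_message(message)


def _certificate_body(subject: str, public_key) -> bytes:
    n, e = public_key
    return f"{subject}|{n}|{e}".encode()


def issue_certificate(subject: str, subject_public_key, ca_private_key) -> dict:
    """Digital certificate: the CA signs the binding of a name to a public key."""
    body = _certificate_body(subject, subject_public_key)
    return {"subject": subject, "public_key": subject_public_key,
            "ca_signature": sign(body, ca_private_key)}


def verify_certificate(cert: dict, ca_public_key) -> bool:
    body = _certificate_body(cert["subject"], cert["public_key"])
    return verify(body, cert["ca_signature"], ca_public_key)


def verify_signed_document(document: bytes, signature: int, cert: dict, ca_public_key) -> bool:
    """What a relying party does: check the certificate under the CA it trusts,
    then check the document signature with the public key the certificate vouches for."""
    return (verify_certificate(cert, ca_public_key)
            and verify(document, signature, cert["public_key"]))


if __name__ == "__main__":
    alice_pub, alice_priv = generate_keypair(*SUBJECT_PRIMES)
    ca_pub, ca_priv = generate_keypair(*CA_PRIMES)
    cert = issue_certificate("alice", alice_pub, ca_priv)
    doc = b"Pay vendor 4711 USD 500.00"
    sig = sign(doc, alice_priv)
    print("genuine document verifies:", verify_signed_document(doc, sig, cert, ca_pub))
    print("altered amount verifies:  ",
          verify_signed_document(doc.replace(b"500", b"5000"), sig, cert, ca_pub))
    m = int.from_bytes(b"secret", "big")
    print("public-encrypt / private-decrypt round trip:",
          decrypt(encrypt(m, alice_pub), alice_priv) == m)
```

Two things the flashcards state are visible in the code: the signer's private key never leaves the signer, so a valid signature proves who created the document (the non-repudiation that symmetric keys cannot give), and the certificate is what lets a relying party trust that alice_pub really belongs to alice without having met her.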
-
Two of the trust services framework criteria for effective security are the existence of procedures to:
- - react to system security breaches and other incidents
- - take corrective action on a timely basis
-
three key components that satisfy criteria for effective security:
- 1. Establishment of a computer emergency response team
- 2. Designation of a specific individual with organization-wide responsibility for security
- 3. an organized patch management system
-
patch management
fixing known vulnerabilities and installing latest updates for system security