ACC444 Chapter 7

  1. Five basic principles that contribute to systems reliability:
    • Security
    • Confidentiality
    • Online privacy
    • Processing integrity
    • Availability
  2. Restrict system access to only authorized users and protect:
    • a) The confidentiality of sensitive organizational data
    • b) The privacy of personal identifying information collected from customers
  3. Security procedures provide for processing integrity by preventing:
    • a) Submission of unauthorized or fictitious transactions
    • b) Unauthorized changes to stored data or programs
  4. SOX sections 302 and 906 require that:
    The CEO and CFO certify the accuracy of the financial statements.
  5. SOX section 404 requires that:
    The annual report include a report on the company's internal controls.
  6. The trust services framework identifies four essential criteria for successfully implementing the five principles of systems reliability:
    • 1. Develop and document policies
    • 2. Effectively communicate those policies to all authorized users
    • 3. Design and employ appropriate control procedures to implement those policies
    • 4. Monitor the system, and take corrective action to maintain compliance with the policies
  7. The time-based model of security focuses on:
    Preventive, detective, and corrective controls.
  8. Preventive controls:
    Limit actions to those in accord with the organization's security policy and disallow all others.
  9. Detective controls:
    Identify when preventive controls have been breached.
  10. Corrective controls:
    Repair damage from problems that have occurred and improve preventive and detective controls to reduce the likelihood of similar incidents.
  11. The time-based model measures and compares the relationship among three variables:
    • P = Time it takes an attacker to break through the organization's preventive controls
    • D = Time it takes to detect that an attack is in progress
    • C = Time to respond to the attack
  12. Based on the time-based model's three variables, security procedures are effective when:
    P > (D + C)
  13. Defense in depth
    Having multiple layers of controls to avoid having a single point of failure
  14. Redundancy applies to what type of controls?
    Detective and corrective.
  15. Computer security involves using a combination of:
    Firewalls, passwords, and other preventive procedures to restrict access.
  16. Preventive controls involve two related functions:
    Authentication and authorization.
  17. Multi-factor authentication
    The use of two or three basic authentication methods in conjunction.
  18. Access control matrix
    Specifies what part of the IS a user can access.
  19. Compatibility test
    Matches the user's authentication credentials against the access control matrix to determine if the action should be allowed.
  20. Border router
    Connects an organization's information system to the internet.
  21. Behind the border router is:
    The main firewall.
  22. Demilitarized zone (DMZ)
    Web servers and email servers that are placed in a separate network, not accessible from the internet.
  23. Access control list (ACL)
    Determines which packets are allowed in and which are dropped.
  24. Static packet filtering
    Screens individual packets based only on the contents of the source and/or destination fields in the packet header.
  25. Stateful packet filtering
    Uses ACLs to determine what to do with each packet.
  26. Deep packet inspection
    Examines the data in the body of an IP packet.
  27. Hardening
    The process of turning off unnecessary features.
  28. Encryption
    The process of transforming plaintext into ciphertext.
  29. Symmetric encryption systems
    Use the same key to encrypt and decrypt.
  30. Advantages of symmetric encryption
    It is much faster than asymmetric encryption.
  31. Disadvantages of symmetric encryption
    • Both parties need to know the secret key.
    • A different key needs to be created for each party.
    • Since both sides are using the same key, there is no way to prove which of the two parties created a document.
  32. Asymmetric encryption systems:
    • Use two keys (public and private)
    • Either key can be used to encrypt
  33. Hashing
    Takes plaintext of any length and transforms it into a short code called a hash.
  34. Digital signatures
    Information encrypted with the creator's private key.
  35. Digital certificate
    An electronic document, created and digitally signed by a trusted third party.
  36. Certificate authority
    An organization that issues public and private keys and records the public key in a digital certificate.
  37. Two of the trust services framework criteria for effective security are the existence of procedures to:
    • React to system security breaches and other incidents
    • Take corrective action on a timely basis
  38. Three key components that satisfy the criteria for effective security:
    • 1. Establishment of a computer emergency response team
    • 2. Designation of a specific individual with organization-wide responsibility for security
    • 3. An organized patch management system
  39. Patch management
    Fixing known vulnerabilities and installing the latest updates for system security.