
Chapter 8 Summary

Chapter 8: Securing Information Systems

8-1 Why are information systems vulnerable to destruction, error, and abuse?

When doing business today, security and control should be a top priority. Security refers to the
policies, procedures, and technical measures used to prevent unauthorized access to information
systems by other parties. Controls are the methods, policies, and organizational practices that
keep the organization safe. Large amounts of data stored in electronic form are vulnerable to
many kinds of threats, and vulnerabilities can exist at each layer of communication. When a
system malfunctions or breaks down, it is exposed to cyber-attacks; the same is true of
smartphones, which hold essential data.

The Internet is more vulnerable than internal networks because it is open to everyone.
Vulnerability has also increased with the widespread use of email, instant messaging, and peer-
to-peer file-sharing programs. Hackers can launch denial-of-service (DoS) attacks or penetrate
corporate networks, causing severe system disruptions. Bluetooth and Wi-Fi networks are also
vulnerable to hackers: Wi-Fi networks can easily be penetrated by intruders who use sniffer
programs to obtain an address and then access the network's resources.

Malware consists of malicious software programs, including computer viruses, worms, and
Trojan horses. Malware can disable systems and websites, and mobile devices are a significant
target. A hacker is an individual who seeks unauthorized access to information. The dispersed
nature of cloud computing makes it difficult to track unauthorized activity or to apply controls
from afar. Software presents problems because software bugs may be impossible to eliminate
and because hackers and malicious software can exploit software vulnerabilities. End users also
often introduce errors.

8-2 What is the business value of security and control?

Many companies hold valuable information assets that they need to protect, such as
individuals' tax and financial data, trade secrets, new product development plans, and
marketing strategies. Inadequate security and control can expose a business to legal liability. A
business must protect not only its own information but also that of its customers, employees,
and business partners; if it fails to do so, it may face litigation costs for data exposure or theft.
Laws such as
- HIPAA: medical security and privacy rules
- Gramm-Leach-Bliley Act: Financial Services Modernization Act of 1999
- Sarbanes-Oxley Act: Public Company Accounting Reform and Investor Protection Act
of 2002
require companies to practice stringent electronic records management and to adhere to strict
security, privacy, and control standards. Legal actions that require electronic evidence and
computer forensics also force firms to pay more attention to security and electronic records
management.

8-3 What are the components of an organizational framework for security and control?

Even with security tools, an information system will not be reliable unless the firm knows how
and where to deploy them. Firms must establish a good set of general and application controls
for their information systems. General controls govern the design, security, and use of
computer programs and the security of data files. Application controls are specific controls
unique to each application. A risk assessment determines the level of risk to the firm if a typical
activity is not controlled. Once the risks have been assessed, system builders concentrate on the
control points with the greatest vulnerability and potential loss.

Once the company has identified the main risks to its systems, it can write a security policy. A
security policy consists of statements ranking information risks, identifying acceptable
security goals, and identifying the mechanisms for achieving these goals. The security policy
drives other policies that determine acceptable use of the firm's information resources and
which members of the company have access to its information assets. A business must also
prepare for unwanted events that might occur: disaster recovery planning devises plans for
restoring disrupted computing and communications services.

8-4 What are the most important tools and technologies for safeguarding information
resources?

Businesses need technologies to protect the information they hold. Identity management
consists of automated tools and processes for keeping track of all users and their system
privileges. It also provides essential features for authenticating users, protecting user identities,
and controlling access to system resources. Passwords, tokens, smart cards, and biometric
authentication are used to authenticate system users.
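
As an added example that is not part of the chapter or the textbook, the following Python code sketches the core of what an identity-management system does at the authentication and access-control layer: it stores a salted, deliberately slow password hash instead of the password itself, checks a login in constant time, and only then consults the user's recorded privileges. The user names, passwords, and privilege labels are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Iteration count for PBKDF2: high enough to slow down offline guessing if the
# stored hashes are ever stolen, low enough to keep logins responsive.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Derive a salted password hash with PBKDF2-HMAC-SHA256.

    The random salt makes identical passwords hash differently, so a stolen
    table cannot be attacked with one precomputed list of hashes.
    """
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


class IdentityStore:
    """Minimal identity-management record: who exists and what they may do."""

    def __init__(self) -> None:
        self._users = {}

    def register(self, username: str, password: str, privileges: set) -> None:
        salt, key = hash_password(password)
        # Only the salt and derived key are stored, never the clear-text password.
        self._users[username] = {"salt": salt, "key": key, "privileges": set(privileges)}

    def authenticate(self, username: str, password: str) -> bool:
        """Check a password without ever comparing it in clear text."""
        record = self._users.get(username)
        if record is None:
            # Do the same work for an unknown user so timing does not reveal
            # which user names exist.
            hash_password(password, b"\x00" * 16)
            return False
        _, candidate = hash_password(password, record["salt"])
        return hmac.compare_digest(candidate, record["key"])

    def authorize(self, username: str, password: str, privilege: str) -> bool:
        """Authentication first, then the access-control check on privileges."""
        if not self.authenticate(username, password):
            return False
        return privilege in self._users[username]["privileges"]


def demo() -> dict:
    """Run the constructed scenario and return each check's outcome."""
    store = IdentityStore()
    # Constructed accounts and privilege labels (hypothetical).
    store.register("alice", "correct horse battery staple", {"read_reports", "approve_payments"})
    store.register("bob", "hunter2", {"read_reports"})
    return {
        "alice_login": store.authenticate("alice", "correct horse battery staple"),
        "alice_bad_password": store.authenticate("alice", "wrong"),
        "unknown_user": store.authenticate("mallory", "anything"),
        "bob_reads": store.authorize("bob", "hunter2", "read_reports"),
        "bob_approves": store.authorize("bob", "hunter2", "approve_payments"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The separation between `authenticate` (who are you?) and `authorize` (what may you do?) is the same split the chapter draws between authenticating users and controlling access to system resources; tokens, smart cards, or biometrics would replace or supplement the password step without changing the privilege check.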
Essential tools are needed to protect the business against malware and intruders:
1. Firewalls: prevent unauthorized users from accessing private networks.
2. Intrusion detection systems: full-time monitoring tools placed at the most vulnerable
points to detect intruders continually.
3. Anti-malware software: used to prevent, detect, and remove malware such as viruses.
4. Unified threat management (UTM): security management that combines firewalls,
virtual private networks, intrusion detection systems, web content filtering, and
anti-spam software.
Encryption, the coding and scrambling of messages, is commonly used to secure electronic
transmissions over unprotected networks. Blockchain technology allows companies to create
and verify tamper-proof transactions on a network without a central authority. Digital
certificates and public key encryption further protect electronic transactions by authenticating
a user's identity. Companies can use fault-tolerant computer systems to ensure that their
information systems are always available. The use of software metrics and rigorous software
testing helps improve software quality and reliability.
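
The following Python code is an added example, not material from the chapter or the textbook. It shows the two ideas the paragraph names: encrypting a message with a recipient's public key so that only the holder of the private key can read it, and signing with a private key so that a digital certificate (the public key plus the owner's name, signed by a certificate authority) lets a verifier confirm who sent a message and that it was not altered. It uses textbook RSA over SHA-256 digests with no padding, and the key pairs are built from publicly known Mersenne primes purely so the example runs offline; real keys must come from secret, randomly generated primes produced by a vetted library. The subject names and the order message are constructed.

```python
import hashlib
from typing import NamedTuple


class KeyPair(NamedTuple):
    n: int   # public modulus
    e: int   # public exponent
    d: int   # private exponent, kept secret by the owner


def make_keypair(p: int, q: int, e: int = 65537) -> KeyPair:
    """Derive an RSA key pair from two distinct primes (textbook RSA, no padding)."""
    phi = (p - 1) * (q - 1)
    return KeyPair(p * q, e, pow(e, -1, phi))   # modular inverse, Python 3.8+


# Constructed keys from well-known Mersenne primes: anyone can factor these, so
# they are illustration only. Every modulus exceeds 2**256 so a SHA-256 digest
# fits in one RSA operation.
CA = make_keypair(2**607 - 1, 2**1279 - 1)         # hypothetical certificate authority
ALICE = make_keypair(2**521 - 1, 2**2203 - 1)      # legitimate user
IMPOSTOR = make_keypair(2**127 - 1, 2**2281 - 1)   # someone claiming to be Alice


def digest(data: bytes) -> int:
    """SHA-256 digest as an integer; the digest, not the message, is signed."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(key: KeyPair, data: bytes) -> int:
    """Only the private exponent can produce this value."""
    return pow(digest(data), key.d, key.n)


def verify(n: int, e: int, data: bytes, signature: int) -> bool:
    """Anyone holding the public (n, e) can check the signature against the data."""
    return pow(signature, e, n) == digest(data)


def encrypt(n: int, e: int, message: bytes) -> int:
    """Encrypt for the holder of (n, e); the message, as an integer, must be below n."""
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this key")
    return pow(m, e, n)


def decrypt(key: KeyPair, ciphertext: int) -> bytes:
    m = pow(ciphertext, key.d, key.n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def certificate_bytes(subject: str, n: int, e: int) -> bytes:
    """Canonical encoding of what the CA signs: the name bound to the public key."""
    return f"{subject}|{n}|{e}".encode()


def issue_certificate(subject: str, key: KeyPair) -> dict:
    """The CA vouches that this public key belongs to this subject."""
    return {"subject": subject, "n": key.n, "e": key.e,
            "ca_signature": sign(CA, certificate_bytes(subject, key.n, key.e))}


def verify_signed_message(cert: dict, expected_subject: str, data: bytes, signature: int) -> bool:
    """Trust chain: CA signature on the certificate first, then the subject's signature."""
    if cert["subject"] != expected_subject:
        return False
    cert_ok = verify(CA.n, CA.e, certificate_bytes(cert["subject"], cert["n"], cert["e"]),
                     cert["ca_signature"])
    if not cert_ok:
        return False
    return verify(cert["n"], cert["e"], data, signature)


def demo() -> dict:
    """Constructed scenario: a genuine order, a tampered copy, and an impostor."""
    order = b"PAY 1,000 to supplier 42"
    alice_cert = issue_certificate("alice@example.com", ALICE)
    sig = sign(ALICE, order)
    # The impostor can sign a certificate with Alice's name, but not with the CA's key.
    fake_cert = {"subject": "alice@example.com", "n": IMPOSTOR.n, "e": IMPOSTOR.e,
                 "ca_signature": sign(IMPOSTOR, certificate_bytes("alice@example.com",
                                                                  IMPOSTOR.n, IMPOSTOR.e))}
    return {
        "genuine": verify_signed_message(alice_cert, "alice@example.com", order, sig),
        "tampered": verify_signed_message(alice_cert, "alice@example.com",
                                          b"PAY 9,000 to supplier 42", sig),
        "impostor": verify_signed_message(fake_cert, "alice@example.com", order,
                                          sign(IMPOSTOR, order)),
        "roundtrip": decrypt(ALICE, encrypt(ALICE.n, ALICE.e, order)) == order,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The certificate step is what turns a bare public key into an identity claim the verifier can trust: without the CA's signature, the impostor's self-made certificate is rejected before the message signature is even examined, and altering a single digit of the order changes the digest so the original signature no longer matches.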