CHAPTER 8

Academic year: 2021

Interactive Session: Organizations: The Flash Crash: A New Culprit

Case Study Questions:

1. Identify the problem and the control weaknesses described in this case.

Experts initially attributed the crash to structural and organizational features of the electronic trading systems that execute the majority of trades on the Dow and the rest of the world's major stock exchanges. The huge wave of flash crash sell orders intensified because of high-speed computerized trading programs. High-frequency traders (HFTs) have taken over many of the responsibilities once filled by stock exchange specialists and market makers, whose job was to provide the majority of stock market liquidity. But many electronic systems, such as those HFTs use, are automated, using algorithms to place their nearly instant trades. In situations like the flash crash, when an algorithm is insufficient to handle the complexity of the event in progress, electronic trading systems have the potential to make a bad situation much worse.

Five years later, another explanation emerged. A single trader who operated out of his West London home was largely responsible for the event. On April 21, 2015, the United States Justice Department had British authorities arrest 36-year-old Navinder Sarao, charging him with profiting from the flash crash by boldly manipulating markets and using illegal trading strategies between 2009 and 2014.

2. What management, organization, and technology factors contributed to this problem? To what extent was it a technology problem? To what extent was it a management and organizational problem?

Management: Adequate controls were not in place to prevent traders like Sarao from manipulating the markets. Management is responsible for ensuring that general controls (software, hardware, implementation, and administrative controls) are in place and are adequate to prevent these kinds of situations.

Organization: Long before the flash crash, the exchange had questioned Sarao about his trading activity, but the exchange did not take any action against him, and Sarao continued his trading activities until a whistleblower brought forward new information. The organization should have fully investigated Sarao and taken appropriate action.

Technology: Investigators overlooked evidence available hours after the flash crash that could have led them to Sarao. At that time, investigators had access to the full set of data from the day of the flash crash but focused only on the data related to actual trades. If they had included all bids and offers entered, they would have been more likely to notice the pattern of Sarao's market manipulation.

3. To what extent was Sarao responsible? Explain your answer.

The Commodity Futures Trading Commission did not blame the crash solely on Sarao, but according to the Commission's director of enforcement, Aitan Goelman, Sarao's conduct was significantly responsible for the order imbalance that led to the crash. Sarao's lawyers argued that the crash was caused by other factors and market participants. Certainly, if adequate safeguards and controls had been in place and Sarao's conduct fully investigated, it's likely he never would have been able to pull it off.

4. Is there an effective solution to this problem? Can another flash crash be prevented? Explain your answer.

Yes, another flash crash can be prevented, but only if all the necessary safeguards are put in place and controls fully enforced.

After the flash crash, several reforms were implemented, including a system to slow trading in stocks if they became too volatile and a requirement for trading firms sending orders into the market to tighten their risk controls. The financial industry is also working on a consolidated audit trail, or CAT, that would enable regulators to monitor stock and options orders in real time and quickly pinpoint manipulators. CAT has yet to be completed.

Interactive Session: Technology: BYOD: A Security Nightmare? Case Study Questions

1. It has been said that a smartphone is a computer in your hand. Discuss the security implications of this statement.

Smartphones have many of the same computing features and capabilities as any laptop, desktop, or client/server computing network, making them just as vulnerable to malware. Hardly anyone would consider leaving a "typical" computer unprotected from security threats, yet many people don't think about doing the same for a smartphone.

With millions of people bringing their personal mobile devices to work and accessing the Internet and corporate networks from them, business firms are increasingly having a tough time keeping up. Mobile devices are continually opening new avenues for accessing corporate data that need to be closely monitored and protected. Experts believe that smartphones and other mobile devices now pose one of the most serious security threats for organizations today.

2. What kinds of security problems do mobile computing devices pose?

Smartphones of all kinds are susceptible to browser-based malware that takes advantage of vulnerabilities in all browsers. In addition, most smartphones, including the iPhone, permit the manufacturers to remotely download configuration files to update operating systems and security protections.

Fifty-nine percent of businesses who were questioned about security reported that employees circumvented or disabled security features such as passwords and key locks. Intruders can also gain physical access to mobile devices by plugging into a device using a USB connection or SD card slot.

Mobile security breaches carry a hefty price tag. Security breaches can also cause huge intangible losses to a company's reputation. The Securities and Exchange Commission requires that unauthorized disclosure of confidential information, whether from unsecured devices, untrusted apps, or weak cloud security, be announced publicly if the information could affect a company's stock price.

3. What management, organizational, and technology factors must be addressed by smartphone security?

Management: One of the biggest problems with people using their personal smartphones to access corporate data is that they lose the devices. They aren't diligent about protecting them from unauthorized access, leaving the devices lying around where others can access them within seconds or minutes. Personal carelessness is the number one threat. It is almost impossible to prevent employees from downloading apps that might track critical information when people use their own devices in the workplace.

Organizational: Cloud services are causing continually escalating problems because employees are not careful about what documents they upload to the 'open' services. Some free cloud services like Dropbox and Google Drive are more open to unauthorized access than employees realize. Apple iTunes app rules make some user information available to all app programs by default, including the user's GPS position and name. Security on the Android platform is much less under Google's control because it has an open app model. Google removes from its official Android Market any apps that break its rules against malicious activity.

Technology: Apple has removed hundreds of apps because of security concerns. Google relies on technical hurdles to limit the impact of malicious code, as well as user and security expert feedback. Google can perform a remote wipe of offending apps from all Android phones without user intervention. That's good, but it could become a security threat itself if hackers gain access to the remote wipe capability at Google.

4. What steps can individuals and businesses take to make their smartphones more secure?

First of all, and most importantly, employees using their personal devices on the job need to protect them more, both from theft and accidental access.

All smartphone users and businesses should treat a smartphone, and now tablet devices, just like they would a full-blown computer system and adequately protect it from malware and intrusion. Download appropriate and adequate security protection software and keep it updated. For security analysts, large-scale smartphone attacks are just disasters waiting to happen.

Case Study: U.S. Office of Personnel Management Data Breach: No Routine Hack

8-13 List and describe the security and control weaknesses at OPM that are discussed in this case.

OPM was saddled with outdated technology and weak management. A DHS Federal Information Security Management Act (FISMA) audit for fiscal year 2014, conducted by the Office of the Inspector General, found serious flaws in OPM's network and the way it was managed. OPM did not maintain an inventory of systems and baseline configurations, with servers operating without valid authorization. The auditors could not independently verify OPM's monthly automated vulnerability scanning program for all servers. There was no senior information security specialist or chief information security officer (CISO) responsible for network security. OPM lacked an effective multifactor authentication strategy and had poor management of user rights, inadequate monitoring of multiple systems, many unpatched computers, and a decentralized and ineffective cybersecurity function. Sensitive data were unencrypted and stored in old database systems that were vulnerable. OPM used contractors in China to manage some of its databases. These deficiencies had been pointed out to OPM many times since a FISMA audit in 2007. OPM had the vulnerabilities, no security-oriented leadership, and a skillful and motivated adversary. (Learning Objective 1: Why are information systems vulnerable to destruction, error, and abuse? AACSB: Analytical thinking, Reflective thinking, Application of knowledge.)

8-14 What management, organization, and technology factors contributed to these problems? How much was management responsible?

Management: Most attacks are the work of highly skilled professionals. However, when people don't take the problem seriously and aren't constantly on alert for hacking incidents and other network vulnerabilities, cyberattacks can go unnoticed until it's too late. In some cases, even though appropriate safeguards are in place, people may override them and open a hole for malware to enter systems, just as happened at OPM.

Organization: Organizations, public and private, continually fail to adequately plan for security before building any kind of computer system, thus opening the way for cyberattacks. OPM had been warned multiple times of security vulnerabilities and failings. A March 2015 OPM Office of the Inspector General semiannual report to Congress mentioned persistent deficiencies in OPM's information system security program, including incomplete security authorization packages, weaknesses in testing information security controls, and inaccurate plans of action and milestones.

Technology: Tracing the identities of specific attackers through cyberspace is next to impossible. Security experts have stated that the biggest problem with the breach was not OPM's failure to prevent remote break-ins but the absence of mechanisms to detect outside intrusion and inadequate encryption of sensitive data. If someone has the credentials of a user on the network, then he or she can access data even if they are encrypted, so encryption in this instance would not have protected the OPM data. (Learning Objective 1: Why are information systems vulnerable to destruction, error, and abuse? Learning Objective 2: What is the business value of security and control? AACSB: Analytical thinking, Reflective thinking, Application of knowledge.)

8-15 What was the impact of the OPM hack?

The attackers had stolen user credentials from a contractor to access OPM networks, most likely through social engineering. The hackers then planted malware, which installed itself within OPM's network and established a backdoor for plundering data. From there, attackers escalated their privileges to gain access to a wide range of OPM systems.

Information targeted in the breach included personally identifiable information such as Social Security numbers as well as names, dates and places of birth, and addresses. Also stolen was detailed security clearance-related background information. The hackers' biggest prize was probably more than 20 years of background check data, like information about family members, college roommates, foreign contacts, and psychological information.

OPM systems containing information related to the background investigations of current, former, and prospective federal government employees, including U.S. military personnel, and those for whom a federal background investigation was conducted may have been extracted. Government officials say that the exposure of security clearance information could pose a problem for years. (Learning Objective 1: Why are information systems vulnerable to destruction, error, and abuse? Learning Objective 2: What is the business value of security and control? AACSB: Analytical thinking, Reflective thinking, Application of knowledge.)

8-16 Is there a solution to this problem? Explain your answer.

As data breaches rise in significance and frequency, the Obama administration and Congress are proposing new legislation that would require firms to report data breaches within specific time frames and set standards for data security.

There are other measures every organization, public and private, can and should take to secure their systems and information. Section 8.4 of this chapter, "What are the most important tools and technologies for safeguarding information resources?", provides a list:

• Use appropriate identity management and authentication procedures and processes

• Use adequate firewalls, intrusion detection systems, and antivirus software

• Secure wireless networks

• Use adequate encryption and public key infrastructures; this alone would have saved Sony a lot of grief and money

• Control network traffic with deep packet inspection technology

Many security experts believe that U.S. cybersecurity is not well organized. The FBI and Department of Homeland Security released a "cyber alert" memo describing lessons learned from the OPM hack. The memo lists generally recommended security practices for OPM to adopt, including encrypting data, activating a personal firewall at agency workstations, monitoring users' online habits, and blocking potentially malicious sites. The Obama administration ordered a 30-day Cybersecurity Sprint across all agencies to try to fix the big problems. Without a strong foundation, this investment could prove futile in the long run. OPM and the federal government as a whole need to invest more in managers with IT security expertise and give those individuals real authority to act. (Learning Objective 4: What are the most important tools and technologies for safeguarding information resources? AACSB: Analytical thinking, Reflective thinking, Application of knowledge.)

Review Questions

8-1 Why are information systems vulnerable to destruction, error, and abuse? List and describe the most common threats against contemporary information systems.

The most common threats against contemporary information systems include technical, organizational, and environmental factors compounded by poor management decisions. Figure 8-1 includes the following:

• Technical: Unauthorized access, introducing errors

• Communications: Tapping, sniffing, message alteration, theft and fraud, radiation

• Corporate servers: Hacking, viruses and worms, theft and fraud, vandalism, denial-of-service attacks

• Corporate systems: Theft of data, copying data, alteration of data, hardware failure, and software failure. Power failures, floods, fires, or other natural disasters can also disrupt computer systems.

• Poor management decisions: Poorly designed safeguards that protect valuable data from being lost, destroyed, or falling into the wrong hands. (Learning Objective 1: Why are information systems vulnerable to destruction, error, and abuse? AACSB: Application of knowledge.)

Define malware and distinguish among a virus, a worm, and a Trojan horse.

Malware (for malicious software) is any program or file that is harmful to a computer user. Thus, malware includes computer viruses, worms, Trojan horses, and also spyware programs that gather information about a computer user without permission.

• Virus: A program or programming code that replicates itself by being copied or initiating its copying to another program, computer boot sector, or document.

• Worm: A self-replicating virus that does not alter files but resides in active memory and duplicates itself without human intervention.

• Trojan horse: A program in which malicious or harmful code is contained inside apparently harmless programming or data. A Trojan horse is not itself a virus because it does not replicate but is often a way for viruses or other malicious code to be introduced into a computer system. (Learning Objective 1: Why are information systems vulnerable to destruction, error, and abuse? AACSB: Application of knowledge.)

Define a hacker and explain how hackers create security problems and damage systems.

A hacker is an individual who gains unauthorized access to a computer system by finding weaknesses in security protections used by websites and computer systems. Hackers not only threaten the security of computer systems, but they also steal goods and information, as well as damage systems and commit cybervandalism. They may intentionally disrupt, deface, or even destroy a website or corporate information system. (Learning Objective 1: Why are information systems vulnerable to destruction, error, and abuse? AACSB: Application of knowledge.)

Define computer crime. Provide two examples of crime in which computers are targets and two examples in which computers are used as instruments of crime.

The Department of Justice defines computer crime as "any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution." Computer crime is defined as the commission of illegal acts through the use of a computer or against a computer system. Table 8-2 provides examples of computer crimes.

Computers as targets of crime:

• Breaching the confidentiality of protected computerized data

• Accessing a computer system without authority

• Knowingly accessing a protected computer to commit fraud

• Intentionally accessing a protected computer and causing damage, negligently or deliberately

• Knowingly transmitting a program, program code, or command that intentionally causes damage to a protected computer

• Threatening to cause damage to a protected computer

Computers as instruments of crime:

• Theft of trade secrets

• Unauthorized copying of software or copyrighted intellectual property, such as articles, books, music, and video

• Schemes to defraud

• Using email for threats or harassment

• Intentionally attempting to intercept electronic communication

• Illegally accessing stored electronic communications, including email and voice mail

• Transmitting or processing child pornography using a computer (Learning Objective 1: Why are information systems vulnerable to destruction, error, and abuse? AACSB: Application of knowledge.)

Define identity theft and phishing and explain why identity theft is such a big problem today.

Identity theft is a crime in which an imposter obtains key pieces of personal information, such as a Social Security identification number, driver's license number, or credit card numbers, to impersonate someone else. The information may be used to obtain credit, merchandise, or services in the name of the victim or to provide the thief with false credentials.

It is a big problem today because the Internet has made it easy for identity thieves to use stolen information: goods can be purchased online without any personal interaction. Credit card files are a major target of website hackers. Moreover, e-commerce sites are rich sources of customer personal information that criminals can use to establish a new identity and credit for their own purposes.

Phishing involves setting up fake websites or sending email messages that look like those of legitimate businesses to ask users for confidential personal data. The email instructs recipients to update or confirm records by providing Social Security numbers, bank and credit card information, and other confidential data, either by responding to the email message or by entering the information at a bogus website. New phishing techniques such as evil twins and pharming are very hard to detect. (Learning Objective 1: Why are information systems vulnerable to destruction, error, and abuse? AACSB: Application of knowledge.)

-escri"e the security and syste# relia"ility pro"le#s e#ployees create

 The largest financial threats to business institutions come from employees. 2ome of t he largest disruptions to service' destruction of ecommerce sites' and diversion of customer credit data and personal information have come from insiders. Employees have access to privileged information' and in the presence of sloppy internal security procedures' they are often able to roam throughout an organization’s systems without leaving a trace.

:any employees forget their passwords to access computer systems or allow other

coworkers to use them' which compromises the system. :alicious intruders seeking system access sometimes trick employees into revealing their passwords by pretending to be

legitimate members of the company in need of information #social engineering%. Employees can introduce errors by entering faulty data or by not following proper instructions for

(8)

processing data and using computer e"uipment. (nformation specialists can also create software errors as they design and develop new software or maintain existing programs. #+earning ,bjective 9 *hy are information systems vulnerable to destruction' error' and abuseF ));2&9 )pplication of knowledge.%

Explain how software defects affect system reliability and security.

Software can fail to perform, perform erratically, or give erroneous results because of undetected bugs. A control system that fails to perform can mean medical equipment that fails or telephones that do not carry messages or allow access to the Internet. A business system that fails means customers are under- or overbilled. Or it could mean that the business orders more inventory than it needs. Or an automobile's braking system may fail. Major quality problems are the bugs or defects caused by incorrect design. The other problem is maintenance of old programs, made difficult by organizational changes, system design flaws, and software complexity. Bugs in even mildly complex programs can be impossible to find in testing, making them hidden bombs. (Learning Objective 1: Why are information systems vulnerable to destruction, error, and abuse? AACSB: Analytical thinking.)

8-2 What is the business value of security and control? Explain how security and control provide value for businesses.

Security refers to the policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems.

Controls consist of all the methods, policies, and organizational procedures that ensure the safety of the organization's assets; the accuracy and reliability of its accounting records; and operational adherence to management standards.

The business value of security and control:

• Firms relying on computer systems for their core business functions can lose sales and productivity.

• Information assets, such as confidential employee records, trade secrets, or business plans, lose much of their value if they are revealed to outsiders or if they expose the firm to legal liability. (Learning Objective 2: What is the business value of security and control? AACSB: Analytical thinking.)

-escri"e the relationship "etween security and control and recent .S govern#ent regulatory re;uire#ents and co#puter !orensics

+egal actions re"uiring electronic evidence and computer forensics also re"uire firms to pay more attention to security and electronic records management. ;omputer forensics is the scientific collection' examination' authentication' preservation' and analysis of data held on or retrieved from computer storage media in such a way that the information can be used as evidence in the court of law. (t deals with the following problems9

• Gecovering data from computers while preserving evidential integrity. • 2ecurely storing and handling recovered electronic data.

• $inding significant information in a large volume of electronic data. • Aresenting the information to a court of law.

(9)

 Gecent 1.2. government regulatory re"uirements include9

• !ealth (nsurance Aortability and )ccountability )ct #!(A))% • <ramm+each&liley )ct

• 2arbanes,xley )ct

These laws re"uire companies to practice stringent electronic records management and adhere to strict standards for security' privacy' and control. #+earning ,bjective -9 *hat is the business value of security and controlF ));2&9 )pplication of knowledge.%

234 %hat are the co#ponents o! an organizational !ra#ewor$ !or security and control'-e!ine general controls and descri"e each type o! general control  <eneral controls govern the design' security' and use of computer programs and the security of data files in general throughout the organization’s information technology

infrastructure. They apply to all computerized applications and consist of a combination of hardware' software' and manual procedures that create an overall control environment. <eneral controls include software controls' physical hardware controls' computer operations controls' data security controls' controls over implementation of system processes' and

administrative controls. Table 4 describes each type of general control. #+earning ,bjective 49 *hat are the components of an organizational framework for security and controlF

 ));2&9 )pplication of knowledge.%

Define application controls and describe each type of application control.

Application controls are specific controls unique to each computerized application. They include both automated and manual procedures that ensure that only authorized data are completely and accurately processed by that application.

Application controls can be classified as:

• Input controls: Check data for accuracy and completeness when they enter the system. There are specific input controls for input authorization, data conversion, data editing, and error handling.

• Processing controls: Establish that data are complete and accurate during updating.

• Output controls: Ensure that the results of computer processing are accurate, complete, and properly distributed. (Learning Objective 3: What are the components of an organizational framework for security and control? AACSB: Application of knowledge.)
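The three classes of application control are easiest to see when they are written down as checks around one batch job. The following Python program is an added illustration for this answer; it is not code from the textbook or its instructor manual. The payroll records, the list of authorized clerks and report recipients, the employee-id format, and the 80-hour limit are all constructed for the example. Input controls reject unauthorized, malformed, or out-of-range records; the processing control takes a record count and a control total before the update step and refuses to accept the result if the posted ledger does not reconcile; the output control attaches those totals to the report and releases it only to an authorized recipient.

```python
"""Added example: input, processing and output controls around a payroll batch.
All data, names and limits below are constructed for illustration."""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
import re

# Constructed policy: who may submit records and who may receive the report.
AUTHORIZED_SUBMITTERS = {"hr-clerk-01", "hr-clerk-02"}
AUTHORIZED_REPORT_RECIPIENTS = {"payroll-manager"}
EMPLOYEE_ID_RE = re.compile(r"^E\d{5}$")   # data editing rule: 'E' + five digits
MAX_HOURS = Decimal("80")                   # data editing rule: plausible range


@dataclass
class RawRecord:
    submitter: str
    employee_id: str
    hours: str   # still text at the system boundary; conversion is an input control
    rate: str


def input_control(rec):
    """Input controls: authorization, data conversion, data editing, error handling.
    Returns (clean_tuple, None) when accepted or (None, reason) when rejected."""
    if rec.submitter not in AUTHORIZED_SUBMITTERS:
        return None, f"{rec.employee_id}: submitter {rec.submitter!r} not authorized"
    if not EMPLOYEE_ID_RE.match(rec.employee_id):
        return None, f"{rec.employee_id!r}: malformed employee id"
    try:
        hours, rate = Decimal(rec.hours), Decimal(rec.rate)
    except InvalidOperation:
        return None, f"{rec.employee_id}: non-numeric hours or rate"
    if not (Decimal(0) <= hours <= MAX_HOURS) or rate <= 0:
        return None, f"{rec.employee_id}: hours or rate out of range"
    return (rec.employee_id, hours, rate), None


def post_to_ledger(clean_records):
    """The update step whose completeness the processing control verifies."""
    return {eid: hours * rate for eid, hours, rate in clean_records}


def process_batch(records, update=post_to_ledger):
    """Apply input controls to every record, then the processing control: the
    record count and gross-pay control total captured before updating must
    reconcile with what the update step actually posted."""
    accepted, rejected = [], []
    for rec in records:
        clean, reason = input_control(rec)
        if clean:
            accepted.append(clean)
        else:
            rejected.append(reason)
    expected_count = len(accepted)
    expected_gross = sum((h * r for _, h, r in accepted), Decimal(0))
    ledger = update(accepted)
    posted_gross = sum(ledger.values(), Decimal(0))
    if len(ledger) != expected_count or posted_gross != expected_gross:
        raise RuntimeError(
            f"processing control failed: {len(ledger)}/{expected_count} records, "
            f"gross {posted_gross} vs control total {expected_gross}")
    return {"ledger": ledger, "rejected": rejected,
            "record_count": expected_count, "gross_total": expected_gross}


def output_control(result, recipient):
    """Output control: the report carries the control totals so the receiver can
    check completeness, and it is released only to an authorized recipient."""
    if recipient not in AUTHORIZED_REPORT_RECIPIENTS:
        return None
    header = f"PAYROLL records={result['record_count']} gross={result['gross_total']}"
    body = [f"{eid} {amount}" for eid, amount in sorted(result["ledger"].items())]
    return "\n".join([header] + body)


# Constructed batch: two valid records plus three that input controls must reject.
SAMPLE_BATCH = [
    RawRecord("hr-clerk-01", "E00017", "40", "25.00"),
    RawRecord("hr-clerk-02", "E00042", "37.5", "30.00"),
    RawRecord("intern-07", "E00099", "40", "25.00"),     # not authorized to submit
    RawRecord("hr-clerk-01", "X0003", "40", "25.00"),    # malformed employee id
    RawRecord("hr-clerk-01", "E00055", "400", "25.00"),  # hours out of range
]

if __name__ == "__main__":
    res = process_batch(SAMPLE_BATCH)
    print(output_control(res, "payroll-manager"))
    print("rejected:", *res["rejected"], sep="\n  ")
```

The `update` parameter exists so the processing control can be exercised against a faulty update step: passing a function that drops or duplicates a record makes `process_batch` raise instead of silently producing an incomplete ledger, which is exactly the failure a processing control is meant to catch.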

-escri"e the !unction o! ris$ assess#ent and e(plain how it is conducted !or in!or#ation syste#s

 ) risk assessment determines the level of risk to the firm if a specific activity or process is not properly controlled. &usiness managers working with information systems specialists can determine the value of information assets' points of vulnerability' the likely fre"uency of a problem' and the potential for damage. ;ontrols can be adjusted or added to focus on the areas of greatest risk. )n organization does not want to overcontrol areas where risk is low and undercontrol areas where risk is high.

2ecurity risk analysis involves determining what you need to protect' what you need to

(10)

ranking those risks by level of severity. This process involves making costeffective decisions on what you want to protect. The old security adage says that you should not spend more to protect something than it is actually worth. Two elements of a risk analysis that should be considered are9 #% identifying the assets and #-% identifying the threats. $or each asset' the basic goals of security are availability' confidentiality' and integrity. Each threat should be examined with an eye on how the threat could affect these areas. ,ne step in a risk analysis is to identify all the things that need to be protected. 2ome things are obvious' like all the various pieces of hardware' but some are overlooked' such as the people who actually use the systems. The essential point is to list all things that could be affected by a security

problem. #+earning ,bjective 49 *hat are the components of an organizational framework for security and controlF ));2&9 )pplication of knowledge.%
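The ranking step described above can be made concrete by combining the likely frequency of a problem with the potential for damage into an expected annual loss for each threat, then sorting. The Python below is an added example written for this answer, not material from the textbook; the assets, probabilities, loss figures and control costs are constructed, and the `affects` field ties each threat back to the three security goals named in the answer. `control_is_worthwhile` encodes the adage that a control should not cost more than the loss it removes.

```python
"""Added example: ranking threats by expected annual loss and testing whether a
proposed control is worth its cost. All figures are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Threat:
    asset: str
    name: str
    affects: tuple              # subset of availability / confidentiality / integrity
    annual_probability: float   # likely frequency: chance the event occurs in a year
    avg_loss: float             # potential for damage per occurrence, currency units

    def expected_annual_loss(self):
        return self.annual_probability * self.avg_loss


def rank_threats(threats):
    """Severity ranking: the threat with the largest expected annual loss first."""
    return sorted(threats, key=Threat.expected_annual_loss, reverse=True)


def exposure_by_goal(threats):
    """Total expected loss attributed to each security goal, so the firm can see
    whether availability, confidentiality or integrity is most exposed."""
    totals = {"availability": 0.0, "confidentiality": 0.0, "integrity": 0.0}
    for t in threats:
        for goal in t.affects:
            totals[goal] += t.expected_annual_loss()
    return totals


def control_is_worthwhile(threat, control_annual_cost, probability_after):
    """A control that lowers the threat's probability is justified only when the
    expected loss it avoids exceeds what the control costs each year."""
    loss_avoided = (threat.annual_probability - probability_after) * threat.avg_loss
    return loss_avoided > control_annual_cost


# Constructed threat register for a hypothetical order-processing business.
SAMPLE_THREATS = [
    Threat("order-processing system", "power failure", ("availability",), 0.30, 50_000),
    Threat("customer database", "embezzlement by privileged user",
           ("confidentiality", "integrity"), 0.05, 400_000),
    Threat("order-processing system", "user data-entry error", ("integrity",), 0.98, 20_000),
    Threat("employees", "phishing of staff credentials", ("confidentiality",), 0.40, 60_000),
]

if __name__ == "__main__":
    for t in rank_threats(SAMPLE_THREATS):
        print(f"{t.expected_annual_loss():>10,.0f}  {t.name} ({t.asset})")
    print(exposure_by_goal(SAMPLE_THREATS))
    phishing = SAMPLE_THREATS[3]
    print("awareness training worthwhile:",
          control_is_worthwhile(phishing, control_annual_cost=10_000, probability_after=0.10))
```

Note that the highest-probability threat (data-entry error) is not the top-ranked one; weighting frequency by damage is what keeps the firm from over-controlling a frequent but cheap problem while under-controlling a rare but costly one.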

Define and describe the following: security policy, acceptable use policy, and identity management

A security policy consists of statements ranking information risks, identifying acceptable security goals, and identifying the mechanisms for achieving these goals. The security policy drives policies determining acceptable use of the firm’s information resources and which members of the company have access to its information assets.

An acceptable use policy (AUP) defines acceptable uses of the firm’s information resources and computing equipment, including desktop and laptop computers, wireless devices, telephones, and the Internet. The policy should clarify company policy regarding privacy, user responsibility, and personal use of company equipment and networks. A good AUP defines unacceptable and acceptable actions for each user and specifies consequences for noncompliance.

Identity management consists of business processes and software tools for identifying valid system users and controlling their access to system resources. It includes policies for identifying and authorizing different categories of system users, specifying what systems or portions of systems each user is allowed to access, and the processes and technologies for authenticating users and protecting their identities. (Learning Objective 4: What are the components of an organizational framework for security and control? AACSB: Application of knowledge.)

Explain how information systems auditing promotes security and control

Comprehensive and systematic MIS auditing helps organizations determine the effectiveness of security and controls for their information systems. An MIS audit identifies all of the controls that govern individual information systems and assesses their effectiveness. Control weaknesses and their probability of occurrence will be noted. The results of the audit can be used as guidelines for strengthening controls, if required. (Learning Objective 4: What are the components of an organizational framework for security and control? AACSB: Analytical thinking.)

What are the most important tools and technologies for safeguarding information resources?

Name and describe three authentication methods

Authentication refers to the ability to know that a person is who he or she claims to be. Some methods are described below:


• What you know: Passwords known only to the authorized users.

• What you have:

  • Token: a physical device that is designed to provide the identity of a single user.

  • Smart card: a device that contains a chip formatted with access permission and other data.

• What you are: Biometrics is based on the measurement of a physical or behavioral trait that makes each individual unique. (Learning Objective 8: What are the most important tools and technologies for safeguarding information resources? AACSB: Application of knowledge.)

-escri"e the roles o! !irewalls& intrusion detection syste#s& and antivirus so!tware in pro#oting security

 ) firewall is a combination of hardware and software that controls the flow of incoming and outgoing network traffic. $irewalls prevent unauthorized users from accessing internal networks. They protect internal systems by monitoring packets for the wrong source or destination' or by offering a proxy server with no access to the internal documents and systems' or by restricting the types of messages that get through' for example' email. $urther' many authentication controls have been added for web pages as part of firewalls. (ntrusion detection systems monitor the most vulnerable points or Hhot spotsI in a network to detect and deter unauthorized intruders. These systems often also monitor events as they happen to look for security attacks in progress. 2ometimes they can be programmed to shut down a particularly sensitive part of a network if it receives unauthorized traffic.

Antivirus so!tware is designed to check computer systems and drives for the presence of computer viruses and worms and often eliminates the malicious software' whereas

antispyware software combats intrusive and harmful spyware programs. ,ften the software can eliminate the virus from the infected area. To be effective' antivirus software must be continually updated. #+earning ,bjective 89 *hat are the most important tools and technologies for safeguarding information resourcesF ));2&9 )pplication of knowledge.%

Explain how encryption protects information

Encryption, the coding and scrambling of messages, is a widely used technology for securing electronic transmissions over the Internet and over Wi-Fi networks. Encryption offers protection by keeping messages or packets hidden from the view of unauthorized readers. Encryption is crucial for ensuring the success of electronic commerce between the organization and its customers and between the organization and its vendors. (Learning Objective 8: What are the most important tools and technologies for safeguarding information resources? AACSB: Analytical thinking.)

-escri"e the role o! encryption and digital certi!icates in a pu"lic $ey in!rastructure Digital certificates combined with public key encryption provide further protection of

electronic transactions by authenticating a user’s identify. Digital certificates are data fields used to establish the identity of the sender and to provide the receiver with the means to encode a reply. They use a trusted third party known as a certificate authority to validate a user’s identity. &oth digital signatures and digital certificates play a role in authentication.  )uthentication refers to the ability of each party to know that the other parties are who they

claim to be. #+earning ,bjective 89 *hat are the most important tools and technologies for safeguarding information resourcesF ));2&9 )pplication of knowledge.%
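The mechanism described above, as an added example that is not part of the textbook material: a constructed certificate authority issues a certificate naming vendor.example, and the receiving party accepts a signed message only if that certificate chains to a CA it trusts, carries the expected name, and the signature verifies under the certificate's public key. It uses the Go standard library's X.509 and Ed25519 packages; the CA name, validity window and message are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewCert issues a certificate for cn: a self-signed CA when parent is nil, otherwise an
// end-entity certificate signed by that CA, which is how the authority vouches for cn.
func NewCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed; real CAs use random serials
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         parent == nil, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	signer, signerKey := tmpl, key // no parent: the CA signs its own certificate
	if parent != nil {
		tmpl.DNSNames = []string{cn} // the name the receiver will check
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// Sign is the sender's side: a digital signature over msg with the sender's private key.
func Sign(key ed25519.PrivateKey, msg []byte) []byte { return ed25519.Sign(key, msg) }

// VerifyPeer is the receiver's side: the certificate must chain to a CA the receiver
// trusts and carry the expected name, and the signature must verify under its public key.
func VerifyPeer(root, peer *x509.Certificate, name string, msg, sig []byte) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := peer.Verify(x509.VerifyOptions{Roots: pool, DNSName: name}); err != nil {
		return false // untrusted issuer, expired, or name mismatch
	}
	return peer.CheckSignature(x509.PureEd25519, msg, sig) == nil
}
```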


Disaster recovery planning devises plans for the restoration of computing and communications services after they have been disrupted by an event such as an earthquake, flood, or terrorist attack. Disaster recovery plans focus primarily on the technical issues involved in keeping systems up and running, such as which files to back up and the maintenance of backup computer systems or disaster recovery services.

Business continuity planning focuses on how the company can restore business operations after a disaster strikes. The business continuity plan identifies critical business processes and determines action plans for handling mission-critical functions if systems go down. (Learning Objective 8: What are the most important tools and technologies for safeguarding information resources? AACSB: Analytical thinking.)

Identify and describe the security problems cloud computing poses

Accountability and responsibility for protection of sensitive data reside with the company owning that data even though it’s stored offsite. The company needs to make sure its data are protected at a level that meets corporate requirements. The company should stipulate to the cloud provider how its data are stored and processed in specific jurisdictions according to the privacy rules of those jurisdictions. The company needs to verify with the cloud provider how its corporate data are segregated from data belonging to other companies and ask for proof that encryption mechanisms are sound. The company needs to verify how the cloud provider will respond if a disaster strikes. Will the cloud provider be able to completely restore the company’s data and how long will that take? Will the cloud provider submit to external audits and security certifications? (Learning Objective 8: What are the most important tools and technologies for safeguarding information resources? AACSB: Application of knowledge.)

-escri"e #easures !or i#proving so!tware ;ualit y and relia"ility

1sing software metrics and rigorous software testing are two measure for improving software "uality and reliability.

Software metrics are objective assessments of the system in the form of quantified measurements. Metrics allow an information systems department and end users to jointly measure the performance of a system and identify problems as they occur. Metrics must be carefully designed, formal, objective, and used consistently. Examples of software metrics include:

• Number of transactions that can be processed in a specified unit of time.

• Online response time.

• Number of known bugs per hundred lines of program code.

Early, regular, and thorough testing will contribute significantly to system quality. Testing can prove the correctness of work but also uncover errors that always exist in software. Testing can be accomplished through the use of:

• Walkthroughs: A review of a specification or design document by a small group of people.

• Coding walkthroughs: Once developers start writing software, these can be used to review program code.
