MIS EXAM 3


b) According to one study, on average, how much does it cost a company when a security threat becomes reality for a company resulting in downtime?

$260,000

Social Engineering:

(in the context of information security) the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.

a) What is the dilemma we face as business professionals in dealing with the handling of personal information, as discussed in class?

1. As a business, you want to know everything about your customers so you can sell/serve them better. 2. As a customer, you don't want the business the know everything about you because then you lose privacy.

j) What are the 4 parts of the "Fair Use" exceptions to the Copyright Law?

1. The use is for noncommercial purposes (e.g. showing us a Dilbert strip in class). 2. The work is factual rather than creative (e.g. a CNN news story). 3. You use only a tiny, insubstantial amount of the material (e.g. eight notes from a full song). 4. Your use does not affect the potential market for or value of the protected work; that is, your use is not a reasonable substitute for the original work.

d) In what 3 ways do systems projects often fail, and why?

Projects fail on schedule (late), budget (over cost), or functionality (the system does not do what was needed). Why: 1. We have only been developing complex software for around 50 years. 2. Managers of development projects often know too little about IS development. 3. Hardware life cycles are different from software life cycles.

VPN (Virtual Private Network)

A VPN is software that sits between your other applications and the network. 1. Encrypts your data transmissions. The VPN encrypts everything between your device and the VPN provider's server, so anyone on the local network (a coffee-shop Wi-Fi, a hostile router, an eavesdropper) sees only scrambled data and cannot read or alter it. Beyond the VPN server the traffic is only as protected as the application makes it (e.g. HTTPS), so a VPN is not end-to-end encryption. 2. Masks your identity and personal information. Websites see the VPN server's address instead of yours, which hides your location and network identity; it does not protect information you type into a site yourself. 3. Bypasses geo-restrictions. Because your traffic leaves the Internet from the VPN server, sites see that server's location rather than yours, and your local network or ISP cannot see which sites you visit.

e) What is a Systems Development Life Cycle (SDLC) and why do companies use it to build systems?

A disciplined, semi-sequential approach to systems development. Companies use it because every phase produces defined deliverables, which makes the work predictable and lets other employees join mid-project easily. Development phases: 1. Planning Phase 2. Requirements Phase 3. Design Phase 4. Development Phase 5. Implementation Phase. Production phase: 6. Maintenance Phase.

Trojan horse:

A program designed to breach the security of a computer system while ostensibly performing some innocuous function.

f) What are the two main factors in securing data assets? Know what each means and what examples of each could be.

Authentication: a method for confirming identities. It relies on one or more factors: something the user knows (a password or PIN), something the user has (a phone, smart card, or hardware token), or something that is part of the user (a fingerprint or face). Authorization: the process of giving an authenticated identity permission to do or have something (e.g. a clerk may read the sales table but may not delete from it).

What are the 3 ways companies acquire information systems? Buy:

BUY: COTS (Commercial Off The Shelf)
•Systems that you buy from vendors and install, either on premise or on cloud.
•Advantages: already exists so faster to get into production, cost is clearer, vendor handles bugs.
•Disadvantages: might not be exactly what you need, no strategic advantage.
•Ex: Biff's Boards buys an enterprise accounting system from Oracle and installs it on their "on premise" technology.

Firewalls:

A computer or router that controls what traffic may enter or leave the organization's networks. It compares each connection against a list of rules and blocks anything the rules do not explicitly allow.

i) What does copyright law protect? Specifically, the 5 rights.

Copyright law protects original "works of authorship", in both non-digital and digital form. The owner holds five exclusive rights: reproduction, modification (making derivative works), distribution, public performance, and public display.

What are the 3 ways companies acquire information systems? Build:

Custom •Systems that you build on your own •Advantages and Disadvantages are flip side of COTS •Ex: Biff's Boards conceives, designs, and builds a Virtual Reality app to help customers envision how they'd look on their board

c) Be able to name and describe the three levels of system security (slides and Belanger Fig 8.2)

DATA ACCESS: protection of the information itself. Who/what can access the databases, and what can they do with that access: Create, Read, Update, Delete (CRUD)?
APP ACCESS: protection of the computer on which the information is stored. Which applications may do CRUD on which data, and who may use those applications?
NETWORK ACCESS: protection of the network to which the computer is connected. Who may access the resources on our network: the intranet (employees) or the extranet (partners)?
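The two factors (authentication, then authorization) checked across the three access levels, as an added example that is not from the course or from Belanger: the user store, role names, tables and network ranges are all made up, and the fixed one-time code stands in for a code a real token app would generate.

```python
import hashlib
import hmac
import os
from ipaddress import ip_address, ip_network

# Constructed example (added here, not from the course): authenticate first
# (who are you?), then authorize at the network, application and data levels
# (what may you do?). All names, roles, tables and addresses are made up.

def hash_password(password: str, salt: bytes, rounds: int = 100_000) -> bytes:
    """Slow salted hash; the system stores this, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

# Constructed user store. Password = "something the user knows"; the one-time
# code stands in for a token/phone app code = "something the user has".
_SALT = os.urandom(16)
USERS = {
    "alice": {"salt": _SALT, "hash": hash_password("correct horse battery staple", _SALT),
              "otp": "492817", "role": "accountant"},
}

def authenticate(username: str, password: str, otp: str):
    """Confirm identity: both factors must check out. Returns the role, or None."""
    user = USERS.get(username)
    if user is None:
        return None
    # compare_digest keeps comparison time independent of where the values differ
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
        return None
    if not hmac.compare_digest(otp.encode(), user["otp"].encode()):
        return None
    return user["role"]

# NETWORK ACCESS: which networks may reach the resource at all (intranet only here).
ALLOWED_NETWORKS = [ip_network("10.0.0.0/8")]

# APP ACCESS: which roles may use which applications.
APP_ACCESS = {"accountant": {"ledger"}, "clerk": {"pos"}}

# DATA ACCESS: which (application, role) may do which CRUD operations on which table.
DATA_ACCESS = {
    ("ledger", "accountant"): {"invoices": {"C", "R", "U"}, "customers": {"R"}},
    ("pos", "clerk"):         {"sales": {"C", "R"}},
}

def authorize(role: str, source_ip: str, app: str, table: str, op: str):
    """Grant only if every level allows it; returns (decision, level that decided)."""
    if not any(ip_address(source_ip) in net for net in ALLOWED_NETWORKS):
        return False, "network"
    if app not in APP_ACCESS.get(role, set()):
        return False, "application"
    if op not in DATA_ACCESS.get((app, role), {}).get(table, set()):
        return False, "data"
    return True, "ok"

def request(username, password, otp, source_ip, app, table, op):
    """Full check: authentication failure is reported before any permission is consulted."""
    role = authenticate(username, password, otp)
    if role is None:
        return False, "authentication"
    return authorize(role, source_ip, app, table, op)

if __name__ == "__main__":
    ok = ("alice", "correct horse battery staple", "492817", "10.1.2.3")
    print(request(*ok, "ledger", "invoices", "U"))   # (True, 'ok')
    print(request(*ok, "ledger", "invoices", "D"))   # (False, 'data'): accountants cannot delete invoices
```

Note that the accountant is never told which of the three levels would have allowed a request once an earlier one denies it, and an unknown user gets the same "authentication" answer as a wrong password: the response does not reveal which part was wrong.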

c) From the videos we saw in class, what is a data broker?

Data brokers are entities that collect information about consumers, then sell the information to other data brokers, companies, or other people

d) How do data brokers get your personal information?

Data brokers collect it any way they can: surveys they create, websites they run, tracking where you go, and so on. They then sell the resulting profile to companies that want to market to you or to people like you.

a) Understand the difference between an external threat to a business system and an internal threat. Be familiar with the example in the slides and Belanger Fig 8.1

EXTERNAL THREATS: legal and regulatory, natural disasters, pranksters, criminals and terrorists, viruses, hackers. INTERNAL THREATS: policies not followed, data, internal controls, system development, malicious employees. INCREASED RISKS: financial, operational, technological, informational.

h) Know what "encryption" is. You don't need to know how to encrypt, just what it is. i) Know what this sentence means: "VPN software encrypts your data transmission from your device to a wifi router, making it more secure than if you don't use a VPN"

Encryption: the use of mathematical algorithms to convert a message or data into scrambled information that is unreadable to anyone without the key. The VPN sentence means: the VPN client encrypts your traffic before it leaves your device and the VPN server decrypts it at the far end, so the Wi-Fi router and anyone else on the local network see only scrambled data and cannot read or alter it. That is why using a VPN on a shared Wi-Fi network is more secure than not using one. Using the VPN also masks your identity and personal information (sites see the VPN server's address, not yours) and bypasses geo-restrictions.

What is a "hacker"? What is the difference between a "black hat hacker" and a "white hat hacker"?

Experts in technology who use their knowledge to break into computers and computer networks, either for profit, for the challenge, or, more recently, for social mayhem. BLACK HAT HACKER: a hacker who "violates computer security for little reason beyond maliciousness or for personal gain". WHITE HAT HACKER: a computer security specialist who, with the owner's permission, breaks into protected systems and networks to test and assess their security. White hat hackers use their skills to improve security by exposing vulnerabilities before malicious hackers can find and exploit them.

Trade Secrets-

Formula, process that gives one company a business advantage (i.e. Coca-Cola formula or Google search algorithm)

Know what these SQL operators mean/do: FROM

From: The From clause lists the table or tables in which the data resides. A simple query names a single table; a query that combines data from several tables names each of them (see JOIN).

k) Know what "gap analysis" is in the Systems Analysis phase.

Gap analysis: comparing actual (current) performance with the potential or desired future performance and listing the gaps between the two. In the Systems Analysis phase it identifies what the new system must do that the current one does not, which is what the project needs to build.

h) What is "intellectual property?"

Intellectual property:
Patents - ownership of an invention (i.e. Microsoft "double clicking")
Trademarks - phrase, symbol, or design that distinguishes the source of products or services (i.e. Apple)
Trade Secrets - formula or process that gives one company a business advantage (i.e. Coca-Cola formula or Google search algorithm)
Copyright - protected original works, whether non-digital assets or digital assets

Know what these SQL operators mean/do: JOIN

Join: Logical Condition that matches a column in one table with a column from another table

d) Know what these common security threats are. Malware, Phishing, Social Engineering, Ransomware, and Trojan Horse. Don't be afraid to search online for descriptions and examples of each!

MALWARE: general term covering all the different types of malicious software that threaten your computer's safety (ex: viruses, spyware, worms, etc.). Phishing: a type of social engineering attack used to steal user data through fake emails, texts, and messages that look official but trick you into handing over credentials or personal information, or into opening a malicious attachment. Social Engineering: a non-technical strategy that relies on human interaction and usually involves tricking people into breaking security rules, for example telling someone their password. Ransomware: a type of malicious software that blocks access to the victim's data, or threatens to publish it, until a ransom is paid, generally in bitcoin. Very common in the United States. Trojan Horse: malware hidden inside a file or program that appears legitimate; it runs when the user opens the file. RELATED THREAT TYPES (from the slides): backdoor program, denial-of-service attack (DoS), distributed denial-of-service attack (DDoS), Trojan-horse virus, worm, ransomware.

b) Know what these SQL functions mean/do: MONTH(datefield), YEAR(datefield), CONCAT

MONTH(datefield): a built-in SQL function that returns the month number (1-12) of a date value. Used in a WHERE clause, MONTH(SaleDate) = 10 keeps only the rows whose SaleDate falls in October; any month number can be used. YEAR(datefield): the companion built-in function for date-time values; it returns the year of the date, e.g. YEAR(SaleDate) = 2023. CONCAT: joins two or more text values into one string (the book calls it self-explanatory). Example: SELECT CustomerID, CONCAT(firstName, ' ', lastName) AS CustomerName FROM Customer

g) Know the parts of the "Prevention Checklist" in the class slides. Know what each means, and how each protects your computer.

Network Layer: firewall, Virtual Private Network (VPN), deny hacks / phishing / fraud.
Data Layer: operating system updates, backup practices, physical protection, disconnect your device, insurance.
Application Layer: password vault, antivirus software, antispyware software, browser filters, download practices.

Modification right-

Only the copyright owner may modify the work or make derivative works from it

Public display right-

Only the owner can display the work

Public performance right-

Only the owner can perform the work (unless payment or permission is granted)

j) Know the five feasibility studies in the Planning Phase, and what the main goal of each is.

Organizational: Will / can the organization use the system? Technical: Is the technology available and easy enough to use? Schedule: Can we get the systems into production soon enough? Economic: Is the proposed system affordable and worth the investment? Legal: Does this proposed project violate any laws or regulations?

Distribution right-

The owner decides how, where, and when the work is distributed

Patents-

Ownership of an invention (i.e. Microsoft "double clicking")

g) When we talk about "personal information", what are examples of that?

Personal Subjects: Health conditions, finances, lifestyle, purchases, sex, religion, politics Where you live, what you do, who you do it with, when you do it, what you say, where you are now

Trademarks-

Phrase, symbol, or design that distinguishes the source of products or services (i.e. Apple)

MILESTONES:

Points in time by which a task is to be done; used to check whether the project is on schedule.

f) Know the second 5 guiding principles of information ethics (ie, #6 - #10 as presented on the slide entitled "Guiding Principles of Info Ethics")

Principle of honesty: do not deceive others. Principle of lawfulness: do not violate the law. Principle of autonomy: acknowledge a person's freedom over his/her actions or physical body. Principle of justice: acknowledge a person's right to due process, fair compensation for harm done, and fair distribution of benefits. Rights: acknowledge a person's rights to life, information, privacy, free expression, and safety.

a) What is a project? What is a process? Know the difference.

PROJECT: temporary, with a definite start and end; has a unique purpose and is not ongoing; has clear outcomes and deliverables; requires resources, often from different areas; involves uncertainty and change; must balance scope, time, and cost; is usually a new and novel effort; must have a sponsor or customer. It is NOT an ongoing process. PROCESS: processes are ongoing and repeat; they have no clear end.

Copyright-

Protection of original works of authorship, whether non-digital assets or digital assets

What are the 3 ways companies acquire information systems? Subscribe:

RENT/SUBSCRIBE (Cloud) •Similar advantages and disadvantages of COTS systems •Advantage: Company can "pay as they grow" rather than capital investment in equipment and staff •Disadvantage: Company might lose some flexibility in customizing their processes

b) Know these words from project management: scope, scope creep, milestones, PERT chart (and task sequencing), Gantt chart (and calendar time).

SCOPE: what the project will include. (Also by definition, what the project will NOT include.)

For example, if I give you this SQL statement, you should be able to tell me if it's correct or incorrect. If it's incorrect, what's the problem? In this case, you would say "This is incorrect. The correct operator is WHERE, not WHEN"

SELECT Cust_name, Cust_Address FROM CustomerData WHEN Credit_Rating > 10

Know what these SQL operators mean/do: SELECT

Select: The Select clause lists the columns that should show in the result of the query. They can be in whatever order you want.

PERT:

Shows task dependencies and time sequencing, Works off "ideal" time, not calendar or actual time, Useful to manage critical path

c) In the PERT chart, what do we mean by "critical path" and "slack"?

Critical path: the longest chain of dependent tasks through the PERT chart. Its length is the shortest possible project duration, and any delay to a task on it delays the whole project. Slack: the amount of time a task can be delayed without delaying the project finish. Tasks on the critical path have zero slack; tasks off it have slack equal to the gap between their earliest and latest possible start.
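The forward and backward pass that turns a PERT network into a critical path and per-task slack, as an added example that is not from the course: the task names, dependencies and "ideal" durations are made up.

```python
# Constructed example (added here, not from the course): compute the critical
# path and slack of a small PERT network. Forward pass = earliest start/finish,
# backward pass = latest start/finish; slack = latest start - earliest start.

TASKS = {
    # task: (duration in ideal days, predecessors that must finish first)
    "plan":      (2, []),
    "require":   (4, ["plan"]),
    "design":    (5, ["require"]),
    "develop":   (8, ["design"]),
    "procure":   (6, ["plan"]),               # hardware order, runs alongside analysis
    "test":      (3, ["develop", "procure"]),
    "implement": (2, ["test"]),
}

def topo_order(tasks):
    """Order tasks so every predecessor comes before its successors."""
    order, seen = [], set()
    def visit(t):
        if t in seen:
            return
        seen.add(t)
        for p in tasks[t][1]:
            visit(p)
        order.append(t)
    for t in tasks:
        visit(t)
    return order

def schedule(tasks):
    """Return (project finish, slack per task, critical path as an ordered task list)."""
    order = topo_order(tasks)
    es, ef = {}, {}                                  # forward pass: earliest start/finish
    for t in order:
        dur, preds = tasks[t]
        es[t] = max((ef[p] for p in preds), default=0)
        ef[t] = es[t] + dur
    finish = max(ef.values())
    successors = {t: [s for s in tasks if t in tasks[s][1]] for t in tasks}
    ls, lf = {}, {}                                  # backward pass: latest start/finish
    for t in reversed(order):
        dur = tasks[t][0]
        lf[t] = min((ls[s] for s in successors[t]), default=finish)
        ls[t] = lf[t] - dur
    slack = {t: ls[t] - es[t] for t in tasks}        # days a task may slip without moving the finish
    critical = [t for t in order if slack[t] == 0]   # zero-slack tasks form the critical path
    return finish, slack, critical

def with_delay(tasks, task, extra_days):
    """Project finish if one task takes extra_days longer than planned."""
    dur, preds = tasks[task]
    changed = dict(tasks)
    changed[task] = (dur + extra_days, preds)
    return schedule(changed)[0]

if __name__ == "__main__":
    finish, slack, critical = schedule(TASKS)
    print("finish:", finish, "| critical path:", " -> ".join(critical))
    print("slack:", slack)
    print("procure +11 days:", with_delay(TASKS, "procure", 11),
          "| procure +12 days:", with_delay(TASKS, "procure", 12))
```

With these numbers the hardware order has 11 days of slack, so it can slip by 11 days at no cost but by 12 days the project finishes a day late, while one extra day on "design" (zero slack) is one extra day on the project.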

GANTT:

Shows who owns and executes each task, Works off a calendar and actual time, Useful to match against the real-time calendar to monitor project progress

b) What has been the impact of poor ethics (e.g., perceptions of corruption) on the ability of countries to gain foreign direct investment? What's the take away about how the world views ethical or high integrity behavior?

Take away: less corrupt countries attract more foreign direct investment, so the world rewards ethical, high-integrity behavior. At the same time, different countries maintain different standards of ethics and law, so views of what counts as ethical or high-integrity behavior differ around the world.

Phishing:

The "fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers." Although sometimes called a "phishing virus", phishing is a social-engineering attack on the person, not malware on the machine.

Reproduction right-

The right to decide how the work is copied and who may copy it

e) What is the difference between values, morals, ethics, and laws? Be able to look at some statements and choose whether it is a value, moral, ethic, or law as we discussed in class (not in general).

Value: Beliefs of what is important and worthwhile. Each individual has their own values based on family, peers, culture, social class, religion, gender, etc. Morals: Codes of conduct governing behavior based on values. They can be held at an individual, group or society level. Example: "treat others as you would like to be treated" Ethics: A field of study that examines the moral basis of human behavior and attempts to determine the best course of action in the face of conflicting choices. Law: rules of behavior, enforced by consequences for violating those rules. "Values create laws, laws don't usually create values."

HOW THEY RELATE TO EACH OTHER (one example, from value through to law):

Value: individuals deserve to live freely Moral: you should respect individual's right to make decisions for themselves Ethics: you are ethical when you let others make decisions for themselves, you are unethical when you make decisions for them against their wishes. Law: USA Bill of Rights, First Amendment

i) In building systems, most companies use either the Waterfall or Agile model. Know the differences as we discussed in class, and why you - as a manager - might choose one over the other.

Waterfall Model: linear and sequential; not best for feedback and learning; easy for most to understand; speedier if you totally know what you want at the end.
Agile Model: iterative; specifically designed for feedback and learning; harder for most to understand; good for end results that are novel or innovative.

SCOPE CREEP:

When scope grows without budget and schedule also growing

Know what these SQL operators mean/do: WHERE

Where: The Where clause contains the selection conditions the query uses to decide which data to include in the query result. Specifically, the query looks at the table in the From clause and then applies the selection condition from the Where clause to each row in the table. If a row satisfies the condition in the Where clause, then the row is selected for the result. If not, the row is simply omitted from the result.
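The SELECT, FROM, WHERE and JOIN clauses, the MONTH/YEAR/CONCAT functions, and the WHEN-for-WHERE mistake from the exam, run end to end as an added example that is not from the course or its textbook. It uses Python's built-in sqlite3 against an in-memory database with made-up Customer and Sale tables; SQLite has no MONTH(), YEAR() or CONCAT(), so the equivalents strftime('%m', ...), strftime('%Y', ...) and the || operator are used where the exam's MySQL-style functions would appear.

```python
import sqlite3

# Constructed example (added here, not from the course): each function runs
# one of the exam's query shapes against constructed tables. Column names follow
# the course's examples (CustomerID, firstName, lastName, SaleDate, Credit_Rating).

def build_db():
    """Create the two constructed tables and load a handful of rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Customer (
            CustomerID INTEGER PRIMARY KEY, firstName TEXT, lastName TEXT, Credit_Rating INTEGER);
        CREATE TABLE Sale (
            SaleID INTEGER PRIMARY KEY, CustomerID INTEGER, SaleDate TEXT, Amount REAL);
        INSERT INTO Customer VALUES (1, 'Biff', 'Boards', 12), (2, 'Ada', 'Lovelace', 8), (3, 'Grace', 'Hopper', 15);
        INSERT INTO Sale VALUES
            (10, 1, '2023-10-05', 250.0), (11, 2, '2023-10-19', 90.0),
            (12, 3, '2023-11-02', 400.0), (13, 1, '2022-10-30', 75.0);
    """)
    return conn

def good_credit(conn):
    """SELECT names the columns, FROM the table, WHERE keeps only rows that satisfy the condition."""
    return conn.execute(
        "SELECT firstName, lastName FROM Customer WHERE Credit_Rating > 10 ORDER BY CustomerID"
    ).fetchall()

def october_2023_sales(conn):
    """MySQL: WHERE MONTH(SaleDate) = 10 AND YEAR(SaleDate) = 2023. SQLite spells it with strftime."""
    return conn.execute(
        "SELECT SaleID FROM Sale "
        "WHERE strftime('%m', SaleDate) = '10' AND strftime('%Y', SaleDate) = '2023' "
        "ORDER BY SaleID"
    ).fetchall()

def customer_names(conn):
    """MySQL: CONCAT(firstName, ' ', lastName) AS CustomerName. SQLite concatenates with ||."""
    return conn.execute(
        "SELECT CustomerID, firstName || ' ' || lastName AS CustomerName FROM Customer ORDER BY CustomerID"
    ).fetchall()

def big_sales_with_names(conn):
    """JOIN matches Sale.CustomerID to Customer.CustomerID so one result row carries columns from both tables."""
    return conn.execute("""
        SELECT Customer.lastName, Sale.Amount
        FROM Sale JOIN Customer ON Sale.CustomerID = Customer.CustomerID
        WHERE Sale.Amount >= 200
        ORDER BY Sale.SaleID
    """).fetchall()

def broken_query_error(conn):
    """The exam's incorrect statement: WHEN is not a clause keyword, so the database refuses to run it."""
    try:
        conn.execute("SELECT firstName, lastName FROM Customer WHEN Credit_Rating > 10")
    except sqlite3.OperationalError as err:
        return str(err)      # e.g. near "WHEN": syntax error
    return None

if __name__ == "__main__":
    db = build_db()
    print(good_credit(db))
    print(october_2023_sales(db))
    print(customer_names(db))
    print(big_sales_with_names(db))
    print(broken_query_error(db))
```

The 2022 October sale is excluded because the month test alone would have kept it; the year test is what the exam's MONTH(SaleDate) = 10 example leaves implicit.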

Ransomware:

a type of malicious software designed to block access to a computer system until a sum of money is paid.

l) What is the difference between "on premises" computing and "cloud" computing?

•On Premises: hardware and software reside on company property; the company owns them and must manage them (installation, production, upgrades, retirement).
•Ex: Biff's Boards owns all network servers, web servers, data servers, laptops, desktops, printers, devices, etc. and manages them all to run their enterprise systems.
•Cloud: hardware and software reside on a partner's property, and all transactions and processes occur between the company's front-end devices and the partner's cloud services.
•Ex: Biff's Boards owns laptops, desktops, and devices but uses the Internet to connect to "their" servers, which are housed at their partners' facilities.
•Cloud services vendors: Amazon Web Services (AWS), Oracle, Salesforce, Google, many more.
