CIS 7
Risk Acceptance
Accept the potential risk, continue operating with no controls, and absorb any damages that occur.
organizational firewall
An ________ has the following components: (1) an external firewall facing the Internet; (2) a demilitarized zone (DMZ) located between the two firewalls, which contains company servers that typically handle Web page requests and e-mail; and (3) an internal firewall that faces the company network.
Piracy
Copying a software program without making payment to the owner.
Patent
Document that grants the holder exclusive rights on an invention or process for 20 years.
Audit
Examination of information systems, their inputs, outputs and processing.
Information systems auditing
Independent or unbiased observers tasked with ensuring that information systems work properly.
Trade secret
Intellectual work, such as a business plan, that is a company secret and is not based on public information.
Risk limitation
Limit the risk by implementing controls that minimize the impact of a threat.
Authentication
Major objective is proof of identity.
Authorization
Permission issued to individuals and groups to do certain activities with information resources, based on verified identity.
Physical controls
Physical protection of computer facilities and resources.
Intellectual property
Property created by individuals or corporations which is protected under trade secret, patent, and copyright laws.
Access controls
Restriction of unauthorized user access to computer resources; uses biometric and password controls for user identification.
Copyright
Statutory grant that provides creators of intellectual property with ownership of the property for the life of the creator plus 70 years.
exposure
The ______ of an information resource is the harm, loss, or damage that can result if a threat compromises that resource.
Risk
The probability that a threat will impact an information resource.
Something the User Knows
These access controls include passwords and passphrases. A password is a private combination of characters that only the user should know. A passphrase is a series of characters that is longer than a password but can be memorized easily.
Something the User Has
These access controls include regular ID cards, smart cards, and tokens.
Something the User Does
These access controls include voice and signature recognition.
Human resources and MIS
These employees hold ALL the information
Risk transference
Transfer the risk by using other means to compensate for the loss, such as purchasing insurance.
Tunneling
encrypts each data packet that is sent and places each encrypted packet inside another packet.
Trojan horse
is a computer program that hides in another computer program and reveals its designated behavior only when it is activated.
Least privilege
is a principle that users should be granted the privilege for some activity only if there is a justifiable need to grant this authorization.
Logic bomb
is a segment of computer code that is embedded inside an organization's existing computer programs and is designed to activate and perform a destructive action at a certain time or date.
Worm
is a segment of computer code that performs malicious actions and will spread by itself without requiring another computer program.
Virus
is a segment of computer code that performs malicious actions by attaching to another computer program.
Spamware
is alien software that is designed to use your computer as a launchpad for spammers.
Spam
is unsolicited e-mail.
Risk mitigation
is when the organization takes concrete actions against risk. It has two functions: (1) implement controls to prevent identified threats from occurring, and (2) develop a means of recovery should the threat become a reality.
Secure socket layer (SSL)
now called transport layer security (TLS), is an encryption standard used for secure transactions such as credit card purchases and online banking.
Information security
refers to all of the processes and policies designed to protect an organization's information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
Certificate authorities
which are trusted intermediaries between two organizations, issue digital certificates.
Privilege
A ______ is a collection of related computer system operations that can be performed by users of the system.
digital certificate
A _______ is an electronic document attached to a file certifying that the file is from the organization that it claims to be from and has not been modified from its original format.
threat
A _______ to an information resource is any danger to which a system may be exposed.
virtual private network
A _________ is a private network that uses a public network (usually the Internet) to connect users.
vulnerability
A system's ________ is the possibility that the system will suffer harm from a threat.
Something the User Is
Also known as biometrics, these access controls examine a user's innate physical characteristics.
untrusted network
An ___________, in general, is any network external to your organization. The Internet, by definition, is an _______.
Types of Auditors and Audits
Internal: performed by corporate internal auditors. External: reviews the internal audit as well as the inputs, processing, and outputs of information systems.
Risk analysis
To assess the value of each asset being protected, estimate the probability it might be compromised, and compare the probable costs of it being compromised with the cost of protecting it.
Risk management
To identify, control and minimize the impact of threats.
Communications (network) controls
Protect the movement of data across networks; they include border security controls, authentication, and authorization.
Cookies
are small amounts of information that Web sites store on your computer.
Spyware
collects personal information about users without their consent. Two types of spyware are keystroke loggers (keyloggers) and screen scrapers.
Competitive intelligence
consists of legal information-gathering techniques.
Industrial espionage
crosses the legal boundary.
Auditing through the computer
means inputs, outputs and processing are checked.
Auditing with the computer
means using a combination of client data, auditor software, and client and auditor hardware.
Auditing around the computer
means verifying processing by checking for known outputs or specific inputs.
Employee monitoring systems
monitor employees' computers, e-mail activities, and Internet surfing activities.
Screen scrapers
record a continuous "movie" of what you do on a screen.
Keystroke loggers
record your keystrokes and your Web browsing history.