CIS CH10
CIS CH10 Ethics, Privacy, and Security
Term | Definition |
---|---|
ethics | a system of moral principles that human beings use to judge right & wrong & to develop rules of conduct |
natural laws & rights | an ethical system that judges the morality of an action based on how well it adheres to broadly accepted rules, regardless of the action's actual consequences. |
utilitarianism | an ethical system that judges whether an act is right or wrong by considering the consequences of the action, weighing its positive effects against its harmful ones. |
ethical issues most important for managing information systems touch especially on | storage, transmission, & use of digitized data |
intellectual property (IP) | Intangible assets such as music, written works, software, art, designs, movies, creative ideas, discoveries, inventions, & other expressions of the human mind that may be legally protected by means of copyrights or patents |
digital rights management (DRM) | technologies that software developers, publishers, media companies, & other intellectual property owners use to control access to their digital content |
information privacy | the protection of data about individuals |
proxy | an intermediary server that receives and analyzes requests from clients and then directs them to their destinations; sometimes used to protect privacy |
information security | a term that encompasses the protection of an organization's information assets against misuse, disclosure, unauthorized access, or destruction. |
computer virus | malicious software program that can damage files or other programs. Can also reproduce itself and spread via email, IM, FTP, or other means |
spyware | software that monitors a user's activity on the computer & Internet, often installed w/o user's knowledge. May use Internet connection to send data collected to 3rd parties |
keylogger | monitoring software that records a user's keystrokes. |
worm | self-replicating program that sends copies to other nodes on a computer network & may contain malicious code intended to cause damage. |
trojan horse | seemingly useful, or at least harmless, program that installs malicious code to allow remote access to the computer, as for a botnet |
malware | malicious software designed to attack computer systems |
botnet | combination of the terms robot and network referring to a collection of computers that have been compromised by malware & used to attack other computers |
distributed denial of service (DDoS) | An attack in which the computers in a botnet are directed to flood a single target, typically a website's server, w/ rapid-fire page requests or other traffic, causing it to slow down or crash. |
phishing | An attempt to steal passwords or other sensitive info by persuading the victim, often in an email, to enter the information into a fraudulent website that masquerades as the authentic version. |
risk matrix | lists org's vulnerabilities, w/ ratings that assess each one in terms of likelihood & impact on business operations, reputation, & other areas |
steps in incident response plan | ID the threat, contain the damage, determine the cause, recover the systems, evaluate lessons learned. |
steps in incident response plan: ID the threat | communicate w/ crisis mgmt team |
steps in incident response plan: Contain the damage | stay calm, restrict systems access, take systems offline |
steps in incident response plan: Determine the cause | investigate the logs, preserve evidence |
steps in incident response plan: Recover the systems | restore from media known to be good, get org up and running |
steps in incident response plan: evaluate lessons learned | prosecute offender, improve systems, reevaluate risk matrix |
account mgmt administrative controls | org requires appropriate approvals for requests to establish accounts, monitors for atypical usage of information system accounts. |
account mgmt technical controls | info system automatically disables an acct after a predetermined period of inactivity; info system automatically logs all acct creation, modification, & termination actions |
access controls administrative controls | org defines info to be encrypted or stored offline in secure location, org defines privileged commands for which dual authorization is enforced |
access controls technical controls | info system enforces approved authorizations for access to the system; info system prevents unauthorized access to security-relevant info contained w/in the system |
information flow administrative controls | org defines security policy that determines what events require human review |
information flow technical controls | info system enforces the organization's policy about human review |
separation of duties administrative controls | org separates duties of individuals as necessary to prevent malevolent activity without collusion |
separation of duties technical controls | info system enforces separation of duties through access controls |
incident response plan | a plan that an org uses to categorize a security threat, determine the cause, preserve any evidence, & get the systems back online so the org can resume business |
multifactor authentication | a combination of 2 or more independent authentication factors (something you know, something you have, something you are) a user must pass to access an information system, such as a fingerprint scan combined w/ a password. Two passwords are not multifactor, since both are the same kind of factor |
encryption | technique that scrambles data using mathematical formulas, so that it cannot be read w/o applying the key to decrypt it. |
public key encryption | a security measure that uses a mathematically related pair of keys, one to encrypt the data and the other to decrypt it. One key is public, widely shared w/ everyone, but the other is private, known only to the recipient and not derivable from the public key in practice |
firewall | a defensive technical control that inspects incoming & outgoing traffic & either blocks or permits it according to rules the organization establishes. The firewall can be a hardware device or a software program |
single sign-on | gateway service that permits users to log in once w/ a single user ID & pw to gain access to multiple software applications. Because one credential then unlocks every application, SSO is normally combined w/ multifactor authentication |
social engineering | the art of manipulating people into breaking normal information security procedures or divulging confidential information |
Privacy Act of 1974 | establishes requirements that govern how personally identifiable info on individuals is collected, used, & disseminated by federal agencies |
Health Insurance Portability and Accountability Act (HIPAA) | Includes provisions to protect the privacy and security of individually identifiable health information. |
Family Educational Rights and Privacy Act (FERPA) | Establishes privacy rights over educational records. Ex: Federally funded educational institutions must provide students w/ access to their own educational records & some control over their disclosure. |
CAN-SPAM Act | Prohibits businesses from sending misleading or deceptive commercial emails, but gives recipients no private right of action to sue on their own. The act also requires senders to provide an opt-out mechanism & honor opt-out requests. |
Gramm-Leach-Bliley Act | Stipulates how financial institutions are required to protect the privacy of consumers' personal financial info & notify them of their privacy policies annually |
Driver's Privacy Protection Act of 1994 | Limits the disclosure of personally identifiable info that is maintained by state departments of motor vehicles |
State Security Breach Notification Laws | Require org's to notify state residents if sensitive data are released. The wording varies by state. |
European Union's Data Protection Directive | Establishes privacy as a fundamental human right for EU citizens. The law is more restrictive than US laws; for ex, it requires companies to provide "opt out" choices before transferring personal data to 3rd parties. (Superseded in 2018 by the General Data Protection Regulation, GDPR.) |
Four pillars of information security | technology, processes, people, data |
Types of information security threats | malware & botnets, distributed denial of service (DDoS), phishing, information leakage |
Administrative security controls | Include all processes, policies, & plans the organization creates to enhance info security & ensure it can recover when danger strikes |
Technical security controls | technologies available to protect info assets by deterring attacks, preventing attacks, & detecting that an attack has occurred. |
Technical security controls examples | authentication strategies, encryption, intrusion prevention & detection systems, firewalls, blocking spam. |
Ethics | system of moral principles used to judge right from wrong. One ethical system, natural laws & rights, judges an act by how well it follows broadly accepted rules |
Utilitarianism | an ethical system that judges an act by the consequences of the action, weighing its benefits against its harms |
information security ensures the protection of an organization's | information assets against misuse, disclosure, unauthorized access, or destruction. |
organizations use risk management to | identify assets needing protection, identify the threats, assess vulnerabilities, & determine the impact of each risk. |
Threats arise from both human & environmental sources and include | accidental events, intentional attacks from insiders or external criminals, fires, floods, power failures, & more. |
Distributed denial of service and phishing attacks are common threats that result in | significant downtime and leakage of sensitive information |
administrative controls encompass the | policies, procedures, and plans the organization creates & enforces to protect information assets & respond to incidents when they occur |
technical controls are implemented by the info systems and include | strategies such as encryption and user authentication |
Intrusion prevention & detection systems | monitor network traffic & system activity against rules the org develops. A detection system (IDS) alerts managers when suspicious activity occurs; a prevention system (IPS) sits inline & also blocks the offending traffic. |
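The multifactor authentication card above says a login must pass two independent factors but does not show how the second factor is checked. The following is an added example, not from the chapter: a password (something you know) verified against a PBKDF2 hash, plus a TOTP code (something you have) computed per RFC 4226/6238. The user's salt, password and seed are constructed for the demo; the seed is the RFC 6238 reference key so the codes can be checked against the RFC's published vectors.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo credentials for one user; nothing here is a real secret.
# The TOTP seed is the RFC 6238 reference key ("12345678901234567890").
TOTP_SEED = b"12345678901234567890"
PASSWORD_SALT = b"demo-salt-not-for-production"
PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", PASSWORD_SALT, 100_000)
STEP_SECONDS = 30


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of 30-second steps since the Unix epoch."""
    return hotp(key, at_time // STEP_SECONDS, digits)


def check_password(password: str) -> bool:
    """Factor 1, something you know: hash the candidate and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), PASSWORD_SALT, 100_000)
    return hmac.compare_digest(candidate, PASSWORD_HASH)


def check_totp(code: str, at_time: int, window: int = 1) -> bool:
    """Factor 2, something you have: accept the current step and +/- `window` steps for clock drift."""
    for drift in range(-window, window + 1):
        expected = totp(TOTP_SEED, at_time + drift * STEP_SECONDS)
        if hmac.compare_digest(code, expected):
            return True
    return False


def authenticate(password: str, code: str, at_time: Optional[int] = None) -> bool:
    """Both factors must pass. Both are always evaluated, so a failure does not reveal which one was wrong."""
    now = int(time.time()) if at_time is None else at_time
    password_ok = check_password(password)
    code_ok = check_totp(code, now)
    return password_ok and code_ok
```

The drift window is the practical caveat: too small and users with slightly skewed clocks are locked out, too large and an intercepted code stays valid longer. Real deployments also rate-limit attempts and reject a code that has already been used in its step.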
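The account management, access control and separation of duties cards list technical controls (automatic disabling of idle accounts, logging of every account change, dual authorization for privileged commands) without showing how a system enforces them. The following is an added example, not from the chapter, that implements those three controls in one small account system. The 90-day inactivity limit, the set of privileged commands, the "admin" role and the users are all assumed for the demo.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Assumed organizational policy values (hypothetical, not from the chapter).
INACTIVITY_LIMIT = timedelta(days=90)                        # disable accounts idle longer than this
DUAL_AUTH_COMMANDS = {"delete-backups", "rotate-root-key"}   # privileged commands needing two admins
T0 = datetime(2024, 1, 1, 9, 0)                              # constructed reference time


def day(n: int) -> datetime:
    """Helper for the demo: the reference time plus n days."""
    return T0 + timedelta(days=n)


@dataclass
class Account:
    name: str
    roles: Set[str]
    last_login: datetime
    enabled: bool = True


@dataclass
class AccountSystem:
    """Enforces the account-management and access-control technical controls from the table."""
    accounts: Dict[str, Account] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)

    def _log(self, when: datetime, action: str, name: str, detail: str = "") -> None:
        # Every creation, modification and termination is recorded automatically.
        self.audit_log.append(f"{when.isoformat()} {action} account={name} {detail}".rstrip())

    def create(self, name: str, roles: Set[str], approved_by: Optional[str], now: datetime) -> None:
        if not approved_by:  # administrative control: no account without an approval record
            raise PermissionError("account creation requires an approver")
        self.accounts[name] = Account(name, set(roles), now)
        self._log(now, "CREATE", name, f"roles={sorted(roles)} approved_by={approved_by}")

    def terminate(self, name: str, now: datetime) -> None:
        self.accounts.pop(name)
        self._log(now, "TERMINATE", name)

    def _disable(self, acct: Account, now: datetime, reason: str) -> None:
        acct.enabled = False
        self._log(now, "DISABLE", acct.name, f"reason={reason}")

    def login(self, name: str, now: datetime) -> bool:
        acct = self.accounts.get(name)
        if acct is None or not acct.enabled:
            return False
        if now - acct.last_login > INACTIVITY_LIMIT:   # idle too long: disable instead of admitting
            self._disable(acct, now, "inactivity")
            return False
        acct.last_login = now
        return True

    def sweep_inactive(self, now: datetime) -> List[str]:
        """Scheduled job: disable every enabled account idle past the limit; returns their names."""
        disabled = []
        for acct in self.accounts.values():
            if acct.enabled and now - acct.last_login > INACTIVITY_LIMIT:
                self._disable(acct, now, "inactivity")
                disabled.append(acct.name)
        return disabled

    def run_privileged(self, command: str, requester: str, approver: Optional[str], now: datetime) -> bool:
        """Dual authorization: a listed command needs a second, distinct, enabled admin to approve."""
        req = self.accounts.get(requester)
        if req is None or not req.enabled or "admin" not in req.roles:
            self._log(now, "DENY", requester, f"command={command} reason=not-authorized")
            return False
        if command in DUAL_AUTH_COMMANDS:
            app = self.accounts.get(approver) if approver else None
            # separation of duties: the requester cannot approve their own command
            if app is None or app.name == req.name or not app.enabled or "admin" not in app.roles:
                self._log(now, "DENY", requester, f"command={command} reason=dual-auth-missing")
                return False
        self._log(now, "EXECUTE", requester, f"command={command} approver={approver or '-'}")
        return True
```

Note that denials are logged as well as successes; the "monitors for atypical usage" administrative control depends on the system producing that record, and a burst of DENY entries for one account is exactly the signal a reviewer looks for.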
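The intrusion detection/prevention card says these systems apply the organization's rules and either alert or block, and the account management card says the organization monitors for atypical usage. The following is an added example, not from the chapter, of one such rule run over a handful of constructed OpenSSH-style log lines: five or more failed logins from one source within 60 seconds raises an alert, and in prevention mode the source is blocked and its later events dropped. A success that follows a run of failures from the same source is flagged separately, since that is the case that matters most. The log lines, thresholds and hostnames are all constructed for the demo.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Constructed sample lines in OpenSSH syslog style; not a real capture.
SAMPLE_LOG = """\
Mar 10 09:00:01 web1 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 10 09:00:03 web1 sshd[4022]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar 10 09:00:04 web1 sshd[4023]: Failed password for root from 203.0.113.7 port 51131 ssh2
Mar 10 09:00:06 web1 sshd[4024]: Failed password for root from 203.0.113.7 port 51140 ssh2
Mar 10 09:00:07 web1 sshd[4025]: Failed password for root from 203.0.113.7 port 51142 ssh2
Mar 10 09:00:09 web1 sshd[4026]: Failed password for root from 203.0.113.7 port 51150 ssh2
Mar 10 09:00:12 web1 sshd[4027]: Accepted password for root from 203.0.113.7 port 51160 ssh2
Mar 10 09:00:15 web1 sshd[4030]: Failed password for deploy from 198.51.100.4 port 40010 ssh2
Mar 10 09:00:20 web1 sshd[4031]: Accepted publickey for deploy from 198.51.100.4 port 40011 ssh2
Mar 10 09:00:25 web1 sshd[4032]: Accepted publickey for ops from 192.0.2.10 port 33000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


@dataclass
class Event:
    ts: datetime
    result: str
    user: str
    ip: str


@dataclass
class Result:
    alerts: List[str] = field(default_factory=list)   # what an IDS would raise
    blocked: Set[str] = field(default_factory=set)    # what an IPS would enforce
    dropped: int = 0                                  # events discarded from blocked sources


def parse(line: str) -> Optional[Event]:
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime fills in 1900, which is fine for time deltas
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return Event(ts, m["result"], m["user"], m["ip"])


def analyze(log: str, threshold: int = 5, window: timedelta = timedelta(seconds=60),
            prior_min: int = 3, prevent: bool = False) -> Result:
    """Rule: >= threshold failures from one source inside `window` -> alert (and block if prevent)."""
    res = Result()
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for line in log.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        if ev.ip in res.blocked:          # prevention mode: blocked sources never reach the rule
            res.dropped += 1
            continue
        if ev.result == "Failed":
            recent = [t for t in failures[ev.ip] if ev.ts - t <= window]   # slide the window
            recent.append(ev.ts)
            failures[ev.ip] = recent
            if len(recent) == threshold:
                res.alerts.append(f"ALERT brute-force {ev.ip}: {threshold} failures "
                                  f"within {int(window.total_seconds())}s")
                if prevent:
                    res.blocked.add(ev.ip)
        elif len(failures[ev.ip]) >= prior_min:
            # a success after a run of failures from the same source may be a successful guess
            res.alerts.append(f"ALERT success-after-failures {ev.ip}: user={ev.user} "
                              f"prior_failures={len(failures[ev.ip])}")
            failures[ev.ip] = []
    return res
```

On the sample log, detection mode returns two alerts and blocks nothing; prevention mode blocks 203.0.113.7 at the fifth failure, drops its sixth failure and the later root login, and therefore never sees the success. That is the trade-off the card hints at: an IPS stops the attack but can also stop legitimate traffic when a rule misfires, so thresholds are tuned against real logs before blocking is switched on.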