CIS CH10

CIS CH10 Ethics, Privacy, and Security

Term: Definition
ethics: a system of moral principles that human beings use to judge right and wrong and to develop rules of conduct
natural laws and rights: an ethical system that judges the morality of an action by how well it adheres to broadly accepted rules, regardless of the action's actual consequences
utilitarianism: an ethical system that judges whether an act is right or wrong by considering its consequences, weighing its positive effects against its harmful ones
ethical issues most important for managing information systems: those that touch on the storage, transmission, and use of digitized data
intellectual property (IP): intangible assets such as music, written works, software, art, designs, movies, creative ideas, discoveries, inventions, and other expressions of the human mind that may be legally protected by means of copyrights or patents
digital rights management (DRM): technologies that software developers, publishers, media companies, and other intellectual property owners use to control access to their digital content
information privacy: the protection of data about individuals
proxy: an intermediary server that receives and analyzes requests from clients and then forwards them to their destinations; sometimes used to protect privacy, because the destination sees the proxy's address rather than the client's
information security: the protection of an organization's information assets against misuse, disclosure, unauthorized access, or destruction
computer virus: malicious software that can damage files or other programs; it reproduces by attaching itself to other files and spreads via email, instant messaging, FTP, or other means
spyware: software that monitors a user's activity on the computer and the Internet, often installed without the user's knowledge, and may use the Internet connection to send the collected data to third parties
keylogger: monitoring software that records a user's keystrokes
worm: a self-replicating program that sends copies of itself to other nodes on a computer network without any user action, and may contain malicious code intended to cause damage
trojan horse: a seemingly useful, or at least harmless, program that installs malicious code, for example to allow remote access to the computer so it can be enrolled in a botnet
malware: malicious software designed to attack computer systems
botnet: a combination of the terms robot and network, referring to a collection of computers that have been compromised by malware and are remotely directed to attack other computers
distributed denial of service (DDoS): an attack in which the computers in a botnet are directed to flood a single web server with rapid-fire requests, causing it to slow down or crash
phishing: an attempt to steal passwords or other sensitive information by persuading the victim, often by email, to enter the information into a fraudulent website that masquerades as the authentic one
risk matrix: a list of the organization's vulnerabilities, with ratings that assess each one in terms of likelihood and impact on business operations, reputation, and other areas
steps in an incident response plan: identify the threat, contain the damage, determine the cause, recover the systems, evaluate lessons learned
steps in an incident response plan, identify the threat: communicate with the crisis management team
steps in an incident response plan, contain the damage: stay calm, restrict system access, take affected systems offline
steps in an incident response plan, determine the cause: investigate the logs, preserve evidence
steps in an incident response plan, recover the systems: restore from media known to be good, get the organization up and running
steps in an incident response plan, evaluate lessons learned: prosecute the offender, improve systems, reevaluate the risk matrix
account management, administrative controls: the organization requires appropriate approvals for requests to establish accounts and monitors for atypical usage of information system accounts
account management, technical controls: the information system automatically disables accounts after a predetermined period of inactivity, and automatically logs every account creation, modification, or termination
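The two technical controls on the account-management card, written out as an added example (this is not StudyStack's or the textbook's code). The 90-day inactivity limit, the account names and the dates are constructed for the demonstration; the point is that the disable step and every lifecycle action leave an audit record.

```python
"""Added example: account-management technical controls over constructed data.
Idle accounts are disabled automatically and every creation, modification,
termination or automatic disable is written to an audit log."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

INACTIVITY_LIMIT = timedelta(days=90)   # assumed policy value


@dataclass
class Account:
    username: str
    created: datetime
    last_login: Optional[datetime]
    enabled: bool = True


@dataclass
class AccountStore:
    accounts: Dict[str, Account] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)

    def _audit(self, actor: str, action: str, username: str, when: datetime) -> None:
        # Every lifecycle action is recorded with who performed it and when.
        self.audit_log.append(
            f"{when.isoformat()} actor={actor} action={action} account={username}")

    def create(self, actor: str, username: str, when: datetime) -> None:
        if username in self.accounts:
            raise ValueError(f"account {username} already exists")
        self.accounts[username] = Account(username, when, None)
        self._audit(actor, "create", username, when)

    def modify(self, actor: str, username: str, when: datetime, **changes) -> None:
        acct = self.accounts[username]
        for attr, value in changes.items():
            setattr(acct, attr, value)
        self._audit(actor, "modify", username, when)

    def terminate(self, actor: str, username: str, when: datetime) -> None:
        del self.accounts[username]
        self._audit(actor, "terminate", username, when)

    def disable_inactive(self, now: datetime, limit: timedelta = INACTIVITY_LIMIT) -> List[str]:
        """Disable every enabled account whose last activity (last login, or
        creation date if it never logged in) is older than `limit`.
        Returns the sorted names of the accounts that were disabled."""
        disabled = []
        for acct in self.accounts.values():
            last_activity = acct.last_login or acct.created
            if acct.enabled and now - last_activity > limit:
                acct.enabled = False
                self._audit("system", "disable-inactive", acct.username, now)
                disabled.append(acct.username)
        return sorted(disabled)


def demo():
    """Constructed scenario: four accounts with different activity histories."""
    now = datetime(2024, 6, 1)
    store = AccountStore()
    store.create("admin", "alice", now - timedelta(days=400))
    store.modify("admin", "alice", now - timedelta(days=10), last_login=now - timedelta(days=10))
    store.create("admin", "bob", now - timedelta(days=200))
    store.modify("admin", "bob", now - timedelta(days=120), last_login=now - timedelta(days=120))
    store.create("admin", "carol", now - timedelta(days=100))   # never logged in
    store.create("admin", "dave", now - timedelta(days=5))
    store.terminate("admin", "dave", now - timedelta(days=1))
    disabled = store.disable_inactive(now)
    return store, disabled


if __name__ == "__main__":
    store, disabled = demo()
    print("disabled:", disabled)
    print("\n".join(store.audit_log))
```

Running the demo disables bob (last login 120 days ago) and carol (created 100 days ago, never logged in), leaves alice enabled, and produces nine audit entries, one per lifecycle action including the two automatic disables.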
access controls, administrative controls: the organization defines which information must be encrypted or stored offline in a secure location, and defines the privileged commands for which dual authorization is enforced
access controls, technical controls: the information system enforces approved authorizations for access to the system and restricts access to the security-relevant information held within the system
information flow, administrative controls: the organization defines a security policy that determines which events require human review
information flow, technical controls: the information system enforces the organization's policy about human review
separation of duties, administrative controls: the organization separates the duties of individuals as necessary so that no one person can carry out malevolent activity without collusion
separation of duties, technical controls: the information system enforces the separation of duties through access controls
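How dual authorization for privileged commands and separation of duties look when a system enforces them in code, as an added example (not from StudyStack or the textbook). The command list, the role names, the users and the rule that an approver may not also be a requester are all constructed policy for the demonstration.

```python
"""Added example: technical enforcement of dual authorization and separation
of duties. A privileged command executes only after the required number of
distinct approvers, none of whom is the requester, have signed off, and no
user may hold two roles the policy declares to be in conflict."""
from dataclasses import dataclass, field
from typing import Dict, Set

# Assumed policy: privileged commands and how many distinct approvers each needs.
DUAL_AUTH_COMMANDS = {"delete-backups": 2, "rotate-root-key": 2}
# Assumed separation-of-duties policy: a user holding one role of a pair may not hold the other.
CONFLICTING_ROLES = [("developer", "deployer"), ("requester", "approver")]


class PolicyError(Exception):
    pass


@dataclass
class Request:
    command: str
    requester: str
    approvers: Set[str] = field(default_factory=set)


class Authorizer:
    def __init__(self, roles: Dict[str, Set[str]]):
        # Reject the role assignment itself if it violates separation of duties.
        for user, user_roles in roles.items():
            for a, b in CONFLICTING_ROLES:
                if a in user_roles and b in user_roles:
                    raise PolicyError(f"{user} holds conflicting roles {a} and {b}")
        self.roles = roles

    def approve(self, req: Request, approver: str) -> None:
        if "approver" not in self.roles.get(approver, set()):
            raise PolicyError(f"{approver} is not an approver")
        if approver == req.requester:
            raise PolicyError("a requester may not approve their own request")
        req.approvers.add(approver)      # a set, so approving twice counts once

    def may_execute(self, req: Request) -> bool:
        needed = DUAL_AUTH_COMMANDS.get(req.command, 0)
        # Count only approvers other than the requester, even if approve() was bypassed.
        return len(req.approvers - {req.requester}) >= needed


if __name__ == "__main__":
    auth = Authorizer({"alice": {"requester"}, "bob": {"approver"}, "carol": {"approver"}})
    req = Request("delete-backups", requester="alice")
    auth.approve(req, "bob")
    print("after one approval:", auth.may_execute(req))    # False
    auth.approve(req, "carol")
    print("after two approvals:", auth.may_execute(req))   # True
```

The check in may_execute deliberately recomputes the approver set minus the requester rather than trusting approve() alone, so a caller that edits the request directly still cannot self-approve.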
incident response plan: a plan that an organization uses to categorize a security threat, determine its cause, preserve any evidence, and get the systems back online so the organization can resume business
multifactor authentication: a combination of two or more authentication factors of different kinds (something the user knows, something the user has, something the user is) that a user must pass to access an information system, such as a fingerprint scan combined with a password
encryption: a technique that scrambles data using a mathematical algorithm and a key, so that the data cannot be read without applying the matching key to decrypt it
public key encryption: a security measure that uses a pair of mathematically related keys, one to encrypt the data and the other to decrypt it; one key is public and widely shared with everyone, while the other is private and known only to its owner, the recipient, and cannot in practice be derived from the public one
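The two-key relationship on the card, worked through with a textbook-sized RSA key pair, as an added example rather than anything from StudyStack or the textbook. The primes 61 and 53 are the common classroom values and far too small for real use; the block exists only to show that what the public key encrypts, only the private key decrypts, and that the public key cannot undo its own work.

```python
"""Added example: public-key encryption illustrated with toy RSA.
Key sizes here are illustrative only; real systems use keys of thousands of
bits, randomized padding (OAEP) and hybrid encryption with a symmetric cipher."""
from math import gcd
from typing import List, Tuple

Key = Tuple[int, int]   # (exponent, modulus)


def make_keypair(p: int, q: int, e: int = 17) -> Tuple[Key, Key]:
    """Return (public_key, private_key) from two primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)                    # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)                        # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt(m: int, public_key: Key) -> int:
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(c: int, private_key: Key) -> int:
    d, n = private_key
    return pow(c, d, n)


def encrypt_text(text: str, public_key: Key) -> List[int]:
    # Byte-at-a-time for illustration; deterministic per byte, which real
    # schemes avoid with padding.
    return [encrypt(b, public_key) for b in text.encode()]


def decrypt_text(cipher: List[int], private_key: Key) -> str:
    return bytes(decrypt(c, private_key) for c in cipher).decode()


if __name__ == "__main__":
    public, private = make_keypair(61, 53)       # public = (17, 3233), private = (2753, 3233)
    c = encrypt(65, public)                      # 2790
    print("ciphertext:", c)
    print("decrypted with private key:", decrypt(c, private))        # 65
    print("'decrypted' with public key:", pow(c, public[0], public[1]))  # not 65
    print(decrypt_text(encrypt_text("hi", public), private))         # hi
```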
firewall: a defensive technical control that inspects incoming and outgoing traffic and either blocks or permits it according to rules the organization establishes; it can be a hardware device or a software program
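What "permits or blocks according to rules" means mechanically: an ordered rule table evaluated first-match-wins with a default of deny. This is an added example, not StudyStack's or the textbook's code; the addresses come from the RFC 5737 documentation ranges and the policy (a web server that accepts public HTTPS and admin SSH only from an office range) is constructed.

```python
"""Added example: a stateless packet filter with an ordered rule table and a
default-deny policy, run over constructed packets."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out" relative to the protected host
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    direction: str = "*"
    proto: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None    # None matches any destination port
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("*", p.direction)
                and self.proto in ("*", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


class Firewall:
    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules, self.default = rules, default

    def decide(self, p: Packet) -> Tuple[str, str]:
        # First match wins, so specific denies must precede broader allows.
        for rule in self.rules:
            if rule.matches(p):
                return rule.action, rule.comment
        return self.default, "default policy"


# Constructed policy for a web server at 203.0.113.10 (documentation address).
POLICY = [
    Rule("deny", src="198.51.100.0/24", comment="blocked abusive range"),
    Rule("allow", "in", "tcp", dst="203.0.113.10/32", dport=443, comment="public HTTPS"),
    Rule("allow", "in", "tcp", src="192.0.2.0/24", dst="203.0.113.10/32", dport=22,
         comment="admin SSH from office"),
    Rule("allow", "out", "tcp", src="203.0.113.10/32", dport=443, comment="outbound updates"),
]
fw = Firewall(POLICY)

if __name__ == "__main__":
    for pkt in [
        Packet("in", "tcp", "203.0.113.200", "203.0.113.10", 443),   # anyone may reach HTTPS
        Packet("in", "tcp", "203.0.113.200", "203.0.113.10", 22),    # SSH from the internet
        Packet("in", "tcp", "192.0.2.5", "203.0.113.10", 22),        # SSH from the office
        Packet("in", "tcp", "198.51.100.7", "203.0.113.10", 443),    # HTTPS from blocked range
        Packet("out", "tcp", "203.0.113.10", "203.0.113.200", 25),   # server sending mail
    ]:
        print(pkt.direction, pkt.src, "->", pkt.dst, pkt.dport, fw.decide(pkt))
```

Because the deny for the abusive range sits first, it overrides the general HTTPS allow; moving it below that rule would silently let the blocked range in, which is why rule order is part of the policy, not just the rule set.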
single sign-on: a gateway service that lets users log in once with a single user ID and password to gain access to multiple software applications
social engineering: the art of manipulating people into breaking normal information security procedures or divulging confidential information
Privacy Act of 1974: establishes requirements that govern how personally identifiable information about individuals is collected, used, and disseminated by federal agencies
Health Insurance Portability and Accountability Act (HIPAA): includes provisions to protect the privacy and security of individually identifiable health information
Family Educational Rights and Privacy Act (FERPA): establishes privacy rights over educational records; for example, federally funded educational institutions must provide students with access to their own educational records and some control over their disclosure
CAN-SPAM Act: prohibits businesses from sending misleading or deceptive commercial email and requires them to offer and honor an opt-out mechanism, but gives recipients no private right of action of their own
Gramm-Leach-Bliley Act: stipulates how financial institutions must protect the privacy of consumers' personal financial information and requires them to notify consumers of their privacy policies annually
Driver's Privacy Protection Act of 1994: limits the disclosure of personally identifiable information maintained by state departments of motor vehicles
State security breach notification laws: require organizations to notify state residents if their sensitive data are released; the wording varies by state
European Union's Data Protection Directive: established privacy as a fundamental human right for EU citizens and is more restrictive than US law; for example, it required companies to give individuals an "opt out" choice before transferring personal data to third parties (the Directive was replaced by the General Data Protection Regulation, GDPR, in 2018)
Four pillars of information security: technology, processes, people, data
Types of information security threats: malware and botnets, distributed denial of service (DDoS), phishing, information leakage
Administrative security controls: all the processes, policies, and plans the organization creates to enhance information security and ensure it can recover when danger strikes
Technical security controls: the technologies available to protect information assets by deterring attacks, preventing attacks, and detecting that an attack has occurred
Technical security controls, examples: authentication strategies, encryption, intrusion prevention and detection systems, firewalls, spam blocking
Ethics (chapter summary): a system of moral principles used to judge right from wrong; the natural laws and rights approach judges an action by the rules it follows
Utilitarianism (chapter summary): emphasizes the consequences of actions
Information security (chapter summary): the protection of an organization's information assets against misuse, disclosure, unauthorized access, or destruction
Risk management (chapter summary): organizations use risk management to identify the assets needing protection, identify the threats, assess vulnerabilities, and determine the impact of each risk
Threat sources (chapter summary): threats arise from both human and environmental sources and include accidental events, intentional attacks from insiders or external criminals, fires, floods, power failures, and more
DDoS and phishing (chapter summary): common threats that result in significant downtime and leakage of sensitive information
Administrative controls (chapter summary): the policies, procedures, and plans the organization creates and enforces to protect information assets and respond to incidents when they occur
Technical controls (chapter summary): implemented by the information systems themselves and include strategies such as encryption and user authentication
Intrusion prevention and detection systems (chapter summary): an intrusion detection system alerts managers when traffic or activity matches the rules the organization develops; an intrusion prevention system additionally blocks the matching traffic or activity
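The DDoS card and the intrusion detection summary together describe one detection: a single source issuing requests far faster than a person would. As an added example (not StudyStack's or the textbook's code), this counts requests per source address per time window over web-server log lines in Common Log Format. The log lines, the addresses (RFC 5737 documentation ranges), the 10-second window and the 50-request threshold are all constructed.

```python
"""Added example: flood detection over constructed Common Log Format lines.
Counts requests per source per fixed window and alerts on sources whose
busiest window exceeds a threshold; an IPS would act on the alert by
blocking, an IDS by notifying."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "req": m["req"], "status": int(m["status"])}


def detect_floods(lines: List[str], window_seconds: int = 10, threshold: int = 50) -> Dict[str, int]:
    """Return {source_ip: peak requests in one window} for every source whose
    busiest window exceeds `threshold`. Unparseable lines are skipped."""
    buckets = defaultdict(Counter)           # ip -> Counter(window_index -> requests)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        window = int(rec["ts"].timestamp()) // window_seconds
        buckets[rec["ip"]][window] += 1
    return {ip: max(c.values()) for ip, c in buckets.items() if max(c.values()) > threshold}


def _make_sample_log() -> List[str]:
    """Constructed log: one address fires 120 requests in under 10 seconds
    while an ordinary client sends one request every 2 seconds."""
    base = datetime(2023, 10, 10, 13, 55, 30, tzinfo=timezone.utc)
    lines = []
    for i in range(120):
        t = base + timedelta(milliseconds=80 * i)
        lines.append(f'198.51.100.9 - - [{t.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 512')
    for i in range(20):
        t = base + timedelta(seconds=2 * i)
        lines.append(f'192.0.2.44 - - [{t.strftime(TS_FMT)}] "GET /index.html HTTP/1.1" 200 1024')
    lines.append("not a log line at all")    # noise the parser must tolerate
    return lines


if __name__ == "__main__":
    for ip, peak in detect_floods(_make_sample_log()).items():
        print(f"ALERT: {ip} sent {peak} requests in one 10 s window")
```

A real botnet-driven DDoS spreads the load over many sources, so per-source counting like this catches a single noisy client but not a distributed flood; the same bucketing applied to total request rate, or to requests per URL, is the usual next step.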
Created by: kld0519