Chapter 5 Protecting information resources (2) - Coggle Diagram
Logical access controls
Designed to protect systems from unauthorized access in order to preserve data integrity
2 types:
-Terminal resource security
Software that erases the screen and signs user off automatically after specified length of inactivity
-Passwords
Combination of numbers, characters and symbols that is entered to allow access to a system
Data encryption
Converts data (plaintext) to a scrambled form (ciphertext) that cannot be read by others
Recipient needs a decryption key to decipher the data into a readable format
2 Types:
-Asymmetric encryption (2 keys)
Public key known to everyone and private key known only to recipient
-Symmetric encryption (1 key)
The same key is used to encrypt and decrypt the message
Computer emergency response team
Team that deals with network intruders and attacks swiftly and effectively
Public awareness campaign
Research on internet security vulnerabilities
Research on ways to improve security systems
Business continuity planning
Document all changes made to hardware and software
Get a comprehensive insurance policy for computers and network facilities
Identify vendors of all software and hardware used in the organisation and update contract details regularly
Set up alternative sites to use in case of disaster
Test disaster recovery plan
Investigate the use of rented third party facilities
Staff members should be trained for disasters
Check sprinkler systems, fire extinguishers and halon gas systems
Review information from Emergency response team
Keep backups in off-site storage and periodically test data recovery procedures
Review security and fire standards for computer facilities
Keep a copy of the recovery plan off site
Back up all files
Simulate disasters to assess response time and recovery procedures
Security plan
Limit computer access to authorized personnel only
Compare communication logs with communication billing periodically. Log should list all outgoing calls
Exit programs and systems promptly, and never leave logged-on workstations unattended
Install antivirus programs and update regularly
Keep sensitive data, software and printouts in secure locations
Install only licensed software purchased from reputable vendors
Revoke terminated employees' passwords and ID badges immediately
Make sure fire protection systems and alarms are up to date and test regularly
Raise employees' awareness of security problems
Check environmental factors (temperature, humidity)
Post security policy in a visible place
Use physical security measures
Set up security committee with representatives of all departments
Install firewalls and intrusion detection systems
Disaster recovery
Notify all affected people
Set up a help desk to assist affected people
Restore phone lines and communication system
Notify affected people that recovery is underway
Contact insurance company
Document all actions taken to regain normality; revise plan if needed
Put together a management crisis team to oversee the recovery plan
Data communication controls
Virtual private network
Provides a secure tunnel through the internet for transmitting data via a private network
Data is encrypted before it is sent through the tunnel
Examples of uses:
-Remote users have a secure connection to organisation's network
-Security for extranets where a network is set up between organisation and an external party (supplier)
-Anonymity in critical situations (whistle blowing lines)
E-commerce security
Key issues:
-Confidentiality - data not known to others
-Authentication - you are who you claim to be
-Integrity - data's contents not changed during transmission
-Nonrepudiation of origin - sender cannot deny sending data
-Nonrepudiation of receipt - recipient cannot deny receiving data
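As an added worked example (not part of the chapter notes or the Coggle diagram), the following Go program uses only the standard library to show the two encryption types from the data encryption section side by side, and then how a digital signature supports the integrity and nonrepudiation-of-origin issues listed under e-commerce security. The algorithm choices (AES-256-GCM for the single-key case, RSA-OAEP and RSA-PSS for the two-key case), the 2048-bit key size, the function names and the sample order message are my own assumptions for illustration.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Symmetric encryption (1 key): AES-256-GCM. The same key encrypts and
// decrypts, so the key itself must reach the recipient over a protected channel.
func SymmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Output layout: nonce || ciphertext || authentication tag
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func SymmetricDecrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	// Open fails if any byte was altered in transit (integrity check built in).
	return gcm.Open(nil, nonce, ct, nil)
}

// Asymmetric encryption (2 keys): the recipient publishes the public key and
// keeps the private key; only the private key can decrypt.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048) // assumed key size
}

func AsymmetricEncrypt(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

func AsymmetricDecrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// Digital signature: the sender signs with its private key; anyone holding the
// public key can verify. A valid signature gives integrity (message unchanged)
// and nonrepudiation of origin (only the private-key holder could have signed).
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	// Constructed sample order and shared key (example values only).
	order := []byte("order#1001: 3 x widget, ship to depot B")
	sharedKey := []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256

	ct, _ := SymmetricEncrypt(sharedKey, order)
	pt, _ := SymmetricDecrypt(sharedKey, ct)
	fmt.Println("symmetric round trip ok:", string(pt) == string(order))
	ct[len(ct)-1] ^= 0x01 // simulate one flipped bit in transit
	_, err := SymmetricDecrypt(sharedKey, ct)
	fmt.Println("tampered ciphertext rejected:", err != nil)

	recipient, _ := GenerateKeyPair()
	sender, _ := GenerateKeyPair()
	act, _ := AsymmetricEncrypt(&recipient.PublicKey, order)
	apt, _ := AsymmetricDecrypt(recipient, act)
	fmt.Println("asymmetric round trip ok:", string(apt) == string(order))

	sig, _ := Sign(sender, order)
	fmt.Println("signature verifies:", Verify(&sender.PublicKey, order, sig))
	altered := []byte("order#1001: 30 x widget, ship to depot B")
	fmt.Println("signature on altered order verifies:", Verify(&sender.PublicKey, altered, sig))
}
```

Two points the notes leave implicit come out when running this: the symmetric case needs a separate way to deliver the shared key, which is exactly the problem the public/private key pair solves, and confidentiality alone does not give nonrepudiation, since anyone with the recipient's public key can encrypt to it; the sender's signature under its own private key is what ties the message to its origin.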