IS controls:
IS controls are composed of general controls and application controls. General controls
govern the design, security and use of computer programs and the security of
data files in general throughout the organisation's information technology
infrastructure. Software controls monitor the use of software, whilst hardware
controls ensure that the hardware is secured and operates almost flawlessly.
Application controls are specific controls unique to each computerised
application, and may be automated or manual. For instance, input controls check data
for accuracy and completeness on entry, processing controls establish that data remain
accurate and complete while they are updated, and output controls ensure that the
results of computer processing are accurate and complete.
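The three application controls applied to one constructed batch of payment records, as an added Python example (not from the original notes): the account number format, the sample records and the posting step are all assumptions made for the illustration.

```python
from decimal import Decimal, InvalidOperation
import re

# Constructed sample batch: P003 is incomplete, P004 has a letter O in its amount.
SAMPLE_BATCH = [
    {"id": "P001", "account": "ACC-1001", "amount": "250.00"},
    {"id": "P002", "account": "ACC-1002", "amount": "19.99"},
    {"id": "P003", "account": "", "amount": "75.50"},
    {"id": "P004", "account": "ACC-1004", "amount": "12O.00"},
]
ACCOUNT_RE = re.compile(r"^ACC-\d{4}$")  # assumed account number format

def input_control(records):
    """Input control: keep only complete, well-formed records; list the rest with a reason."""
    accepted, rejected = [], []
    for rec in records:
        missing = [k for k in ("id", "account", "amount") if not rec.get(k)]
        if missing:
            rejected.append((rec.get("id"), "missing " + ",".join(missing)))
            continue
        if not ACCOUNT_RE.match(rec["account"]):
            rejected.append((rec["id"], "bad account format"))
            continue
        try:
            amount = Decimal(rec["amount"])
        except InvalidOperation:
            rejected.append((rec["id"], "non-numeric amount"))
            continue
        accepted.append({"id": rec["id"], "account": rec["account"], "amount": amount})
    return accepted, rejected

def processing_control(records, update):
    """Processing control: record count and control total must be unchanged by the update step."""
    count, total = len(records), sum(r["amount"] for r in records)
    updated = update(records)
    if len(updated) != count or sum(r["amount"] for r in updated) != total:
        raise ValueError("processing control failed: record count or control total changed")
    return updated

def output_control(report, accepted):
    """Output control: the output report must reconcile to the records that were accepted."""
    return report["count"] == len(accepted) and report["total"] == sum(r["amount"] for r in accepted)

def run_batch(records):
    """Run the three controls in order; returns what a reviewer would check."""
    accepted, rejected = input_control(records)
    posted = processing_control(accepted, lambda rs: [dict(r, posted=True) for r in rs])
    report = {"count": len(posted), "total": sum(r["amount"] for r in posted)}
    return {"rejected": rejected, "report": report, "output_ok": output_control(report, accepted)}
```

Running run_batch(SAMPLE_BATCH) rejects P003 and P004 at input, posts the two valid records, and reconciles the report total of 269.99 against the accepted records.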
Risk assessment and Security policy:
Risk assessment determines the level of risk to the firm if a specific activity is not properly
controlled; not all risks can be anticipated and measured. Security policies
consist of statements ranking information risks, identifying acceptable security
goals and the mechanisms for achieving these goals. The acceptable use policy
defines acceptable uses of the firm's information resources and computing
equipment, whilst identity management identifies the valid users of a system and
controls their access to resources.
Disaster recovery and business continuity planning and auditing:
Disaster recovery: plans for the restoration of computing and communications
services after they have been disrupted. It involves backup systems and recovery
services.
Business continuity planning: focuses on how the company can restore business
operations after a disaster strikes.
MIS auditing examines the firm's overall security environment as well as the controls
governing individual information systems. Security audits review technologies,
procedures, training and personnel.
Technologies and tools for protecting information resources:
Identity management and authentication:
Identity management keeps track of the firm's sets of users and their system privileges,
whilst authentication is the ability to know that a person is who he or she claims
to be. Authentication can take the form of passwords, tokens, smart cards and
biometric authentication (eye scans, fingerprints, voice).
Firewalls, intrusion detection systems and antivirus software:
Firewalls prevent unauthorised users from accessing private networks. They act
as a gatekeeper that examines each user's credentials before granting access to the
network.
Intrusion detection systems are full-time monitoring tools placed at the most
vulnerable points of corporate networks to detect and deter intruders continually.
They comprise scanning software, which looks for patterns of computer attacks
(such as bad passwords), and monitoring software, which examines events as they are
happening.
Antivirus software prevents, detects and removes malware. It is effective only against
already known malware and must be updated continually to remain effective.
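The bad-password pattern mentioned above, as an added Python example (not from the original notes) showing both halves of an intrusion detection system: a monitoring component that examines each login event as it arrives, and a scanning component that replays a captured log through it. The log layout, threshold and time window are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log lines in a syslog-like layout; not taken from any real system.
SAMPLE_LOG = """\
2024-05-01T09:00:01 sshd: Failed password for admin from 203.0.113.7
2024-05-01T09:00:03 sshd: Failed password for admin from 203.0.113.7
2024-05-01T09:00:04 sshd: Accepted password for alice from 198.51.100.2
2024-05-01T09:00:05 sshd: Failed password for root from 203.0.113.7
2024-05-01T09:00:06 sshd: Failed password for backup from 203.0.113.7
2024-05-01T09:00:07 sshd: Failed password for admin from 203.0.113.7
2024-05-01T09:10:00 sshd: Failed password for bob from 198.51.100.2
"""
FAILED_RE = re.compile(r"^(\S+) sshd: Failed password for (\S+) from (\S+)$")

class BadPasswordDetector:
    """Monitoring: raise an alert when one source produces `threshold` failed logins within `window`."""

    def __init__(self, threshold=5, window=timedelta(minutes=1)):
        self.threshold, self.window = threshold, window
        self.recent = defaultdict(deque)   # source address -> timestamps of recent failures
        self.alerts = []

    def observe(self, line):
        """Examine one event as it happens; returns an alert string or None."""
        m = FAILED_RE.match(line)
        if not m:
            return None                     # successful logins and other events are not counted
        ts, user, src = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        q = self.recent[src]
        q.append(ts)
        while q and ts - q[0] > self.window:   # forget failures older than the window
            q.popleft()
        if len(q) >= self.threshold:
            alert = f"{src}: {len(q)} failed logins within {self.window}, last user {user!r}"
            self.alerts.append(alert)
            q.clear()                       # one burst produces one alert
            return alert
        return None

def scan(log_text, threshold=5, window=timedelta(minutes=1)):
    """Scanning: replay a captured log through the detector and return all alerts."""
    detector = BadPasswordDetector(threshold, window)
    for line in log_text.splitlines():
        detector.observe(line)
    return detector.alerts
```

On the sample log, scan(SAMPLE_LOG) raises exactly one alert for 203.0.113.7, whose five failures fall within six seconds, while the lone failure from 198.51.100.2 is ignored.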
Encryption and Public Key Infrastructure:
Encryption is the process of transforming plain text or data into cipher text that
cannot be read by anyone other than the sender and the intended receiver.
There are two methods of encrypting network traffic:
Secure Sockets Layer (SSL) enables the client and server computers to
manage encryption and decryption activities as they communicate with
each other.
Secure Hypertext Transfer Protocol (S-HTTP) is limited to individual
messages.
There are two alternative methods of encryption:
Symmetric key encryption: the sender and receiver establish a secure
Internet session by creating a single encryption key and sending it to the
receiver, so that both share the same key.
Public key encryption: uses two keys, one public (shared) and one private. Data
encrypted with one key can only be decrypted using the other key.
Digital certificates are data files used to establish the identity of users and
electronic assets for the protection of online transactions.
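The two encryption methods and the certificate idea above, as an added Python example (not from the original notes): a shared-key stand-in built from a hash keystream shows the symmetric case, and a textbook-sized RSA pair shows that what one key of the pair encrypts only the other key decrypts, which is also what lets a private key sign and a public key verify. The hash-based keystream and the tiny primes are teaching assumptions, not a usable cipher.

```python
import hashlib
from math import gcd

def keystream(shared_key: bytes, length: int) -> bytes:
    """Expand the shared secret with a hash counter (a teaching stand-in, not a real cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(shared_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def symmetric_encrypt(shared_key: bytes, data: bytes) -> bytes:
    """Symmetric: the single shared key both scrambles and unscrambles (XOR is its own inverse)."""
    return bytes(a ^ b for a, b in zip(data, keystream(shared_key, len(data))))
symmetric_decrypt = symmetric_encrypt   # same key, same operation

def make_keypair(p=61, q=53, e=17):
    """Toy RSA pair from tiny primes: (e, n) is the shared public key, (d, n) stays private."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)                 # modular inverse (Python 3.8+)
    return (e, n), (d, n)

def pk_apply(key, value: int) -> int:
    """Apply one key of the pair; only the other key of the pair undoes it."""
    exponent, n = key
    return pow(value, exponent, n)

def sign(private_key, data: bytes) -> int:
    """Certificate-style signature: hash the data, then apply the private key."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big") % private_key[1]
    return pk_apply(private_key, digest)

def verify(public_key, data: bytes, signature: int) -> bool:
    """Anyone holding the public key can check the signature without the private key."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big") % public_key[1]
    return pk_apply(public_key, signature) == digest

def demo():
    """Return the section's claims as checked values."""
    shared, msg = b"session key agreed by both sides", b"payment 250.00"
    pub, priv = make_keypair()
    c = pk_apply(pub, 65)               # a message must be smaller than n (3233 here)
    return {
        "symmetric_roundtrip": symmetric_decrypt(shared, symmetric_encrypt(shared, msg)) == msg,
        "other_key_decrypts": pk_apply(priv, c) == 65,
        "same_key_does_not": pk_apply(pub, c) != 65,
        "signature_checks": verify(pub, msg, sign(priv, msg)),
    }
```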
Security issues for cloud computing and the mobile digital platform:
Cloud computing is highly distributed: cloud environments reside in large remote data centres
and server farms that supply business services and data management for
multiple corporate clients. They are often used because of their low costs, and all
cloud providers use encryption to secure the data they handle whilst it is
being transmitted.
Mobile device management tools will be needed to authorise all devices in use, to
maintain accurate inventory records on all mobile devices, users and
applications, to control updates to applications and to erase lost or stolen devices
so that they cannot be compromised. All mobile device users should be required to
use the password feature found in every smartphone, or the firm should strictly have
employees use company-issued smartphones.
are three types of testing that can be conducted: unit testing (testing each
program separately in the system), system testing (tests the functioning of the
system as a whole) and acceptance testing (certification for final use).
5. Conversion: This is the process of converting the old system into the new
system. (exam prep..)
6. Production and Maintenance: Production describes the installation and
complete conversion of the new system. Both users and specialists evaluate whether
the system is meeting its intended objectives. This is followed by maintenance to
improve its efficiency and operation.