  • Categories of Computer Crimes

    Breach of data security: Information stored on networks or computers is altered by attackers.
    Breach of operations security: Attackers take advantage of vulnerabilities within daily procedures to access or alter information through methods like password sniffing.
    Breach of personnel security: Sensitive company information is gained from an employee by attackers.
    Breach of communication security: Information…

  • Laws related to privacy

    Freedom of Information Act, 5 U.S.C. §552, as amended
    Guidance on Inter-Agency Sharing of Personal Data – Protecting Personal Privacy, OMB Memorandum M-01-05
    Gramm-Leach-Bliley Act of 1999

  • Laws related to Information Security

    18 U.S.C. § 1029. Fraud and related activity in connection with access devices
    18 U.S.C. § 2701 et seq. Stored wire and electronic communications and transactional records access
    18 U.S.C. § 3121 et seq. Recording of dialing, routing, addressing and signaling information

  • Security Training

    Security job skills training:
      SSCP exam
      A series of university courses in general information security
    Security awareness training:
      A series of newsletters with general information security
      Business-unit walk-through

  • Computer fallacies

    Fallacy vs. Principle
      Fallacy: Information wants to be free
      Principle: People are in control of what information is released or shared
      Fallacy: Laws are clear about the legality of all actions
      Principle: Users should take responsibility for their actions
      Fallacy: Hacking is OK as long as it doesn’t hurt anybody
      Principle: It is unethical to access information without having…

  • Risk Response Types

    Risk avoidance: shutdown of servers when there is suspicion of virus infection
    Risk transfer: hardware insurance against theft, loss and fire damage
    Risk acceptance: let employees receive private emails in company accounts
    Risk mitigation: implement multi-factor authentication to protect trade secrets

  • Stages of Risk Assessment Process

    Risk determination quantifies the probability of attack, its impact, and the adequacy of current or planned controls.
    Control recommendation considers the effectiveness, performance impacts, safety and reliability of control options.
    Likelihood determination considers the capability and motivation of threat sources in terms of vulnerability.
    Results documentation presents the threat and vulnerability pairings with associated cost-benefit data.…

  • Types of Risk Assessment

    Qualitative:
      The financial officer’s estimate that password scanning attacks are highly probable.
      The IT manager’s opinion on what impact a flood would have on the server room.
    Quantitative:
      The cost to the company for being offline for one day / its servers being offline for one day.
      The expected, total number of DDoS attacks per…

  • Importance of Risk Management

    Risk Management is important, because it:
      enables identification and protection of all critical assets
      helps ensure legal compliance

  • Risk assessment process

    Threat identification is the review of technical and technical events that may damage a system.
    System characterization is the review of system and data criticality and sensitivity.
    Control analysis is the review of current and planned countermeasures against security requirements checklists.
    Vulnerability identification is the review of system security procedures, design, implementation, or internal controls…