Employ multiple layers of controls to avoid having a single point of failure. For example, many
organizations use not only firewalls but also multiple authentication methods, such as passwords,
tokens, and biometrics, to restrict access to their information systems. Other examples are a
technology company that strongly protects its technology, or a fashion designer that has a special
room which only selected people are allowed to enter.
3.
a. Among the various preventive controls for information security, it is believed that the "people"
component is the most important. Please explain your argument on this issue.
People are the most important because they are the actors who carry out the preventive controls,
which is done by creating a security-conscious culture and through training.
b. Why does the company need to establish a security-conscious culture?
A security-conscious culture is one in which employees comply with organizational policies, and top
management must not only communicate those policies but also lead by example. It is important because
employees can access a great deal of information that is confidential to the company, and if they do
not follow company policy, for example by writing down a password and affixing it to a monitor, the
company can be harmed when that information spreads.
c. Please explain the difference between authentication and authorization as part of preventive
controls.
Authentication is the process of verifying the identity of the person or device attempting to access
the system, whereas authorization is the process of restricting the access of already authenticated
users to specific portions of the system and limiting the actions they are permitted to perform.
4. It is stated that “Good change control often results in better operating performance”. Please explain
this statement and describe the characteristics of good change control.
Good change control often results in better operating performance because there are fewer problems
to fix. Companies with good change management and change control processes also experience lower
costs when security incidents do happen.
- Characteristics
a. Documentation of all change requests, identifying the nature of the change, its rationale, the date
of the request, and the outcome of the request.
b. Documented approval of all change requests by appropriate levels of management. It is especially
important that senior management review and approve major changes to processes and systems in
order to ensure that the proposed change is consistent with the organization's long-term strategic
plans.
c. Testing of all changes in a separate system, not the one used for daily business processes. This
reduces the risk that bugs in modifications disrupt normal business.
d. Conversion controls to ensure that data is accurately and completely transferred from the old to
the new system. Internal auditors should review the conversion process.
e. Updating of all documentation (program instructions, system descriptions, procedures manuals,
etc.) to reflect the newly implemented changes.
f. A special process for timely review, approval, and documentation of "emergency changes" as
soon after the crisis as is practical. All emergency changes need to be logged to provide an audit
trail. A large number or a marked increase in the number of emergency changes is a potential red
flag of other problems (poor configuration management procedures, lack of preventive
maintenance, or political "game-playing" to avoid the normal change control process).
g. Development and documentation of "backout" plans to facilitate reverting to previous
configurations if the new change creates unexpected problems.
h. Careful monitoring and review of user rights and privileges during the change process to
ensure that proper segregation of duties is maintained.
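As an added example (not part of the textbook or this assignment), the characteristics listed above can be turned into an audit of a change log: each record is checked for documentation, approval, separate-system testing, a backout plan, after-the-fact review of emergency changes and segregation of duties, and the log as a whole is checked for the "too many emergency changes" red flag. The records, field names, people and the 25% threshold are constructed assumptions for this example.

```python
# Constructed change-request records for an assumed change log; the field names,
# approvers and thresholds are assumptions made for this example.
SENIOR_MANAGEMENT = {"cio", "cfo"}

CHANGES = [
    {"id": "CR-101", "nature": "apply vendor patch to payroll module", "rationale": "vendor security fix",
     "requested": "2015-02-02", "outcome": "implemented", "requested_by": "dev1", "approved_by": "it_mgr",
     "tested_in": "staging", "backout_plan": "restore payroll v2.3 from image",
     "emergency": False, "major": False},
    {"id": "CR-102", "nature": "migrate general ledger to new database", "rationale": "old database end-of-life",
     "requested": "2015-02-05", "outcome": "implemented", "requested_by": "dev2", "approved_by": "it_mgr",
     "tested_in": "staging", "backout_plan": "",
     "emergency": False, "major": True},
    {"id": "CR-103", "nature": "hotfix firewall rule", "rationale": "production outage",
     "requested": "2015-02-06", "outcome": "implemented", "requested_by": "ops1", "approved_by": "ops1",
     "tested_in": "production", "backout_plan": "remove rule",
     "emergency": True, "major": False, "post_review": False},
    {"id": "CR-104", "nature": "restart stuck batch job", "rationale": "",
     "requested": "2015-02-07", "outcome": "implemented", "requested_by": "ops2", "approved_by": "it_mgr",
     "tested_in": "staging", "backout_plan": "rerun from last checkpoint",
     "emergency": True, "major": False, "post_review": True},
]


def audit_change(change: dict) -> list:
    """Return the control gaps found in one change record; an empty list means clean."""
    gaps = []
    # (a) every request documents what, why, when and what happened
    for field in ("id", "nature", "rationale", "requested", "outcome"):
        if not change.get(field):
            gaps.append(f"missing documentation: {field}")
    # (b) documented approval; major changes need senior management
    approver = change.get("approved_by")
    if not approver:
        gaps.append("no documented approval")
    elif change.get("major") and approver not in SENIOR_MANAGEMENT:
        gaps.append("major change not approved by senior management")
    # (c) tested somewhere other than the production system
    if change.get("tested_in") in (None, "", "production"):
        gaps.append("not tested in a separate system")
    # (g) a way back if the change misbehaves
    if not change.get("backout_plan"):
        gaps.append("no backout plan")
    # (f) emergency changes still get reviewed afterwards
    if change.get("emergency") and not change.get("post_review"):
        gaps.append("emergency change lacks after-the-fact review")
    # (h) the person who asks for a change must not be the one who approves it
    if approver and approver == change.get("requested_by"):
        gaps.append("requester approved own change (segregation of duties)")
    return gaps


def audit_log(changes: list) -> dict:
    """Map each change ID to its gaps, keeping only records that have at least one."""
    return {c["id"]: gaps for c in changes if (gaps := audit_change(c))}


def emergency_change_ratio(changes: list, threshold: float = 0.25):
    """Share of emergency changes in the log, and whether it crosses the red-flag threshold."""
    if not changes:
        return 0.0, False
    ratio = sum(1 for c in changes if c.get("emergency")) / len(changes)
    return ratio, ratio > threshold
```

On the sample log, CR-101 passes every check, CR-102 is a major change approved only by the IT manager and has no backout plan, CR-103 was tested in production, self-approved and never reviewed after the emergency, and CR-104 merely lacks a rationale; half of the records are emergency changes, which trips the red-flag threshold and is the cue to look for the underlying causes named in item f.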
2. It is stated that "Training is the most important control for protecting confidentiality". Please explain
your argument on this issue.
Training is the most important control for protecting confidentiality because employees sometimes
do not realize the importance of the information they possess and are reckless in handling it. They
therefore need to be taught how to protect it, which in turn makes the related controls effective.
3. What is identity theft? Please give an example and describe things to do to prevent it.
Identity theft: the unauthorized use of someone's personal information for the perpetrator's benefit,
usually for economic gain.
Example: the perpetrator obtains loans or opens new credit cards in the victim's name and loots the
victim's bank accounts.
How to prevent:
- Shred all documents that contain personal information
- Securely store documents that contain sensitive personal and financial information
- Never send personal information in unencrypted email
- Beware of requests to verify personal information that the requesting party should
already possess
- Do not carry your social security card with you
- Resist requests to provide social security number to businesses
- Print only your initials and last name on checks
- Limit the amount of other information preprinted on checks
- Do not place outgoing mail containing personal information in your mailbox for pickup
- Do not carry more than a few blank checks
- Use special software to thoroughly clean any digital media prior to disposal
- Monitor credit reports regularly
- File a police report as soon as possible when your belongings are stolen
- Immediately cancel any stolen or lost credit cards
3. What are DRP and BCP? Please explain and highlight the differences.
A DRP (disaster recovery plan) and a BCP (business continuity plan) go beyond the backup procedures
that handle one or more files or databases becoming corrupted because of hardware, software, or human
error; they address disruptions that take out the whole facility.
A DRP outlines the procedures to restore an organization's IT function in the event that the data center
is destroyed by a natural disaster or an act of terrorism.
A BCP specifies how to resume not only IT operations but all business processes in the event that a major
calamity destroys not only an organization's data center but also its main headquarters.
4. What are the effects of virtualization and cloud computing on availability controls?
Virtualization significantly reduces the time needed to recover from hardware problems.
Cloud computing reduces the risk that a single catastrophe could result in system downtime and the
loss of all data.
Case Study:
http://www.slate.com/articles/technology/safety_net/2015/02/venmo_security_it_s_not_as_strong_as
_the_company_wants_you_to_think.html
Question:
Instructions:
1. The group should prepare a presentation of 5-8 minutes at most, using PowerPoint, to answer the
above questions.
2. Refer to your understanding of Romney Chapters 8 and 9.