1. Provide an IT example that relates to the ethical issues for the ideas of privacy, accuracy, property, and accessibility.
Privacy Issues: involves collectin, storing and disseminating information about individuals. E.g Electronic surveillance.
Accuracy Issues: involves the authenticity, fidelity, and accuracy of information that is collected and processed.
Property Issues: involvet he ownership and value of infomration.
Accessibility Issues: who should have access to the information and whether they should have to pay for the access.
2. What are the 5 general types of IT threats? Provide an example for each one.
· Unintentional Acts: those with no malicious intent, are of three types: human errors (most serious), deviations in the quality of service by service providers, and environmental hazards. E.g. Higher-level employees have access to corporate data, HR have access to sensitive personal information about employees.
· Natural Disasters: Floods, earthquakes, hurricanes, lightening and fire can cause loss of systems and data.
· Technical Failure: include problems with hardware and software. E.g. crash of a hard disk drive. Software errors are bugs – in computer programs.
· Management Failures: a lack of funding for information and security efforts and lack of interest in those efforts. Will cause the information security of the organisation to suffer.
· Deliberate Acts: trespass, software attacks, theft of equipment or information, sabotage or vandalism, cyber terrorism.
3. Describe/discuss three types of software attack and a problem that may result from them.
· Virus: segment of computer code that performs malicious actions by attaching to another computer program.
· Worm: segment of computer a=code that performs malicious actions that will replicate, or spread by itself (without requiring another computer program).
·Password/ Dictionary Attack: attacks that try combinations of letters and numbers that are most likely to succeed, such as all words from a dictionary.
· Unintentional Acts: those with no malicious intent, are of three types: human errors (most serious), deviations in the quality of service by service providers, and environmental hazards. E.g. Higher-level employees have access to corporate data, HR have access to sensitive personal information about employees.
· Natural Disasters: Floods, earthquakes, hurricanes, lightening and fire can cause loss of systems and data.
· Technical Failure: include problems with hardware and software. E.g. crash of a hard disk drive. Software errors are bugs – in computer programs.
· Management Failures: a lack of funding for information and security efforts and lack of interest in those efforts. Will cause the information security of the organisation to suffer.
· Deliberate Acts: trespass, software attacks, theft of equipment or information, sabotage or vandalism, cyber terrorism.
3. Describe/discuss three types of software attack and a problem that may result from them.
· Virus: segment of computer code that performs malicious actions by attaching to another computer program.
· Worm: segment of computer a=code that performs malicious actions that will replicate, or spread by itself (without requiring another computer program).
·Password/ Dictionary Attack: attacks that try combinations of letters and numbers that are most likely to succeed, such as all words from a dictionary.
4. Describe the four major types of security controls in relation to protecting information systems.
· Physical Controls: prevent unauthorized individuals from gaining access to a company’s facilities. E.g. walls, fencing, locks, badges, guards and alarm systems.
· Access Controls: restrict unauthorized individuals from using information resources. These controls involve two major functions: authentication (determines the identity of the person requiring access) and authorization (which actions, rights or privileges the person has, based on verified identity). Organisation use many methods to identify authorized personnel: something the user is, something the user has, something the user does, and something the user knows.
· Communication controls: secure the movement of data across networks. Communication controls consist of firewalls (prevents specific info from moving between un-trusted networks), intrusion-detection systems (detect all types of malicious network traffic and computer usage that cannot be detected by firewall), encryption (converting a original message into a form that cannot be read by anyone except the intended receiver), and virtual private networking (VPN – a private network that uses the internet (public network) to connect users).
· Application Controls: security counter-measures that protect specific applications. Categories: input (edit input data for errors before it I processed), processing (match employee time cards with a master payroll file and report missing or duplicate time cards. Also balance the total number of transactions processed with the total number of transactions input or output) and output controls (documentation specifying that authorized recipients have received their reports, paychecks or other critical documents).
· Physical Controls: prevent unauthorized individuals from gaining access to a company’s facilities. E.g. walls, fencing, locks, badges, guards and alarm systems.
· Access Controls: restrict unauthorized individuals from using information resources. These controls involve two major functions: authentication (determines the identity of the person requiring access) and authorization (which actions, rights or privileges the person has, based on verified identity). Organisation use many methods to identify authorized personnel: something the user is, something the user has, something the user does, and something the user knows.
· Communication controls: secure the movement of data across networks. Communication controls consist of firewalls (prevents specific info from moving between un-trusted networks), intrusion-detection systems (detect all types of malicious network traffic and computer usage that cannot be detected by firewall), encryption (converting a original message into a form that cannot be read by anyone except the intended receiver), and virtual private networking (VPN – a private network that uses the internet (public network) to connect users).
· Application Controls: security counter-measures that protect specific applications. Categories: input (edit input data for errors before it I processed), processing (match employee time cards with a master payroll file and report missing or duplicate time cards. Also balance the total number of transactions processed with the total number of transactions input or output) and output controls (documentation specifying that authorized recipients have received their reports, paychecks or other critical documents).
5. What is information system auditing?
An examination of information systems, their inputs, outputs and processing. Installing controls is necessary but not sufficient to provide adequate security.
6. What is the difference between authentication and authorization and why are they important to e-Commerce/give an example of their relevance to e-Commerce.
· Authentication is a process that determines the identity of the person requiring access.
· Authorization is a process that determines which actions, rights or privileges the person has, based on verified identity.
They are important because they are a form of security to protect the organisation.
· Authentication is a process that determines the identity of the person requiring access.
· Authorization is a process that determines which actions, rights or privileges the person has, based on verified identity.
They are important because they are a form of security to protect the organisation.
