Published by: Aditya Anand on Mar 23, 2011
B.Sc. IT Semester 6
Assignment Set 1
Information System Security
(BT0059)

1. Write about:
- Potential Risks to Information Systems
- Factors to be addressed for making information systems more secure

Ans:

Potential Risks to Information Systems
Data and information in any information system is at risk from:

Human error: e.g. entering incorrect transactions; failing to spot and correct errors; processing the wrong information; accidentally deleting data.
Technical errors: e.g. hardware that fails or software that crashes during transaction processing.
Accidents and disasters: e.g. floods, fire.
Fraud: deliberate attempts to corrupt or amend previously legitimate data and information.
Commercial espionage: e.g. competitors deliberately gaining access to commercially sensitive data (e.g. customer details; pricing and profit margin data; designs).
Malicious damage: where an employee or other person deliberately sets out to destroy or damage data and systems (e.g. hackers, creators of viruses).

Factors to be addressed for making information systems more secure
There is no such thing as failsafe security for information systems. When designing security controls, a business needs to address the following factors:

Prevention: What can be done to prevent security accidents, errors and breaches? Physical security controls are a key part of prevention techniques, as are controls designed to ensure the integrity of data.
Detection: Spotting when things have gone wrong is crucial; detection needs to be done as soon as possible - particularly if the information is commercially sensitive. Detection controls are often combined with prevention controls (e.g. a log of all attempts to achieve unauthorized access to a network).
Deterrence: deterrence controls are about discouraging potential security breaches.
Data recovery: If something goes wrong (e.g. data is corrupted or hardware breaks down), it is important to be able to recover lost data and information.
2. Write about the following phases with respect to the System Development Life Cycle:
- Initiation Phase
- Development / Acquisition Phase

Ans:

Initiation Phase
All information technology (IT) projects have a starting point, commonly referred to as the initiation phase. During the initiation phase, the organization establishes the need for a particular system and documents its purpose. The information to be processed, transmitted, or stored is typically evaluated, as well as who is required to access such information and how (in high-level terms). In addition, it is often determined whether the project will be an independent information system or a component of an already-defined system. A preliminary risk assessment is typically conducted in this phase, and security planning documents are initiated (system security plan).

Figure 2.1: System Development Life Cycle

Once these tasks have been completed and a need has been recognized for a new or enhanced IT product or service, several processes must take place before the project is approved, including clearly defining project goals and defining high-level information security requirements. Typically, during this phase, the organization defines high-level information security policy requirements as well as the enterprise security system architecture.

Development/Acquisition Phase
During this phase, the system is designed, purchased, programmed, developed, or otherwise constructed. This phase often consists of other defined cycles, such as the system development cycle or the acquisition cycle. During the first part of the development/acquisition phase, the organization should simultaneously define the system's security and functional requirements. These requirements can be expressed as technical features (e.g., access control), assurances (e.g., background checks for system developers), or operational practices (e.g., awareness and training). During the last part of this phase, the organization should perform developmental testing of the technical and security features/functions to ensure that they perform as intended prior to launching the implementation and integration phase.
3. Write about:
- Metric Types
- Metrics Development and Implementation Approach

Ans:

Metric Types
Metrics are tools that support decision making. Like experience, external mandates, and strategies, metrics are one element of a manager's toolkit for making and substantiating decisions. Metrics are used to answer three basic questions:

Am I implementing the tasks for which I am responsible? Consider the example of a program manager with responsibility for 250 information systems. Among other things, that manager is responsible for the security certification and accreditation of those systems. A commonly used implementation metric for security certification and accreditation is the percentage of systems accredited.

How efficiently or effectively am I accomplishing those tasks? Such metrics often answer more complex questions after an activity is fully implemented. For example, federal law requires that security certification and accreditation take place following a major system change. One might measure the efficiency of a security certification and accreditation program by determining the time lag between each major system change and that system's renewed accreditation. Or one might measure the effectiveness of a security certification and