... The purpose of the present research project was to gain a holistic understanding
2. What is the purpose of an asset classification?
a. Asset classification identifies and characterizes similar assets and groups them together, which makes the assets easier to find and lets each group be protected consistently.
3. For the scenario you picked, give three (3) examples of customer privacy data elements.
4. Why is your organization's website classification minor but its e-commerce server considered critical for your scenario?
a. Because customers' credit card information is stored on the e-commerce server, whereas the public website holds no sensitive data.
5. Why would you classify customer privacy data and intellectual property assets as critical?
a. Their loss or disclosure is damaging not only to the organization but also to the individuals whose data it is.
6. What are some examples of security controls for recent compliance law requirements?
a. Biometrics, tokens and smart cards (strong authentication).
7. How can a Data Classification Standard help with asset classification?
a. An asset that would normally be low priority is classified as high risk because of the data that is on it: the asset inherits the classification of the most sensitive data it stores or processes.
8. How can you minimize leakage of customer privacy data through the public Internet?
a. One way is to encrypt the sensitive data in transit and at rest with a strong cipher and key (for example a 256-bit AES key). Another, weaker measure is to avoid labelling transmitted information in a way that marks it as sensitive.
9. Given the importance of the Master SQL database that houses customer privacy data and intellectual property assets, what security controls and security...
...Whether your organization already has a classification policy, or is just defining one now, it's best to start simple. Many organizations use three categories:
• A category such as "Public" to indicate non-sensitive information
• An "Internal" category for information that should stay within the organization
• A category such as "Confidential" or "Restricted" for information that is particularly sensitive.
The classification level assigned to data will guide data owners, data custodians, business and technical project teams, and any others who may obtain or store data, in the security protections and access authorization mechanisms appropriate for that data. Such categorization encourages discussion and a full understanding of the nature of the data being displayed or manipulated. Data is classified as one of the following:
Public (low level of sensitivity): Access to "Public" institutional data may be granted to any requester. Public data is not considered confidential. Examples of Public data include published directory information and academic course descriptions. The integrity of Public data must still be protected, and the appropriate owner must authorize replication of the data. Even when data is considered Public, it cannot be released (copied or replicated) without appropriate approvals.
Sensitive (moderate level of sensitivity): Access to "Sensitive" data must be requested from, and authorized by, the Data Owner who is responsible for the data. Data may be accessed...
...Frequency
1.1.2.1 Debriefing Agenda
1.1.2.2 Daily Debriefing Time/Location
1.2 Scope of Work
1.2.1 In Scope
1.2.1.1 Objective
1.2.2 Out of Scope
Section 2: Logistics
2.1 Personnel
2.1.1 Authorized Personnel
Table 1 - Authorized Personnel
2.1.2 Notification
2.2.1 Penetration Testing Schedule
2.3 Site Classification
2.4 Shunning
Section 3: Data Collection
3.1 Data Collection Policy
3.1.1 Data Classification
3.2 Data Confidentiality Policy
3.3 Client Observation
Section 4: Target System/Network
References
Executive Summary
Rules of Engagement
Section 1: Introduction
Billions of dollars are spent each year by governments and industry to secure computer networks from the prying eyes of an attacker (Allsopp, 2009). "Penetration testing, also known as ethical hacking, is a set of activities carried out to find holes in the security of environments, networks, systems, and applications, enabling organizations to fix these issues before attackers find them" (Andress, n.d.). Network, computer and application security is of the utmost importance to Deer Lagoon Games.
1.1 Purpose
Deer Lagoon Games is an industry pioneer of PC gaming engine design. Their award-winning designs provide the game engines used by more than half of the highest rated games released in the last five years. Today, the company features a comprehensive suite of game engines...
...- The purpose of information system security is to develop security controls that prevent security weaknesses from being exploited by threat agents.
- A threat agent is an entity who is responsible for, or who materially contributes to, the loss or theft of data. Threat agents may be internal or external to an organization.
- Unintentional agents: Unintentional threat agents are employees, contractors, or other insiders who have no motivation to jeopardize information, but who are untrained or negligent in their handling of sensitive information. An example of an unintentional internal threat agent would be someone in the mailroom who accidentally mailed employee pay information to the wrong addresses.
- Malicious agents: Malicious internal threat agents are current or former employees, contractors, or other insiders who are motivated to compromise security because of unhappiness with company policies, organizational processes, financial difficulties, or personnel actions. In many cases, the malicious internal threat agent is disgruntled, already fired, or soon to be fired from his or her position. An example of a malicious internal threat agent would be an employee who decided to sabotage systems or data just before a round of layoffs.
- Criminal enterprises: Criminal enterprises are groups of skilled technicians who can identify and exploit weaknesses in the systems that store, process, or transmit valuable financial information.
- State-sponsored agents: State-sponsored external threat...
...Asset Identification & Asset Classification
1. What is the purpose of identifying IT assets and inventory?
i. To know what the organization owns and where it is, so that areas of potential risk can be identified.
2. What is the purpose of an asset classification?
ii. To group assets by their value and sensitivity so that each group receives protection appropriate to the damage its loss or compromise would cause.
3. For the scenario you picked, give three (3) examples of customer privacy data elements. (HIPAA)
iii. Names
iv. Medical records
v. Health plan beneficiary numbers
4. Why is your organization's website classification minor but its e-commerce server considered critical for your scenario?
vi. Because the website holds nothing sensitive and presents a smaller threat if compromised, while the e-commerce server processes customer data and is far more valuable to the organization.
5. Why would you classify customer privacy data and intellectual property assets as critical?
vii. They are highly valuable to the organization, and their loss, disclosure or theft would cause serious harm both to the organization and to the customers concerned.
6. What are some examples of security controls for recent compliance law requirements?
viii. Sarbanes-Oxley Act: internal controls on financial systems (such as access control and audit logging) that allow management to certify the accuracy of financial information.
ix. Children's Online Privacy Protection Act: controls over collecting information from children under the age of 13, such as verifiable parental consent.
7. How can a Data Classification Standard help with asset classification?
x. The classification of the data stored or processed on an asset determines the classification of the asset itself, so an otherwise low-priority system is rated, and protected, according to the sensitive data it holds.
8. How can you minimize leakage of customer privacy data through the public internet?
xi. Gramm-Leach-Bliley...
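Questions 4 and 7 above, like questions 4 and 7 of the earlier asset-classification exercise on this page, rest on a single rule: an asset takes the classification of the most sensitive data it stores or processes. The Python script below is an added example and is not part of any paper excerpted here. It applies that high-water-mark rule to a constructed inventory and reports every asset whose assigned classification is lower than its data requires; unknown data elements are deliberately treated as the top level so that a missing entry in the standard can never lower an asset's rating. The level names, the data classification table and the assets are assumptions made for illustration.

```python
"""Derive an IT asset's classification from the data it holds.

Added example, not code from any of the papers on this page.
Assumed rule (the usual high-water mark): an asset is classified at the
highest level of any data element it stores, processes or transmits.
LEVELS, DATA_STANDARD and SAMPLE_ASSETS are constructed sample input.
"""
from dataclasses import dataclass, field

# Ordered classification levels, lowest first (assumed scheme).
LEVELS = ["Public", "Internal", "Confidential", "Critical"]

# Data classification standard: data element -> level (constructed).
DATA_STANDARD = {
    "course description": "Public",
    "press release": "Public",
    "org chart": "Internal",
    "customer name": "Confidential",
    "customer email": "Confidential",
    "credit card number": "Critical",
    "medical record": "Critical",
    "source code": "Critical",
}


@dataclass
class Asset:
    name: str
    assigned: str                       # level the asset owner assigned
    data_elements: list = field(default_factory=list)


def rank(level: str) -> int:
    """Position of a level in LEVELS; an unknown level is an error, not 0."""
    if level not in LEVELS:
        raise ValueError(f"unknown classification level: {level!r}")
    return LEVELS.index(level)


def derived_classification(asset: Asset) -> str:
    """High-water mark over the asset's data elements.

    A data element missing from DATA_STANDARD is treated as the top level
    (fail closed): unclassified data must raise, never lower, the rating.
    """
    highest = LEVELS[0]
    for element in asset.data_elements:
        level = DATA_STANDARD.get(element, LEVELS[-1])
        if rank(level) > rank(highest):
            highest = level
    return highest


def under_classified(assets: list) -> list:
    """Return (name, assigned, derived) for every asset whose assigned
    level is below the level its data requires."""
    findings = []
    for asset in assets:
        derived = derived_classification(asset)
        if rank(asset.assigned) < rank(derived):
            findings.append((asset.name, asset.assigned, derived))
    return findings


# Constructed inventory mirroring the scenario in the questions above.
SAMPLE_ASSETS = [
    Asset("public website", "Public",
          ["course description", "press release"]),
    Asset("e-commerce server", "Internal",
          ["customer name", "customer email", "credit card number"]),
    Asset("master SQL database", "Critical",
          ["customer name", "medical record", "source code"]),
    Asset("wiki", "Internal", ["org chart", "unlabelled export"]),
]

if __name__ == "__main__":
    for name, assigned, derived in under_classified(SAMPLE_ASSETS):
        print(f"{name}: assigned {assigned}, data requires {derived}")
```

Run stand-alone, the script reports the e-commerce server (assigned Internal, but it stores credit card numbers) and the wiki (it holds an export nobody has classified). The public website and the master SQL database are already rated at or above the level their data demands and are not listed.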
...Guidance on Information Classification
Asset identification
This is a list of some types of assets. The list is not exhaustive.
Physical assets
• computer and communications equipment (owned by MIS)
• magnetic media (owned by Manager)
• power supplies and plant, such as air-conditioning units (owned by MIS)
Software assets (owned by MIS)
• application software
• system software
• development tools
• utilities
Information assets (owned by Manager or MIS)
'Information' means information held by the Company on its own behalf and that entrusted to it by others. The following are examples of the media which may contain or comprise information assets.
• databases and data files
• system documentation
• user manuals
• training material
• operational or support procedures
• continuity plans and fallback arrangements
• back-up media
• on-line magnetic media
• off-line magnetic media
• paper
Services
• computing and communications services (owned by MIS)
• heating, lighting and power (owned by Manager or Building Services Manager)
17/01/03 First•Base Technologies, Town Hall Chambers, High Street, Shoreham-by-Sea, West Sussex BN43 5DD, UK. Tel: +44 (0)1273 454 525 Fax: +44 (0)1273 454 526 info@firstbase.co.uk
Categories for classifying document security
Category 1: Routine (non-confidential) documents
Description: All documents of a routine nature.
Effects of disclosure: No measurable damage to the company or a department...
...Information security means protecting information and information systems from unauthorized access, use, disclosure, modification or destruction. Since the early days of writing, heads of state and military commanders understood that it was necessary to provide some mechanism to protect the confidentiality of written correspondence and to have some means of detecting tampering. For over twenty years, information security has held confidentiality, integrity and availability as its core principles. Confidentiality means preventing the disclosure of information to unauthorized individuals or systems. Confidentiality is necessary (but not sufficient) for maintaining the privacy of the people whose personal information a system holds. In information security, integrity means that data cannot be modified without authorization. When management chooses to mitigate a risk, it does so by implementing one or more of three types of controls. Administrative controls form the framework for running the business and managing people. Logical controls (also called technical controls) use software and data to monitor and control access to information and computing systems. Physical controls monitor and control the environment of the workplace and computing facilities. Information security uses cryptography to transform usable information into a form that renders it unusable by anyone other than an authorized user; this process is called encryption...
...Michigan Technological University Information Security Plan
The Information Security Plan establishes and states the policies governing Michigan Tech's IT standards and practices. These policies define the University's objectives for managing operations and controlling activities. These top-level policies represent the plans or protocols for achieving and maintaining internal control over information systems as well as compliance with the requirements imposed on the University.
INFORMATION SECURITY PLAN
Approval by Information Security Board of Review Members
Information Security Plan Rev: 3 – 10/13/2011
Table of Contents
1 EXECUTIVE SUMMARY
2 PURPOSE
3 SCOPE
4 DEFINITIONS
5 IT GOVERNANCE COMMITMENTS & RESPONSIBILITIES
6 UNIVERSITY POLICY STATEMENT...
...Privacy Endangerment with the Use of Data Mining
An emergent Information Technology (IT) issue that has been rising in the past few years is data mining. Data mining is used to retrieve personally identifiable information provided by individuals through Internet services such as social media networks, email, and other networks whose databases are full of personal information. If such data retrieval is not done carefully, it can cause ethical issues for the companies involved. The ethical issues related to data mining are violation of privacy, confidentiality, and respect for persons' rights. Issues that require immediate attention regarding data mining are: What stops corporations from sharing personally identifiable information with other companies? How effectively and ethically is data mining used by the government? Are our privacy and confidentiality truly protected? Social network companies such as Facebook, Twitter, and Google present user agreements upon joining their services. These agreements outline how the information provided by the user will be used by the company and allow the user to understand how to protect their personally identifiable information while using these social network sites. These companies pride themselves on protecting users' personal information. However, what happens when the company or an unethical company employee violates these agreements? Personally identifiable information is then released...
...IT Audit Seminar organized by National Audit Office, China, 1 to 4 September 2004. Paper on "Formulation of IT Auditing Standards" by Ms. Puja S Mandol and Ms. Monika Verma, Supreme Audit Institution of India.
Introduction
The use of computers and computer-based information systems has pervaded deep and wide into every modern organization. An organization must exercise control over these computer-based information systems because the cost of errors and irregularities that may arise in them can be high and can even challenge the very existence of the organization. An organization's ability to survive can be severely undermined through corruption or destruction of its database; decision-making errors caused by poor-quality information systems; losses incurred through computer abuse; loss of computer assets; and loss of control over how computers are used within the organization. Therefore managements across the world have deployed specialized auditors to audit their information systems, to find gaps between declared policies and actual use and shortcomings in information system design and usage. Information Systems Audit is the process of collecting and evaluating evidence to determine whether a computer system has been designed to maintain data integrity, safeguard assets, allow organizational goals to be achieved effectively and use resources efficiently. The IS Auditor should see not only that adequate internal controls exist...
...Unit-4 (ICS-305) Information security
Information security (ISec) describes activities that relate to the protection of information and information infrastructure assets against the risks of loss, misuse, disclosure or damage. Standards that are available to help organizations implement appropriate programs and controls to mitigate these risks include BS 7799/ISO 17799, the Information Technology Infrastructure Library (ITIL) and COBIT. Information security management (ISM) describes the controls that an organization needs to implement to ensure that it is sensibly managing these risks.
Security Challenges
The risks to these assets can be calculated by analysis of the following:
Threats to your assets: unwanted events that could cause the intentional or accidental loss, damage or misuse of the assets.
Vulnerabilities: how vulnerable (prone or weak) your assets are to attack.
Impact: the magnitude of the potential loss or the seriousness of the event.
Security services
Information Security Governance (ISG) is a sub-discipline of corporate governance focused on information security systems and their performance and risk management. Its tasks include:
Establish and maintain a framework to provide assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations.
Develop the information security strategy in support of business strategy and...
...the report may be freely copied, unaltered, provided that the original source is acknowledged and copyright preserved. The translation of this report has received funding from the European Community's Seventh Framework Programme (FP7/2007-2013) under grant agreement n° 238875, relating to the project 'Multi-Gigabit European Research and Education Network and Associated Services (GN3)'.
Table of Contents
EXECUTIVE SUMMARY
INTRODUCTION
1 INFORMATION SECURITY POLICY
1.1 Security goals
1.2 Security strategy
2 ROLES AND AREAS OF RESPONSIBILITY
3 PRINCIPLES FOR INFORMATION SECURITY AT
3.1 Risk management
3.2 Information security policy
3.3 Security organization
3.4 Classification and control of assets
3.5 Information security in connection with users of 's services
3.6 Information security regarding physical conditions
3.7 IT communications and operations management
3.8 Access control
3.9 Information systems acquisition, development and maintenance
3.10 Information security incident management
3.11 Continuity planning
3.12 Compliance
4 GOVERNING DOCUMENTS
4.1 ...
4.2 ...
...Slides Notes
Managerial Accounting: the process of identifying, measuring, analyzing, interpreting and communicating information.
Major activities of managers: planning, controlling, directing and motivating, decision making.
PLANNING: identify alternatives → select the best → develop budgets
Directing and Motivating
* Employee work assignments
* Routine problem solving
* Conflict resolution
* Effective communication
Controlling
* Ensure that plans are being followed.
* Feedback between actual and budget is an essential part of it.
Strategy
* The focal point of a company's strategy should be its target customers.
Customer Value Propositions
* Customer Intimacy Strategy: understand and respond to customers' needs
* Operational Excellence Strategy: deliver products and services faster, more conveniently and at lower price
* Product Leadership Strategy: higher quality goods
Financial vs. Managerial Accounting
1. Users: external users vs. planning and control for internal use
2. Time: historical vs. future
3. Objectivity and verifiability vs. relevance
4. Precision vs. timeliness
5. Subject: companywide vs. segment
6. Rules: GAAP/IFRS vs. not bound by any prescribed format
7. Requirement: mandatory for external reports vs. not mandatory
Process Management
Four approaches to improvement:
* Lean production
* Six...
...BaseTech / Principles of Computer Security: CompTIA Security+™ and Beyond / Wm. Arthur Conklin / 619-8 / Chapter 2
2 General Security Concepts
"The only real security that a man can have in this world is a reserve of knowledge, experience and ability." —HENRY FORD
In this chapter, you will learn how to
■ Define basic terms associated with computer and information security
■ Identify the basic approaches to computer and information security
■ Distinguish among various methods to implement access controls
■ Describe methods used to verify the identity and authenticity of an individual
■ Describe methods used to conduct social engineering
■ Recognize some of the basic models used to implement security in operating systems
In Chapter 1, you learned about some of the various threats that we, as security professionals, face on a daily basis. In this chapter, you start exploring the field of computer security.
■ Basic Security Terminology
The term hacking has been used frequently in the media. A hacker was once considered an individual who understood the technical aspects of computer operating systems...
...Pharmacology is the study of the physical, biological and chemical actions of drugs (Bryant & Knights, 2011). In the practice of medicine, drugs are used to diagnose, treat or prevent disease, so for the registered nurse in a clinical setting, knowledge of pharmacology is of great importance in their role of medication administration. Pharmacology knowledge allows the nurse to carry out safe medication administration, monitor medication actions, educate patients, and act legally and ethically within pharmacological parameters. This knowledge is also vital for the nurse practitioner in their role of nurse prescribing. Pharmacology plays a large part in these roles for the nurse. This essay will elaborate on the importance of pharmacology for five reasons: safe medication administration, monitoring of medication actions, patient education, legal and ethical aspects of pharmacology, and the nurse practitioner. Firstly, safe medication administration. To administer drugs safely it is the nurse's responsibility to have knowledge of the prescribed medications as well as their therapeutic and non-therapeutic effects. Knowledge of a medication includes knowing its approved drug name and classification, correct dose and route of administration. A medication may have as many as three different names: a chemical name, a generic (nonproprietary) name and a trade name (Crisp & Taylor, 2011). A chemical name refers to the chemical makeup of a drug, a generic name is the drug name...