
INFORMATION SYSTEM CH 10 Pg. 345
Roland Giovanni H.
0000-000-8260
7. What are the 2 types of threats to information security? What are examples of each type of threat?
1. Human Threats
Accidental misuse, loss, or destruction by employees, consultants, vendors or suppliers, or actions by disgruntled employees, insider theft, sabotage, terrorism, hackers, spam.
2. Environmental Threats
Caused by natural actions. Examples: fire, floods, earthquakes, hurricanes, industrial accidents, war, power failures, arson.
8. What are information security vulnerabilities? How do organizations assess vulnerability?
Information security vulnerabilities are weaknesses that expose an organization to risk. An organization's risk assessment must examine its vulnerabilities to determine how effective its existing security measures are. Once vulnerabilities have been analyzed, the organization can evaluate controls that fill in security gaps and protect against specific threats. Vulnerability depends partly on how likely any particular event may be. For example, a major earthquake in Mexico City rates as highly likely, but hurricanes in that region are very rare. Even very unlikely events might pose serious risks, however, when their impact would be immense if they occurred. Risks also differ depending on the threat: a major information leak would compromise confidentiality, for example, while a power outage would affect availability by bringing down the systems.
9. What are examples of administrative controls that organizations implement to improve security?
Account management category: The organization requires appropriate approvals for requests to establish accounts, and the organization monitors for atypical usage of information system accounts.
Access controls category: The organization defines the information to be encrypted or stored offline in a secure location, and the organization defines the privileged commands for which dual authorization is to be enforced.
Information flow category: The organization defines the security policy that determines what events require human review.
Separation of duties category: The organization separates the duties of individuals as necessary to prevent malevolent activity without collusion.

10. What are examples of technical controls that organizations implement to improve security?
Account management category: The information system automatically disables accounts after a time period defined by the organization, and the information system automatically logs any account creation, modification or termination actions.
Access controls category: The information system enforces approved authorizations for access to the system, and the information system prevents unauthorized access to any security-relevant information contained within the system.
Information flow category: The information system enforces the organization's policy about human review.
Separation of duties category: The information system enforces separation of duties through access control.
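As an added illustration (not code from the textbook or this answer sheet), the following Python model implements the technical controls listed in answer 10: automatic disabling of inactive accounts, an audit log of account actions, enforcement of approved authorizations, protection of security-relevant records, and separation of duties enforced through access control. The role names, permissions, conflicting pair and 90-day inactivity period are all assumed values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed illustration, not code from the textbook; all values are assumed.
INACTIVITY_LIMIT = timedelta(days=90)   # organization-defined inactivity period
ROLE_PERMS = {"clerk": {"submit_payment"}, "approver": {"approve_payment"},
              "admin": {"manage_accounts"}, "auditor": {"read_audit_log"}}
CONFLICTING = [frozenset({"submit_payment", "approve_payment"})]  # SoD pairs

@dataclass
class Account:
    name: str
    roles: set
    last_login: datetime
    enabled: bool = True

class AccountSystem:
    def __init__(self):
        self.accounts = {}
        self.audit_log = []   # every create / disable action is recorded here

    def _perms(self, roles):
        return set().union(*(ROLE_PERMS.get(r, set()) for r in roles))

    def create(self, name, roles, actor, last_login_iso):
        # Separation of duties enforced through access control at creation time.
        if any(pair <= self._perms(roles) for pair in CONFLICTING):
            raise PermissionError("role combination violates separation of duties")
        self.accounts[name] = Account(name, set(roles), datetime.fromisoformat(last_login_iso))
        self.audit_log.append(("create", name, actor))

    def disable_inactive(self, now_iso):
        # Accounts are disabled automatically once the inactivity period is exceeded.
        now = datetime.fromisoformat(now_iso)
        stale = [a for a in self.accounts.values()
                 if a.enabled and now - a.last_login > INACTIVITY_LIMIT]
        for acct in stale:
            acct.enabled = False
            self.audit_log.append(("disable", acct.name, "system"))
        return [a.name for a in stale]

    def authorize(self, name, perm):
        acct = self.accounts.get(name)
        return bool(acct and acct.enabled and perm in self._perms(acct.roles))

    def read_audit_log(self, name):
        # Security-relevant records are withheld from accounts lacking the permission.
        if not self.authorize(name, "read_audit_log"):
            raise PermissionError("not authorized to view audit records")
        return list(self.audit_log)
```

Timestamps are passed as ISO 8601 strings so a scheduled job can call disable_inactive with the current time and record who was disabled.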

11. Why is human behavior often the weakest link for information ethics, information privacy, and information security? What are examples of strategies that organizations can implement to counteract the weaknesses in human behavior and decision making that have a negative impact on information security and privacy?
One weak spot is simply the human desire to help others. People routinely pass virus-laden hoaxes along to friends and neighbors, trying to be helpful. An employee who swipes his/her ID badge to open a secure door and then courteously holds it open for the person behind may be falling for a common social engineering trick to bypass physical security. The pressure to be helpful is even greater if the follower is holding packages or using crutches. Respect for authority is another common human tendency that intruders exploit, relying on uniforms, titles or just verbal hints that the company president wants something done. Humans also are certainly not immune to greed, and scammers tap this human frailty routinely to persuade people to turn over confidential information or money. Ironically, another highly effective bit of social engineering relies on the human desire to avoid malware, for example fake anti-virus. How to counter it? Organizations should have robust security awareness programs to help educate and continually remind people about the risks that lax security presents. The program should cover the organization's own policies and procedures, as well as applicable laws and regulations about how information should be handled, to ensure compliance. Organizations can also train their employees, providing tools such as encryption and helping people to spot areas in which breaches might occur. Finally, it should reinforce the principle that the organization has an ethical responsibility to maintain information security.
1. According to Wikipedia.org, digital rights management is used by organizations such as Sony, Amazon, Apple, Microsoft, AOL and the BBC. What is digital rights management? Why do organizations use technology to protect intellectual capital? Describe a typical DRM application that can be used to manage access to digital content. Are there disadvantages to using DRM?
Digital rights management (DRM) is a systematic approach to copyright protection for digital media. The purpose of DRM is to prevent unauthorized redistribution of digital media and restrict the ways consumers can copy content they've purchased. Because technology keeps improving every year, we have to protect intellectual capital from threats such as piracy (for example, downloading protected music or any other protected files from the internet). A typical DRM application is password-protected, or the content can be downloaded for a limited time; for example, you can use Adobe Acrobat to protect a PDF file. One disadvantage of DRM is that consumers find it extremely inflexible for downloaded or streamed video or music, since files that are protected by DRM cannot be played on other devices. Sometimes there is a need to convert a music or video file to another format, and DRM restricts that, so the files can only be used in their original form without being changed.
