BUS 237 Chapter Notes - Chapter 12: Forklift, Computer Hardware, Database Administrator


Department: Business Administration
Course Code: BUS 237
Professor: Zorana Svedic
Chapter: 12

BUS 237 CHAPTER- 12 MANAGING INFORMATION SECURITY AND PRIVACY
What is Identity Theft?
I idetit theft, ital ifoatio suh as a peso’s ae, addess, date of ith,
soial isuae ue, ad othe’s aide ae ae auied to oplete
impersonation
With this ifoatio, the idetit thief a take oe a iti’s fiaial aouts;
open new bank accounts; transfer bank balances; apply for loans, credit cards, and
other services
This kind of theft involves stealing, misrepresenting, or hijacking the identity of
another person or business and provides an effective way to commit other crimes
What is PIPEDA?
Personal Information Protection and Electronic Documents Act
The At is iteded to alae a idiidual’s ight to the privacy of his or her
personal information, which organizations need to collect, use, or share for business
purposes.
The Privacy Commissioner of Canada oversees this Act.
PIPEDA governs how data are collected and used. One of the most critical elements
in PIPEDA is the principle that individuals have the right to know what type of
information an organization collects about them and how that information is going
to be used.
PIPEDA suggests that organizations should not be able to use the information
collected for any purpose other than what the organization agreed to use it for.
PIPEDA suggests that it is the duty of an organization to protect the information they
collect. To ensure this, PIPEDA provides an individual with the right to know who in
the organization is responsible for securing the information.
When organizations collect information, PIPEDA ensures that they do so only by fair
means and that their terms and policies are clearly expressed so that people
understand them before using the services of the organizations.
PIPEDA does not facilitate individuals suing organizations. If issues arise that cannot
be resolved between an individual and an organization, the individual should file a
complaint with the Office of the Privacy Commissioner of Canada. The Commissioner
reviews the case and produces a report stating its conclusions.
PIPEDA has been used to reduce the risk and safeguard the rights of individuals.
WHAT TYPE OF SECURITY THREATS DO ORGANIZATIONS HAVE TO FACE?
3 sources of security threats:
1. Human errors and mistakes
Accidental problems caused by employees and by others outside the organization
Poorly written programs
Poorly designed procedures
find more resources at oneclass.com
Physical accidents
example: an employee driving a forklift through the wall of a computer room
2. Malicious human activity
Intentional destruction of data
Destroying system components
Hackers
Virus and worm writers
Criminals
Terrorists
example: spamming millions of unwanted emails
3. Natural events and disasters
Fires, floods, hurricanes, earthquakes, tsunamis, avalanches,
tornados, and other acts of nature
Initial losses of capability and service
Plus, losses from recovery actions
Five types of security problems are:
1. Unauthorized data disclosure
2. Incorrect data modification
3. Faulty service
4. Denial of service
5. Loss of infrastructure
I. Unauthorized data disclosure:
Unauthorized data disclosure can occur by human error when someone
inadvertently releases data in violation of policy. In Canada, this type of
disclosure is covered by PIPEDA.
Proprietary and personal data can also be released maliciously.
Pretexting: occurs when someone deceives by pretending to be someone
else. A common scam involves a telephone caller who pretends to be from a
credit card company and claims to be checking the validity of card numbers.
Phishing: pretexting via email. The phisher pretends to be a legitimate company and
sends email requesting confidential data, such as account numbers, social insurance
numbers, etc.
Spoofing: another term for someone pretending to be someone or somewhere else. IP
spoofing occurs when an intruder uses another site's IP address as if it were that
other site. Email spoofing applies the same idea to email: the sender address is
forged so the message appears to come from a legitimate company.
Sniffing: a technique for intercepting computer communications. With wired
networks, sniffing requires a physical connection to the network. With wireless
networks, no such connection is required: drive-by sniffers simply take computers
with wireless connections through an area and search for unprotected wireless
networks. They can monitor and intercept wireless traffic as well.
Spyware and adware are other means by which data can be disclosed without
authorization.

II. Incorrect data modification:
Examples include incorrectly increasing a customer's discount, incorrectly modifying
an employee's salary, or placing incorrect information, such as price changes, on a
company's website.
Incorrect data modification can occur through human error when employees follow
procedures incorrectly or when procedures have been incorrectly designed. For
proper internal control on systems that process financial data or that control
inventories of assets, such as products and equipment, companies should ensure
separation of duties and authorities (the person who requests a change should not be
the one who approves it) and have multiple checks and balances in place.
Another type of incorrect data modification caused by human error is system error.
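The separation-of-duties control described above can be enforced in code rather than left to policy. The following is an added example, not from the textbook or the course: it audits a batch of data-change records (discounts, salaries, prices) and flags any change that was approved by its own requester, approved by someone whose role is not entitled to approve that field, or large enough to need two distinct approvers. The field names, role-to-field policy, the 25% second-approval threshold and the change records are all assumptions constructed for the example.

```python
"""Maker-checker (separation of duties) audit over a batch of data changes.

Added example with constructed sample data. The approval policy, the
threshold and the records below are assumptions, not from any real system.
"""
from dataclasses import dataclass

# Assumed policy: which roles may approve a change to each field.
APPROVER_ROLES = {
    "customer.discount": {"sales_manager"},
    "employee.salary": {"hr_manager", "payroll_manager"},
    "product.price": {"pricing_manager"},
}

# Assumed policy: a change of more than 25% of the old value needs a
# second, distinct approver (a "check and balance" on large edits).
SECOND_APPROVAL_RATIO = 0.25


@dataclass(frozen=True)
class Change:
    change_id: str
    field: str
    old_value: float
    new_value: float
    requested_by: str
    approved_by: tuple  # ((user, role), ...) in approval order


def violations(change):
    """Return the list of control violations for one change (empty if clean)."""
    problems = []
    approvers = {user for user, _ in change.approved_by}

    if not change.approved_by:
        problems.append("no approval recorded")

    # Separation of duties: requester must not be among the approvers.
    if change.requested_by in approvers:
        problems.append("requester approved own change")

    # Authority: every approver's role must be entitled to approve this field.
    allowed = APPROVER_ROLES.get(change.field)
    if allowed is None:
        problems.append("field not covered by approval policy")
    else:
        for user, role in change.approved_by:
            if role not in allowed:
                problems.append(f"{user} ({role}) not authorised to approve {change.field}")

    # Magnitude check: large changes need two distinct approvers.
    if change.old_value:
        ratio = abs(change.new_value - change.old_value) / abs(change.old_value)
        if ratio > SECOND_APPROVAL_RATIO and len(approvers) < 2:
            problems.append("large change needs two distinct approvers")

    return problems


def audit(changes):
    """Map change_id -> violations for every change that has at least one."""
    result = {}
    for change in changes:
        found = violations(change)
        if found:
            result[change.change_id] = found
    return result


# Constructed sample batch (not real data).
SAMPLE_CHANGES = [
    # 40% discount increase with only one approver -> needs a second approver
    Change("C1", "customer.discount", 5.0, 7.0, "alice", (("bob", "sales_manager"),)),
    # carol approved her own salary edit -> separation-of-duties violation
    Change("C2", "employee.salary", 50000.0, 52000.0, "carol", (("carol", "hr_manager"),)),
    # small price change, approved by an entitled role -> clean
    Change("C3", "product.price", 20.0, 21.0, "dave", (("erin", "pricing_manager"),)),
    # large salary change with two distinct, entitled approvers -> clean
    Change("C4", "employee.salary", 50000.0, 80000.0, "frank",
           (("gina", "hr_manager"), ("hank", "payroll_manager"))),
    # sales manager approving a price change -> not an authorised role
    Change("C5", "product.price", 10.0, 11.0, "ian", (("jo", "sales_manager"),)),
]

if __name__ == "__main__":
    for change_id, problems in audit(SAMPLE_CHANGES).items():
        print(change_id, "->", "; ".join(problems))
```

Running the block prints the three flagged records (C1, C2 and C5) with their reasons; C3 and C4 pass every check. In a real system the same function would run as a gate before the change is committed, not only as an after-the-fact audit.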
Hacking occurs when a person gains unauthorized access to a computer system.
Although some people hack for the sheer joy of doing it, other hackers invade
systems for the malicious purpose of stealing or modifying data. One major
difference between computer crime and other types is that when data are stolen the
original data are still there and there may be no trace of the crime. Computer
criminals invade computer networks to obtain critical data or manipulate the system
for financial gain.
III. Faulty service:
Includes problems that result because of incorrect system operation. Faulty service
could include incorrect data modification.
It could also include systems that work incorrectly by sending the wrong goods to
the customer or incorrectly billing customers, etc.
Humans can inadvertently cause faulty service by making procedural mistakes.
System developers can write programs incorrectly or make errors during installation.
IV. Denial of service:
Results from human error in following procedures or lack of procedures. Example:
employees can inadvertently shut down a web server, etc.
These attacks are often launched maliciously. A malicious hacker can flood a web
server with millions of bogus or fraudulent service requests that so occupy the
server that it cannot service legitimate requests.
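A flood of bogus requests like the one described above shows up in the web server's access log as one client making far more requests per second than any legitimate user. The following is an added example, not from the textbook or the course: it parses access-log lines in the common log format and keeps a sliding window of request times per client address, reporting each address at the moment it exceeds an assumed limit of 50 requests in any 10-second window. The log lines, the two client addresses and the thresholds are constructed for the example.

```python
"""Sliding-window request-rate check over web server access-log lines.

Added example. The log lines below are constructed, and the limit of
50 requests per 10 seconds is an assumed threshold, not from the text.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: client address, identd, user, [timestamp], "request", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, status, _size = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), request, int(status)


def find_flooders(lines, max_requests=50, window_seconds=10):
    """Map each client that exceeds max_requests within any window_seconds-long
    window to the timestamp of the request that first pushed it over the limit.
    Lines are assumed to be in chronological order (as a log normally is)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps inside the current window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash on them
        ip, ts, _, _ = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop requests older than the window
            q.popleft()
        if len(q) > max_requests and ip not in flagged:
            flagged[ip] = ts
    return flagged


def make_log(ip, start, count, spacing_ms, path="/"):
    """Construct `count` log lines from one client, `spacing_ms` apart."""
    lines = []
    for i in range(count):
        ts = start + timedelta(milliseconds=i * spacing_ms)
        lines.append(f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512')
    return lines


# Constructed sample: one client hammering the server (120 requests in 6 s)
# and one ordinary visitor (30 requests over a minute).
START = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
ATTACKER = "198.51.100.7"
VISITOR = "192.0.2.10"
SAMPLE_LOG = sorted(
    make_log(ATTACKER, START, 120, 50, "/search?q=x") + make_log(VISITOR, START, 30, 2000),
    key=lambda line: parse_line(line)[1],
)

if __name__ == "__main__":
    for ip, when in find_flooders(SAMPLE_LOG).items():
        print(f"{ip} exceeded the limit at {when.isoformat()}")
```

The attacker is reported at 12:00:02, the second in which its 51st request arrives, while the visitor never has more than six requests in any 10-second window. A per-address counter like this is the simplest detection for a flood from a single source; a distributed attack from many addresses needs aggregate limits as well.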
V. Loss of Infrastructure:
Human accidents can cause loss of infrastructure. Example: a bulldozer cutting fibre-
optic cables, etc.
Theft and terrorist events also cause loss of infrastructure. Terrorist events can also
cause loss of physical plants or equipment. Natural disasters present a huge risk for
infrastructure loss.
This list does not include viruses or worms, because those are techniques for causing
some of these problems rather than problem types in themselves.
ELEMENTS OF A SECURITY PROGRAM:
Senior management: