Unit 8
The most widely used information security frameworks and standards include:
The Payment Card Industry Data Security Standard (PCI DSS), which
establishes security requirements and security controls for the protection
of cardholder data and other sensitive payment card information.
Frameworks and standards are systems that, when followed, help an entity to
consistently manage information security controls across all of its systems,
networks, and devices, covering configuration management, physical security,
personnel security, network security, and information security systems. They
define what constitutes good cybersecurity practice and provide a structure
that entities can use for managing their information security controls.
Information – Resource/Asset
Threats –
Internal – Employees, Physical, Viruses, System/Network failure
External – Competitors, Hackers, Viruses, Natural calamities
Internal Control
Training
Passwords
User Termination
Access review
Authorization levels
Routine audit & maintenance
Software & antivirus updates
Physical access control
Audit Trails
External Control
Firewall Protection
Remote Dial-in control
Quality assurance and quality control are two aspects of quality management.
While some quality assurance and quality control activities are interrelated,
the two are defined differently. Typically, QA activities and responsibilities
cover virtually all of the quality system in one fashion or another, while QC is
a subset of the QA activities. Also, elements in the quality system might not
be specifically covered by QA/QC activities and responsibilities but may
involve QA and QC. Figure 1 shows ISO 9000 definitions from ISO 9000:2015:
Quality management systems - Fundamentals and Vocabulary.
Quality Assurance
Quality assurance can be defined as "part of quality management focused on
providing confidence that quality requirements will be fulfilled." The
confidence provided by quality assurance is twofold—internally to
management and externally to customers, government agencies, regulators,
certifiers, and third parties. An alternate definition is "all the planned and
systematic activities implemented within the quality system that can be
demonstrated to provide confidence that a product or service will fulfill
requirements for quality."
Quality Control
Quality control can be defined as "part of quality management focused on
fulfilling quality requirements." While quality assurance relates to how a
process is performed or how a product is made, quality control is more the
inspection aspect of quality management. An alternate definition is "the
operational techniques and activities used to fulfill requirements for quality."
Need for SQA:-
Customers do not expect failure
Failures can have massive effects
Delivering good quality
Ethical Dimensions:-
Inappropriate use of technology & resources
Inefficiency
Record manipulations
Deletion /distortion of information
Unauthorized access to database
Fraudulent fund transfers
Unauthorized use of passwords, cards, PINs etc
Criminal hacking
Developing & transferring viruses
Unauthorized e-mail monitoring
Unauthorized surveillance
Privacy issues
Social Dimensions:-
Automation leading to unemployment
New employments in IT area
Creating knowledge based society
New ways of wealth creation
Globalization
Removal of social barriers
Self centered society
Types of IPR
Patent: Exclusive right granted for an invention, which is a product or a process that
provides a new way of doing something, or offers a new technical solution to a problem
Trademarks:
A trademark is a distinctive sign that identifies certain goods or services as
those produced or provided by a specific person or enterprise. It may consist
of one or a combination of words, letters, and numerals.
Copyrights:
A legal term describing the rights given to creators for their literary and
artistic works, such as novels, poems, etc.
Trade Secret
Trade secrets are the secrets of a business. They are proprietary systems,
formulas, strategies, or other information that is confidential and is not meant
for unauthorized commercial use by others. This is a critical form of protection
that can help businesses to gain a competitive advantage.
What is cybercrime?
Cybercrime is criminal activity that either targets or uses a computer, a
computer network or a networked device.
Some cybercriminals are organized, use advanced techniques and are highly
technically skilled. Others are novice hackers.
Cybercrime that targets computers often involves viruses and other types of
malware.
Cybercrime that uses computers to commit other crimes may involve using
computers or networks to spread malware, illegal information or illegal images.
So, what exactly counts as cybercrime? And are there any well-known
examples?
When the WannaCry ransomware attack hit in 2017, 230,000 computers were
affected across 150 countries. Users were locked out of their files and shown
a message demanding that they pay a Bitcoin ransom to regain access.
Phishing
A famous example of a phishing scam from 2018 was one which took place
over the World Cup. According to reports by Inc, the World Cup phishing scam
involved emails that were sent to football fans.
These spam emails tried to entice fans with fake free trips to Moscow, where
the World Cup was being hosted. People who opened and clicked on the links
contained in these emails had their personal data stolen.
Cybercriminals who are carrying out cyberextortion may use the threat of a
DDoS attack to demand money. Alternatively, a DDoS may be used as a
distraction tactic while another type of cybercrime takes place.
Keeping your software and operating system up to date ensures that you benefit
from the latest security patches to protect your computer.
Anti-virus software allows you to scan for, detect and remove threats before
they become a problem. Having this protection in place helps to protect your
computer and your data from cybercrime, giving you peace of mind.
If you use anti-virus software, make sure you keep it updated to get the best
level of protection.
A classic way that computers get infected by malware attacks and other forms
of cybercrime is via email attachments in spam emails. Never open an
attachment from a sender you do not know.
Never give out personal data over the phone or via email unless you are
completely sure the line or email is secure. Make certain that you are speaking
to the person you think you are.
If you get asked for data from a company who has called you, hang up. Call
them back using the number on their official website to ensure you are speaking
to them and not a cybercriminal.
Ideally, use a different phone because cybercriminals can hold the line open.
When you think you’ve re-dialed, they can pretend to be from the bank or other
organization that you think you’re speaking to.
Keep an eye on the URLs you are clicking on. Do they look legitimate? Avoid
clicking on links with unfamiliar or spammy looking URLs.
Keep an eye on your bank statements and query any unfamiliar transactions
with the bank. The bank can investigate whether they are fraudulent.
Cyber Law
Information technology is changing rapidly and gaining popularity in most
aspects of our lives. Computers play an important role in today's era, but
that also includes people who commit crimes using computers. Law enforcement
must become more educated in the cyber sector just to be able to keep up with
these types of criminal elements. One of the major difficulties is educating
people on cyber laws and security practices, such as handling sensitive data,
records, and transactions, and implementing robust security technology, such
as firewalls, anti-virus software, intrusion detection tools, and
authentication services on computer systems. Therefore, this section explains
a significant part of cyber security: cyber law.
Cyber law, also known as cyber crime law, is legislation focused on the
acceptable behavioral use of technology including computer hardware and
software, the internet, and networks. Cyber law helps protect users from
harm by enabling the investigation and prosecution of online criminal
activity. It applies to the actions of individuals, groups, the public,
government, and private organizations.
Cyber law is like any other legal rule or policy that should be followed in our
day-to-day life to stay out of trouble. These laws are formed with several
issues in mind, such as our society, morals, computer ethics, etc. The only
difference is that cyber law applies to the internet and internet-related
technologies only. Cyber law is formed to maintain discipline and justice in
the cyber world. This area of the legal system was introduced because crime
related to computers and other technology was increasing rapidly. These crimes
did not fall under any existing legal category, therefore a separate body of
law was formed, named cyber law.
Cyber law provides legal protections to people using the internet including both
businesses and regular citizens. It is important for anyone using the internet to be
aware of the cyber laws of their country and local area so that, they know what
activity is legal online and what is not. Also, if anything happens with them
online, they know how they can act regarding that matter accordingly.
These laws cover many areas and activities occurring online and serve a variety
of purposes. Some laws are formed to defend people online from malicious
activities; others set the policies for using computers and the internet in a
company. All of these broad categories fall under cyber law. Some of the
wide-ranging areas encompassed by cyber laws are:
Scams/Fraud
Cyber laws exist to protect people from online frauds and scams; these laws
address financial crimes and identity theft that happen online.
Copyrighting Issues
The Internet is the source of many types of content, but it is not right to copy
the hard work of another person. Cyber laws contain strict provisions against
copyright infringement that protect the creative work of companies and
individuals.
Defamation
Online platforms like social media are the best places to speak your mind
freely, but there is a thin line between exercising the right to free speech
and defaming someone online. Cyber laws address issues like online insults,
racism, and gender-targeted abuse to protect a person's reputation.
Harassment
Harassment is a violation of both civil and criminal laws. This crime is a major
issue in cyberspace. The legal system has strict laws to prohibit these
despicable crimes.
Data Protection
People using the internet risk their privacy while being online and often rely on
cyber laws and policies to protect their secrets. Also, companies should maintain
the confidentiality of data of their users.
Cyber laws prescribe different forms of punishment depending on the type of law
you broke, whom you offended, where you violated the law, and where you live.
These crimes may endanger the confidentiality and financial security of a nation
therefore these problems should be addressed lawfully.
Other essential skills for those seeking careers related to cybersecurity and cyber law
include competency with security tools and knowledge of security analysis, project
management, and data analytics.
Security Tools: Security tools help organizations prevent and defend against
cyber crime, enabling a quick recovery from damages related to a cyber attack.
For example, a security information management tool can enhance visibility
across a network’s infrastructure, while providing details of specific cyber
incidents.
Security Analysis: Understanding how security tools fit into the cyber risk
management strategy of an organization is essential. In addition to addressing
known threats, identifying and analyzing risks is important to minimize successful
cyber attacks.
Data Analytics: While security tools provide vital data to identify and mitigate
cyber threats, data without insight delivers little benefit. Data analytics help
security professionals to decipher collected data to identify new and emerging
threats and determine effective countermeasures.
System Security
System security refers to protecting the system from theft, unauthorized access and
modifications, and accidental or unintentional damage. In computerized systems,
security involves protecting all the parts of computer system which includes data,
software, and hardware. Systems security includes system privacy and system
integrity.
System privacy deals with protecting individuals' systems from being
accessed and used without the permission/knowledge of the concerned
individuals.
System integrity is concerned with the quality and reliability of raw as well
as processed data in the system.
System Audit
It is an investigation to review the performance of an operational system. The
objectives of conducting a system audit are as follows −
To compare actual and planned performance.
To verify that the stated objectives of system are still valid in current
environment.
To evaluate the achievement of stated objectives.
To ensure the reliability of computer based financial and other information.
To ensure all records are included while processing.
To ensure protection from frauds.
Audit of Computer System Usage
Data processing auditors audit the usage of the computer system in order to
control it. The auditor needs control data, which is obtained from the computer
system itself.
The role of the auditor begins at the initial stage of system development so
that the resulting system is secure. Recording how the system is utilized helps
in load planning and in deciding on hardware and software specifications, and
gives an indication of proper use of the computer system as well as possible
misuse.
Audit Trail
An audit trail or audit log is a security record of who has accessed a computer
system and what operations were performed during a given period of time. Audit
trails are used to trace in detail how data on the system has changed.
It provides documentary evidence of the control techniques that a transaction is
subject to during its processing. Audit trails do not exist independently; they
are maintained as part of accounting and are used for recovering lost
transactions.
Audit Methods
Auditing can be done in two different ways −
Audit Considerations
Audit considerations examine the results of the analysis by using both the
narratives and models to identify the problems caused by misplaced functions,
split processes or functions, broken data flows, missing data, redundant or
incomplete processing, and unaddressed automation opportunities.
The activities under this phase are as follows −
Control Measures
There are variety of control measures which can be broadly classified as follows −
Backup
Password system.
Encrypting sensitive data/programs.
Training employees on data care/handling and security.
Antivirus software and Firewall protection while connected to internet.
Risk Analysis
A risk is the possibility of losing something of value. Risk analysis starts with
planning for secure system by identifying the vulnerability of system and impact of
this. The plan is then made to manage the risk and cope with disaster. It is done to
accesses the probability of possible disaster and their cost.
Risk analysis is a teamwork of experts with different backgrounds like chemicals,
human error, and process equipment.
The following steps are to be followed while conducting risk analysis −
Identification of all the components of computer system.
Identification of all the threats and hazards that each of the components
faces.
Quantify risks, i.e. assess the loss in case the threats become reality.
As risks and threats change, and the potential losses change with them, risk
management should be performed periodically by senior managers.
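The following is an added example, not part of the original notes, that carries the three steps above through to a ranked result using the common quantitative method: for each component/threat pair, single loss expectancy (SLE) is the asset value times the fraction of it lost per occurrence, and annualized loss expectancy (ALE) is SLE times the expected number of occurrences per year. It also shows how the same figures decide whether a proposed control is worth its cost, and gives a report function that can be re-run at each periodic review with updated estimates. Every component, threat and figure in the register is constructed sample data.

```python
from dataclasses import dataclass, replace

# Added example (not from the original notes): a quantitative risk register that
# carries the three steps in the text through to a ranked result. For each
# component/threat pair we estimate the asset value, the exposure factor (the
# fraction of that value lost when the threat materializes) and the annualized
# rate of occurrence, then compute single and annualized loss expectancy:
#     SLE = asset_value * exposure_factor
#     ALE = SLE * ARO
# All components, threats and figures below are constructed sample data.


@dataclass(frozen=True)
class Risk:
    component: str      # step 1: a component of the computer system
    threat: str         # step 2: a threat or hazard that component faces
    asset_value: float  # replacement/impact value in currency units
    exposure: float     # fraction of asset_value lost per occurrence (0..1)
    aro: float          # annualized rate of occurrence (events per year)


def single_loss_expectancy(r):
    return r.asset_value * r.exposure


def annualized_loss_expectancy(r):
    return single_loss_expectancy(r) * r.aro


def rank_risks(register):
    """Step 3: quantify and order risks, largest expected annual loss first."""
    return sorted(register, key=annualized_loss_expectancy, reverse=True)


def control_benefit(risk, exposure_after, aro_after, annual_cost):
    """Net annual value of a control: ALE reduction minus what the control costs.
    A negative result means the control costs more than the risk it removes."""
    before = annualized_loss_expectancy(risk)
    after = annualized_loss_expectancy(
        replace(risk, exposure=exposure_after, aro=aro_after))
    return before - after - annual_cost


SAMPLE_REGISTER = [
    Risk("customer database",   "ransomware",       500_000, 0.6,  0.2),
    Risk("customer database",   "hardware failure", 500_000, 0.1,  1.0),
    Risk("web server",          "DDoS",              80_000, 0.25, 4.0),
    Risk("office workstations", "virus infection",   40_000, 0.5,  2.0),
    Risk("server room",         "fire",             300_000, 0.9,  0.02),
]


def risk_report(register=SAMPLE_REGISTER):
    """(component, threat, ALE) rows in priority order, for the periodic review."""
    return [(r.component, r.threat, round(annualized_loss_expectancy(r), 2))
            for r in rank_risks(register)]


if __name__ == "__main__":
    for component, threat, ale in risk_report():
        print(f"{component:20} {threat:18} ALE = {ale:>10,.2f}")
    # Evaluate a proposed control: offline backups (assumed to cost 12,000 per
    # year) cut the ransomware exposure factor from 0.6 to 0.1, ARO unchanged.
    ransomware = SAMPLE_REGISTER[0]
    print("net benefit of offline backups:",
          control_benefit(ransomware, exposure_after=0.1, aro_after=0.2,
                          annual_cost=12_000))
```

Note that the ranking is driven by the product, not by any single figure: the rare, catastrophic fire ranks last here because its ARO is tiny, while the frequent, moderate DDoS ranks first. That is the reason the text insists on periodic re-analysis, since a change in either the frequency estimate or the exposure can reorder the list.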