Term

Definition
1. Confidentiality
2. Privacy
3. Processing integrity
4. Availability
5. Security

Term

Definition
Sensitive information is protected from unauthorized disclosure

Term

Definition
Personal information about customers collected through e-commerce is collected, used, and maintained in an appropriate manner

Term

Definition
Data is processed:
- Accurately
- Completely
- In a timely manner
- With proper authorization

Term

Definition
The system is available to meet operational and contractual obligations

Term

Definition
Access to the system and its data is controlled

Term
Major types of preventive controls

Definition
1. Authentication controls - passwords, tokens, biometrics
2. Authorization controls - access control matrices and compatibility tests
3. Training
4. Physical access controls - locks, guards, biometric devices
5. Remote access controls - IP packet filtering by border routers
6. Host and application hardening procedures - firewalls, antivirus software, etc.
7. Encryption

Term

Definition
Authorization and authentication controls represent the organization's policies governing access to the system and limit the actions that can be performed by authorized users.

Term
Actual system use must be examined to assess compliance through:

Definition
- Log analysis (like computer lab)
- Intrusion detection systems
- Managerial reports
- Periodically testing the effectiveness of existing security procedures

Term
Three key components that satisfy the preceding criteria are:

Definition
- Establishment of a computer emergency response team
- Designation of a specific individual with organization-wide responsibility for security
- An organized patch management system (download a fix online)

Term

Definition
The process of transforming normal text, called plaintext, into unreadable gibberish. Decryption reverses this process. To encrypt or decrypt, both a key and an algorithm are needed.

Term
Two types of encryption systems

Definition
- Symmetric key encryption systems: use the same key to encrypt and decrypt - both parties must know the secret key
- A different key needs to be created for each party with whom the entity engages in encrypted transactions
- Since both sides are using the same key, there is no way to prove who created a document

Term
Asymmetric encryption systems

Definition
Use two keys:
- The public key is publicly available
- The private key is kept secret and known only to the owner of the pair of keys
- Either can be used to encrypt
- Whichever is used to encrypt, the other must be used to decrypt
- Much slower than symmetric

Term

Definition
- Symmetric to encode most commercial documents like POs and invoices
- Asymmetric to safely send the symmetric key to the recipient for use in decrypting
- Sender uses the recipient's public key to encrypt the symmetric key
- Recipient uses the private key to decrypt the symmetric key

Term

Definition
Hashing takes plaintext of any length and transforms it into a short code called a "hash"
- Differs from encryption because encryption always produces ciphertext similar in length to the plaintext, but hashing produces a hash of a fixed short length
- Encryption is reversible, but hashing is irreversible

Term

Definition
1. Hashing of the commercial data and 2. encryption of the hash are used to make a digital signature
- The document is first hashed
- The hash is then encrypted, using the sender's private key, to create a digital signature
- A digital signature is information encrypted with the creator's private key

Term
5 categories of integrity controls

Definition
- Source data controls
- Data entry controls
- Processing controls
- Data transmission controls
- Output controls

Term

Definition
If the data entered into a system is inaccurate or incomplete, the output will be too. Companies must establish control procedures to ensure that all source documents are authorized, accurate, complete, properly accounted for, and entered into the systems or sent to their intended destination in a timely manner.