Sunday, May 22, 2011

CH.12: INFORMATION SECURITY MANAGEMENT


An information security management system (ISMS) is the set of policies and controls an organization uses to manage information security and IT-related risk. Unauthorized data disclosure can occur through human error, as when someone inadvertently releases data in violation of a policy. Employees who place restricted data on Web pages that can be reached by search engines may unknowingly publish proprietary or restricted data to the whole Internet.

Pretexting occurs when someone deceives by pretending to be someone else. A common scam involves a telephone caller who pretends to be from a credit card company and claims to be checking the validity of credit card numbers. Phishing is a similar technique for obtaining unauthorized data that uses pretexting via email: the phisher pretends to be a legitimate company and sends an email requesting confidential data. Spoofing is another term for someone pretending to be someone else; email spoofing forges the sender's address, and IP spoofing occurs when an intruder uses another site's IP address as if it were that other site. Sniffing is a technique for intercepting computer communications. Drive-by sniffers simply take computers with wireless connections through an area and search for unprotected wireless networks. Even protected wireless networks are vulnerable when the protection is weak (WEP, for example) or the passphrase is guessable.

Other forms of computer crime include breaking into networks to steal data such as customer lists, product inventory data, employee data, and other proprietary and confidential data.

Faulty service includes problems that result from incorrect system operation. Faulty service could include incorrect data modification, as previously described. It also could include systems that work incorrectly, by sending the wrong goods to the customer or the ordered goods to the wrong customer, incorrectly billing customers, or sending the wrong information to employees. Faulty service can also result from mistakes made during the recovery from natural disasters.
Senders use a key to encrypt a plaintext message and then send the encrypted message to a recipient, who uses a key to decrypt it. With symmetric encryption, both parties use the same key, so the key itself has to be delivered to the other party secretly. With asymmetric encryption, each party has two keys, one public and one private: what is encrypted with the public key can be decrypted only with the matching private key. Secure Sockets Layer (SSL) is a protocol that uses both kinds. With SSL, asymmetric encryption transmits a symmetric session key, and both parties then use that key for symmetric encryption for the balance of the session, because symmetric ciphers are far faster than asymmetric ones. SSL 2.0 had serious problems, most of which were removed in SSL 3.0, which became the widely deployed version. A later version, with more problems fixed, was standardized and renamed Transport Layer Security (TLS); the SSL versions themselves are now considered insecure and should be disabled in favour of TLS. Digital signatures ensure that a message is received without alteration and that it came from the holder of the signing key: the sender signs a hash of the message with its private key, and anyone holding the matching public key can verify the signature. A signature provides integrity and authenticity, not confidentiality; the message can still be read by anyone unless it is also encrypted.

Data safeguards are measures used to protect databases and other organizational data. Business requirements may necessitate opening information systems to nonemployee personnel: temporary personnel, vendors, partner personnel (employees of business partners), and the public. In the case of temporary, vendor, and partner personnel, the contracts that govern the activity should call for security measures appropriate to the sensitivity of the data and IS resources involved. Companies should require vendors and partners to perform appropriate screening and security training.
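The hybrid exchange described above (asymmetric encryption carrying a symmetric session key, then symmetric encryption for the data) combined with a digital signature, as an added example in Go using only the standard library. This is not code from the original post or from any SSL/TLS implementation. The key pairs, the message and the one-bit tampering step are constructed for the demo, and the envelope layout (length-prefixed fields under an RSA-PSS signature) is an assumption of this example, not the SSL/TLS record format.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Envelope is this example's constructed wire format: the AES session key wrapped
// with the recipient's RSA public key, the AES-GCM nonce and ciphertext, and the
// sender's RSA-PSS signature over all three.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
	Signature  []byte
}

// signedDigest hashes the fields with length prefixes so that two different
// (key, nonce, ciphertext) splits can never produce the same signed value.
func signedDigest(parts ...[]byte) []byte {
	h := sha256.New()
	for _, p := range parts {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(p)))
		h.Write(n[:])
		h.Write(p)
	}
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal: a fresh random symmetric key encrypts the message, the recipient's public
// key encrypts that key, and the sender's private key signs the whole envelope.
func Seal(msg []byte, recipientPub *rsa.PublicKey, senderPriv *rsa.PrivateKey) (*Envelope, error) {
	key := make([]byte, 32) // AES-256 session key, used for this message only
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, msg, nil)
	// Asymmetric step: only the holder of the recipient's private key can unwrap the key.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, err
	}
	// Digital signature: proves origin and lets the recipient detect any alteration.
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, signedDigest(wrapped, nonce, ct), nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, nonce, ct, sig}, nil
}

// Open verifies the signature before touching the ciphertext, then unwraps the
// session key and decrypts. A wrong recipient key or a flipped bit yields an error.
func Open(e *Envelope, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, signedDigest(e.WrappedKey, e.Nonce, e.Ciphertext), e.Signature, nil); err != nil {
		return nil, errors.New("signature invalid: message altered or not from the claimed sender")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, recipientPriv, e.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, e.Nonce, e.Ciphertext, nil)
}

func main() {
	// Constructed demo keys; in SSL/TLS the server's public key arrives in its certificate.
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	env, _ := Seal([]byte("transfer $500 to account 42"), &bob.PublicKey, alice)
	pt, err := Open(env, bob, &alice.PublicKey)
	fmt.Printf("bob reads: %q (err=%v)\n", pt, err)
	env.Ciphertext[0] ^= 0x01 // an attacker flips one bit in transit
	_, err = Open(env, bob, &alice.PublicKey)
	fmt.Println("after tampering:", err)
}
```

The signature is checked before any decryption so that a forged or altered envelope is rejected without processing attacker-controlled ciphertext. Note that modern TLS no longer carries the session key by RSA encryption as this example does; TLS 1.3 derives it with an ephemeral Diffie-Hellman exchange so that a later compromise of the server's private key does not expose recorded sessions.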
