System Security- The protection of computer facilities, equipment, programs and data from destruction by environmental
hazards (fires, floods, tornadoes, earthquakes and other natural disasters, which occur INFREQUENTLY BUT WITH
A HIGHER COST PER OCCURRENCE), by equipment, software or human error, or by computer abuse.
COMPUTER ABUSE- Deliberate violation or misuse of the computer system (FREQUENCY IS DIFFICULT TO DETERMINE AND COST PER
INCIDENT CAN VARY WIDELY).
System security controls have three objectives:
a. Prevent failures in system security- by limiting access to the equipment, programs and data and by other steps that
reduce the likelihood of security failures.
b. Detect failures in system security- so that a failure which was not prevented is discovered promptly.
c. Provide for recovery from failures in system security- so that processing, programs and data can be restored afterwards.
Security Management- ensures that the controls provide the maximum security benefit. It increases the likelihood
that the controls will work in the event of a failure in system security.
1. Establish security objectives- what the computer facilities, equipment, programs and data must be protected
against (environmental hazards, errors and computer abuse).
2. Evaluate security risks- for likelihood and cost of occurrence.
3. Develop a security plan- that provides an acceptable level of security at a reasonable cost. The plan should
describe all controls and state the purpose of including each of them. It should be reviewed and approved
prior to implementation.
4. Assign responsibilities- for system security.
5. Test system security- to determine whether the controls prevent or detect security failures or provide recovery from
them. Testing provides assurance that responsibilities are fully assigned, that procedures are understood and
followed, and that control devices function properly.
6. Evaluate system security- the test results should be used to evaluate the effectiveness of the controls in meeting
the system security objectives.
Facilities Security Controls- designed to protect computer buildings and equipment from physical damage (which can
disrupt processing and cause damage to or loss of vital data, programs and documentation).
a. Location Controls- The computer center should be remote from environmental, technological and social hazards.
b. Construction Controls- Proper construction of the computer facilities (which requires physical isolation: a separate
building for the computer center, or location in a secure part of the building) can reduce the risk of damage
from security or environmental hazards.
Security risks can be reduced by adequate construction standards:
Walls and doors should be strong.
Windows should be avoided if possible; if provided, they should contain bulletproof glass.
Safes and vaults should be used for the storage of files and documentation.
Power and communication lines should be adequately protected.
Building design should avoid security weaknesses.
Environmental risks can be reduced by the use of fire and water standards:
Fire protection includes fire-resistant walls, floors, ceilings and doors.
Common or exterior walls should have at least a one-hour fire rating.
Vaults and safes should have at least a four-hour fire rating.
Air conditioning and heating ducts should have fire dampers.
Sprinkler or flooding systems can minimize fire damage. Disadvantage: they may cause water damage to
equipment.
Carbon dioxide flooding systems avoid the water damage from sprinklers, but the gas is dangerous to
personnel because it displaces oxygen, so the room must be evacuated before discharge.
Halon gas fire extinguishment avoids water damage and presents little danger to personnel at the concentrations
used. (Halon production has since been halted under the Montreal Protocol because of its effect on the ozone
layer; new installations use other clean-agent systems instead.)
c. Access Controls- necessary to prevent unauthorized access to the facilities and to enforce segregation of duties.
Library Controls- restrict access to data files, computer programs and documentation. These controls are provided by
a librarian function and by physical safeguards over file usage.
Library Function- provides physical control over file usage and file quality. It should be performed by a full-time
librarian who controls the issue and return of files.
a. Internal header and trailer labels- Machine-readable labels written at the start and end of a file. The system
software reads the header label to ensure that the correct file (by name, creation date and generation) is being
used for processing, and the trailer label (record count and control totals) to ensure that the file has been read
in its entirety and that no records have been lost or added.
b. External labels- Labels on the outside of the reel or pack that give the operator visible confirmation that the
correct files are being used.
c. Protective rings- A removable ring on a magnetic tape reel; the drive can write to the tape only when the ring is
present ("No ring, no write"), so a master file stored without its ring cannot be overwritten by mistake.
d. Read-Only Switch- Permits the operator to turn off the writing capability of a disk drive.
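The header and trailer label checks above, as an added example (not code from the original notes). The record layout, the file name PAYROLL-MASTER, the generation number and the sample records are constructed assumptions; the point is that the header is checked before any record is processed and the trailer is checked only after every record has been read, so a wrong file, a wrong generation, a dropped record, a changed amount or a truncated transfer each produce a distinct rejection.

```python
"""Validate internal header and trailer labels on a sequential batch file.

Added example, not from the original notes. The record layout is a constructed
assumption for illustration:
    HDR|<file-id>|<creation-date>|<generation-number>
    DAT|<account>|<amount>
    TRL|<record-count>|<amount-total>
"""
from decimal import Decimal, InvalidOperation


class LabelError(ValueError):
    """Raised when the file's labels do not match what the job expected."""


def validate_labelled_file(lines, expected_file_id, expected_generation):
    """Check the header label, read every data record, then check the trailer.

    Returns (record_count, amount_total) when everything agrees and raises
    LabelError with the reason otherwise.
    """
    if not lines:
        raise LabelError("empty file: no header label")

    header = lines[0].rstrip("\n").split("|")
    if header[0] != "HDR" or len(header) != 4:
        raise LabelError("missing or malformed header label")
    _, file_id, _created, generation = header
    # Header label check: is the right file, and the right generation of it, mounted?
    if file_id != expected_file_id:
        raise LabelError(f"wrong file mounted: {file_id!r}, expected {expected_file_id!r}")
    if generation != str(expected_generation):
        raise LabelError(f"wrong generation: {generation}, expected {expected_generation}")

    count = 0
    total = Decimal("0")
    trailer = None
    for line in lines[1:]:
        fields = line.rstrip("\n").split("|")
        if fields[0] == "TRL":
            trailer = fields
            break
        if fields[0] != "DAT" or len(fields) != 3:
            raise LabelError(f"malformed data record after {count} good records")
        try:
            total += Decimal(fields[2])
        except InvalidOperation:
            raise LabelError(f"bad amount in record {count + 1}: {fields[2]!r}")
        count += 1

    # Trailer label check: was the file read to the end, with nothing lost or added?
    if trailer is None or len(trailer) != 3:
        raise LabelError("no trailer label: file not read in its entirety")
    if trailer[1] != str(count):
        raise LabelError(f"record count mismatch: trailer says {trailer[1]}, read {count}")
    if Decimal(trailer[2]) != total:
        raise LabelError(f"control total mismatch: trailer says {trailer[2]}, computed {total}")
    return count, total


def label_status(lines, expected_file_id, expected_generation):
    """Convenience wrapper: 'OK' or the reason the file was rejected."""
    try:
        validate_labelled_file(lines, expected_file_id, expected_generation)
        return "OK"
    except LabelError as exc:
        return str(exc)


# Constructed sample file: a three-record payroll master, generation 17.
GOOD_FILE = [
    "HDR|PAYROLL-MASTER|2024-03-01|17",
    "DAT|10001|1250.00",
    "DAT|10002|980.50",
    "DAT|10003|2100.25",
    "TRL|3|4330.75",
]

if __name__ == "__main__":
    print(label_status(GOOD_FILE, "PAYROLL-MASTER", 17))
    # A record dropped in transit: trailer count and total no longer agree.
    print(label_status(GOOD_FILE[:2] + GOOD_FILE[3:], "PAYROLL-MASTER", 17))
    # The previous generation mounted by mistake.
    print(label_status(GOOD_FILE, "PAYROLL-MASTER", 16))
    # Transfer truncated before the trailer was written.
    print(label_status(GOOD_FILE[:-1], "PAYROLL-MASTER", 17))
```

The control total uses Decimal rather than float so that amounts compare exactly; a count check alone would not catch a record whose amount was altered while the count stayed the same.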
On-line Access Controls- apply where the system is used from terminals, which are usually located outside the
computer room.
a. Physical security of terminals- Access to the terminals should be restricted by room access controls (as for the
computer room) and by the use of physical terminal locks (with entry by key, card, badge or some other
identification method).
b. Authorization controls- restrict access to the system to authorized terminals and authorized users, and restrict
each of them to authorized activities.
Authorized terminals- The authorization scheme should prevent illicit terminals from accessing the
system and should restrict each authorized terminal to the programs and data files normally used from that
terminal.
Authorized users- The authorization scheme should identify the programs and files that each user is
permitted to access.
Implementation of the authorization scheme- by one of several procedures, for example authorization tables
(a matrix of terminals or users against the programs and files each may use) and locks on data records (a
record or file can be accessed only by a user or program holding the matching key).
c. Identification Controls- the method of identifying the terminal and the user, so that access can be granted on
the basis of the authorization scheme. An authorization scheme is only as strong as the identification it relies on.
Terminal identification- ensures that the computer is linked to an authorized terminal.
User identification- can be accomplished by something the user is (physiology: voiceprints, handprints and
thumbprints), by something the user has (a key to unlock the terminal, a magnetic-stripe card, or an optically
encoded badge), or by something the user knows (a password).
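The authorization-table and user-identification controls above, as an added example (not code from the original notes). The terminal names, user names, passwords and resource names are constructed assumptions. Access is granted only when the terminal is known, the user is identified by password, and both the terminal's row and the user's row in the authorization tables permit the requested program or file; each denial states which check failed so that it can be logged for detection.

```python
"""Terminal and user authorization tables with password-based user identification.

Added example, not from the original notes. Terminal names, user names,
passwords and resource names below are constructed assumptions.
"""
import hashlib
import hmac
import os

# Authorization table for terminals: the programs and files each terminal may use.
TERMINAL_AUTH = {
    "T-PAYROLL-01": {"PAYROLL-UPDATE", "PAYROLL-MASTER"},
    "T-AR-02": {"AR-POSTING", "AR-MASTER"},
}

# Authorization table for users: the programs and files each user may use.
USER_AUTH = {
    "jdoe": {"PAYROLL-UPDATE", "PAYROLL-MASTER"},
    "asmith": {"AR-POSTING", "AR-MASTER", "PAYROLL-MASTER"},
}


def make_credential(password, salt=None):
    """Store a salted PBKDF2 hash rather than the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


# Credential store: constructed sample passwords for the two users.
CREDENTIALS = {
    "jdoe": make_credential("correct-horse-battery-staple"),
    "asmith": make_credential("Tr0ub4dor&3"),
}


def identify_user(user_id, password):
    """User identification by something the user knows, with a constant-time compare."""
    if user_id not in CREDENTIALS:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        make_credential(password, b"\x00" * 16)
        return False
    salt, stored = CREDENTIALS[user_id]
    _, presented = make_credential(password, salt)
    return hmac.compare_digest(stored, presented)


def authorize(terminal_id, user_id, password, resource):
    """Decide one access request and return (granted, reason).

    The terminal must be known, the user must be identified, and both the
    terminal's and the user's authorization-table entries must permit the
    resource. The reason names the failed check so it can be logged.
    """
    if terminal_id not in TERMINAL_AUTH:
        return False, f"unknown terminal {terminal_id}"
    if not identify_user(user_id, password):
        return False, f"user identification failed for {user_id!r}"
    if resource not in TERMINAL_AUTH[terminal_id]:
        return False, f"terminal {terminal_id} not authorized for {resource}"
    if resource not in USER_AUTH.get(user_id, set()):
        return False, f"user {user_id} not authorized for {resource}"
    return True, "granted"


if __name__ == "__main__":
    for req in [
        ("T-PAYROLL-01", "jdoe", "correct-horse-battery-staple", "PAYROLL-MASTER"),
        ("T-AR-02", "asmith", "Tr0ub4dor&3", "PAYROLL-MASTER"),  # user may, terminal may not
        ("T-PAYROLL-01", "jdoe", "wrong", "PAYROLL-MASTER"),
        ("T-LOBBY-09", "jdoe", "correct-horse-battery-staple", "PAYROLL-MASTER"),
    ]:
        print(req[0], req[1], req[3], "->", authorize(*req))
```

The second request shows why both tables are consulted: asmith is permitted PAYROLL-MASTER, but not from the receivables terminal, which is exactly the "restrict each terminal to the files normally used from it" rule.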
d. Data Communication Access Controls- Controls that reduce the danger from wiretapping include fragmentation,
message intermixing and encryption.
Fragmentation- is the communication of a message one fragment at a time.
Message intermixing- is the communication of several messages simultaneously, so that the line carries
interleaved fragments of different messages.
Fragmentation and intermixing only make interception less convenient; a wiretapper who records the whole line
can reassemble the traffic. Encryption is the only one of the three that protects the content itself.
Encryption- provides an additional level of security over data transmission. The original data can only be
recovered by the person or device that knows the key. Encoding is performed by an algorithm (one or more
operations on the data that disguise their information content) under the control of a key (a secret value
that selects which transformation the algorithm applies). Decoding reverses the transformation using the same
or a corresponding key. The algorithm itself should be assumed to be known to an attacker; the security rests
on keeping the key secret, so key management (generation, distribution and storage of keys) is part of the
control. Encryption by itself conceals the data but does not detect alteration of the ciphertext in transit;
a message authentication code or an authenticated encryption mode is needed for that.
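The algorithm/key relationship and the integrity caveat above, as an added example (not code from the original notes). To stay within the Python standard library it builds a stream cipher from SHA-256 in counter mode plus an HMAC-SHA256 tag (encrypt-then-MAC); that construction, the 16-byte nonce, the 32-byte tag and the sample message are assumptions for illustration, and production code should use an authenticated cipher such as AES-GCM from a vetted library. The algorithm is entirely public; the eavesdropper still learns nothing without the key, and an altered message is rejected before any decryption takes place.

```python
"""Keyed encryption of a message for transmission, with an integrity check.

Added example, not from the original notes. Illustrative construction from the
standard library (SHA-256 counter-mode keystream, HMAC-SHA256 tag); use
AES-GCM or similar from a vetted library in practice.
"""
import hashlib
import hmac
import os


def derive_keys(master_key):
    """Split one shared secret into separate encryption and MAC keys."""
    enc_key = hmac.new(master_key, b"encryption", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"authentication", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key, nonce, length):
    """Public algorithm: concatenated SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(master_key, plaintext, nonce=None):
    """Return nonce || ciphertext || tag. A fresh nonce per message is essential."""
    nonce = nonce if nonce is not None else os.urandom(16)
    enc_key, mac_key = derive_keys(master_key)
    ks = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(master_key, message):
    """Verify the tag first, then reverse the XOR with the same keystream."""
    if len(message) < 16 + 32:
        raise ValueError("message too short")
    nonce, ciphertext, tag = message[:16], message[16:-32], message[-32:]
    enc_key, mac_key = derive_keys(master_key)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or altered ciphertext")
    ks = keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def wiretap_demo():
    """What a passive and an active wiretapper can and cannot do; returns outcomes."""
    key = os.urandom(32)
    wrong_key = os.urandom(32)
    msg = b"TRANSFER 12000.00 FROM 10001 TO 10003"  # constructed sample message
    wire = encrypt(key, msg)

    results = {"round_trip": decrypt(key, wire) == msg}
    # Passive wiretapper: sees the bytes on the line, not the content.
    results["ciphertext_differs"] = wire[16:-32] != msg
    # Wrong key: the tag does not verify and nothing is decrypted.
    try:
        decrypt(wrong_key, wire)
        results["wrong_key_rejected"] = False
    except ValueError:
        results["wrong_key_rejected"] = True
    # Active wiretapper flips one bit inside the amount; the MAC catches it.
    tampered = bytearray(wire)
    tampered[16 + 9] ^= 0x01
    try:
        decrypt(key, bytes(tampered))
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True
    return results


if __name__ == "__main__":
    print(wiretap_demo())
```

Without the tag, the bit flip in the demo would silently change a digit of the amount after decryption, which is the gap that encryption alone leaves open.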
Detection Devices- electronic or mechanical devices that detect fire or unauthorized access. Their purpose is to
provide an opportunity for intervention to minimize damage or loss.
Fire Detection Devices- alert personnel to take action to protect equipment and files and to put out the fire. They are
heat-sensitive (usually fusible links built into the water nozzles of a sprinkler system) or smoke-sensitive (able to
detect electrical fires much more quickly than heat-sensitive devices).
Intrusion Detection Devices- alert personnel to unauthorized access:
a. Microswitches- detect the presence of an intruder by breaking or completing an electric circuit (for example when
a door or panel is opened).
b. Beams- can be directed across computer room entrances or other high-security areas; an interrupted beam signals
an intruder.
c. Ultrasonic and radar detectors- designed to detect movement within the computer facilities.
d. Microphones- detect sound in the computer facilities.