
8.2
a) E
- Previously, companies may not have had strict rules for how they store or protect
electronic data. This could have led to situations where patient information was easily
accessible by unauthorized people, or financial data was vulnerable to hacking.
- New regulations mandate data protection: The government is now setting stricter
rules on how companies handle electronic records. This forces them to take security
more seriously to avoid legal trouble.
Example: A hospital might have previously stored patient X-rays on a server without
strong password protection. HIPAA compliance would require them to implement
stricter access controls and encryption to safeguard patient privacy.
- Healthcare (HIPAA):
Requirement: Hospitals, clinics, and other healthcare providers must retain
patient records for six years and ensure their confidentiality and security
(HIPAA privacy and security rules).
Example: A doctor's office may need to implement software that encrypts patient
records and restricts access only to authorized personnel.
- Financial Services (Gramm-Leach-Bliley Act):
Requirement: Banks, investment firms, and other financial institutions must ensure
the security of customer financial data.
Example: A bank might need to invest in stronger firewalls and employee training
programs to prevent unauthorized access to customer accounts.
- Publicly Traded Companies (Sarbanes-Oxley Act):
Requirement: Public companies must have strong internal controls to ensure the
accuracy of their financial records. This includes electronic data used for financial
reporting.
Example: A publicly traded company may need to implement a system that records
every change made to financial data, together with who made it and when, so that
the integrity of the records can be demonstrated and any manipulation detected.
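One way such a change log can be made tamper-evident, as an added example that is not part of the original notes or any particular product: each change record carries an HMAC over its own contents plus the MAC of the previous record, so editing or deleting an earlier record breaks the chain. The signing key, the account names and the change values below are all hypothetical and constructed for this example.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Hypothetical signing key. In practice it lives with a separate logging service,
# not with the people who are allowed to edit the financial data.
SECRET_KEY = b"example-log-signing-key-change-me"


def _digest(key: bytes, payload: Dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding, so the same record always hashes the same."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def append_change(log: List[Dict], user: str, account: str, field: str,
                  old_value, new_value, key: bytes = SECRET_KEY) -> Dict:
    """Append a change record that chains to the previous record (or to a fixed genesis value)."""
    prev = log[-1]["mac"] if log else "0" * 64
    body = {
        "seq": len(log),        # position in the log; catches deletions in the middle
        "user": user,
        "account": account,
        "field": field,
        "old": old_value,
        "new": new_value,
        "prev": prev,           # MAC of the previous record; catches reordering
    }
    record = dict(body, mac=_digest(key, body))
    log.append(record)
    return record


def verify_log(log: List[Dict], key: bytes = SECRET_KEY) -> Optional[int]:
    """Return None if the chain is intact, otherwise the index of the first bad record."""
    prev = "0" * 64
    for i, record in enumerate(log):
        body = {k: v for k, v in record.items() if k != "mac"}
        if record.get("seq") != i or body.get("prev") != prev:
            return i
        if not hmac.compare_digest(_digest(key, body), record["mac"]):
            return i
        prev = record["mac"]
    return None


def demo() -> tuple:
    """Constructed scenario: two legitimate changes, then an in-place edit of the first."""
    log: List[Dict] = []
    append_change(log, "alice", "revenue-2024Q3", "amount", 120000, 125000)
    append_change(log, "bob", "revenue-2024Q3", "amount", 125000, 124000)
    intact = verify_log(log)        # None: chain checks out
    log[0]["new"] = 900000          # insider rewrites history without re-signing
    tampered = verify_log(log)      # 0: first record no longer matches its MAC
    return intact, tampered
```

Two caveats a practitioner would add: truncating the log from the end is not detected by the chain alone, so the latest MAC should be periodically copied somewhere the editors cannot reach (a write-once store or a separate system); and the scheme is only as strong as the separation between the signing key and the users whose changes it records.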
b) Evidence
- Digital evidence is crucial in legal cases: Legal matters increasingly rely on electronic
data like emails, files, and online transactions as evidence.
- Companies must manage electronic records effectively: To respond to lawsuits,
businesses need well-organized and accessible electronic documents. They must
also avoid improper deletion to comply with legal requirements and minimize legal
risks.
- Electronic document retention policies are essential: These policies ensure proper
organization, accessibility, and disposal of electronic records, considering potential
use in legal investigations.
- Computer forensics plays a key role in legal proceedings: This specialized field
collects, preserves, analyzes, and presents digital evidence in court. It involves
recovering deleted or hidden data, handling evidence so that the original is not
altered and a chain of custody is maintained, and extracting the information
relevant to the case.
8.3
a) S
- General Controls: These apply broadly across the entire computer system
infrastructure, affecting all applications. They govern the overall security,
design, and use of the system, and include software, hardware, computer
operations, data security, implementation, and administrative controls.
- Application Controls: These are specific to each individual computer program or
application used within the company (e.g., payroll system, order processing system).
They ensure that data for that task is entered, processed, and stored accurately
and completely: input controls, processing controls, and output controls.
- Why are these controls important?
+ They catch mistakes before they cause problems.
+ They keep data safe from unauthorized access.
+ They ensure information processed by the system is reliable.
+ They help the computer system run smoothly.
b) Risk assessment
- A risk assessment is like a security check-up for your computer system. It helps you
identify:
+ What needs protection (your valuable information assets).
+ How vulnerable this information is (weak points in your system's security).
=> informed decisions about the best security controls to implement.
- Important:
+ Save Money: Focus security spending on areas with the highest risk and
potential loss.
Example: It wouldn't make sense to spend a lot of money on a fancy security
lock for a storage room that only contains old office supplies (low risk, low
potential loss).
+ Improve Security: Focus on the most critical areas to minimize the chances
of a security breach.
- How:
Imagine you have an online ordering system that processes thousands of
orders daily. A risk assessment would consider factors like:
+ Value of Information Assets: How valuable is the data the system holds
(customer information, order details, etc.), and what would it cost to lose it?
+ Points of Vulnerability: Which exposures could affect the system (e.g., power
failure, embezzlement, user error, an external attack)?
+ Frequency of Problems: How likely is each exposure to occur in a given year
(e.g., user errors almost daily vs. an occasional power failure)?
+ Potential for Damage: What is the range of loss if the exposure occurs
(financial losses, reputational damage)? Combining the probability with the
loss range gives an expected annual loss for each exposure, which is what the
rest of the assessment compares.
- Making Security Decisions Based on Risk:
The risk assessment will show you which areas pose the greatest risk. Here's how
you might use this information in the example above:

+ Power Outages: The assessment shows a high risk of power outages causing
data loss. You might invest in a backup system to ensure orders are not lost
during a power cut.
+ User Errors: The assessment shows a high risk of user errors causing
problems. You might implement additional training for employees on how to
use the system correctly.
+ Embezzlement: The assessment shows a lower risk of employee theft. You
might focus on preventive measures like strong passwords and access
controls, but not spend a huge amount on additional security for this area.
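The ranking described above, carried through in code as an added example that is not part of the original notes: each exposure gets an expected annual loss (annual probability times the midpoint of its loss range), the exposures are ordered by that figure, and a control is judged worth buying only if the loss it prevents exceeds its cost. The figures for the online ordering system are constructed for illustration; the function and class names are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Exposure:
    """One row of a risk assessment for a system."""
    name: str
    probability: float      # chance the exposure occurs in a year, 0..1
    loss_low: float         # smallest plausible loss per occurrence
    loss_high: float        # largest plausible loss per occurrence

    def expected_annual_loss(self) -> float:
        # Midpoint of the loss range as the per-occurrence loss, weighted by the
        # annual probability. The midpoint is a modelling choice; a skewed loss
        # distribution would call for a different point estimate.
        return self.probability * (self.loss_low + self.loss_high) / 2


def rank_exposures(exposures: List[Exposure]) -> List[Tuple[str, float]]:
    """Order exposures by expected annual loss, highest first, so spending goes where the risk is."""
    scored = [(e.name, round(e.expected_annual_loss(), 2)) for e in exposures]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def control_budget_justified(exposure: Exposure, annual_control_cost: float,
                             risk_reduction: float) -> bool:
    """A control pays for itself only if the loss it prevents per year exceeds what it costs.

    risk_reduction is the fraction of the expected annual loss the control removes.
    """
    if not 0 <= risk_reduction <= 1:
        raise ValueError("risk_reduction must be a fraction between 0 and 1")
    return exposure.expected_annual_loss() * risk_reduction > annual_control_cost


# Constructed figures for the online ordering system in the notes (not real data).
ONLINE_ORDER_RISKS = [
    Exposure("power failure", 0.30, 5_000, 200_000),
    Exposure("embezzlement", 0.05, 1_000, 50_000),
    Exposure("user error", 0.98, 200, 40_000),
]

if __name__ == "__main__":
    for name, eal in rank_exposures(ONLINE_ORDER_RISKS):
        print(f"{name:15s} expected annual loss: {eal:>10,.2f}")
    # A backup power system costing 20,000 a year that removes 90% of the
    # power-failure loss is justified; the same spend on embezzlement is not.
    print(control_budget_justified(ONLINE_ORDER_RISKS[0], 20_000, 0.9))
    print(control_budget_justified(ONLINE_ORDER_RISKS[1], 20_000, 0.9))
```

With these inputs, power failure ranks first, user error second and embezzlement last, which is exactly the spending pattern the notes arrive at: a backup system for power, training for user error, and only baseline preventive controls for embezzlement.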
c) Policy
Once you’ve identified the weak spots in your computer system's defenses (from the
risk assessment), you need a plan to protect your valuable information. This plan is
called a security policy.

- What Does a Security Policy Do?

+ Ranks Information Risks: It prioritizes which types of information need the
most protection (e.g., customer data vs. general company documents).
+ Sets Security Goals: It outlines what you want to achieve with your security
measures (e.g., prevent data breaches, ensure data privacy).
+ Defines Security Measures: It details the tools and procedures used to
achieve these goals (e.g., access controls, encryption).
- Other policies:
+ Acceptable Use Policy (AUP): This policy outlines the rules for using
company computers, phones, and internet access.
It defines what employees can and cannot do (e.g., downloading personal
software, visiting certain websites).
It also outlines consequences for breaking the rules.
+ Access Control Policies: These determine who can access specific
information within the company.
Example: Regular employees might only be able to see basic information
about other employees, while HR managers might see everything (depending
on their job duties).
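How an access control policy like the one above turns into an enforcement check, as an added example that is not part of the original notes: the policy is an allow-list of fields per role, and a role with no policy entry gets nothing rather than everything (fail closed). The roles, field names and sample record are hypothetical and constructed for this example.

```python
from typing import Dict, FrozenSet

# Hypothetical policy: which fields of an employee record each role may read.
# Anything not listed for a role is denied by default.
FIELD_POLICY: Dict[str, FrozenSet[str]] = {
    "employee": frozenset({"name", "department", "work_email"}),
    "manager": frozenset({"name", "department", "work_email", "performance_rating"}),
    "hr": frozenset({"name", "department", "work_email", "performance_rating",
                     "salary", "home_address", "ssn"}),
}


class AccessDenied(PermissionError):
    """Raised when a caller's role has no policy entry at all."""


def read_employee_record(record: Dict[str, object], role: str) -> Dict[str, object]:
    """Return only the fields the caller's role is allowed to see.

    An unknown role is refused outright: because the policy is an allow-list,
    a missing entry must fail closed instead of falling back to full access.
    """
    allowed = FIELD_POLICY.get(role)
    if allowed is None:
        raise AccessDenied(f"no access policy defined for role {role!r}")
    return {field: value for field, value in record.items() if field in allowed}


def can_read(role: str, field: str) -> bool:
    """Single-field check, usable as a guard in a UI or API layer."""
    return field in FIELD_POLICY.get(role, frozenset())


# Constructed sample record, not real data.
SAMPLE_RECORD = {
    "name": "J. Doe",
    "department": "Finance",
    "work_email": "jdoe@example.com",
    "performance_rating": 4,
    "salary": 87000,
    "home_address": "1 Example St",
    "ssn": "000-00-0000",
}


def unknown_role_is_refused() -> bool:
    """Demonstrates the fail-closed behaviour for a role the policy does not mention."""
    try:
        read_employee_record(SAMPLE_RECORD, "contractor")
    except AccessDenied:
        return True
    return False
```

The filtering happens on the server side, at the point where the record is read; hiding fields only in the user interface would leave them reachable through the API.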
d) Disaster
- Imagine running a business that faces a major disruption, such as a natural
disaster or power outage. This could shut down your computer systems and halt
your entire operation. To prepare for such events, companies need two key plans:
+ Disaster Recovery Planning:
Focuses on getting your computer systems and communication services back
up and running after a disaster.
Deals with technical issues such as backing up important data regularly and
having a backup computer system or using a disaster recovery service.
Example: A company might have a backup data center in another location to
take over if their main data center is affected by a disaster.
+ Business Continuity Planning:
Focuses on how your business will continue to operate even if the computer
systems are down.
Identifies critical business processes that must keep functioning (e.g.,
processing customer orders, handling payroll).
Develops action plans for how to maintain these critical functions without the
computer systems.
Example: A company might have a manual system for processing orders in
case their computer system goes down.
+ Working Together:
Business managers and IT specialists need to collaborate on both plans.
They need to identify the most critical systems and business processes for
the company (through a business impact analysis).
This helps determine how long the business can survive without its systems
and which functions need to be restored first.
e) Audit
- Companies need regular audits to determine if their information security
measures are working effectively.
- This audit is like a checkup for your computer systems, examining security,
controls, and overall functionality.
- Outcome: a report that lists and ranks the weaknesses found in the system's
controls, estimates how likely each is to be exploited, and describes the
potential consequences (financial losses, reputational damage, etc.).
=> The report goes to the company's management team, which is expected to
respond with a plan and timetable for fixing the significant weaknesses.

8.5 TOOLS & TECHNOLOGIES
