
IT for Management: On-Demand Strategies for Performance, Growth, and Sustainability

Twelfth Edition

Turban, Pollard, Wood

Chapter 5

Data Privacy and Cyber Security

Learning Objectives (1 of 5)


Copyright ©2021 John Wiley & Sons, Inc.

Data Privacy Concerns and Regulations

Extent and Cost of Cyberattacks and Cyberthreats

Cyberattack Targets and Consequences

Defending Against Cyberattacks and Managing Risk

Regulatory Controls, Frameworks and Models

Data Privacy Concerns and Regulations

Data privacy is the right to self-determine what information about you is made accessible, to whom, when, and for what use or purpose

It centers around the following four main concerns:

How data are shared with third parties

How data are collected and stored

How data are used

How data are regulated


Confused, Concerned, and Out of Control


Privacy paradox is the disconnect between how important people say their online privacy is versus how they actually behave in real life.

U.S. Consumer Protection Data Privacy Regulations

U.S. Federal consumer protection data privacy regulations currently in place include:

Health Insurance Portability and Accountability Act (HIPAA)

Gramm-Leach-Bliley Act

Privacy Protection Act of 1980

Driver’s Privacy Protection Act (DPPA)

Fair Credit Reporting Act

All 50 U.S. states have adopted data breach notification laws. At least 35 states and Puerto Rico have data disposal laws and 25 states have enacted data privacy laws


European Union’s General Data Protection Rules (GDPR)

The GDPR is an EU-wide consumer Bill of Rights enacted in May 2018.

It empowers EU consumers by forcing retailers, marketers, and others to explicitly tell consumers how they are collecting, using, and storing consumers’ personal data.

Companies that violate the GDPR face a maximum fine of $23 million (€20 million) or 4% of their annual global turnover, whichever is larger.


The EU-U.S. Privacy Shield

The EU does not consider the data privacy laws currently in place in the United States to be adequate, so U.S. businesses must work around this requirement by adhering to the EU-U.S. Privacy Shield.

The EU-U.S. and Swiss-U.S. Privacy Shields are designed to provide companies on both sides of the Atlantic with a mechanism to comply with GDPR data protection requirements.


Data Privacy Concerns and Regulations: Questions

What are the four main concerns of data privacy?

Why is it important for you to know how your online data is handled?

What is the name of the phenomenon where users are concerned about data privacy, but their behaviors contradict these concerns?

Who has responsibility for data privacy laws at the U.S. federal level?

Name three U.S. consumer protection data privacy regulations.

What is the name of the new California data protection law?

Is an EU citizen who does not live in the EU protected under the GDPR?

Why is the United States not considered part of the GDPR?

What is the name of the mechanism that brings the United States under the jurisdiction of the GDPR?



Cyberattacks and Cyberthreat Terminology (1 of 2)

Cyberattack is an actual attempt to expose, alter, disable, destroy, steal, or gain unauthorized access to a computer system, infrastructure, network, or any other smart device.

Cyber threat is the method used to commit a cyberattack that seeks to damage data, steal sensitive data, or disrupt digital life in general.

Cyber security is the discipline dedicated to protecting information and systems used to process and store it from attack, damage, or unauthorized access.


Cyberattacks and Cyberthreat Terminology (2 of 2)

Data breach is the successful retrieval of sensitive information by an unauthorized individual, group, or software system.

Vulnerability is a gap in IT security defenses of a network, system, or application that can be exploited by a cyber threat to gain unauthorized access.

Attack vector is a path or means by which a computer criminal can gain access to a computer or network server in order to deliver a malicious outcome.


Unintentional Cyber Threats

The causes for these unintentional cyber threats fall into three major categories:

Human error can occur in the design of the hardware or information system; during programming, testing, or data entry; or by neglecting to change default passwords or failing to manage patches.

Environmental hazards include volcanoes, earthquakes, blizzards, floods, power failures or strong fluctuations, fires, defective heating, ventilation and air-conditioning (HVAC) systems, explosions, radioactive fallout, and water-cooling-system failures.

Computer systems failures can occur as the result of poor manufacturing, defective materials, or poor maintenance.


Intentional Cyber Threats

Intentional security breaches are overt and direct actions designed to disrupt a system and include data theft such as inappropriate use of data; theft of computer time; theft of equipment and/or software; deliberate manipulation in handling, entering, programming, processing, or transferring data; sabotage; malicious damage to computer resources; destruction from malware and similar attacks; and miscellaneous computer abuses and Internet fraud.


Intentional Cyber threats: Hacking

Hacking is broadly defined as intentionally accessing a computer without authorization or exceeding authorized access. There are three types of hackers.

Hacktivist is short for hacker-activist: someone who performs hacking to promote awareness of, or otherwise support, a social, political, economic, or other cause.


Intentional Cyber Threats: Social Engineering

Social engineering is a hacker’s clever use of deception or manipulation of people’s tendency to trust, be helpful, or simply follow their curiosity on social media.

In a phishing attack, the attacker sends an e-mail to gain the victim’s trust by evoking a sense of curiosity, urgency or fear, to steal confidential information. This is done by the attacker posing as a known person or legitimate organization.


Intentional Cyberthreats: Spear Phishing

Spear phishers often target select groups of people with something in common.

They trick users into opening an infected email.

The emails sent look like the real thing.

Confidential information is extracted through seemingly legitimate website requests for passwords, user IDs, PINs, account numbers, and so on.


Intentional Cyber threats: Malware

Types of intrusive software:

Cookie

Spamware

Adware

Spyware

Types of hostile malware:

Zero-Day

Backdoor

Rootkit

Boot Record Infector

File Infector

Keylogger

Virus

Worm

Trojan

RATs (remote access trojans)


Malware refers to various levels of intrusive or malicious software that can run undetected in the background on an IS or personal computer.

Intentional Cyber threats: Botnets

The term botnet is derived from the words robot and network.

Cyber criminals use trojan viruses to breach the security of several user computers, take control of each computer and organize all of the infected machines into a network of “bots” they can remotely control for malicious purposes.

Botnets are typically used to send spam and phishing e-mails and launch DDoS attacks.


Intentional Cyber threats: Ransomware and Cryptojacking

Ransomware is designed to block access to a computer system until a sum of money has been paid. Ransomware works by first infiltrating a computer with malware and then encrypting all the files on the disk.

Cryptojacking is a ransomware-like scheme to use other people’s devices without their consent or knowledge to secretly siphon off cryptocurrency at the victim’s expense.

SQL Injection is one of the most dangerous vulnerabilities of a network app since attackers can use SQL injection to bypass application security measures. The intent is to execute SQL code inside an app or Web page for personal gain or simply to be destructive.


Intentional Cyber threats: Man-in-the-middle (MitM)

MitM attacks occur when cyber criminals insert themselves between two parties in a transaction with the intention of stealing data.


Intentional Cyber threats: Denial of Service Attacks


Intentional Cyber threats: Insider Threats

Internal threats and misuse-of-privilege threats are a major challenge, largely due to the many ways an employee or contractor can carry out malicious activities.

Data tampering is a common means of cyberattack.

Data tampering refers to an attack during which someone enters false or fraudulent data into a computer, or changes or deletes existing data.

Data tampering is extremely serious because it may not be detected; it is the method often used by insiders and fraudsters.


Cyber Threats: Intentional/Unintentional

Physical theft or loss is the threat of an information asset going missing, whether through negligence or malice

Miscellaneous errors: The main concern related to this source of cyberthreat is a shortage of capacity that prevents information from being available where and when needed.


High Profile and Under the Radar Attacks

Advanced Persistent Threats (APT)

Launched by an attacker through phishing to gain access to an enterprise’s network

Designed for long-term espionage

Profit-motivated cybercriminals often operate in stealth mode to continue long-term activities

Hackers and hacktivists, commonly with personal agendas, carry out high-profile attacks to further their causes.

Anonymous and LulzSec are two hacker groups who have committed daring data breaches, data compromises, data leaks, thefts, threats, and privacy invasions.


How Much Does a Cyberattack Really Cost an Organization?

In 2019 the global average total cost of a data breach was $3.92 million.

The average size of a data breach was 25,575 records, the cost per record lost was $150 and it took an average of 279 days for companies to identify and contain a breach.

Companies in the United States reported the highest average cost of a breach at $8.19 million and health care had the highest industry average cost of $6.45 million.


Extent and Cost of Cyberattacks and Cyberthreats: Questions

Define and give an example of an intentional threat and an unintentional threat.

Why might management not treat cyberthreats as a top priority?

Describe the differences between distributed denial-of-service (DDoS), telephony denial-of-service (TDoS), and permanent denial-of-service (PDoS).

List and define three types of malware.

What are the risks caused by data tampering?

Define what a trojan is and explain why it is dangerous.

Why are MitM attacks on the rise? How might companies guard against MitM attacks?

What is cryptojacking? How can you protect yourself from being a victim of cryptojacking?



Cyberattack Targets and Consequences

Managers make the mistake of underestimating IT vulnerabilities and threats and appear detached from the value of confidential data (even high-tech companies).

Targets for cyberattacks include weak passwords; critical infrastructure; theft of IP; identity theft; shadow IT; bring your own device (BYOD) and social media.


Weak Passwords and Critical Infrastructure

Weak Passwords: The capture and misuse of credentials, such as user IDs and passwords, is one of the foundational skills hackers use to execute numerous types of cyberthreats, such as phishing, leaving organizations open to data breaches.

Critical infrastructure: Systems and assets, whether physical or virtual, so vital to a country that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters

Industroyer: A new form of malware developed to target critical infrastructure in the energy sector


Theft of Intellectual Property

Intellectual Property is a work or invention that is the result of creativity that has commercial value.

Includes copyrighted property such as a blueprint, manuscript or a design, and is protected by law from unauthorized use by others.

Intellectual property can represent more than 80% of a company’s value.

Losing customer data to hackers can be costly and embarrassing but losing intellectual property, commonly known as trade secrets, could threaten a company’s existence.


Identity Theft

Thefts where individuals’ Social Security and credit card numbers are stolen and used by thieves.

Made worse by electronic sharing and databases

Shadow IT (stealth IT) introduces security risks when unsupported hardware and software used by individuals or departments circumvent IT security measures that apply to approved technology


Bring Your Own Device (BYOD)

Bring Your Own Device (BYOD): employees provide their own (mobile) devices for business purposes, reducing expenses by cutting purchase and maintenance costs.

Roughly 87% of U.S. organizations are using or planning to use BYOD

Cuts business costs by not having to purchase and maintain employees’ mobile devices

Security risk: mobile devices rarely have strong authentication, access controls, and encryption even though they connect to mission-critical data and cloud services. Could also be lost or stolen.


Social Media Attacks

Social networks and cloud computing increase vulnerabilities by providing a single point of failure and attack for organized criminal networks.

Facebook recently reported that it disabled almost 1.3 billion fake accounts

Twitter suspended 70 million accounts

LinkedIn openly admitted they have no reliable system for identifying and counting duplicate or fraudulent accounts.


Networks and Services Increase Exposure to Risk

Time-to-exploitation is the elapsed time between when a vulnerability is discovered and when it is exploited.

When new vulnerabilities are found in operating systems, applications, or wired and wireless networks, patches are released by the vendor or security organization

Patch is a software program that users download and install to fix a vulnerability.


Cyberattack Targets and Consequences: Questions

What is a critical infrastructure?

List three types of critical infrastructures.

How do social network and cloud computing increase vulnerability?

Why are patches and service packs needed?

Why is it important to protect IP?

How are the motives of hacktivists and APTs different?

Explain why data on laptops and computers need to be encrypted.

Explain how identity theft can occur.



Defending Against Cyberattacks and Managing Risk

To effectively guard against cyberattacks, top management must sponsor and promote security initiatives and fund them as a top priority

The first step in a cyber security initiative is to choose a cyber defense strategy

Then adopt risk mitigation strategies specific to different types of assets and

Deploy robust security measures that are not just the responsibility of IT and top management, but the ongoing duty of everyone in an organization


Cyber Defense Strategies

The primary objective of IT security management is to defend all the components of an information system.

To do this a company must gather strategic and tactical intelligence to develop a customized cybersecurity defense.

Strategic intelligence informs HOW an organization will defend itself.

Tactical intelligence informs WHAT an organization needs to do when it is attacked.


Managing Risk

Risk is a situation involving exposure to danger.

Risk mitigation is the action taken to reduce threats and ensure resiliency.


Securing Systems: Cyber Defense Tools

Antivirus Software: Anti-malware tools are designed to detect malicious code and prevent users from downloading it.

Intrusion Detection Systems (IDSs): An IDS scans for unusual or suspicious traffic.

Intrusion Prevention Systems (IPSs): An IPS is designed to take immediate action—such as blocking specific IP addresses—whenever a traffic-flow anomaly is detected.

IP Intelligence Services: IP intelligence service providers can help organizations significantly reduce malicious network activity


Protecting Against Malware Reinfection, Signatures, Mutations, and Variants

Attempts to remove the malware can fail and the malware may reinfect the host for two reasons:

Malware is captured in backups or archives

Malware infects removable media

Malware signature is a unique value that indicates the presence of malicious code.

Zero-day exploits—malware so new their signatures are not yet known
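An added example (not from the slides) of what a signature is and why variants and zero-day malware slip past it: an exact SHA-256 signature, a looser byte-pattern signature, and a scan of a backup set before it is restored (the reinfection path listed above). Every payload is a constructed byte string, not real malware, and the family name is made up.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed sample payload standing in for a known malicious file.
SAMPLE_PAYLOAD = b"MZ-constructed-sample: drop and persist"

# Exact-value signature: the SHA-256 of the known file.
HASH_SIGNATURES: Dict[str, str] = {
    hashlib.sha256(SAMPLE_PAYLOAD).hexdigest(): "Sample.Family.A",
}

# Byte-pattern signature: a distinctive substring shared across the family.
PATTERN_SIGNATURES: Dict[bytes, str] = {
    b"constructed-sample: drop and persist": "Sample.Family.A (pattern)",
}


def match_hash(data: bytes) -> Optional[str]:
    """Exact-value match. Any change to the file, even one byte, defeats it."""
    return HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())


def match_pattern(data: bytes) -> Optional[str]:
    """Pattern match. Survives changes made outside the matched bytes."""
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern in data:
            return name
    return None


def scan(data: bytes) -> Optional[str]:
    """Cheap exact match first, then the pattern set. Returns the detection
    name, or None: a None for genuinely new code is the zero-day gap."""
    return match_hash(data) or match_pattern(data)


def scan_backup(archive: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Scan every entry of a backup set before restoring it, so a restore
    does not reintroduce the infection. Returns (entry name, detection)."""
    hits: List[Tuple[str, str]] = []
    for name, data in archive.items():
        detection = scan(data)
        if detection is not None:
            hits.append((name, detection))
    return hits


if __name__ == "__main__":
    variant = SAMPLE_PAYLOAD + b"\x90"   # a trivially altered variant
    print(scan(SAMPLE_PAYLOAD))          # Sample.Family.A
    print(match_hash(variant))           # None: the hash signature misses
    print(match_pattern(variant))        # Sample.Family.A (pattern)
    print(scan(b"brand new code"))       # None: nothing known about it yet
```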


Protect Mobile Devices

Mobile biometrics, such as voice and fingerprint biometrics, can significantly improve the security of physical devices

Voice biometrics is an effective authentication solution across a wide range of consumer devices including smartphones, tablets, and TVs

Rogue application monitoring is used to detect and destroy malicious applications

Mobile kill switch or remote wipe capability as well as encryption are needed in the event of loss or theft of a device

Encryption is the process of converting information or data into a code and is essential to prevent unauthorized access to sensitive information transmitted online.


Becoming IT Resilient

IT resilience is the ability to protect data and apps from any planned or unplanned disruption to eliminate the risk of downtime to maintain a seamless customer experience.


Backup and Recovery

An effective IT resilience strategy should consist of four elements:

Availability—keep customers continuously connected to their data and apps.

Mobility—be able to move apps and workloads while keeping them fully protected.

Agility—maintain the freedom to choose your own cloud and be able to move to, from and between clouds.

Training—IT and non-IT employees must understand their roles in case of a disruption or disaster and be trained in how to respond.


Business Continuity Planning (1 of 3)

Business continuity refers to maintaining business functions or restoring them quickly when there has been a major disruption.

The plan covers business processes, assets, human resources, business partners, and more.

Each function in the business should have a feasible backup plan.


Business Continuity Planning (2 of 3)

To supplement and strengthen a business continuity plan the following strategies can be put in place to help reduce the impact of a disaster or disruption:

Direct individual employees to make regular off-site backups of their files that can be accessed remotely with a secure username and password

Deploy a cloud-based Email Continuity Solution to provide uninterrupted access to e-mail.

Make sure you have cross-device software compatibility so that business can continue on employee mobile devices.

Unify communications on a secure off-site cloud server that will keep operating in the event of a power outage, natural disaster or other disruptions.


Business Continuity Planning (3 of 3)

To supplement and strengthen a business continuity plan the following strategies can be put in place to help reduce the impact of a disaster or disruption (cont.):

Establish a service-level agreement with your provider that offers fast support, emergency backup and routing to alternative servers when necessary.

Put processes in place to ensure that IT teams can act quickly without approvals in case of a disaster or disruption.

Make sure enough resources are allocated in the IT budget for adequate business continuity and disaster recovery services


Disaster Recovery Services

Set up a secure, off-site disaster recovery space. The three types of sites are:

Hot site: all the necessary equipment including office space, furniture, communications capabilities and computer equipment

Warm site: a fully equipped physical data center, but it has no customer data

Cold site: provides office space but requires the customer to provide and install the equipment needed to continue operations


Defending Against Cyberattacks and Managing Risk: Questions

Explain why it is becoming more important for organizations to make cyber risk management a high priority?

Name three IT defense tools.

What is the purpose of rogue application monitoring?

Why is a mobile kill switch or remote wipe capability an important part of managing cyber risk?

Why does an organization need to have a business continuity plan?

Name the three essential cybersecurity defenses.

What is the difference between hot, warm, and cold sites?

When and why do companies impose do-not-carry rules?



Regulatory Controls, Frameworks, and Models

General defense controls are established to protect the system regardless of the specific application.

Application defense controls are safeguards that are intended to protect specific applications.


Physical controls

Physical controls protect physical computer facilities and resources. Appropriate physical security may include several physical controls such as:

Appropriate design of the data center (noncombustible and waterproof).

Shields against electromagnetic fields.

Emergency power shutoff and backup batteries.

Properly designed and maintained air-conditioning systems.

Motion detector alarms that detect physical intrusion.

Badges for authorized persons.


Access controls

Access controls dictate who is authorized to use an organization’s computing resources. Restricted access is achieved through a two-step process of

user authentication to identify different users on the network and

user authorization that grants or denies specific access permissions.

Data security controls are needed to protect sensitive data throughout the five stages of its lifecycle from creation to disposal.

Communications controls restrict access to devices on the network to endpoint devices that comply with the organization’s security policy and secure the flow of data across networks.


Administrative controls

Administrative controls deal with issuing guidelines and monitoring compliance with an organization’s security guidelines.

Examples of administrative controls are:

Appropriately select, train, and supervise employees, especially in accounting and information systems

Foster company loyalty

Require periodic modification of access controls, such as passwords

Perform periodic random audits of the system


Application Defense Controls

An application defense control is a security practice that blocks or restricts unauthorized apps from executing in ways that put data at risk.

Application controls include:

Completeness checks to ensure records processing from start to finish

Validity checks to ensure only valid data is input or processed

Authentication to identify users

Authorization to ensure appropriate permissions

Input controls to ensure data integrity of all data entered


Auditing Information Systems

Auditing is an additional layer of controls or safeguards.

Auditing a website is a good preventive measure to manage the legal risk.

Auditing e-commerce is also more complex since, in addition to t
