Fire/Ignition or Flood Caused by Supply System Damage
Information systems security
Lyon (2008) states that potential physical threats are situations and actions that can cause physical damage to a computer system. They are divided into three groups: internal, external and human.
Unstable power supply, elevated humidity in the rooms housing the hardware;
Natural disaster (earthquake, landslide, fire, tsunami, flood, volcanic eruption, contamination);
Theft/vandalism of infrastructure and hardware;
Errors of staff.
The listed physical threats thus comprise the consequences of natural phenomena, shortcomings of the system's physical environment, and the human factor.
For a small pharmacy that has recently opened within a shopping mall, the potential physical threats include all of the foregoing factors.
Potential logical threats include damage to or loss of system data and sensitive information, and unauthorised monitoring of activity on computer systems:
Computer virus;
Espionage software (spyware);
Key loggers;
Advertisement software;
DoS/DDoS attack;
Phishing.
Short definitions of each logical threat follow (Shostack, 2014).
Computer virus: malicious software that creates copies of itself and inserts them into the code of other programs, system memory or boot sectors, and spreads those copies over a variety of communication channels, with the aim of disrupting software and hardware, deleting files, blocking user operations or destroying computer hardware.
Spyware: software installed surreptitiously on a computer to collect information about its configuration, its user and the user's activity without the user's consent.
Key logger: a software module or hardware device that records every key pressed on a computer keyboard.
Adware: malicious software that automatically displays advertisements in order to generate revenue for its author.
(Distributed) denial-of-service attack: an attack on a computer system intended to make a resource unavailable to its users; in the distributed case the attack traffic comes from many sources at once.
Phishing: a type of Internet fraud aimed at obtaining sensitive user data such as logins and passwords. It is carried out by mass e-mailings purporting to come from well-known brands, or by personal messages within various services, for example on behalf of banks or within social networks.
What is the impact of all these physical and logical threats on the information security of the pharmacy?
Smoke from a fire contaminates computer equipment: smoke from a building fire carries chemicals that combine on printed circuit boards to form corrosive compounds. Dust accumulates inside computers, and cleaners may damage equipment. Biological, chemical or nuclear agents may prevent access to the affected areas or equipment for a long period, and file and system backups may be unavailable. The pharmacy's exposure is increased by: no uninterruptible power supply; no business continuity plans or procedures for recovering information and information assets; a location in an area susceptible to wildfires or urban fires, or near flammable materials; a lack of fire detection devices; failure of the rooftop water tank or of the air-conditioning cooling capacity; and water used to extinguish a fire nearby. Any of these may damage cabling, causing loss of power and damage to equipment, documents and magnetic media, and hence loss of data.
Intentional threats are those associated with the deliberate destruction or manipulation of data, information, software or hardware. Potential sources include disgruntled employees or contractors, hackers, service personnel, activists, customers, suppliers, extortionists, criminals and terrorists. Their consequences may include financial loss; loss of public confidence, image, credibility or reputation; incorrect decisions or wasted time; breach of legal obligations and duty of care; injury or loss of life; inconvenience to the public; violation of service level agreements; violation of statutory or regulatory duties; and inability to perform critical or statutory functions.
Eavesdropping: the attacker uses software to "listen" to all traffic passing over the internal or external network; wireless networks are particularly vulnerable. Sabotage: anyone with sufficient knowledge and access can render a system unusable, and can extend the damage to the user's equipment and communication lines. Deception and repudiation: a user or computer deceived about the identity of the party it is talking to may disclose confidential information, and when business is done over a network or the Internet both sides must be able to agree that a particular transaction took place. Proper safeguards are needed to ensure the integrity and authenticity of all transactions, so that both sides are protected and neither can later repudiate the transaction. Insiders have knowledge that gives them the opportunity to cause maximum disruption by sabotaging the organisation's information systems: destroying equipment and infrastructure, altering incoming data, entering erroneous data, deleting software or data, planting logic bombs or planting a virus. Masquerading is fraud committed by impersonating another person. Social engineering misleads and misdirects a person so as to obtain information through social interaction.
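The integrity, authenticity and non-repudiation safeguards mentioned above are easiest to see in code. The following Go program is an added example, not part of the original essay or of any cited author's work; the purchase order fields, the use of Ed25519 signatures and the counter-signed receipt are assumptions made for the illustration. The pharmacy signs an order with its private key, the supplier verifies it and signs a receipt bound to the order's hash, and the pharmacy verifies that receipt; a tampered order, or a check against the wrong key, fails.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Order is a constructed sample purchase order from the pharmacy to a supplier.
type Order struct {
	OrderID  string `json:"order_id"`
	Item     string `json:"item"`
	Quantity int    `json:"quantity"`
	Buyer    string `json:"buyer"`
}

// Signed bundles a canonical payload with a detached Ed25519 signature over it.
type Signed struct {
	Payload   []byte
	Signature []byte
}

// sign serialises v deterministically (encoding/json keeps struct field order)
// and signs exactly those bytes, so the verifier checks the same encoding.
func sign(priv ed25519.PrivateKey, v any) (Signed, error) {
	b, err := json.Marshal(v)
	if err != nil {
		return Signed{}, err
	}
	return Signed{Payload: b, Signature: ed25519.Sign(priv, b)}, nil
}

// verify returns the payload only if the signature was made with the private
// half of pub over these exact bytes: integrity (unchanged) and authenticity
// (from the key holder) in one check.
func verify(pub ed25519.PublicKey, s Signed) ([]byte, bool) {
	if !ed25519.Verify(pub, s.Payload, s.Signature) {
		return nil, false
	}
	return s.Payload, true
}

// Ack is the supplier's counter-signed receipt, bound to the order by its hash.
type Ack struct {
	OrderHash string `json:"order_hash"`
	Status    string `json:"status"`
}

// Acknowledge lets the supplier commit to having accepted this exact order.
// Each side signs with its own key, so neither can later deny its part.
func Acknowledge(supplierPriv ed25519.PrivateKey, order Signed) (Signed, error) {
	h := sha256.Sum256(order.Payload)
	return sign(supplierPriv, Ack{OrderHash: hex.EncodeToString(h[:]), Status: "accepted"})
}

// Tamper models an attacker changing the quantity in transit without the key.
func Tamper(s Signed, qty int) Signed {
	var o Order
	_ = json.Unmarshal(s.Payload, &o)
	o.Quantity = qty
	b, _ := json.Marshal(o)
	return Signed{Payload: b, Signature: s.Signature}
}

// Exchange runs the two-sided transaction and reports which checks pass:
// the original order, a tampered order, the order checked against the wrong
// key, and the supplier's acknowledgement verified by the pharmacy.
func Exchange() (orderOK, tamperOK, wrongKeyOK, ackOK bool, err error) {
	pharmPub, pharmPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	supPub, supPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	order := Order{OrderID: "PO-1001", Item: "amoxicillin 500 mg", Quantity: 200, Buyer: "Mall Pharmacy"}
	signed, err := sign(pharmPriv, order)
	if err != nil {
		return
	}
	_, orderOK = verify(pharmPub, signed)
	_, tamperOK = verify(pharmPub, Tamper(signed, 2000))
	_, wrongKeyOK = verify(supPub, signed)

	ack, err := Acknowledge(supPriv, signed)
	if err != nil {
		return
	}
	var a Ack
	if payload, ok := verify(supPub, ack); ok && json.Unmarshal(payload, &a) == nil {
		h := sha256.Sum256(signed.Payload)
		ackOK = a.OrderHash == hex.EncodeToString(h[:]) && a.Status == "accepted"
	}
	return
}

func main() {
	o, t, w, a, err := Exchange()
	fmt.Println("order:", o, "tampered:", t, "wrong key:", w, "ack:", a, "err:", err)
}
```

A shared-secret MAC would give the same integrity and authenticity check, but not non-repudiation: either party holding the secret could have produced it. A digital signature binds each message to the one key holder, which is what lets a disputed transaction be settled. In production the public keys would be distributed through certificates, and order identifiers or timestamps would be checked to stop a valid signed order being replayed.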
Loss of connectivity can be caused by accidental damage to network cables, loss of network equipment such as routers or servers, software malfunction, loss of the computing environment through fire or water damage to the building, or loss of basic services such as telecommunications or power.
Physical threats:
Fire:
Administrative – disaster recovery and technical training;
Preventive – fire extinguishers;
Detective – smoke and fire detectors, closed-circuit television monitors, sensors and alarms;
Corrective – backup data restoral;
Unstable power supply, elevated humidity and flooding:
Administrative – disaster recovery and technical training;
Preventive – humidity sensors, backup power, backup files and documentation;
Detective – voltage and water sensors;
Corrective – backup data restoral;
Natural disasters (no preventive measures are available):
Detective – smoke and fire detectors, closed-circuit television monitors, sensors and alarms;
Corrective – backup data restoral;
Theft/vandalism of infrastructure and hardware:
Administrative – security policy and procedures;
Preventive – motion detectors, closed-circuit television monitors, sensors and alarms, security guards, fences, biometric access controls;
Detective – closed-circuit television monitors, sensors and alarms;
Corrective – backup data restoral;
Errors of staff:
Administrative – user registration for computer access, security policy and procedures, security awareness and technical training;
Preventive – backup files and documentation, badge systems;
Detective – audit trails, intrusion-detection expert system;
Corrective – backup data restoral;
Logical threats:
Administrative – security policies and procedures;
Preventive – site selection, anti-virus software, passwords, backup files and documentation;
Detective – security reviews and audits;
Corrective – backup data restoral, technical repairs;

Administrative – security policies and procedures;
Preventive – site selection, locks and keys, passwords;
Detective – intrusion-detection expert systems;
Corrective – backup data restoral, technical repairs;

Administrative – security policies and procedures;
Preventive – encryption;
Detective – intrusion-detection expert systems;
Corrective – backup data restoral, technical repairs;

Administrative – security policies and procedures;
Preventive – dial-up access and callback systems;
Detective – intrusion-detection expert systems, audit trails;
Corrective – backup data restoral, technical repairs;

Administrative – security policies and procedures;
Preventive – dial-up access and callback systems;
Detective – intrusion-detection expert systems;
Corrective – backup data restoral, technical repairs;
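The two control tables above list "audit trails" and "intrusion-detection expert systems" as detective controls without showing what such a control does with the trail. The following Go program is an added example, written for this page and not taken from the essay or any cited author; the audit line format, the login records, the failure threshold, the one-minute window and the 08:00 to 22:00 opening hours are all constructed assumptions. It scans the login records and raises an alert for a brute-force burst from one source, for a successful login that follows such a burst, and for a successful login outside opening hours.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// SampleLog is constructed for this example: login events from the pharmacy's
// point-of-sale server, one per line, in the form
// "<RFC3339 time> LOGIN <OK|FAIL> user=<name> src=<ip>".
const SampleLog = `
2024-03-04T10:15:00Z LOGIN OK user=pharmacist1 src=192.168.1.20
2024-03-04T21:58:01Z LOGIN FAIL user=admin src=203.0.113.9
2024-03-04T21:58:03Z LOGIN FAIL user=admin src=203.0.113.9
2024-03-04T21:58:04Z LOGIN FAIL user=admin src=203.0.113.9
2024-03-04T21:58:06Z LOGIN FAIL user=admin src=203.0.113.9
2024-03-04T21:58:09Z LOGIN FAIL user=admin src=203.0.113.9
2024-03-04T21:58:15Z LOGIN OK user=admin src=203.0.113.9
2024-03-05T03:12:44Z LOGIN OK user=pharmacist1 src=192.168.1.20
2024-03-05T09:00:10Z LOGIN FAIL user=pharmacist1 src=192.168.1.20
`

// Event is one parsed audit line; Alert is one detection result.
type Event struct {
	At                         time.Time
	Action, Result, User, Src string
}

type Alert struct {
	Rule, Subject string
	At            time.Time
}

// ParseLine turns one audit line into an Event. Malformed lines are reported
// as errors rather than skipped, because a gap in the trail is itself a finding.
func ParseLine(line string) (Event, error) {
	f := strings.Fields(line)
	if len(f) < 5 {
		return Event{}, fmt.Errorf("malformed audit line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	ev := Event{At: at, Action: f[1], Result: f[2]}
	for _, kv := range f[3:] {
		if k, v, ok := strings.Cut(kv, "="); ok {
			switch k {
			case "user":
				ev.User = v
			case "src":
				ev.Src = v
			}
		}
	}
	return ev, nil
}

// recentOnly keeps only the failure timestamps still inside the sliding window.
func recentOnly(ts []time.Time, now time.Time, window time.Duration) []time.Time {
	out := ts[:0]
	for _, t := range ts {
		if now.Sub(t) <= window {
			out = append(out, t)
		}
	}
	return out
}

// Analyze applies three rules to the trail: "brute-force" when one source fails
// `threshold` times within `window` (fired once per source); "success-after-
// failures" when a login from a source over the threshold then succeeds; and
// "after-hours-login" for successful logins outside [openHour, closeHour).
func Analyze(log string, threshold int, window time.Duration, openHour, closeHour int) ([]Alert, error) {
	var alerts []Alert
	fails := map[string][]time.Time{}
	fired := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		ev, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		if ev.Action != "LOGIN" {
			continue
		}
		fails[ev.Src] = recentOnly(fails[ev.Src], ev.At, window)
		switch ev.Result {
		case "FAIL":
			fails[ev.Src] = append(fails[ev.Src], ev.At)
			if len(fails[ev.Src]) >= threshold && !fired[ev.Src] {
				fired[ev.Src] = true
				alerts = append(alerts, Alert{"brute-force", ev.Src, ev.At})
			}
		case "OK":
			if len(fails[ev.Src]) >= threshold {
				alerts = append(alerts, Alert{"success-after-failures", ev.User + "@" + ev.Src, ev.At})
			}
			if h := ev.At.Hour(); h < openHour || h >= closeHour {
				alerts = append(alerts, Alert{"after-hours-login", ev.User, ev.At})
			}
		}
	}
	return alerts, sc.Err()
}
```

Calling `Analyze(SampleLog, 5, time.Minute, 8, 22)` on the constructed records yields three alerts: the brute-force burst from 203.0.113.9, the admin login that succeeds right after it (the one most worth a phone call), and the 03:12 login by pharmacist1. The rules are deliberately simple; a real deployment would also key the brute-force counter by target account, since an attacker can rotate source addresses.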
There are four strategies for addressing risk: mitigation, assignment, acceptance and avoidance.
Mitigation: the risk level is reduced by implementing measures and tools for monitoring and control, so that the residual risk can be re-evaluated as acceptable (implementation of information security controls).
Assignment: the risk is transferred to the party that can most effectively manage it.
Acceptance: the decision to retain the risk and take no further action.
Avoidance: refusing the activity or condition that gives rise to a particular risk. This may also include acting on the source of the threat so as to change the conditions that cause the risk.
The strategy chosen for addressing the risk of physical threats is risk mitigation (the systematic reduction of the impact of a risk and of the likelihood of its occurrence).
Daryl Mather, author of The Maintenance Scorecard, asserts that all security plans must be updated periodically to ensure that they continue to achieve the company's objectives (Mather, 2012). A widespread mistake in updating corporate security plans occurs in buildings with multiple tenants: the base-building management system and the tenant's security system are incompatible, and the result is redundant, incompatible systems that increase costs for all participants.
For example, two access control systems may be in place, one for the base building and one for entering the tenant's space. The better solution is a single user interface, achieved by integrating the tenant's security measures with those deployed for the base building.
Another common mistake made by fund managers and tenants improving security in a corporate office is to deploy a large number of closed-circuit television (CCTV) cameras without the personnel required to monitor them 24/7. The number of CCTV cameras must be balanced against the number of security officers; the usual ratio is one person per 20 cameras.
Security cameras can be augmented with intrusion detection systems, which are increasingly used in sensitive or critical areas to detect tampering. A physical intrusion detection system should be networked and, based on a needs assessment, include motion, infrared, acoustic, thermal and vibration detectors and alarms, together with an on-site control unit, dedicated security response staff, and response procedures and protocols for security threats.
Shostack (2014) notes that failing to provide sufficient administrative support to properly enrol, remove and restrict employees within the security system is a common mistake. Another is the lack of proper precautions for the security of remote access, including firewalls and encryption software to prevent access by unauthorised personnel and hackers.
The strategy I have chosen for handling the risk of logical threats is risk avoidance.
While risk mitigation seeks to control the losses and financial impact of hazardous events, risk avoidance seeks to eliminate the compromising event altogether.
Although complete elimination of all risk is seldom possible, a risk avoidance strategy aims to divert as many threats as possible, so as to escape the costly and damaging effects of a devastating event. The avoidance methodology tries to minimise the vulnerabilities that could pose a threat. Risk avoidance and mitigation are achieved through policies and procedures, training and education, and the implementation of technology.
Avoidance is accomplished through:
• Usage of policy
• Usage of training and education
• Countering threats
• Overseeing technical security and safeguards.
Principles of quality risk management are increasingly used in various aspects of pharmacy. They cover the development, production, distribution, verification and review processes throughout the life cycle of drugs, medicines and biological and biotechnological products (including the use of raw materials, solvents, excipients, packaging and labelling materials in those products). Risk management is also used to assess microbiological contamination of pharmaceutical products and of manufacturing cleanroom conditions.
Avoiding a risk deprives the company of an additional source of income and thus adversely affects the pace of its economic development and the efficient use of its equity. Therefore, within the company's internal risk management mechanisms, avoidance should be applied with great care and only under the following basic conditions:
if refusing one risk does not entail the occurrence of another risk of a higher or equal level;
if the risk level is incommensurate with the profitability of the operation on the "profitability-risk" scale;
if the losses from this type of risk exceed the company's capacity to compensate them from its own funds;
if the income from the operations generating this type of risk is immaterial, i.e. makes up a negligible share of the company's positive cash flow;
if the operations are not typical of the company, are innovative, and there is no information base for determining their risk level and making appropriate management decisions.
Every stage of information security plays a significant role in the work of any company. The integrity of an information system may be compromised both physically and logically, but with the right choice of protection strategies and methods, hackers and other malefactors are far less likely to break it.
Reference list
Killmeyer, J. (2006). Information security architecture. Florida, USA: Auerbach Publications, Taylor & Francis Group.
Lyon, G. F. (2008). Security engineering: A guide to building dependable distributed systems. New York, NY: Wiley.
Mather, D. (2012). Tried and tested techniques for risk mitigation. Retrieved from http://reliabilityweb.com
Shostack, A. (2014). Threat modeling: Designing for security. New York, NY: Wiley.
Tipton, H. F. (2006). Access control principles and objectives. Auerbach Publications, CRC Press LLC.