Security & control in management information system
SECURITY AND CONTROL IN INFORMATION SYSTEMS
• Security concepts covers a wide array of activities, includes products and processes to prevent unauthorized access, modification and deletion of information knowledge, data and facts.• Information Systems Concerns:1. Unintentional threats • Human error – in design or use of system • Environmental hazards – acts of God and other • Computer system failures – faulty products2. Intentional threats • Systems are subject to a wide variety of hazards from criminal attacks
GOALS OF INFORMATION SECURITY1) Prevention• Prevent computer or information violations from occurring. - Simple incidents are losing a password, or leaving a terminal logged on overnight2) Detection• Detection includes identifying the assets under attack, how it occurred and by whom.3) Response• Refers to developing strategies and techniques to deal with an attack or loss.
RISK TO IS : 1. Risk to Application and Dataa) Computer crime• The unauthorized use, access, modification, and destruction of hardware, software, data, or network resources.• The unauthorized release of information• The unauthorized copying of software• Denying an end user access to his or her own hardware, software, data, or network resourcesb) Hacking• Hacking is the obsessive use of computers, or the unauthorized access and use of networked computer systems.• Illegal hackers (also called crackers) frequently assault the Internet and other networks to steal or damage data and programs.• Hackers can monitor e-mail, web server access, or file transfers to extract passwords or steal network files, or to plant data that will cause a system to welcome intruders.• Use remote services that allow one computer on a network to execute programs on another computer to gain privileged access within a network.
RISK TO IS : 1. Risk to Application and Datac) Cyber-Theft- Many computer crimes involve the theft of money.- Involve unauthorized network entry and fraudulent alternation of computer databases to cover the tracks of the employees involved.d) Unauthorized Use at Work- This may range from doing private consulting or personal finances, or playing video games to unauthorized use of the Internet on company networks.e) Software Piracy- Unauthorized copying of software or software piracy is a major form of software theft because software is intellectual property, which is protected by copyright law and user licensing agreements.
RISK TO IS : 1. Risk to Application and Dataf) Piracy of Intellectual Property• Software is not the only intellectual property subject to computer-based piracy. Other forms of copyrighted material, such as music, videos, images, articles, books, and other written works.g) Computer Viruses and Worms• Virus - is a program code that cannot work without being inserted into another program. Worm - is a distinct program that can run unaided. They typically enter a computer system through illegal or borrowed copies of software or through network links to other computer systems.
RISK TO IS : 1. Risk to Hardwarea) Natural Disaster• Disasters that pose a risk to IS include fires, floods, hurricanes, which can destroy hardware, software and can causing total @ partial paralysis of systems @ communications lines.b) Blackout & Brownout• Blackout – loses of electrical power.• Brownout – the voltage of power decreases @ short interruptions in the flow of power.• Vandalism - occur when human beings deliberately destroy computer systems.
Major Types of Defense Strategies1. Encryption Encryption characteristics include:• Passwords, messages, files, and other data can be transmitted in scrambled form and unscrambled by computer systems for authorized users only.• Encryption involves using special mathematical algorithms, or keys, to transform digital data into a scrambled code before they are transmitted, and to decode the data when they are received.2. Authentication• Authentication is a critical part of a security system. It is part of the process referred to as Identification and authentication (I&A). Identification process starts when a user ID or Logon name is typed into a sign on screen. Authentication methods are based on one or more of three factors. 1) password or PIN. 2) smart card or an identification device. 3) fingerprints or retinal pattern.
Major Types of Defense Strategies3. Firewalls• Firewall computers and software is another important method for control and security on the Internet and other networks. A network firewall can be a communications processor, typically a router, or a dedicated server, along with firewall software.4. E-Mail Monitoring• Internet and other online e-mail systems are one of the favourite avenues of attack by hackers for spreading computer viruses or breaking into networked computers.5. Virus Defenses (Antivirus Software)• Antivirus software scan’s the computers memory, disks and all email. It uses a virus definition file that is updated regularly.
5 Major Characteristics of Firewall• A firewall serves as a “gatekeeper” computer system• A firewall computer screens all network traffic for proper passwords and other security.• only allows authorized transmissions in and out of the network.• Firewalls have become an essential component of organizations connecting to the Internet.• Firewalls can deter, but not completely prevent, unauthorized access (hacking) into computer networks.
Major Types of Defense Strategies6. Backup Files• Backup files, which are duplicate files of data or programs, are another important security measure.• Files can be protected by file retention measures that involve storing copies of files from previous periods.• Several generations of files can be kept for control purposes.7. Security Monitors• System security monitors are programs that monitor the use of computer systems and networks and protect them from unauthorized use, fraud, and destruction.
Major Types of Defense Strategies8. Biometric ControlsUses physical characteristics to identify the user.• Voice verification• Fingerprints• Hand geometry• Signature dynamics• Retina scanning• Face recognition• Genetic pattern analysis5. Disaster Recovery• Hurricanes, earthquakes, fires, floods, criminal and terrorist acts, and human error can all severely damage an organizations computing resources. Many organizations, like airlines and banks can be crippled by losing even a few hours of computing power.
Business Recovery Plan• Business recovery plan – concern on the disaster recovery has spread beyond banks, insurance companies and data centers. It the traditional recovery fanatics.
9 Steps of the Development a Business Recovery Plan1. Obtain management’s commitment to the plan Top management must be convinced of the potential damages that paralysis of information systems may cause.2. Establish a planning committee Coordinator establishes a planning committee comprising representative from all business unit that are dependent on computer-based ISs.3. Perform risk assessment and impact analysis The committee assesses which operations would be hurt by disasters and how long the organization could continue to operate without damaged resources.4. Prioritize recovery needs The disaster recovery coordinator ranks each IS application according to its effect on an organization’s ability to achieve its mission.
9 Steps of the Development a Business Recovery Plan5. Select a recovery plan Recovery plan alternatives are evaluated by considering advantages and disadvantages in terms of risk reduction, cost and the speed.6. Select vendors Vendor’s ability to provide telecommunications alternatives, experience and capacity to support current applications.7. Develop and implement the plan The plan includes organizational and vendor responsibilities and the sequence of events that will take place.8. Test the plan Walk through with each business unit, simulations as if a real disaster had occurred and deliberate interruption of the system and implementation of the plan.9. Continually test and evaluate Must be aware of the plan al the times.
General Controls to Minimize Errors and Disasters of Information Systems– Software controls—monitors the use of system software and prevents unauthorized access of software programs, system software, and computer programs.– Hardware controls—ensure that computer hardware is physically secure and functioning properly.– Computer operations controls—oversee the work of the computer department to ensure that programmed procedures are consistently and correctly applied.– Data security controls—ensures that valuable business data files are not subjected to unauthorized access, change, or destruction.– Implementation controls—audit the systems development process at various points to ensure that the process is properly controlled and managed.– Administrative controls—formalized standards, rules, procedures, and control disciplines to ensure that the organization’s controls are properly executed and enforced.
Security Management Steps to Protect Computer System Resources