This document discusses managing system security in organizations. It covers security threats like human error, environmental hazards, computer failures, cybercrime and intentional threats. It describes methods to defend against these risks, including preventive control systems, detection of security issues, recovery from attacks, and correction of vulnerabilities. The document also discusses IT auditing to evaluate security controls and ensure compliance.
2. The Learning Outcomes
At the end of this session you should be able to:
- EXAMINE the vulnerability of IS and the possible damage from malfunctions
- DESCRIBE the major methods in defending information systems
- DISCUSS the security issues of the Web and E-Commerce
- DESCRIBE security auditing
25. 5 Risks in Information Systems: "Human errors, environmental hazards, computer system failures, cyber crime & intentional threats"
Human errors
- In the design of hardware and information systems
- In programming, testing and authorization
- These errors contribute to the vast majority of control- and security-related problems.
Environmental hazards
- Earthquakes, hurricanes, floods, lightning strikes etc.
- Fire, defective air-conditioning, radioactive fallout, water-cooling system failures
- Smoke, heat and water damage resulting from the other environmental hazards
31. Insiders who are authorized to use the computer system but are misusing that authorization.
42. Shift supervisor and the extra overtime
56. Fraud and crimes related to the use of the internet
57. Objectives of Defense Strategies
The following are the major objectives of defense strategies:
- Prevention and deterrence: to stop attacks before they succeed, and to discourage attempts in the first place
- Detection: to discover an attack or a control failure as early as possible
- Recovery: to repair the damaged IS and restore normal operation
- Correction: to eliminate the underlying problem so that it cannot recur
69. IT Auditing
Auditors attempt to answer questions such as:
- Are there sufficient controls in the system?
- Which areas are not covered by controls?
- Which controls are not necessary?
- Are the controls implemented properly?
- Are the controls effective; do they check the output of the system?
70. IT Auditing (continued)
- Is there a clear separation of duties of employees?
- Are there procedures to ensure compliance with the controls?
- Are there procedures to ensure reporting and corrective actions in case of violations of controls?
71. How is Auditing Executed?
IT auditing procedures can be classified into three categories:
- Auditing around the computer: verifying processing by checking for known outputs using specific inputs (the system is treated as a black box).
- Auditing through the computer: inputs, outputs, and processing are checked.
- Auditing with the computer: using a combination of client data, auditor software, and client and auditor hardware.
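To make the audit questions concrete, here is an added example (not part of the original slides) of "auditing with the computer": auditor-written software run over client data. It exercises three of the questions above on constructed data: the separation-of-duties check from slide 70, the insider-misuse case from slide 31 (a user who is authenticated but acts outside their authorization), and an around-the-computer reconciliation from slide 71 (recompute the expected output from known inputs and compare it with what the client system reports). The role table, user directory, audit log and reported total are all invented for illustration; the function and field names are assumptions, not any product's API.

```python
"""Added example: a small 'auditing with the computer' script.
Every data structure below is constructed for illustration."""

# Constructed role table: which actions each role is authorized to perform.
ROLE_PERMISSIONS = {
    "clerk": {"create_invoice"},
    "manager": {"approve_invoice"},
    "finance": {"create_invoice", "approve_invoice", "pay_invoice"},
}

# Constructed user directory: a user listed here is authenticated (has an account).
USERS = {"alice": "clerk", "bob": "manager", "carol": "finance", "dave": "clerk"}

# Constructed audit log extracted from the client system: (user, action, invoice, amount).
AUDIT_LOG = [
    ("alice",   "create_invoice",  "INV-1", 1200.00),
    ("bob",     "approve_invoice", "INV-1", 1200.00),
    ("carol",   "pay_invoice",     "INV-1", 1200.00),
    ("dave",    "create_invoice",  "INV-2",  850.00),
    ("dave",    "approve_invoice", "INV-2",  850.00),  # clerk approving: not authorized
    ("carol",   "create_invoice",  "INV-3",  400.00),
    ("carol",   "approve_invoice", "INV-3",  400.00),  # authorized, but same person twice
    ("carol",   "pay_invoice",     "INV-3",  400.00),
    ("mallory", "pay_invoice",     "INV-4",   99.00),  # no account: unauthenticated
]

# Constructed figure: the total the client's payment report claims was paid.
SYSTEM_REPORTED_TOTAL_PAID = 1600.00


def unauthorized_actions(log, users, role_permissions):
    """Authorization misuse (slide 31): flag actions outside the actor's role.
    A known user doing something their role does not permit is 'unauthorized';
    an actor with no account at all is 'unauthenticated'."""
    findings = []
    for user, action, invoice, _amount in log:
        role = users.get(user)
        if role is None:
            findings.append((user, action, invoice, "unauthenticated"))
        elif action not in role_permissions[role]:
            findings.append((user, action, invoice, "unauthorized"))
    return findings


def separation_of_duties_violations(log):
    """Separation of duties (slide 70): the same person must not both create
    and approve the same invoice, even if their role allows each step alone."""
    actors_by_invoice = {}
    for user, action, invoice, _amount in log:
        actors_by_invoice.setdefault(invoice, {}).setdefault(action, set()).add(user)
    return sorted(
        invoice
        for invoice, by_action in actors_by_invoice.items()
        if by_action.get("create_invoice", set()) & by_action.get("approve_invoice", set())
    )


def reconcile_paid_total(log, reported_total):
    """Auditing around the computer (slide 71): recompute the output that the
    known inputs should produce and compare it with the system's own report.
    Returns (recomputed_total, matches)."""
    recomputed = sum(amount for _u, action, _i, amount in log if action == "pay_invoice")
    return round(recomputed, 2), abs(recomputed - reported_total) < 0.005


def run_audit():
    """Run all three checks and return the findings as one report."""
    return {
        "authorization": unauthorized_actions(AUDIT_LOG, USERS, ROLE_PERMISSIONS),
        "separation_of_duties": separation_of_duties_violations(AUDIT_LOG),
        "reconciliation": reconcile_paid_total(AUDIT_LOG, SYSTEM_REPORTED_TOTAL_PAID),
    }


if __name__ == "__main__":
    for check, result in run_audit().items():
        print(f"{check}: {result}")
```

Note what each check catches that the others miss: dave's approval is rejected by the role check, but carol's end-to-end handling of INV-3 passes every per-action authorization test and is only caught by the separation-of-duties rule; the unreconciled 99.00 difference is what points the auditor at the mallory payment that the client's report does not include.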
72. THINGS TO TAKE NOTE OF
- 5 risks in information systems
- Security threats
- Defense strategies against threats
- What are preventive control systems?
- IT audit
74. IT'S TIME FOR SOME DISCUSSIONS!
- Describe prevention, deterrence, detection, recovery, and correction.
- Discuss the terms controls, threats, vulnerability, and backup.
- What is the difference between authorized and authenticated users?
- Describe auditing of information systems.
75. IT'S TIME FOR AN IN-CLASS ACTIVITY!
- Get into groups of 5-6 members
- Identify 3 risks that your information system is susceptible to
- Provide solutions to the risks identified
76. Coming soon... next class: Management Information Systems in Organizations
DISASTER RECOVERY PLAN
- What is a disaster recovery plan?
- How does it minimize risk?