Information management unit 4 security,control and reporting

Information
Management
Unit 4: Security, control
and reporting
PREPARED AND PRESENTED BY,
GANESHA PANDIAN N

Content
• Security
• Testing
• Error deduction
• Controls
• IS vulnerability
• Disaster Management
• Computer crimes
• Securing the web
• Intranet and wireless
networks
• Software audit
• Ethics in IT
• User interface and reporting
2MSM-MBA Even Semester 2020

Introduction
• Information system have become ubiquitous in
the organizational world
• Information system often contain data that are
sensitive, personal and private about people and
must be protected from inquiring and
unauthorized eyes
• Providing security –major concern for managers

Objectives of Information security
1. To control the loss of assets
2. To ensure the integrity and reliability of
data
3. To improve the efficiency or effectiveness
of IS application

What is risk? (Information
Management)
• Various dangers to information systems and
the people, hardware, software, data and
other assets
• Dangers include natural disasters, thieves,
industrial spies, disgruntled employees,
computer viruses, accidents and poorly
trained or naïve employees
MSM-MBA Even Semester 2020 5

Risks, threats and vulnerabilities
• Potential risk refers to potential monetary losses,
whether those losses are direct or indirect
• EDP auditors use the term “Threat”.They refer to
people, actions, events or other situations that
could trigger losses
• Vulnerabilities – they mean flaws, problems or
other conditions that make a system, open to
threats

Assessing risks
• Risk – uncertainties (event); EDP auditors estimate potential loss in
several ways
• Method – probability of occurrence of loss (risk assessment)
• 2 basic questions asked? – 1. if loss. How an organization would
respond
2. cost of response be?
• The manager – should access-potential loss – from the lack of
availability or existence of a data file, key information, system, people,
In- house developed software and other information systems assets

Control measures
• Controls – countermeasures to threats
• Tools that are used to counter risks from people,
actions, events or situations – can threaten IS
• Prevent – the threat of unauthorized access to
sensitive data
• Controls – used to identify, prevent and reduce risk
and to recover from actual losses.

• Classifies in many ways as follows:
1. Physical control – controls that use physical
protection measures (e.g.) locking that door of
computer facilities
2. Electronic controls – electronic measures to
identify or prevent threats (e.g.) Intruder
detection, Id’s, password, biometric protection
Contd…

3. Software controls – program code controls used in IS
applications to identify, prevent or recover from
errors, unauthorized access and other threats
(e.g.) Programming code (encryption and decryption)
4. Management controls – result from setting,
implementing, and enforcing policies and procedures
(e.g.) need to take back up or archive their data at
regular intervals

Common threats to information
management
• - number of threats are common to computer
system and need the special attention from manager
1. Natural disasters – such as fire, floods, water
damages, earth quakes, landslides , hurricanes,
winds and storm damages
Security plans – 1. disaster prevention 2. disaster
containment 3. disaster recovery
Contd…

2. Employee errors – carelessness or poor employee
training may cause threat to information system.
(e.g.) incorrect entry of data, formatting of hard
disk accidentally instead of pen drive, not
checking for logical
3. Computer crime, fraud and abuse – computer
crime is hard to find at the time of occurrence
Contd…

People or employee working inside organization may
be malicious
- Cause damage by gaining access to computer
facilities, systems, software and data to commit a
variety of computer crimes.
3. Computer crimes – stealing data, damaging or
vandalizing illegally or committing fraud
Contd…

4. Industrial Espionage – the theft of an organizational
data by competitors – “Industrial Espionage” or
“Economic Espionage”
5. Hacking – Sometimes called “Cracking – because the
person cracks the log-in codes and sequences of system.
- unauthorized entry by a person into computer system
or network
Hackers – who illegally gain access to the computer
systems
Contd…

6.Toll fraud – toll charges are cheated
7. ComputerViruses – real threat to computer systems
A computer virus is a hidden program that inserts itself into
a computer system and starts attack it.
programs to detect the viruses – called as “Antivirus
programs”
8. Hardware theft andVandalism – theft of hardware's (hard
disk, CD’s like storage devices) or damages caused by
vandalism
Contd…

9. Software piracy – the software
publishers association (SPA) holds
that “any reproduction of a copyright
program is theft”
software piracy levies a much higher
toll
Contd…

10. Privacy violations – (Privacy – defined as the
capacity of individual or organizations to control
information
privacy means rights of individuals or
organizations have the ability to access, examine
and correct the data.
- causes huge damage by unwanted people access
a sensitive data or information
Contd…

11. Program bugs – defects in
programming code.Vendor provide
“patches” to the bugs in software
programs
- cause serious problem to the system
by causing sudden irreversible crashes

Protecting Information Systems
• “prevention is better than cure”
- Need to identify the potential risks and consider the use
of controls for the information systems
1. Securing Information system facilities:
Facilities for information system include the building
and rooms –furniture, hardware, software and
documents.
Contd…

- need to consider employing controls to prevent,
reduce or eliminate the threats or reduce loss.
- Should take physical security measures even in
the crisis situations.
Disaster recovery plan – the set of alternative
backups and storage triggered on the event of
unexpected disasters
Contd…

3. Securing communication system:
Communication systems provide many benefits for users
such as the ability to share data and printers
Encryption- major tool for protecting information systems –
process of exceeding data.
E-Commerce safety - the customers’ sensitive financial
information such as credit card and debit card is under the
risk of theft and misuse by criminals. So the encryption
needed
Contd…

Firewalls – when a organization connects to
external networks, the connectivity
increases the risk that an organization’s
internal information system will be
accessed by potential intruders or invaders
to reduce these risks from external sources
– “Firewalls” used
Contd…

• Network auditing software - can identity and
prevent many types of problems in local or
wide area networks
• The software is usually of 2 types: activity
logs, which record all log in attempt, failed or
successful and network scanning software –
looks for flaws or holes in network security

Securing Database Information
system
• Massive amounts of organizational data re stored
today in electronic databases on computer systems
• Consider the importance of the financial
accounting database information stores in very
sensitive
• When database data – restricted called “Trusted
systems”

Securing information system
applications
• Important method of preventing security problems is to
acquire secure applications or to build them from the
ground up.
The make or buy decision: to consider for design options
• Pros and cons – for decision making
• The decision making can be done by taking various
factors into consideration:
Contd…

1. Testing software – evaluate before making
purchase
2. Appropriateness – is it necessary to carry on the
business processes
3. Stability – shouldn’t contains bugs and crash
4. Security features – features should satisfy
company requirements
5. Access and update security – frequent updation
and adding more features.
Contd…

6. Input controls: ensure the accuracy of data
7. Process controls: ensure the proper
functioning
8. Output Controls: protecting and storing of
data output
Securing the information – important to
prevent the potential harms

Disaster Management
• Disaster Management planning (DMP) – plan of
action to recover from the impact on the
information systems
• Collapsed or dysfunctional – need to recover
• Specifies the procedure the procedure of recovery
action when disaster occurs
Contd…

DMP process
Step 1: • Identify Critical Business Processes
Step 2:
• Assess the Business risk – Probability, risk exposure
Step 3:
• Impact of damage of target entity
Step 4:
• Identify the life saving data, files, software, applications, packages, hardware, servers and databases
Step 5:
• Segregate the need in 2 classes
Step 6:
• Prepare a plan of bridging
Step 7
• Ensure all risks are suitably covered by appropriate insurance policies
Step 8:
• Authority, rights of decision and action in the event of disaster
Step 9:
• Test DMR plan once a year

Advantages:
1. Forecasting
2. Provide response
measures
3. Provide recovery
measures
4. Provide sense of
ownership
5. Empowers people
Disadvantages:
1. Reluctance to expose
vulnerabilities
2. Unavailability of
resources
3. Improper public
awareness

Testing
• Successful test – one finds error
• The output of the test run should match the
expected results
Objectives of testing:
1.To ensure the proper functioning of systems
2.To ensure user’s requirement; system meet
3.To verify the proper use of control
4.To verify the inputs and outputs correct
5.To make sure the errors not crept in.

Types of Testing
1. Unit testing – method by which individual units of
source codes are tested
2. Integration testing – systematic technique for
constructing the program structure
- to ensure that this modules combine together
correctly to achieve a product that meets its
specification
Contd…

3.Validation testing - validation succeeds
when software functions as expected.
(2 types of alpha testing – software tested
by customer under supervision of
developer)
Beta testing – software tested by customer
without the supervision of developer.
Contd…

4. System testing – behavior of whole
system/ product is tested
- development of project or product
5. Acceptance testing – to establish
confidence in the system
- most often focused on a validation type
testing

Error Detection
- Software errors are unavoidable and they are
easily penetrate into programs
- Error detection techniques are the techniques of
software development, software quality
assurance (SQA), software verification, validation
and testing
- To locate anomalies in software products

Classes of Error detection techniques
1. Static analysis:
- code walkthrough
- code inspection
2. Dynamic analysis:
while in execution or process
3. Formal analysis:
mathematical technique

Error Detection in phases of life cycle
1. Requirements – analysis of what is needed?
2. Design – Well design for requirements specified
3. Implementation – made possible in reality
4. Test – involves different types of testing – ensure proper
functioning
5. Installation and checkout – placing in the right area and validate
it
6. Operation and maintenance – working of system and check it
for future too.

Securing the web, intranets and
wireless networks
• Need of protecting the internet
Internet Security standards:
TCP/IP(Transmission control protocol/Internet protocol)
standards
Internet means that security must be addressed deliberately
and aggressively in internet standards
1. Point to point tunneling protocol
2. core four standards (IP,TCP, user diagram protocol and
internet control message)

Types of Internet Security
• 1 st layer – network layer security (Border
security)
1. Virus scanning
2. Firewalls
3. Intrusion
4. Virtual Private networks (VPN)
5. Denial of service protection
Contd…

2nd layer – proof of identity (Authentication)
1. Username/Password
2. Password synchronization
3. Public key
4.Tokens
5. Biometrics
6. Single sign-on
Contd…

• 3rd layer – permission based on identity
(Authorization)
1. User/group permissions
2. Enterprise directories
3. Enterprise user administration
4. Rules based access control

Border Security Tools
1. Firewall – A firewall is a system or group of systems, that
enforces an access control policy between two networks
2. Virus control – penetration of harmful and malicious
viruses can be prevented by “Anti-virus
program”/”Antivirus software”.
3. Intrusion detection- Intrusion is an illegal part act of
entering, seizing or taking possession of another’s
property
Contd…

• An Intrusion Detection System (IDS) –
software and/or hardware designed to
detect unwanted attempts at
accessing, manipulating and/or
disabling of computer systems mainly
through a network

Functions of Intrusion Detection
1. Network Intrusion detection system (NIDS) – is an
independent platform which identifies intrusions
by examining network traffic and monitors
multiple hosts
2. Protocol based Intrusion detection system (PIDS) –
it consists of a system or agent that would
typically sit at the front end of a server, monitoring
and analyzing the communication protocol
between connected device and the server
Contd…

3. Application protocol based intrusion detection system (APIDS):
Consists of a system or agent that would typically sit within
a group of servers, monitoring and analyzing the communication
on application specific protocols
4. Host-based intrusion detection system (HIDS):
Consists of an agent on a host which identifies intrusion by
analyzing system calls, application logs, file system modifications.
5. Hybrid Intrusion detection system:
Combines two or more approaches
Contd…

• Denial of service (DOS): preventing denial of service
attacks on the internet network
• Virtual private network (VPN): uses a public network to
connect remote sites or users together
• Authentication: Authentication is the process by which the
identity of an entity is established
• Authorization: process of determining the user’s level of
access – whether a user has a right to perform certain
actions

Authorization models
1. Passwords : login credentials created and used
General guidelines for passwords:
1. Should not be name, place or easily guessed
2. Should be 6 to 8 characters at least
3. Should contain mixture of letters, numbers and special
characters
4. Change the “Password” frequently
5. Do not use same password for all accounts
Contd…

2.Tokens: can be a software or hardware
- prevent against from the passive attacks and instant reply
attacks
3. Single sign-on
Single sign-on programs allow a user to authenticate one time
and there after be able to access additional network resources
and systems
4. Encryption
Way to protect data and other computer network resources
especially on the internets, intranets and extranets.

Software Audit
• Software audit – process of checking
each computer in the organization and
listing the software packages installed
• Investigation of the software installed or
the computers in an organization with
the purpose of ensuring that it is all legal
and authorized

Objectives of software audit
• Software audit – process of checking each
computer in the organization and listing the
software package installed
• Investigation of the software installed or the
computers in organization with the purpose
of ensuring that it is all legal an authorized

Objectives of software audit
1. Organization’s standards, process and systems
and/or plans – adequate to enable organization
to meet its policies, requirements and objectives
2. Comply with standards
3. Organization’s standards, process and systems
4. Resources include people and non human
resources

Audit roles and responsibilities
1. Client
2. Auditor Management
3. Auditors
4. Auditee management
5. Lead auditor
6. Escort

Types of software audit
1. Classification by participant – Internal
audit and External audit
2. Classification by action – System audit,
process audit and product audit
3. Special purpose audit – follow up and
desk audits

Software Audit process
Step 1: • Initiation
Step 2: • Planning
Step 3: • Preparation
Step 4: • Execution
Step 5: • Reporting
Step 6: • Corrective action and follow up

Ethics in IT
• Ethics is a study principles and practices which guides to
decide whether the action taken is morally right or wrong
• About values and human behavior
Ethical responsibility of business professionals:
1. Natural Law
2. Utilititarianism
3. Respect for person
4. Ethical values

Ethical guidelines
1. Obligation to management:
• Keep personal knowledge upto date and insure that
proper expertise is available when needed
• Share knowledge with others
• Not misuse of authority entrusted
• Not take advantage of lack of knowledge of others
• Not misrepresented or with hold information
Contd…

2. Obligation to members:
• Be honest in all professional relationships
• Take appropriate action in regard to any illegal or
unethical practices
• Attempt to share special knowledge
• Cooperate with others in achieving
• Don’t use the ignorance of other’s as favor understanding

Ethics to overcome vulnerability
1. Vulnerability Assessment:
It is a periodic process that works on a system to
identify, track and manage the repair of vulnerabilities
on the system
Vulnerability assessment does a health check of the
system
It is an essential security process and best practice for
well being of the system
Contd…

• Vulnerability scanning:
System and network scanning for
vulnerabilities is an automated process where
a scanning program send network traffic to all
or selected computers in the network and
expects to receive return traffic that will
indicate whether those computers have
known vulnerabilities

User Interface
• An interface - common boundary
between user and computer system
application
• User interface – (1) Input (2) process and
control (3) Output and maintenance (4)
testing

Types of Interface
1. Natural Language Interfaces
2. Question Answer Interfaces
3. Menu driven Interfaces
4. Form-fill interfaces
5. Command Language Interfaces
6. Graphical user Interface

Reporting
• Report is a business document that contains only
predefined data
• Passive document for reading or viewing data
• Good report design effort and attention in detail
• The ability to enable large numbers of people to easily
access real time enterprise information and transform
it into richly formatted reports

Reporting (Characteristics)
1. Reports should be attractive and easy to understand
2. Managers sometimes judge an entire project by the quality of
reports received
3. Reports must include information that user needs
4. Report with too little information is of no value
5. Too much information can make a report confusing and difficult
to understand
6. The essential goal when designing reports is to match the report
to the user’s specific information needs

Types of Reporting
1. Detail reports
2.Exception reports
3. Summary reports

Information management unit 4 security,control and reporting

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Information management unit 4 security,control and reporting

Similar to Information management unit 4 security,control and reporting (20)

More from Ganesha Pandian

More from Ganesha Pandian (20)

Recently uploaded

Recently uploaded (20)

Information management unit 4 security,control and reporting