The document discusses information system security controls and risks. It outlines 7 criteria that information systems should meet, including effectiveness, efficiency, confidentiality and integrity. It also describes different business risks to information systems like strategic risk, security risk and legal risk. Finally, it discusses various security measures that can be implemented like policies, firewalls, passwords and encryption to protect information systems and mitigate risks.

1. Information System and
Security Control
Anthony D.J. Matutino

2. 7 CRITERIA TO BE MET BY
INFORMATION SYSTEM
 Effectiveness
 Efficiency
 Confidentiality
 Integrity
 Availability
 Compliance
 Reliability

3. BUSINESS RISK INVOLVING
INFORMATION SYSTEM
 Strategic Risk
 Security Risk
 Legal Risk
 Reputational Risk

4. STRATEGIC RISK
 Strategic assessment and risk analysis
 Integration within strategic goal
 Selection and management of
technological infrastructure
 Comprehensive process for managing
outsourcing relationships with third party
providers

5. SECURITY RISK
 Customer security practices
 Authentication of customers
 Non-repudiation and accountability of
transactions
 Segregation of duties
 Authorization controls within the systems,
databases and applications
 Internal or external fraud

6. SECURITY RISK
 Audit trails for transactions
 Confidentiality of data during transactions
 Third-party security risk

7. LEGAL RISK
 Disclosures of information to customers
 Privacy
 Compliance to laws, rules and statements
of the regulators
 Exposure to foreign jurisdictions

8. REPUTATIONAL RISK
 Service level delivery
 Level of customer care
 Business continuity and contingency
planning

9. ACCESS LAYERS

10. SECURITY MEASURES
 Policies
 Firewalls
 Password
 Penetration testing and test software
 Intrusion Detection and Prevention System
 Encryption

11. SECURITY MEASURES
 Digital Signatures
 Virtual Private Network
 Anti-virus Program
 Anti-spyware program
 Logging and monitoring

12. INTERNET SERVICE AS A MEANS
OF INFORMATION SYSTEM
 E-mail
 World Wide Web (WWW)
 File Transfer Protocol (FTP)
 News
 Telnet/remote interactive access
 Internet Relay Chat (IRC)/Instant
Messaging

13. E-MAIL THREATS
THREATS RECOMMENDATION
 Sender – No one can  Use of digital
be sure that the sender signatures
of an e-mail is the real
sender.

14. E-MAIL THREATS
THREATS RECOMMENDATION
 Messages in plain  Encrypt the message
test – It is possible
that the message can
be intercepted, read
and change the
message..

15. E-MAIL THREATS
THREATS RECOMMENDATION
 There are no  Certificate of posting
guarantees of secure function
delivery

16. E-MAIL THREATS
THREATS RECOMMENDATION
 Large attachments  Set a limit on how
can clog the e-mail large the attachments
system and/or server are that e-mail is
allowed to receive
and make guidelines
for downloading,
archiving and deletion
of e-mails.

17. E-MAIL THREATS
THREATS RECOMMENDATION
 Spam (unwanted e-  Set filter to
mails) remove/separate
spams from legitimate
messages.

18. WORLD WIDE WEB
THREATS RECOMMENDATION
 Information quality  Reader should be
cautious and as much
as possible, try to
verify the information.

19. WORLD WIDE WEB
THREATS RECOMMENDATION
 Tracks  Firewall
 Browser  Set your computer to
 Plug-ins clear history
 Cookies  Use InPrivate
browsing

20. FILE TRANSFER PROTOCOL
THREATS RECOMMENDATION
 File Transfer Protocol  Proper configuration
has basically no can only minimize the
security. risk
 Scan all incoming
files

21. NEWS
THREATS RECOMMENDATION
 Reputation risk – the  It is possible to block
news/blog can be access to news. This
regarded as is a matter of
organization’s official organizational policy
view.

22. TELNET
THREATS RECOMMENDATION
 Username and  One-time or frequent
password are usually password change and
sent in plain text. It is other encryptions
simple for intruders to should be used
read user information
and use it for
unauthorized access.

23. INTERNET RELAY CHAT
THREATS RECOMMENDATION
 Most IRCs bypass the  IRCs with external
anti-virus softwares access should be
avoided. If it is
necessary to
download a file, avoid
direct execution of
files.

24. COMMON SIGNS OF VIRUS
 Unusual message appear on your screen
 Decreased system performance
 Missing data
 Inability to access your hard drives
 Settings are automatically changed

26. Chrome - Incognito

27. IE – InPrivate Browsing

28. Firefox – Private Browsing

29. Always test policy on a test
computer before applying it to
any other computers

30. Videos
 Basic PC Security
 Anti-virus and other malware
 Anti-spyware

31. SUMMARY