INFORMATION SYSTEMS SECURITY AND MANAGEMENT
Learning objectives
• After this discussion you should be able to:
– understand and assess potential threats to a computer-based information system;
– propose an overall strategy for ensuring the security of a computer-based information system;
– explain why information systems need special protection from destruction, error, and abuse;
– assess the business value of security and control;
– evaluate elements of an organizational and managerial framework for security and control.
Management issues
• From a managerial perspective, this discussion addresses the following areas:
– An understanding of approaches towards information systems security will help managers develop and implement an overall strategy for security.
– An understanding of the threats to information systems will help in predicting and anticipating acts such as denial of service attacks.
– Knowledge of specific techniques for protecting information systems will help in the development of effective countermeasures.
– As organizations turn to the Internet for business purposes, it becomes important to understand some of the new threats that must be faced.
What is Information Security?
Related security concepts
• Authentication: a means to verify that an entity is who it claims to be, for decisions in support of confidentiality and integrity
• Access control: a means to enforce which entities have access to information, to support confidentiality and integrity
• Authorization: a combination of authentication (who) and access control
• Non-repudiation: integrity of the pair (information, creator of information)
• Privacy: confidentiality of personal information
• Anonymity: confidentiality of identity
What are the common threats to IS?
Common threats to information
• Accidents
• Natural disasters
• Sabotage (industrial and individual)
• Vandalism
• Theft
• Unauthorised use (hacking)
• Computer viruses
Figure 15.1 Breakdown of breaches of security reported by UK companies in 2004
Source: Information Security Breaches Survey 2004, DTI (www.dti.gov.uk)
Accidents
• Inaccurate data entry
• Attempts to carry out tasks beyond the ability of the employee
• Failure to comply with procedures for the use of organisational information systems
• Failure to carry out backup procedures or verify data backups
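Editor's note #9 below explains how one wrong character in an update query can corrupt every record the query touches. The following added example (not from the slides; the employee table and the queries are constructed) runs such a query inside a transaction and commits only when the number of affected rows matches what the operator expected, a cheap control against this kind of accident.

```python
import sqlite3

# Constructed sample personnel table (not taken from the slides).
EMPLOYEES = [
    (1, "Alice", "IT", 50000),
    (2, "Bob", "IT", 52000),
    (3, "Carol", "HR", 48000),
    (4, "Dave", "HR", 47000),
    (5, "Eve", "Sales", 51000),
]


def open_db():
    """Create an in-memory database holding the constructed employee records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, dept TEXT, salary INTEGER)"
    )
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", EMPLOYEES)
    conn.commit()
    return conn


def guarded_update(conn, sql, params, expected_rows):
    """Run an UPDATE inside a transaction and commit only if it changed exactly
    `expected_rows` rows; otherwise roll back so the data stays untouched.
    Returns (committed, rows_affected)."""
    cur = conn.cursor()
    try:
        cur.execute(sql, params)      # the sqlite3 module opens a transaction here
        affected = cur.rowcount
        if affected != expected_rows:
            conn.rollback()           # the query did not do what the operator expected
            return False, affected
        conn.commit()
        return True, affected
    except sqlite3.Error:
        conn.rollback()
        raise


def salaries(conn):
    """Return {name: salary} so the effect of an update can be checked."""
    return dict(conn.execute("SELECT name, salary FROM employees ORDER BY id"))


if __name__ == "__main__":
    db = open_db()
    # Intended query: raise one employee's salary (id = 2).
    print(guarded_update(db, "UPDATE employees SET salary = salary + 1000 WHERE id = ?", (2,), 1))
    # The same query with one extra character (">=" instead of "=") hits four
    # rows; the guard rolls it back instead of committing the accident.
    print(guarded_update(db, "UPDATE employees SET salary = salary + 1000 WHERE id >= ?", (2,), 1))
    print(salaries(db))
```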
Natural disasters
• All information systems are susceptible to damage caused by natural phenomena, such as storms, lightning strikes, floods and earthquakes.
• In Japan and the United States, for example, great care is taken to protect critical information systems from the effects of earthquakes.
• Although such hazards are of less concern in much of Africa and Europe, properly designed systems will make allowances for unexpected natural disasters.
Sabotage
• Deliberate deletion of data or applications
– Logic bomb: Sometimes also known as a time bomb, a logic bomb is a destructive computer program that activates at a certain time or in reaction to a specific event.
– Back door: A section of program code that allows a user to circumvent security procedures in order to gain full access to an information system.
– Data theft: This can involve stealing sensitive information or making unauthorised changes to computer records.
Unauthorised use
• Hacker: Hackers are often described as individuals who seek to break into systems as a test of their abilities. Few hackers attempt to cause damage to systems they access and few are interested in gaining any sort of financial profit.
• Cracker: A person who gains access to an information system for malicious reasons is often termed a cracker rather than a hacker. This is because some people draw a distinction between ‘ethical’ hackers and malicious hackers.
Social engineering
• Social engineering: This involves tricking people into providing information that can be used to gain access to a computer system.
• As an example, someone might pose as a technician during a telephone call and ask for information, such as passwords or user names.
Computer virus
• Computer virus: This is a computer program that is capable of self-replication, allowing it to spread from one ‘infected’ machine to another.
• The origin of the term computer virus is credited to Fred Cohen, author of the 1984 book Computer Viruses: Theories and Experiments. However, ‘natural’ computer viruses were reported as early as 1974, and papers describing mathematical models of the theory of epidemics were published in the early 1950s.
Trojans and worms
• Worm: A small program that moves through a computer system, randomly changing or overwriting pieces of data as it moves.
• Trojan: A Trojan presents itself as a legitimate program in order to gain access to a computer system. Trojans are often used as delivery systems for computer viruses.
Spyware and adware
• Spyware: Describes a category of software intended to collect and transmit confidential information without the knowledge or consent of a computer user.
• Adware: Describes a type of software that contains spyware intended to monitor a user’s online activities, usually so that advertising can be targeted more accurately.
Internet-related threats 1
• Denial of service (DoS): This is a form of attack on company information systems that involves flooding the company's Internet servers with huge amounts of traffic. Such attacks effectively halt all of the company's Internet activities until the problem is dealt with.
• Brand abuse: This describes a wide range of activities, ranging from the sale of counterfeit goods (e.g. software applications) to exploiting a well-known brand name for commercial gain.
• Cybersquatting: The act of registering an Internet domain with the intention of selling it for profit to an interested party. As an example, the name of a celebrity might be registered and then offered for sale at an extremely high price.
• Cyberstalking: This refers to the use of the Internet as a means of harassing another individual. A related activity is known as corporate stalking, where an organisation uses its resources to harass individuals or business competitors.
• Cyberterrorism: This describes attacks made on information systems that are motivated by political or religious beliefs.
Internet-related threats 2
• Online stock fraud: Most online stock fraud involves posting false information to the Internet in order to increase or decrease the values of stocks.
• Phishing: A relatively new development, phishing involves attempting to gather confidential information through fake e-mail messages and web sites.
SYSTEM VULNERABILITY AND ABUSE
Management Information Systems: Security and Management
Why Systems Are Vulnerable
Figure 10-1 Contemporary Security Challenges and Vulnerabilities
Wi-Fi Security Challenges
Figure 10-2 Wi-Fi Security Challenges
Concerns for System Builders and Users
• Disaster: Destroys computer hardware, programs, data files, and other equipment
• Security: Prevents unauthorized access, alteration, theft, or physical damage
• Errors: Cause computers to disrupt or destroy the organization’s record-keeping and operations
System Quality Problems: Software and Data
• Bugs: Program code defects or errors
• Maintenance nightmare: Maintenance costs are high due to organizational change, software complexity, and faulty system analysis and design
Worldwide Damage from Digital Attacks
Figure 10-3 Worldwide Damage from Digital Attacks
BUSINESS VALUE OF SECURITY AND CONTROL
Management Information Systems: Security and Control
• Inadequate security and control may create serious legal liability.
• Businesses must protect not only their own information assets but also those of customers, employees, and business partners. Failure to do so can lead to costly litigation for data exposure or theft.
• A sound security and control framework that protects business information assets can thus produce a high return on investment.
Security Incidents Continue to Rise
Figure 10-4 Security Incidents Continue to Rise (Source: CERT Coordination Center, www.cert.org, accessed July 6, 2004)
Legal and Regulatory Requirements for Electronic Records Management
• Electronic Records Management (ERM): Policies, procedures and tools for managing the retention, destruction, and storage of electronic records
Data Security and Control Laws:
• The Health Insurance Portability and Accountability Act (HIPAA)
• Sarbanes-Oxley Act of 2002
Electronic Evidence and Computer Forensics
• Electronic evidence: Computer data stored on disks and drives, e-mail, instant messages, and e-commerce transactions
• Computer forensics: Scientific collection, examination, authentication, preservation, and analysis of computer data for use as evidence in a court of law
CREATING A CONTROL ENVIRONMENT
Overview
Controls
• Methods, policies, and procedures
• Ensure protection of the organization’s assets
• Ensure accuracy and reliability of records, and operational adherence to management standards
General Controls and Application Controls
General controls
• Establish the framework for controlling the design, security, and use of computer programs
• Include software, hardware, computer operations, data security, implementation, and administrative controls
Figure 14-4 Security Profiles for a Personnel System
ESTABLISHING A MANAGEMENT FRAMEWORK FOR SECURITY AND CONTROL
Application controls:
• Unique to each computerized application
• Include input, processing, and output controls
Risk Assessment:
• Determines the level of risk to the firm if a specific activity or process is not properly controlled
Security Policy
Figure 10-5 Security Profiles for a Personnel System
Ensuring Business Continuity
• Downtime: Period of time in which a system is not operational
• Fault-tolerant computer systems: Redundant hardware, software, and power supply components to provide continuous, uninterrupted service
• High-availability computing: Designing to maximize application and system availability
• Load balancing: Distributes access requests across multiple servers
• Mirroring: Backup server that duplicates the processes on the primary server
• Recovery-oriented computing: Designing computing systems to recover more rapidly from mishaps
• Disaster recovery planning: Plans for restoration of computing and communications disrupted by an event such as an earthquake, flood, or terrorist attack
• Business continuity planning: Plans for handling mission-critical functions if systems go down
Auditing:
• MIS audit: Identifies all of the controls that govern individual information systems and assesses their effectiveness
• Security audits: Review technologies, procedures, documentation, training, and personnel
Figure 10-6 Sample Auditor’s List of Control Weaknesses
TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL
Access Control
Access control: Consists of all the policies and procedures a company uses to prevent improper access to systems by unauthorized insiders and outsiders
Authentication:
• Passwords
• Tokens, smart cards
• Biometric authentication
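The concepts slide defines authorization as authentication (who) plus access control, and Figures 14-4 and 10-5 show security profiles for a personnel system. The added example below (not code from the slides; the users, profiles and records are constructed) checks a password against a salted hash and then applies a per-field, per-division profile before any read or update is allowed.

```python
import hashlib
import hmac
import os

# Security profiles in the style of a personnel system: each profile states which
# data fields a user may read or update, optionally limited to one division.
# Constructed for illustration; these are not the figure's actual profiles.
PROFILES = {
    "personnel_clerk": {"division": 1, "fields": {"name": "update", "salary": "update", "medical": "none"}},
    "hr_manager": {"division": None, "fields": {"name": "read", "salary": "read", "medical": "read"}},
}
RANK = {"none": 0, "read": 1, "update": 2}   # "update" implies "read"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _new_user(password: str, profile):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "profile": profile}


# Constructed credential store: only salted hashes are kept, never the passwords.
USERS = {
    "pclerk": _new_user("clerk-pass", "personnel_clerk"),
    "hrmgr": _new_user("mgr-pass", "hr_manager"),
}
_DUMMY = _new_user("unused", None)   # unknown users cost the same time as wrong passwords


def authenticate(username: str, password: str):
    """Who is this? Returns the user's profile name, or None if the login fails."""
    user = USERS.get(username, _DUMMY)
    candidate = _hash_password(password, user["salt"])
    if username not in USERS or not hmac.compare_digest(candidate, user["hash"]):
        return None
    return user["profile"]


def authorize(profile_name: str, action: str, field: str, record: dict) -> bool:
    """May this profile perform `action` ("read" or "update") on `field` of `record`?"""
    profile = PROFILES[profile_name]
    if profile["division"] is not None and record["division"] != profile["division"]:
        return False                                   # outside the profile's scope
    allowed = profile["fields"].get(field, "none")     # unknown fields default to no access
    return RANK[allowed] >= RANK[action]


def access(username: str, password: str, action: str, field: str, record: dict) -> bool:
    """Authorization = authentication (who) + access control (what they may touch)."""
    profile = authenticate(username, password)
    if profile is None:
        return False
    return authorize(profile, action, field, record)


if __name__ == "__main__":
    alice = {"division": 1, "name": "Alice", "salary": 50000, "medical": "none on file"}
    print(access("pclerk", "clerk-pass", "update", "salary", alice))   # clerk may update own division
    print(access("pclerk", "clerk-pass", "read", "medical", alice))    # medical data is off limits
```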
Firewalls, Intrusion Detection Systems, and Antivirus Software
• Firewalls: Hardware and software controlling the flow of incoming and outgoing network traffic
• Intrusion detection systems: Full-time monitoring tools placed at the most vulnerable points of corporate networks to detect and deter intruders
• Antivirus software: Software that checks computer systems and drives for the presence of computer viruses and can eliminate the virus from the infected area
• Wi-Fi Protected Access specification
Figure 10-7 A Corporate Firewall
Encryption and Public Key Infrastructure
• Public key encryption: Uses two different keys, one private and one public. The keys are mathematically related so that data encrypted with one key can be decrypted using only the other key
• Message integrity: The ability to be certain that the message being sent arrives at the proper destination without being copied or changed
• Digital signature: A digital code attached to an electronically transmitted message that is used to verify the origin and contents of a message
• Digital certificates: Data files used to establish the identity of users and electronic assets for protection of online transactions
• Public Key Infrastructure (PKI): Use of public key cryptography working with a certificate authority
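The slide states that data encrypted with one key can be decrypted only with the other, and that a digital signature verifies the origin and contents of a message. The added example below (not from the slides or the textbook) shows both with a toy-sized RSA key pair built from two constructed small primes: encrypt with the public key and decrypt with the private one, then sign a message hash with the private key and check it with the public key so that a tampered message fails verification.

```python
import hashlib

# Toy-sized key pair from two small primes so the arithmetic stays visible.
# Real deployments use 2048-bit or larger moduli plus OAEP/PSS padding; this
# illustrates the key relationship only and is not a usable cipher.
P, Q = 10007, 10009            # constructed small primes
E = 65537


def keygen(p=P, q=Q, e=E):
    """Return (public_key, private_key); each key is (modulus, exponent)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)        # modular inverse: e * d == 1 (mod phi)
    return (n, e), (n, d)


def apply_key(key, block: int) -> int:
    """Raise the block to the key's exponent modulo n; the same operation serves
    encryption, decryption, signing and verification depending on which key is used."""
    n, exponent = key
    return pow(block, exponent, n)


def encrypt(key, message: bytes):
    """Encrypt byte by byte with the given key (normally the recipient's public key)."""
    return [apply_key(key, b) for b in message]


def decrypt(key, blocks):
    """Undo encrypt() with the matching other key. With the wrong key the
    result is garbage, usually not even valid bytes."""
    values = [apply_key(key, x) for x in blocks]
    if any(v > 255 for v in values):
        raise ValueError("not a valid plaintext: wrong key?")
    return bytes(values)


def _digest_mod_n(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Digital signature: hash the message, then apply the private key to the digest."""
    n, _ = private_key
    return apply_key(private_key, _digest_mod_n(message, n))


def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone holding the public key can check origin and contents: recover the
    digest from the signature and compare it with a fresh hash of the message."""
    n, _ = public_key
    return apply_key(public_key, signature) == _digest_mod_n(message, n)


if __name__ == "__main__":
    pub, priv = keygen()
    msg = b"Transfer 100 to account 42"
    ct = encrypt(pub, msg)
    print(decrypt(priv, ct))                 # original message back
    sig = sign(priv, msg)
    print(verify(pub, msg, sig))             # True
    print(verify(pub, b"Transfer 900 to account 42", sig))   # False: contents changed
```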
• Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS): protocols for secure information transfer over the Internet; enable client and server computer encryption and decryption activities as they communicate during a secure Web session.
• Secure Hypertext Transfer Protocol (S-HTTP): used for encrypting data flowing over the Internet; limited to Web documents, whereas SSL and TLS encrypt all data being passed between client and server.
Figure 10-8 Public Key Encryption
Figure 10-9 Digital Certificates
MANAGEMENT OPPORTUNITIES, CHALLENGES AND SOLUTIONS
Management Opportunities:
• Creation of secure, reliable Web sites and systems that can support e-commerce and e-business strategies
Management Challenges:
• Designing systems that are neither overcontrolled nor undercontrolled
• Implementing an effective security policy
Solution Guidelines:
• Security and control must become a more visible and explicit priority and area of information systems investment.
• Support and commitment from top management is required to show that security is indeed a corporate priority and vital to all aspects of the business.
• Security and control should be the responsibility of everyone in the organization.


Editor's Notes

  • #4 Information security is the practice of defending information from unauthorised access, use, disclosure, disruption, modification, perusal, inspection, recording or even destruction.
  • #9 Inaccurate data entry. As an example, consider a typical relational database management system, where update queries are used to change records, tables and reports. If the contents of the query are incorrect, errors might be produced within all of the data manipulated by the query. Although extreme, significant problems might be caused by adding or removing even a single character to a query. Attempts to carry out tasks beyond the ability of the employee. In smaller computer-based information systems, a common cause of accidental damage involves users attempting to install new hardware items or software applications. In the case of software applications, existing data may be lost when the program is installed or the program may fail to operate as expected. Failure to comply with procedures for the use of organisational information systems. Where organisational procedures are unclear or fail to anticipate potential problems, users may often ignore established methods, act on their own initiative or perform tasks incorrectly. Failure to carry out backup procedures or verify data backups. In addition to carrying out regular backups of important business data, it is also necessary to verify that any backup copies made are accurate and free from errors. Update query: Used to change records, tables and reports held in a database management system.
  • #27 Uganda: Electronic Signatures Act No. 7 of 2011; Electronic Transactions Act No. 8 of 2011; Computer Misuse Act No. 2 of 2011.
  • #33 What is at risk (national security, lives, property, money)? Some risk models are based on $ values. Where does the threat come from? Motivation (national security, money, fame); capabilities (intellect, equipment, money). What vulnerabilities can be exploited: technical, process, people. Risk mitigation: eliminate/reduce risk; accept risk (with recovery process); transfer risk.