This document discusses information systems security. It begins by defining information systems and noting their importance for strategic advantage and decision making. It then discusses the risks of inadequate security management and the need to ensure integrity and safety of systems. The document goes on to explain basic principles of information security like confidentiality, integrity, availability, and others. It also discusses threats like computer crimes, accidents, vulnerabilities and methods to minimize risks like developing systems correctly, user training, physical security controls, and auditing.
1. SECURITY AND CONTROL
2. INTRODUCTION
• The term information covers the broad range of storage and communication of knowledge, such as data. The term information system describes the organized collection, processing, transmission, and spreading of information in accordance with defined procedures, whether automated or manual.
• Information system security is essential because organizations are becoming increasingly dependent upon information systems (IS) for strategic advantage, to enhance business operations, and to facilitate management decision-making.
3.
• The inadequate management concern for IS security is worrisome given the evidence that significant IS security abuses do occur. IS security is therefore concerned with the integrity and safety of system resources and activities.
4. Market Summary
• Summarize your market in the past, present, and future.
– Review those changes in market share, leadership, players, market shifts, costs, pricing, or competition that provide the opportunity for your company’s success.
5. BASIC PRINCIPLES OF INFORMATION SYSTEMS SECURITY
CONFIDENTIALITY:
This principle is applied to information by enforcing rules about who is allowed to know it. Preserving personal privacy is one of the major objectives of confidentiality. It prevents the unauthorized disclosure of information and restricts data access to only those who are authorized. But today the world is moving towards less authoritative structures, more informality, and fewer rules. Such developments are a concern for the principle of confidentiality, since they are aimed at making information accessible to many, not few.
6. BASIC PRINCIPLES OF INFORMATION SYSTEMS SECURITY
INTEGRITY:
In any business organization having IS, the correctness of the values of data stored and manipulated, such as maintaining the correct signs and symbols, is an important issue of concern. This issue is referred to as integrity within an organization, which is the prevention of unauthorized modification.
7. BASIC PRINCIPLES OF INFORMATION SECURITY SYSTEMS
AVAILABILITY:
• Availability refers to the accessibility of information, in usable form, when and where it is required. Sometimes it is also explained as the prevention of unauthorized withholding of data or resources. Within any organization today the availability of resources and data is an important issue of concern, since system failure is an organizational security issue.
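The three principles above (confidentiality, integrity, availability) can be enforced in code rather than only stated as policy. The following added example is not part of the original slides; it is a small record store in Python in which every read applies a confidentiality rule (who may see the record), an integrity check (an HMAC tag that detects unauthorized modification of the stored value), and an availability fallback (a replica used when the primary copy is down). The key, user names and account record are constructed for the demonstration.

```python
import hmac
import hashlib
import json

# Constructed key for the demo; a real deployment would load it from a key store.
INTEGRITY_KEY = b"example-key-not-for-production"


def _tag(record_id, value):
    """HMAC over record id and value; a mismatch on read means the stored value was altered."""
    msg = json.dumps([record_id, value], sort_keys=True).encode()
    return hmac.new(INTEGRITY_KEY, msg, hashlib.sha256).hexdigest()


class RecordStore:
    """Minimal store that enforces confidentiality, integrity and availability on every read."""

    def __init__(self):
        self.primary = {}    # record_id -> (value, tag, allowed_users)
        self.replica = {}    # second copy kept for availability
        self.primary_up = True

    def write(self, record_id, value, allowed_users):
        entry = (value, _tag(record_id, value), frozenset(allowed_users))
        self.primary[record_id] = entry
        self.replica[record_id] = entry

    def read(self, user, record_id):
        # Availability: serve from the replica when the primary copy is unavailable.
        source = self.primary if self.primary_up else self.replica
        if record_id not in source:
            raise KeyError(record_id)
        value, tag, allowed = source[record_id]
        # Confidentiality: only users named in the access rule may see the value.
        if user not in allowed:
            raise PermissionError(f"{user} may not read {record_id}")
        # Integrity: recompute the tag and compare in constant time.
        if not hmac.compare_digest(tag, _tag(record_id, value)):
            raise ValueError(f"{record_id} failed integrity check")
        return value

    def tamper(self, record_id, new_value):
        """Simulates an unauthorized modification that bypasses write(); demo only."""
        _value, tag, allowed = self.primary[record_id]
        self.primary[record_id] = (new_value, tag, allowed)


def demo():
    """Exercise each principle once and report the outcome of every access."""
    store = RecordStore()
    store.write("acct-1001", {"balance": 250}, allowed_users={"alice"})
    results = {}
    results["authorized_read"] = store.read("alice", "acct-1001")["balance"]
    try:
        store.read("mallory", "acct-1001")
        results["unauthorized_read"] = "allowed"
    except PermissionError:
        results["unauthorized_read"] = "denied"
    store.primary_up = False                       # primary outage
    results["read_during_outage"] = store.read("alice", "acct-1001")["balance"]
    store.primary_up = True
    store.tamper("acct-1001", {"balance": 250000})  # unauthorized modification
    try:
        store.read("alice", "acct-1001")
        results["tampered_read"] = "accepted"
    except ValueError:
        results["tampered_read"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The integrity tag covers the record id as well as the value, so a tampered copy of one record cannot be swapped in under another id; the replica only helps availability if it is written at the same time as the primary, which is why `write` updates both.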
8. BASIC PRINCIPLES OF INFORMATION SECURITY SYSTEMS
• RESPONSIBILITY:
• Today in many businesses the members are expected to have a clear understanding of their responsibilities. They should be aware of what their respective roles are. Modern organizations need people who are responsible and who have a better knowledge of the roles they have to perform as events develop in a particular sphere.
9. BASIC PRINCIPLES OF INFORMATION SECURITY SYSTEMS
• TRUST:
• Today in organizations there have to be mutual systems of trust. In organizations which are geographically diffused (not concentrated or localized) close supervision is less viable, and thus trust is what holds them together. If there is more than one person involved in a project they will discuss how to tackle a task and allocate responsibilities before going to their locations, to communicate later at a distance. But it is natural for humans that at a certain point the trust established among them will start becoming weaker, and thus another face-to-face meeting is required. This is typical for a virtual organization of the future, but only up to a point.
10. BASIC PRINCIPLES OF INFORMATION SECURITY SYSTEMS
• ETHICALITY:
• The members of any organization are expected to behave according to certain ethical practices. These are not company rules; rather, they are the ethical content of informal norms and behavior. Rules apply only in forecast or predictable situations, but in many new and dynamic situations there simply are no rules. Thus information should be used, and the administration of information security should be carried out, in an ethical manner.
11. THREATS OF PROJECT FAILURES
• The project development phase passes through a number of stages during its lifetime, which include Initiation, Development, Implementation, and Operations & Maintenance. There may be different reasons for failure of the project during these phases. The Initiation and Operations & Maintenance failures are not that serious as far as the project is concerned. But the failures at the Development and Implementation phases are serious threats. In development failures, the system never really runs successfully on the computer. The reason for these failures can be that the system is not technically feasible. In implementation failures, the system runs on the computer but fails to attain the hoped-for benefits that the organization is looking for.
12. THREATS OF ACCIDENTS AND MALFUNCTIONS
• Many people assume that information systems work as they are designed to work. Whenever these assumptions are proven wrong, the consequences can be disastrous.
• There can be seven types of risks related to accidents, which are as follows:
• Operator Error,
• Hardware Malfunctions,
• Software Bugs,
• Data Errors,
• Inadequate system performance, etc.
13. THREATS OF COMPUTER CRIME
• Computer crime is the use of computerized systems to perform illegal acts. It is further divided into two main areas:
• Theft
• Sabotage and vandalism
14. THEFT
• Theft via computer can be divided into four categories:
• Unauthorized use of access codes and financial passwords.
• Theft by entering fraudulent transaction data.
• Theft by stealing or modifying data.
• Theft by modifying software.
15. SABOTAGE AND VANDALISM
• Perpetrators of sabotage and vandalism try to invade or damage system hardware, software, or data. They may range from hackers to disgruntled employees to spies.
• A number of programming techniques have been used for sabotage and vandalism, which are:
• Trap door,
• Trojan horse,
• Logic bomb and
• Virus.
16. INFORMATION SYSTEMS RISKS
• There may be different risks associated with information systems security. They are:
• Poor System Administration Practices,
• Lack of Sufficient Operational Policies,
• Poor Physical Security System,
• Key Person Dependency,
• Loss of Critical Document Data or Software,
• Data Disclosure,
• Functional Lockout,
• Poor Password Practices,
• Spoofing,
• Clear Text Transmission of Critical Data &
• Single Point of Failure.
17. VULNERABILITY
• Vulnerability is the unwanted system property that makes it possible for a threat to result in damage. Vulnerability can exist inside the system, or in its close surroundings.
18. Methods for Minimizing Risks:
• 1. Build the system correctly in the first place
• 2. Train users about security issues
• 3. Once the system is in operation, maintain physical security
• 4. Given that it is physically secure, prevent unauthorized access to computers, network and data.
• 5. Having controlled access, make sure transactions are performed correctly.
• 6. Even with transaction controls in place, motivate efficient and effective operation and find ways to improve
• 7. Even if the system seems secure, audit it to identify problems
• 8. Even with continuing vigilance, prepare for disasters
20. Information Systems Security Controls
An information systems security control package is a set of procedures and technological measures to ensure the secure and efficient operation of information within an organization.
21. General controls
• These controls apply to information systems activities throughout an organization. The most important general controls are the measures that control access to computer systems and the information stored there or transmitted over telecommunications networks. General controls include administrative measures that restrict employee access to only those processes directly relevant to their duties. As a result, these controls limit the damage that any individual employee can do.
22. Application controls:
• Application controls are specific to a given application and include such measures as validating input data, regularly archiving copies of various databases, and ensuring that information is disseminated only to authorized users.
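The general control on slide 21 (restrict each employee to the processes relevant to their duties) and the application control on slide 22 (validate input data) are easiest to see together, since a transaction should pass both before it reaches the ledger. The following Python example is added here and is not code from the slides; the roles, user names, account-number format and amount ceiling are constructed for the demonstration.

```python
import re
from datetime import date

# Constructed role-to-process mapping: a role may run only the processes tied to its duties.
ROLE_PROCESSES = {
    "teller": {"post_payment", "view_account"},
    "auditor": {"view_account", "export_ledger"},
    "dba": {"restore_backup"},
}
USER_ROLES = {"alice": "teller", "bob": "auditor", "carol": "dba"}  # constructed users


class AccessDenied(Exception):
    pass


class ValidationError(Exception):
    pass


def authorize(user, process):
    """General control: a user may run only the processes that belong to their role."""
    role = USER_ROLES.get(user)
    if role is None or process not in ROLE_PROCESSES[role]:
        raise AccessDenied(f"{user} is not permitted to run {process}")
    return role


ACCOUNT_RE = re.compile(r"[0-9]{8}")   # constructed format: exactly 8 digits
MAX_AMOUNT_CENTS = 1_000_000            # constructed ceiling for one posted payment


def validate_payment(txn):
    """Application control: reject malformed or out-of-range input before it touches the ledger."""
    required = {"account", "amount_cents", "value_date"}
    missing = required - txn.keys()
    if missing:
        raise ValidationError(f"missing fields: {sorted(missing)}")
    if not ACCOUNT_RE.fullmatch(str(txn["account"])):
        raise ValidationError("account must be exactly 8 digits")
    amount = txn["amount_cents"]
    # bool is a subclass of int, so reject it explicitly; strings like "4500" are rejected too.
    if not isinstance(amount, int) or isinstance(amount, bool) or amount <= 0 or amount > MAX_AMOUNT_CENTS:
        raise ValidationError("amount_cents must be a positive integer within the limit")
    try:
        value_date = date.fromisoformat(txn["value_date"])
    except (TypeError, ValueError):
        raise ValidationError("value_date must be YYYY-MM-DD") from None
    if value_date > date.today():
        raise ValidationError("value_date may not be in the future")
    return {"account": txn["account"], "amount_cents": amount, "value_date": value_date.isoformat()}


def post_payment(user, txn, ledger):
    """Apply the two controls in order: who may do this, then is the data acceptable."""
    authorize(user, "post_payment")
    clean = validate_payment(txn)
    ledger.append(clean)
    return clean


def demo():
    """One valid posting, one posting by the wrong role, one malformed transaction."""
    ledger = []
    outcomes = {}
    good = {"account": "12345678", "amount_cents": 4500, "value_date": "2024-01-15"}
    outcomes["teller_valid"] = post_payment("alice", good, ledger)["amount_cents"]
    try:
        post_payment("bob", good, ledger)    # an auditor's duties do not include posting
        outcomes["auditor_posts"] = "allowed"
    except AccessDenied:
        outcomes["auditor_posts"] = "denied"
    bad = {"account": "1234-5678", "amount_cents": "4500", "value_date": "2024-01-15"}
    try:
        post_payment("alice", bad, ledger)
        outcomes["malformed"] = "accepted"
    except ValidationError:
        outcomes["malformed"] = "rejected"
    outcomes["ledger_size"] = len(ledger)
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Authorization runs before validation on purpose: a user outside the role should learn nothing about which input the process would have accepted, and the ledger is only touched once both controls have passed.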
23. Hardware control
– Physically secure hardware
– Monitor for and fix malfunction
– Environmental systems and protection
– Backup of disk-based data
24. Data security control
– Prevent unauthorised access, change or destruction
– When data is in use or being stored
– Physical access to terminals
– Password protection
– Data level access controls
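"Password protection" above, read together with "Poor Password Practices" in the risk list on slide 16, is mainly a question of how the credential is stored. The following Python example is added here (it is not from the slides) and contrasts an unsalted digest, which gives identical output for identical passwords, with a per-user random salt and PBKDF2-HMAC-SHA256, verified with a constant-time comparison. The iteration count and the stored-record format are constructed choices for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed parameters; the iteration count should be tuned to the deployment hardware.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def unsalted_digest(password: str) -> str:
    """The weak practice: two users with the same password get the same stored value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Store a random salt and the PBKDF2 output, never the password itself."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    # Constructed record format: scheme$iterations$salt$digest, all fields needed to re-verify later.
    return f"{SCHEME}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != SCHEME:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False           # malformed record: treat as a failed login, never as success
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def demo():
    """Show that salting hides password reuse between users and that verification still works."""
    shared = "winter2024"                        # constructed password used by two accounts
    weak_a, weak_b = unsalted_digest(shared), unsalted_digest(shared)
    strong_a, strong_b = hash_password(shared), hash_password(shared)
    return {
        "unsalted_records_identical": weak_a == weak_b,
        "salted_records_identical": strong_a == strong_b,
        "correct_password_verifies": verify_password(shared, strong_a),
        "wrong_password_verifies": verify_password("Winter2024", strong_a),
    }


if __name__ == "__main__":
    print(demo())
```

Because the salt and iteration count are stored with the digest, the iteration count can be raised for new records without invalidating old ones; existing records are simply re-hashed the next time the user logs in successfully.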
25. Baseline Methods for selecting Security Controls
• A baseline control method consists of considering the use of the best practices of other well-run organizations under similar conditions.
• The overall strategy for implementing the baseline method requires that the security specialist engage in the following actions:
• Identify information assets.
• Identify current controls.
26. Cont……
• Identify baseline controls for common threats and vulnerabilities.
• Accept or reject baseline controls.
• Implement approved recommendations in an acceptable order of urgency.
• Identify and analyze remaining special threats and vulnerabilities.
• Identify or create special controls.
• Accept and implement special controls.
• Review security periodically as circumstances change.
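The steps on slides 25 and 26 amount to a gap analysis: for each asset, match its threats against a catalogue of baseline controls, drop the controls already in place or rejected, order what remains by urgency, and set aside the threats no baseline control covers so that special controls can be designed for them. The following Python example is added here and is not from the slides; the control catalogue, urgency ranks, asset names and threat labels are constructed (the threat labels reuse risks named on slide 16).

```python
from dataclasses import dataclass, field

# Constructed baseline catalogue: control name -> the common threat it addresses and an
# urgency rank (1 = implement first). A real catalogue would come from the chosen standard.
BASELINE_CONTROLS = {
    "access-control":     {"threat": "unauthorized access",      "urgency": 1},
    "backup":             {"threat": "loss of critical data",    "urgency": 1},
    "encrypt-in-transit": {"threat": "clear text transmission",  "urgency": 2},
    "password-policy":    {"threat": "poor password practices",  "urgency": 2},
    "physical-security":  {"threat": "poor physical security",   "urgency": 3},
}


@dataclass
class Asset:
    name: str
    threats: set                                    # step: identify threats to the asset
    current_controls: set = field(default_factory=set)  # step: identify current controls


def select_baseline(assets, rejected=()):
    """Return (plan, special): the baseline controls still to implement, ordered by urgency,
    and the threats per asset that no baseline control covers (candidates for special controls)."""
    covered = {ctrl["threat"] for ctrl in BASELINE_CONTROLS.values()}
    plan = []
    special = {}
    for asset in assets:
        for threat in asset.threats:
            if threat not in covered:
                special.setdefault(asset.name, set()).add(threat)
                continue
            for name, ctrl in BASELINE_CONTROLS.items():
                if ctrl["threat"] != threat:
                    continue
                if name in asset.current_controls or name in rejected:
                    continue                         # already in place, or consciously rejected
                plan.append((ctrl["urgency"], asset.name, name))
    plan.sort()                                      # urgency first, then asset and control name
    return plan, special


def demo():
    """Two constructed assets; 'physical-security' is rejected to show the accept/reject step."""
    assets = [
        Asset("customer database",
              {"unauthorized access", "loss of critical data", "key person dependency"},
              {"backup"}),
        Asset("branch workstation",
              {"poor physical security", "clear text transmission"}),
    ]
    return select_baseline(assets, rejected={"physical-security"})


if __name__ == "__main__":
    plan, special = demo()
    for urgency, asset, control in plan:
        print(f"urgency {urgency}: {asset} -> {control}")
    print("needs special controls:", special)
```

Rejected baseline controls should still be recorded somewhere with the reason, since the final step (review as circumstances change) will revisit them; the function only drops them from the current plan.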
27. Information security management in the new millennium:
• Fast development and growth in electronic networks and computer-based information systems has, on one side, made many organizations capable of processing, storing and transferring digital data. On the other hand, this revolutionary development in communication and information systems has increased the problems organizations face in protecting and saving their information resources.