The document discusses security concepts in information systems including prevention of unauthorized access, modification, and deletion of information. It outlines unintentional threats like human error and intentional threats like criminal attacks. The goals of information security are prevention, detection, and response. Risks to applications and data include computer crime, hacking, cyber-theft, unauthorized work use, software piracy, and viruses/worms. Risks to hardware include natural disasters, blackouts, and vandalism. Major defense strategies are encryption, authentication, firewalls, email monitoring, antivirus software, backup files, security monitors, and biometric controls. The document also discusses disaster recovery, business recovery plans, and general controls to minimize errors and disasters.

1. SECURITY AND CONTROL IN
INFORMATION SYSTEMS

2. • Security concepts covers a wide array of activities,
includes products and processes to prevent
unauthorized access, modification and deletion of
information knowledge, data and facts.
• Information Systems Concerns:
1. Unintentional threats
• Human error – in design or use of system
• Environmental hazards – acts of God and other
• Computer system failures – faulty products
2. Intentional threats
• Systems are subject to a wide variety of hazards from criminal
attacks

3. GOALS OF INFORMATION SECURITY
1) Prevention
• Prevent computer or information violations from occurring.
- Simple incidents are losing a password, or leaving a terminal
logged on overnight
2) Detection
• Detection includes identifying the assets under attack, how it
occurred and by whom.
3) Response
• Refers to developing strategies and techniques to deal with
an attack or loss.

4. RISK TO IS : 1. Risk to Application and Data
a) Computer crime
• The unauthorized use, access, modification, and destruction of hardware,
software, data, or network resources.
• The unauthorized release of information
• The unauthorized copying of software
• Denying an end user access to his or her own hardware, software, data, or
network resources
b) Hacking
• Hacking is the obsessive use of computers, or the unauthorized access and use
of networked computer systems.
• Illegal hackers (also called crackers) frequently assault the Internet and other
networks to steal or damage data and programs.
• Hackers can monitor e-mail, web server access, or file transfers to extract
passwords or steal network files, or to plant data that will cause a system to
welcome intruders.
• Use remote services that allow one computer on a network to execute programs
on another computer to gain privileged access within a network.

5. RISK TO IS : 1. Risk to Application and Data
c) Cyber-Theft
- Many computer crimes involve the theft of money.
- Involve unauthorized network entry and fraudulent alternation of
computer databases to cover the tracks of the employees involved.
d) Unauthorized Use at Work
- This may range from doing private consulting or personal finances, or
playing video games to unauthorized use of the Internet on company
networks.
e) Software Piracy
- Unauthorized copying of software or software piracy is a major form of
software theft because software is intellectual property, which is
protected by copyright law and user licensing agreements.

6. RISK TO IS : 1. Risk to Application and Data
f) Piracy of Intellectual Property
• Software is not the only intellectual property subject to
computer-based piracy. Other forms of copyrighted material,
such as music, videos, images, articles, books, and other
written works.
g) Computer Viruses and Worms
• Virus - is a program code that cannot work without being
inserted into another program. Worm - is a distinct program
that can run unaided. They typically enter a computer system
through illegal or borrowed copies of software or through
network links to other computer systems.

7. RISK TO IS : 1. Risk to Hardware
a) Natural Disaster
• Disasters that pose a risk to IS include fires, floods,
hurricanes, which can destroy hardware, software and can
causing total @ partial paralysis of systems @
communications lines.
b) Blackout & Brownout
• Blackout – loses of electrical power.
• Brownout – the voltage of power decreases @ short
interruptions in the flow of power.
• Vandalism - occur when human beings deliberately destroy
computer systems.

8. Major Types of Defense Strategies
1. Encryption
Encryption characteristics include:
• Passwords, messages, files, and other data can be transmitted in scrambled form and
unscrambled by computer systems for authorized users only.
• Encryption involves using special mathematical algorithms, or keys, to transform digital
data into a scrambled code before they are transmitted, and to decode the data when they
are received.
2. Authentication
• Authentication is a critical part of a security system. It is part of the process referred to as
Identification and authentication (I&A). Identification process starts when a user ID or
Logon name is typed into a sign on screen. Authentication methods are based on one or
more of three factors.
1) password or PIN.
2) smart card or an identification device.
3) fingerprints or retinal pattern.

9. Major Types of Defense Strategies
3. Firewalls
• Firewall computers and software is another important method for control
and security on the Internet and other networks. A network firewall can
be a communications processor, typically a router, or a dedicated server,
along with firewall software.
4. E-Mail Monitoring
• Internet and other online e-mail systems are one of the favourite avenues
of attack by hackers for spreading computer viruses or breaking into
networked computers.
5. Virus Defenses (Antivirus Software)
• Antivirus software scan’s the computers memory, disks and all email. It
uses a virus definition file that is updated regularly.

10. 5 Major Characteristics of Firewall
• A firewall serves as a “gatekeeper” computer system
• A firewall computer screens all network traffic for proper
passwords and other security.
• only allows authorized transmissions in and out of the
network.
• Firewalls have become an essential component of
organizations connecting to the Internet.
• Firewalls can deter, but not completely prevent, unauthorized
access (hacking) into computer networks.

11. Major Types of Defense Strategies
6. Backup Files
• Backup files, which are duplicate files of data or programs, are another
important security measure.
• Files can be protected by file retention measures that involve storing
copies of files from previous periods.
• Several generations of files can be kept for control purposes.
7. Security Monitors
• System security monitors are programs that monitor the use of computer
systems and networks and protect them from unauthorized use, fraud,
and destruction.

12. Major Types of Defense Strategies
8. Biometric Controls
Uses physical characteristics to identify the user.
• Voice verification
• Fingerprints
• Hand geometry
• Signature dynamics
• Retina scanning
• Face recognition
• Genetic pattern analysis
5. Disaster Recovery
• Hurricanes, earthquakes, fires, floods, criminal and terrorist acts, and human error
can all severely damage an organization's computing resources. Many
organizations, like airlines and banks can be crippled by losing even a few hours of
computing power.

13. Business Recovery Plan
• Business recovery plan – concern on the
disaster recovery has spread beyond banks,
insurance companies and data centers. It the
traditional recovery fanatics.

14. 9 Steps of the Development a Business
Recovery Plan
1. Obtain management’s commitment to the plan
Top management must be convinced of the potential damages that paralysis of information
systems may cause.
2. Establish a planning committee
Coordinator establishes a planning committee comprising representative from all business
unit that are dependent on computer-based ISs.
3. Perform risk assessment and impact analysis
The committee assesses which operations would be hurt by disasters and how long the
organization could continue to operate without damaged resources.
4. Prioritize recovery needs
The disaster recovery coordinator ranks each IS application according to its effect on an
organization’s ability to achieve its mission.

15. 9 Steps of the Development a
Business Recovery Plan
5. Select a recovery plan
Recovery plan alternatives are evaluated by considering advantages and disadvantages in
terms of risk reduction, cost and the speed.
6. Select vendors
Vendor’s ability to provide telecommunications alternatives, experience and capacity to
support current applications.
7. Develop and implement the plan
The plan includes organizational and vendor responsibilities and the sequence of events that
will take place.
8. Test the plan
Walk through with each business unit, simulations as if a real disaster had occurred and
deliberate interruption of the system and implementation of the plan.
9. Continually test and evaluate
Must be aware of the plan al the times.

16. General Controls to Minimize Errors and
Disasters of Information Systems
– Software controls—monitors the use of system software and prevents
unauthorized access of software programs, system software, and computer
programs.
– Hardware controls—ensure that computer hardware is physically secure
and functioning properly.
– Computer operations controls—oversee the work of the computer
department to ensure that programmed procedures are consistently and
correctly applied.
– Data security controls—ensures that valuable business data files are not
subjected to unauthorized access, change, or destruction.
– Implementation controls—audit the systems development process at
various points to ensure that the process is properly controlled and
managed.
– Administrative controls—formalized standards, rules, procedures, and
control disciplines to ensure that the organization’s controls are properly
executed and enforced.

17. Security Management Steps to Protect
Computer System Resources