MANAGEMENT INFORMATION SYSTEMS
Executive MBA PGSM
INFORMATION SECURITY
Management Information Systems
Information Security
• Background
– Organizations face security threats from both
within and outside
– Traditional security measures have addressed
external threats
– Understanding the managerial aspects of
information security is important because of the
changing regulatory environment and the
potential risk exposure that some firms face
E-Crime
• E-Crime: any criminal violation in which a computer or e-media is used in the commission of the crime
E-Crime
• Example of Credit card security breaches
– TJX
– CardSystems Inc.
Figure 16.1
E-Crime
• Many Types of E-Crime
– All incur costs to organizations or individuals
Figure 16.2
E-Crime
• Some common ways computers are attacked
– Virus: a small unit of code embedded in a file or program that, when executed, will replicate itself and may cause damage to infected computers
– Worm: a self-replicating virus
– Trojan horse: a security-breaking program that is disguised as a legitimate program
– Logic bomb: a program, or code within a system, that takes action when a certain event occurs
– Denial of service attack: occurs when a large number of messages are sent to a target computer simultaneously with the purpose of disrupting the capability of the target
E-Crime
• Other techniques used in E-Crime:
– Phishing: the solicitation of sensitive personal information from users, commonly in the form of email and instant messages
– Spoofing: the use of a fraudulent Web site that mimics a legitimate one; often used in conjunction with phishing
E-Crime
• Hacker vs. Cracker
– Hacker: an individual with no malicious intent who attacks computer systems for the purpose of highlighting security vulnerabilities
– Cracker: an individual who attacks computer systems to intentionally steal information or cause harm
E-Crime
• All managers responsible for security compliance should have an understanding of the basics of security technology
Security Basics (Figure 16.4)
• Firewall and Proxy Servers
• Encryption and VPNs
• Identity and Access Management Systems (IAM)
• Content-Filtering Tools
• Penetration-Testing Tools
Information Risk Management
• Steps in Risk Management
– Determine the organization’s information assets
and their values
– Decide how long the organization can function without specific information assets
– Develop and implement security procedures to
protect these information assets
Information Risk Management
• Steps in Risk Management
– Determine the organization’s information assets
and their values
– Example:
• One organization determined that corporate
information found on employee laptops is an important
asset
• The organization estimates that a loss of the
information on a single laptop may cost $50,000 on
average
Information Risk Management
• The expected losses due to a vulnerability are calculated by the following formula:
Annualized Expected Losses (AEL) = Single Loss Expectancy (SLE) × Annual Occurrence Rate (AOR)
Information Risk Management
• Quantitative example:
– Losing the corporate data from a single laptop has
an estimated value of $50,000
– The corporation identified three occurrences in
the last two years where a laptop had been lost
• This is an Annual Occurrence Rate of 1.5
AEL = SLE × AOR
Information Risk Management
• Quantitative example:
– Therefore, the Annualized Expected Losses (AEL)
amount to $75,000
AEL = SLE × AOR: $75,000 = $50,000 × 1.5
Information Risk Management
• After performing a quantitative risk analysis,
the Annualized Expected Losses (AEL) are used
to perform security cost-benefit analysis
• Security Cost-Benefit Analysis: a quantitative analysis IS managers may perform to examine the potential business benefits and the intervention costs involved with mitigating security risks
Information Risk Management
• Security Cost-Benefit Analysis
– Managers must estimate the costs of the actions
performed to secure the information asset
– The Return Benefit from the actions can be
estimated by the following formula:
Return Benefit = Annualized Expected Losses (AEL) − Annualized Cost of Actions
Information Risk Management
• Security Cost-Benefit Analysis
– From the laptop example, the company estimates
that adding strong encryption to the corporate
data on the laptops will cost $100 per year for
each of the 200 laptops in the company
– Overall, a $20,000 annualized cost for this
intervention would be realized
Return Benefit = AEL − Annualized Cost of Actions
Information Risk Management
• Security Cost-Benefit Analysis
– After performing the analysis, we find that this action has an estimated return benefit of $55,000 per year
Return Benefit = AEL − Annualized Cost of Actions: $55,000 = $75,000 − $20,000
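A worked version of the two formulas above (AEL = SLE × AOR and Return Benefit = AEL − Annualized Cost of Actions) using the laptop figures from the slides; this is an added example, not part of the lecture material. The loss-event records are constructed sample data, and the `risk_reduction` parameter, which lets a control remove only part of the expected loss, is an assumption added here that goes beyond the slide's formula.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class LossEvent:
    """One recorded loss of the asset (here a lost laptop). Sample data is constructed."""
    when: date
    description: str


def annual_occurrence_rate(events, observation_years):
    """AOR: observed losses divided by the length of the observation window in years."""
    if observation_years <= 0:
        raise ValueError("observation window must be a positive number of years")
    return len(events) / observation_years


def annualized_expected_losses(sle, aor):
    """Slide formula: AEL = SLE x AOR."""
    return sle * aor


def annualized_cost_of_actions(cost_per_unit_per_year, units):
    """Yearly cost of a control applied to every unit (e.g. $100 per laptop x 200 laptops)."""
    return cost_per_unit_per_year * units


def return_benefit(ael, annualized_cost, risk_reduction=1.0):
    """Slide formula: Return Benefit = AEL - Annualized Cost of Actions.

    risk_reduction is an added parameter (editor's assumption, not on the slides):
    the fraction of the expected loss the control actually removes. The default 1.0
    reproduces the slide, which implicitly assumes the control eliminates the loss.
    """
    if not 0.0 <= risk_reduction <= 1.0:
        raise ValueError("risk_reduction must be between 0 and 1")
    return ael * risk_reduction - annualized_cost


# Constructed sample matching the slides: three lost laptops in a two-year window.
LAPTOP_LOSSES = [
    LossEvent(date(2007, 2, 14), "laptop left in a taxi"),
    LossEvent(date(2007, 9, 3), "laptop stolen from a parked car"),
    LossEvent(date(2008, 6, 21), "laptop lost in transit"),
]
OBSERVATION_YEARS = 2.0
SLE_PER_LAPTOP = 50_000           # slide: $50,000 per lost laptop
ENCRYPTION_COST_PER_LAPTOP = 100  # slide: $100 per laptop per year
LAPTOP_COUNT = 200                # slide: 200 laptops


def laptop_case():
    """Run the slide's laptop example end to end and return every intermediate figure."""
    aor = annual_occurrence_rate(LAPTOP_LOSSES, OBSERVATION_YEARS)
    ael = annualized_expected_losses(SLE_PER_LAPTOP, aor)
    cost = annualized_cost_of_actions(ENCRYPTION_COST_PER_LAPTOP, LAPTOP_COUNT)
    benefit = return_benefit(ael, cost)
    return {
        "aor": aor,                      # 1.5 losses per year
        "ael": ael,                      # $75,000 per year
        "annualized_cost": cost,         # $20,000 per year
        "return_benefit": benefit,       # $55,000 per year
        "worth_doing": benefit > 0,      # positive return benefit justifies the control
    }


if __name__ == "__main__":
    for name, value in laptop_case().items():
        print(f"{name}: {value}")
```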
Compliance with Current Security Laws
• Legal and Regulatory Environment
– Impacts information security practices
Figure 16.7
Compliance with Current Security Laws
• Sarbanes-Oxley Act of 2002 (SOX)
– Created as a response to the scandals at Enron,
Tyco, WorldCom, and others
– Applies to publicly traded US companies
Compliance with Current Security Laws
• Sarbanes-Oxley Act of 2002 (SOX)
"Sarbanes is the most sweeping legislation
to affect publicly traded companies since
the reforms during the Great Depression"
- Gartner Analyst John Bace
Compliance with Current Security Laws
• SOX affects IS leaders in two major ways:
– Records retention
• The act states that companies must retain electronic
communication such as email and instant messaging for
a period of at least five years
– IT audit controls
• Officers must certify that they are responsible for
establishing and maintaining internal controls
Compliance with Current Security Laws
• Section 404 of SOX states that companies must use an internal control framework such as COSO
• COSO: a framework for auditors to use when assessing internal controls, created by the Committee of Sponsoring Organizations (COSO)
Compliance with Current Security Laws
• Internal controls are assurance processes
• COSO definition of internal control: “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
– Effectiveness and efficiency of operations
– Reliability of financial reporting
– Compliance with applicable laws and regulations”
Compliance with Current Security Laws
• The COSO framework contains five
interrelated categories:
– Risk Assessment
– Control Environment
– Control Activities
– Monitoring
– Information and Communication
Compliance with Current Security Laws
• Gramm-Leach-Bliley Act of 1999 (GLBA)
– Mandates that all organizations maintain a high
level of confidentiality of all financial information
of their clients or customers
– The act gives federal agencies and states the
authority to enforce the following rules:
• Financial Privacy Rule
• Safeguards Rule
Compliance with Current Security Laws
• Gramm-Leach-Bliley Act of 1999 (GLBA)
– Financial Privacy Rule
• Requires financial institutions to provide customers
with privacy notices
• Organizations must clearly state their privacy policies
when establishing relationships with customers
• Organizations cannot disclose nonpublic personal
information to a third-party
– Safeguards Rule
Compliance with Current Security Laws
• Gramm-Leach-Bliley Act of 1999 (GLBA)
– Safeguards Rule
• Organizations must have a written security plan in place
to protect customers’ nonpublic confidential
information
Compliance with Current Security Laws
• Health Insurance Portability and
Accountability Act (HIPAA)
– HIPAA requires organizations to secure nonpublic
confidential medical information
– Noncompliance can lead to serious penalties and
fines
Compliance with Current Security Laws
• Uniting and Strengthening America by
Providing Appropriate Tools Required to
Intercept and Obstruct Terrorism Act of 2001
(USA PATRIOT)
– Commonly called the PATRIOT Act
– Gives the US government greater ability to access
information
– Victims of computer hacking can now request law
enforcement assistance
Compliance with Current Security Laws
• California Information Practices Act (Senate
Bill 1386)
– In the past, companies have often been silent
when information theft occurred
– This act requires organizations that store
nonpublic information on California residents to
report information theft within 96 hours
– Noncompliance may lead to civil or criminal
consequences
Developing an Information Security Policy
• Information Security Policies
– Required by many regulations (e.g., SOX)
– Required to obtain insurance
• Information Security Policy: a written document describing what is, and is not, permissible use of information in the organization and the consequences for violation of the policy
Developing an Information Security Policy
• Who should develop the security policy?
– Representatives of all affected user groups and
stakeholders
– Must have support of managers who train and
enforce the policy
– Committee who develops policy should meet
regularly to ensure that security policy meets the
organization’s needs and satisfies current
regulations
Developing an Information Security Policy
• What should be in the policy?
– Common Topics
• Access control policies
• External access policies
• User and physical policies
– Example Policies
• SANS Institute provides template of many policy types
Developing an Information Security Policy
• Policy should be appropriate to the estimated
risks of the organization
• They should be quickly modified when new
situations arise affecting security
• Organizations should make it easy for
employees to access the most recent policy
Planning for Business Continuity
• This is more than simple disaster recovery
• When an organization cannot resume
operations in a reasonable time frame, it leads
to business failure
• Business Continuity Planning (BCP): putting specific plans in place that ensure that employees and business processes can continue when faced with any major unanticipated disruption
Planning for Business Continuity
• McNurlin & Sprague identified the following
components of BCP that were often
overlooked before the 9/11 terrorist attacks:
– Alternate workspaces for people with working
computers and phone lines
– Backup IT sites that are not too close, but not too
far away
– Up-to-date evacuation plans that everyone knows
and has practiced
Planning for Business Continuity
• McNurlin & Sprague identified the following
components of BCP that were often
overlooked before the 9/11 terrorist attacks:
– Backed-up laptops and departmental servers,
because a lot of corporate information is housed
on these machines rather than in the data center
– Helping people cope with a disaster by having
easily accessible phone lists, e-mail lists, and even
instant-messenger lists so that people can
communicate with loved ones and colleagues
Planning for Business Continuity
• Creating a BCP begins with a business impact
analysis with the following steps:
1. Define the critical business processes and
departments
2. Identify interdependencies between them
3. Examine all possible disruptions to these
systems
4. Gather quantitative and qualitative information
on these threats
5. Provide remedies for restoring systems
Planning for Business Continuity
• Disruptions are usually ranked based on the
following categories:
– Lower-priority: 30 days
– Normal: 7 days
– Important: 72 hours
– Urgent: 24 hours
– Critical: < 12 hours
Planning for Business Continuity
• Electronic Records Management (ERM)
– Covers the retention of important digital
documents
– Grew out of the need to satisfy regulation such as
SOX and HIPAA
– May require a centralized approach
– eDiscovery amendments to rules for civil
procedures make ERM even more important
Planning for Business Continuity
• Electronic Records Management (ERM)
– ERM managers are responsible for the following
• Defining what constitutes an electronic record
• Analyzing the current business environment and
developing appropriate ERM policies
• Classifying specific records based upon their
importance, regulatory requirements, and duration
• Authenticating records by maintaining accurate logs
and procedures to prove that these are the actual
records, and that they have not been altered
• Managing policy compliance
Planning for Business Continuity
• Electronic Records Management (ERM)
– Managers must realize that businesses may be
digitally liable for actions their employees have
taken when communicating electronically
– Electronic corporate information may reside on
computers external to the company (e.g. cached
email)
The Chief Information Security Role
• With increasing pressure to comply with laws
and regulations, many companies have added
a chief information security officer (CISO) to
their organization
• Responsible for monitoring information
security risks and developing strategies to
mitigate that risk
The Chief Information Security Role
• As it is impossible to eliminate all risk, the
CISO must balance the trade-offs between
risks and the costs of eliminating them
[Figure: trade-off between cost of prevention and risk]
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 

Recently uploaded (20)

From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 

Topic 6 -it_security

9
E-Crime
• All managers responsible for security compliance should have an understanding of the basics of security
• Technology Security Basics (Figure 16.4)
– Firewall and Proxy Servers
– Encryption and VPNs
– Identity and Access Management Systems (IAM)
– Content-Filtering Tools
– Penetration-Testing Tools
10
Information Risk Management
• Steps in Risk Management
– Determine the organization's information assets and their values
– Decide how long the organization can function without specific information assets
– Develop and implement security procedures to protect these information assets
11
Information Risk Management
• Steps in Risk Management
– Determine the organization's information assets and their values
– Example:
• One organization determined that corporate information found on employee laptops is an important asset
• The organization estimates that a loss of the information on a single laptop may cost $50,000 on average
12
Information Risk Management
• The expected annual loss due to a vulnerability is calculated with the following formula:
Annualized Expected Losses (AEL) = Single Loss Expectancy (SLE) × Annual Occurrence Rate (AOR)
13
Information Risk Management
• Quantitative example:
– Losing the corporate data from a single laptop has an estimated value of $50,000; this is the Single Loss Expectancy (SLE)
– The corporation identified three occurrences in the last two years where a laptop had been lost
• This is an Annual Occurrence Rate (AOR) of 3 / 2 = 1.5
AEL = SLE × AOR
14
Information Risk Management
• Quantitative example:
– Therefore, the Annualized Expected Losses (AEL) amount to $75,000
AEL = SLE × AOR
$75,000 = $50,000 × 1.5
15
Information Risk Management
• After performing a quantitative risk analysis, the Annualized Expected Losses (AEL) are used to perform security cost-benefit analysis
• Security Cost-Benefit Analysis: a quantitative analysis IS managers may perform to examine the potential business benefits and the intervention costs involved with mitigating security risks
16
Information Risk Management
• Security Cost-Benefit Analysis
– Managers must estimate the costs of the actions performed to secure the information asset
– The Return Benefit from the actions can be estimated by the following formula:
Return Benefit = Annualized Expected Losses (AEL) - Annualized Cost of Actions
– Note that this formula credits the action with the whole AEL, i.e. it assumes the action eliminates the loss; an action that only reduces the occurrence rate or the size of a single loss should be credited with the AEL it actually removes
17
Information Risk Management
• Security Cost-Benefit Analysis
– From the laptop example, the company estimates that adding strong encryption to the corporate data on the laptops will cost $100 per year for each of the 200 laptops in the company
– Overall, a $20,000 annualized cost for this intervention would be realized
Return Benefit = AEL - Annualized Cost of Actions
18
Information Risk Management
• Security Cost-Benefit Analysis
– After performing the analysis, we find that this action has an estimated return benefit of $55,000 per year
Return Benefit = AEL - Annualized Cost of Actions
$55,000 = $75,000 - $20,000
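The two formulas above, carried through in code as an added example (it is not part of the slide deck): it reproduces the laptop figures (SLE $50,000, three losses in two years, 200 laptops, encryption at $100 per laptop per year) and generalizes the Return Benefit to controls that only remove part of the expected loss, so several candidate controls can be ranked against the same AEL. The control names other than full-disk encryption, their costs and their mitigation fractions are constructed for illustration and are not from the slides.

```python
"""AEL and security cost-benefit calculation (added example, not from the slides).

Formulas carried from the deck:
    AEL            = SLE x AOR
    Return Benefit = AEL - Annualized Cost of Actions
Generalization: a control carries a 'mitigation' fraction of the AEL it is
assumed to remove. mitigation = 1.0 reproduces the deck's formula exactly.
"""
from dataclasses import dataclass


def annual_occurrence_rate(occurrences: int, years: float) -> float:
    """AOR: incidents observed per year (3 lost laptops in 2 years -> 1.5)."""
    if years <= 0:
        raise ValueError("observation window must be positive")
    return occurrences / years


def annualized_expected_loss(sle: float, aor: float) -> float:
    """AEL = SLE x AOR."""
    return sle * aor


@dataclass(frozen=True)
class Control:
    name: str
    unit_cost_per_year: float   # e.g. $100 per laptop per year
    units: int                  # e.g. 200 laptops
    # Fraction of the AEL the control is assumed to remove (assumption, not a
    # measured value). The slides treat encryption as removing the whole loss.
    mitigation: float = 1.0

    @property
    def annualized_cost(self) -> float:
        return self.unit_cost_per_year * self.units


def return_benefit(ael: float, control: Control) -> float:
    """Return Benefit = (AEL removed by the control) - annualized cost.

    With mitigation = 1.0 this is the deck's AEL - cost; with a partial
    control only the risk it actually removes counts as benefit."""
    if not 0.0 <= control.mitigation <= 1.0:
        raise ValueError("mitigation must be between 0 and 1")
    return ael * control.mitigation - control.annualized_cost


def rank_controls(ael: float, controls) -> list:
    """(name, return benefit) pairs, best first. A negative value means the
    control costs more per year than the loss it prevents."""
    return sorted(((c.name, return_benefit(ael, c)) for c in controls),
                  key=lambda pair: pair[1], reverse=True)


# The deck's figures.
LAPTOP_SLE = 50_000.0
LAPTOP_AOR = annual_occurrence_rate(occurrences=3, years=2)    # 1.5
LAPTOP_AEL = annualized_expected_loss(LAPTOP_SLE, LAPTOP_AOR)  # 75,000

CANDIDATE_CONTROLS = [
    # The deck's case: 200 laptops, $100 each per year, full mitigation.
    Control("full-disk encryption", unit_cost_per_year=100, units=200),
    # Constructed alternatives for illustration only (not from the slides).
    Control("cable locks (partial)", unit_cost_per_year=20, units=200, mitigation=0.3),
    Control("MDM with remote wipe", unit_cost_per_year=400, units=200, mitigation=0.95),
]

if __name__ == "__main__":
    print(f"AOR = {LAPTOP_AOR}, AEL = ${LAPTOP_AEL:,.0f}")
    for name, benefit in rank_controls(LAPTOP_AEL, CANDIDATE_CONTROLS):
        verdict = "worth doing" if benefit > 0 else "not justified"
        print(f"{name:24s} return benefit ${benefit:>10,.0f}  ({verdict})")
```

Running it reproduces the deck's $55,000 for encryption and shows why the mitigation fraction matters: the expensive hypothetical MDM control removes almost all of the AEL yet has a negative return benefit, so on this model it would not be funded.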
19
Compliance with Current Security Laws
• Legal and Regulatory Environment
– Impacts information security practices
Figure 16.7
20
Compliance with Current Security Laws
• Sarbanes-Oxley Act of 2002 (SOX)
– Created as a response to the scandals at Enron, Tyco, WorldCom, and others
– Applies to publicly traded US companies
21
Compliance with Current Security Laws
• Sarbanes-Oxley Act of 2002 (SOX)
"Sarbanes is the most sweeping legislation to affect publicly traded companies since the reforms during the Great Depression" - Gartner Analyst John Bace
22
Compliance with Current Security Laws
• SOX affects IS leaders in two major ways:
– Records retention
• The act states that companies must retain electronic communication such as email and instant messaging for a period of at least five years
– IT audit controls
• Officers must certify that they are responsible for establishing and maintaining internal controls
23
Compliance with Current Security Laws
• Section 404 of SOX states that companies must use an internal control framework such as COSO
• COSO is a framework for auditors to use when assessing internal controls; it was created by the Committee of Sponsoring Organizations (COSO)
24
Compliance with Current Security Laws
• Internal controls are assurance processes
• COSO definition of internal control: "a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations"
25
Compliance with Current Security Laws
• The COSO framework contains five interrelated categories:
– Risk Assessment
– Control Environment
– Control Activities
– Monitoring
– Information and Communication
26
Compliance with Current Security Laws
• Gramm-Leach-Bliley Act of 1999 (GLBA)
– Mandates that all organizations maintain a high level of confidentiality of all financial information of their clients or customers
– The act gives federal agencies and states the authority to enforce the following rules:
• Financial Privacy Rule
• Safeguards Rule
27
Compliance with Current Security Laws
• Gramm-Leach-Bliley Act of 1999 (GLBA)
– Financial Privacy Rule
• Requires financial institutions to provide customers with privacy notices
• Organizations must clearly state their privacy policies when establishing relationships with customers
• Organizations cannot disclose nonpublic personal information to a third party
– Safeguards Rule
28
Compliance with Current Security Laws
• Gramm-Leach-Bliley Act of 1999 (GLBA)
– Safeguards Rule
• Organizations must have a written security plan in place to protect customers' nonpublic confidential information
29
Compliance with Current Security Laws
• Health Insurance Portability and Accountability Act (HIPAA)
– HIPAA requires organizations to secure nonpublic confidential medical information
– Noncompliance can lead to serious penalties and fines
30
Compliance with Current Security Laws
• Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT)
– Commonly called the PATRIOT Act
– Gives the US government greater ability to access information
– Victims of computer hacking can now request law enforcement assistance
31
Compliance with Current Security Laws
• California Information Practices Act (Senate Bill 1386)
– In the past, companies have often been silent when information theft occurred
– This act requires organizations that store nonpublic information on California residents to notify the affected residents of information theft without unreasonable delay
– Noncompliance may lead to civil or criminal consequences
32
Developing an Information Security Policy
• Information Security Policies
– Required by many regulations (e.g., SOX)
– Required to obtain insurance
• Information Security Policy: a written document describing what is, and is not, permissible use of information in the organization and the consequences for violation of the policy
33
Developing an Information Security Policy
• Who should develop the security policy?
– Representatives of all affected user groups and stakeholders
– Must have the support of the managers who train on and enforce the policy
– The committee that develops the policy should meet regularly to ensure that the security policy meets the organization's needs and satisfies current regulations
34
Developing an Information Security Policy
• What should be in the policy?
– Common Topics
• Access control policies
• External access policies
• User and physical policies
– Example Policies
• The SANS Institute provides templates for many policy types
35
Developing an Information Security Policy
• The policy should be appropriate to the estimated risks of the organization
• It should be quickly modified when new situations arise affecting security
• Organizations should make it easy for employees to access the most recent policy
36
Planning for Business Continuity
• This is more than simple disaster recovery
• When an organization cannot resume operations in a reasonable time frame, the result can be business failure
• Business Continuity Planning (BCP): putting specific plans in place that ensure that employees and business processes can continue when faced with any major unanticipated disruption
37
Planning for Business Continuity
• McNurlin & Sprague identified the following components of BCP that were often overlooked before the 9/11 terrorist attacks:
– Alternate workspaces for people, with working computers and phone lines
– Backup IT sites that are not too close, but not too far away
– Up-to-date evacuation plans that everyone knows and has practiced
38
Planning for Business Continuity
• McNurlin & Sprague identified the following components of BCP that were often overlooked before the 9/11 terrorist attacks:
– Backed-up laptops and departmental servers, because a lot of corporate information is housed on these machines rather than in the data center
– Helping people cope with a disaster by having easily accessible phone lists, e-mail lists, and even instant-messenger lists so that people can communicate with loved ones and colleagues
39
Planning for Business Continuity
• Creating a BCP begins with a business impact analysis with the following steps:
1. Define the critical business processes and departments
2. Identify interdependencies between them
3. Examine all possible disruptions to these systems
4. Gather quantitative and qualitative information on these threats
5. Provide remedies for restoring systems
40
Planning for Business Continuity
• Disruptions are usually ranked by the time within which the affected system must be restored:
Category        Restore within
Critical        < 12 hours
Urgent          24 hours
Important       72 hours
Normal          7 days
Lower-priority  30 days
41
Planning for Business Continuity
• Electronic Records Management (ERM)
– Covers the retention of important digital documents
– Grew out of the need to satisfy regulations such as SOX and HIPAA
– May require a centralized approach
– The eDiscovery amendments to the rules of civil procedure make ERM even more important
42
Planning for Business Continuity
• Electronic Records Management (ERM)
– ERM managers are responsible for the following:
• Defining what constitutes an electronic record
• Analyzing the current business environment and developing appropriate ERM policies
• Classifying specific records based upon their importance, regulatory requirements, and retention duration
• Authenticating records by maintaining accurate logs and procedures to prove that these are the actual records, and that they have not been altered
• Managing policy compliance
43
Planning for Business Continuity
• Electronic Records Management (ERM)
– Managers must realize that businesses may be digitally liable for actions their employees have taken when communicating electronically
– Electronic corporate information may reside on computers external to the company (e.g., cached email)
44
The Chief Information Security Officer Role
• With increasing pressure to comply with laws and regulations, many companies have added a chief information security officer (CISO) to their organization
• Responsible for monitoring information security risks and developing strategies to mitigate that risk
45
The Chief Information Security Officer Role
• As it is impossible to eliminate all risk, the CISO must balance the trade-offs between risks and the costs of eliminating them
[Figure: cost of prevention plotted against risk]