chapter6-information system security and control

Upload: sajwal-tamrakar

Post on 07-Apr-2018


TRANSCRIPT

  • 8/6/2019 Chapter6-Information System Security and Control

    1/35

  • 2/35

    - Explain why information systems need special protection from destruction, error, and abuse
    - Assess the business value of security and control
    - Evaluate elements of an organizational and managerial framework for security and control

  • 3/35

    - Evaluate the most important tools and technologies for safeguarding information resources
    - Identify the challenges posed by information systems security and control and management solutions

  • 4/35

    - Why Systems Are Vulnerable
    - Contemporary Security Challenges and Vulnerabilities

  • 5/35

    - Why Systems Are Vulnerable (continued)
    - Internet Vulnerabilities:
      - Use of fixed Internet addresses through use of cable modems or DSL
      - Lack of encryption with most Voice over IP (VoIP)
      - Widespread use of e-mail and instant messaging (IM)

  • 6/35

    - Wireless Security Challenges:
      - Radio frequency bands are easy to scan
      - The service set identifiers (SSIDs) identifying the access points are broadcast multiple times

  • 7/35

    - Wi-Fi Security Challenges

  • 8/35

    - Malicious Software: Viruses, Worms, Trojan Horses, and Spyware
    - Hackers and Cybervandalism:
      - Computer viruses, worms, Trojan horses
      - Spyware
      - Spoofing and Sniffers
      - Denial of Service (DoS) Attacks
      - Identity theft
      - Cyber terrorism and Cyber warfare
      - Vulnerabilities from internal threats (employees); software flaws

  • 9/35

    - Worldwide Damage from Digital Attacks

  • 10/35

    - Types of Information Systems Controls
    - General controls:
      - Software and hardware
      - Computer operations
      - Data security
      - Systems implementation process

  • 11/35

    - Application controls:
      - Input
      - Processing
      - Output

  • 12/35

    - Risk Assessment: Determines the level of risk to the firm if a specific activity or process is not properly controlled

  • 13/35

    - Security Policy: Policy ranking information risks, identifying acceptable security goals, and identifying the mechanisms for achieving these goals
      - Acceptable Use Policy (AUP)
      - Authorization policies

  • 14/35

    - Security Profiles for a Personnel System

  • 15/35

    - Ensuring Business Continuity
      - Downtime: Period of time in which a system is not operational
      - Fault-tolerant computer systems: Redundant hardware, software, and power supply components to provide continuous, uninterrupted service
      - High-availability computing: Designing to maximize application and system availability

  • 16/35

    - Ensuring Business Continuity (continued)
      - Load balancing: Distributes access requests across multiple servers
      - Mirroring: Backup server that duplicates processes on primary server
      - Recovery-oriented computing: Designing computing systems to recover more rapidly from mishaps

  • 17/35

    - Ensuring Business Continuity (continued)
      - Disaster recovery planning: Plans for restoration of computing and communications disrupted by an event such as an earthquake, flood, or terrorist attack
      - Business continuity planning: Plans for handling mission-critical functions if systems go down

  • 18/35

    - Auditing:
      - MIS audit: Identifies all of the controls that govern individual information systems and assesses their effectiveness
      - Security audits: Review technologies, procedures, documentation, training, and personnel

  • 19/35

    - Sample Auditor's List of Control Weaknesses

  • 20/35

    - Access Control
    - Access control: Consists of all the policies and procedures a company uses to prevent improper access to systems by unauthorized insiders and outsiders
    - Authentication:
      - Passwords
      - Tokens, smart cards
      - Biometric authentication
      - Network access control / application access control

  • 21/35

    - Firewalls, Intrusion Detection Systems, and Antivirus Software
      - Firewalls: Hardware and software controlling flow of incoming and outgoing network traffic
      - Intrusion detection systems: Full-time monitoring tools placed at the most vulnerable points of corporate networks to detect and deter intruders

  • 22/35

    - Firewalls
    - A packet filtering firewall does exactly what its name implies: it filters packets.
    - As each packet passes through the firewall, it is examined and the information contained in the header is compared to a pre-configured set of rules or filters. An allow or deny decision is made based on the results of the comparison.

  • 23/35

    - Firewalls, Intrusion Detection Systems, and Antivirus Software
      - Antivirus software: Software that checks computer systems and drives for the presence of computer viruses and can eliminate the virus from the infected area
      - Wi-Fi Protected Access specification

  • 24/35

    - A Corporate Firewall

  • 25/35

    - Encryption and Public Key Infrastructure
      - Public key encryption: Uses two different keys, one private and one public. The keys are mathematically related so that data encrypted with one key can be decrypted using only the other key
      - Message integrity: The ability to be certain that the message being sent arrives at the proper destination without being copied or changed

  • 26/35

    - Authentication: refers to the ability of each party to know that the other parties are who they claim to be.

  • 27/35

    - Encryption and Public Key Infrastructure (continued)
      - Digital signature: A digital code attached to an electronically transmitted message that is used to verify the origin and contents of a message
      - Digital certificates: Data files used to establish the identity of users and electronic assets for protection of online transactions
      - Public Key Infrastructure (PKI): Use of public key cryptography working with a certificate authority
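The two properties stated on slides 25 and 27 (data encrypted with one key decrypts only with the other; a digital signature verifies the origin and contents of a message) in working form. This is an added example, not code from the slides or the textbook: it is textbook RSA with constructed demo-sized primes and no padding, so the arithmetic stays visible. Real deployments use keys of 2048 bits or more with OAEP/PSS padding from a vetted library.

```python
"""Toy RSA public-key encryption and digital signature (added example, not
from the slides). Primes are small, constructed demo values so the numbers
are readable; real keys use random primes of 1024+ bits each plus padding.

Demonstrates the two slide claims:
  * data encrypted with the public key decrypts only with the private key;
  * a signature made with the private key verifies with the public key and
    fails if the message is altered (origin + contents check).
"""
import hashlib
from math import gcd


def keygen(p: int, q: int, e: int = 65537):
    """Build an RSA key pair from two primes p and q.
    Returns (public, private) as ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime to phi(n)"
    d = pow(e, -1, phi)          # modular inverse (Python >= 3.8)
    return (n, e), (n, d)


def encrypt(public, m: int) -> int:
    """Encrypt one integer block with the public key."""
    n, e = public
    assert 0 <= m < n, "message block must be smaller than the modulus"
    return pow(m, e, n)


def decrypt(private, c: int) -> int:
    """Decrypt with the private key (the only key that reverses encrypt)."""
    n, d = private
    return pow(c, d, n)


def _hash_mod_n(message: bytes, n: int) -> int:
    # Hash the whole message, then reduce so it fits the modulus (a toy
    # substitute for the padded hash encoding real signature schemes use).
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private, message: bytes) -> int:
    """Digital signature: apply the private key to the message hash."""
    n, d = private
    return pow(_hash_mod_n(message, n), d, n)


def verify(public, message: bytes, signature: int) -> bool:
    """Anyone with the public key recomputes the hash and checks that the
    signature 'opens' to it; any change to message or signature fails."""
    n, e = public
    return pow(signature, e, n) == _hash_mod_n(message, n)


def demo():
    """Run both checks; returns (original_verifies, tampered_verifies)."""
    public, private = keygen(p=1000003, q=1000033)   # constructed primes
    m = 123456789
    c = encrypt(public, m)
    assert decrypt(private, c) == m          # private key recovers it
    assert decrypt(public, c) != m           # the public key does not
    msg = b"transfer 100 to account 42"      # constructed sample message
    sig = sign(private, msg)
    tampered = b"transfer 900 to account 42"
    return verify(public, msg, sig), verify(public, tampered, sig)


if __name__ == "__main__":
    ok, tampered_ok = demo()
    print("signature valid on original message:", ok)
    print("signature valid on tampered message :", tampered_ok)
```

The signature covers a hash of the message rather than the message itself, which is what lets one short signature vouch for the contents of an arbitrarily long message; the PKI pieces on this slide (certificates, certificate authority) exist to bind the public key used in `verify` to a named party, which RSA arithmetic alone cannot do.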

  • 28/35

    - Encryption and Public Key Infrastructure (continued)
      - Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS): protocols for secure information transfer over the Internet; enable client and server computer encryption and decryption activities as they communicate during a secure Web session.
      - Secure Hypertext Transfer Protocol (S-HTTP): used for encrypting data flowing over the Internet; limited to Web documents, whereas SSL and TLS encrypt all data being passed between client and server.

  • 29/35

    - Public Key Encryption

  • 30/35

  • 31/35

    - Digital Certificates

  • 32/35

    - Management Opportunities:
      - Creation of secure, reliable Web sites and systems that can support e-commerce and e-business strategies

  • 33/35

    - Management Challenges:
      - Designing systems that are neither overcontrolled nor undercontrolled
      - Implementing an effective security policy

  • 34/35

    - Solution Guidelines:
      - Security and control must become a more visible and explicit priority and area of information systems investment.
      - Support and commitment from top management is required to show that security is indeed a corporate priority and vital to all aspects of the business.
      - Security and control should be the responsibility of everyone in the organization.

  • 35/35

    - End of Chapter 6.