8/6/2019 Chapter 6: Information System Security and Control
- Explain why information systems need special protection from destruction, error, and abuse
- Assess the business value of security and control
- Evaluate elements of an organizational and managerial framework for security and control
- Evaluate the most important tools and technologies for safeguarding information resources
- Identify the challenges posed by information systems security and control and management solutions
Why Systems Are Vulnerable
- Contemporary Security Challenges and Vulnerabilities
Why Systems Are Vulnerable (continued)
- Internet vulnerabilities:
  - Use of fixed Internet addresses through use of cable modems or DSL
  - Lack of encryption with most Voice over IP (VoIP)
  - Widespread use of e-mail and instant messaging (IM)
- Wireless security challenges:
  - Radio frequency bands are easy to scan
  - The service set identifiers (SSIDs) identifying the access points broadcast multiple times
Wi-Fi Security Challenges
Malicious Software: Viruses, Worms, Trojan Horses, and Spyware
- Hackers and cybervandalism
- Computer viruses, worms, Trojan horses
- Spyware
- Spoofing and sniffers
- Denial of Service (DoS) attacks
- Identity theft
- Cyber terrorism and cyber warfare
- Vulnerabilities from internal threats (employees); software flaws
Worldwide Damage from Digital Attacks
Types of Information Systems Controls
- General controls:
  - Software and hardware
  - Computer operations
  - Data security
  - Systems implementation process
- Application controls:
  - Input
  - Processing
  - Output
- Risk assessment: Determines the level of risk to the firm if a specific activity or process is not properly controlled
- Security policy: Policy ranking information risks, identifying acceptable security goals, and identifying the mechanisms for achieving these goals
  - Acceptable Use Policy (AUP)
  - Authorization policies
Security Profiles for a Personnel System
Ensuring Business Continuity
- Downtime: Period of time in which a system is not operational
- Fault-tolerant computer systems: Redundant hardware, software, and power supply components to provide continuous, uninterrupted service
- High-availability computing: Designing to maximize application and system availability
Ensuring Business Continuity (continued)
- Load balancing: Distributes access requests across multiple servers
- Mirroring: Backup server that duplicates processes on primary server
- Recovery-oriented computing: Designing computing systems to recover more rapidly from mishaps
Ensuring Business Continuity (continued)
- Disaster recovery planning: Plans for restoration of computing and communications disrupted by an event such as an earthquake, flood, or terrorist attack
- Business continuity planning: Plans for handling mission-critical functions if systems go down
- Auditing:
  - MIS audit: Identifies all of the controls that govern individual information systems and assesses their effectiveness
  - Security audits: Review technologies, procedures, documentation, training, and personnel
Sample Auditor's List of Control Weaknesses
Access Control
- Access control: Consists of all the policies and procedures a company uses to prevent improper access to systems by unauthorized insiders and outsiders
- Authentication:
  - Passwords
  - Tokens, smart cards
  - Biometric authentication
  - Network access control / application access control
Firewalls, Intrusion Detection Systems, and Antivirus Software
- Firewalls: Hardware and software controlling flow of incoming and outgoing network traffic
- Intrusion detection systems: Full-time monitoring tools placed at the most vulnerable points of corporate networks to detect and deter intruders
Firewalls
- A packet filtering firewall does exactly what its name implies: it filters packets.
- As each packet passes through the firewall, it is examined and the information contained in the header is compared to a pre-configured set of rules or filters. An allow or deny decision is made based on the results of the comparison.
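The rule comparison described above, as an added example that is not part of the original slides: header fields of each packet are checked against an ordered rule list, the first matching rule decides, and anything no rule matches is denied. The addresses and rules are constructed for illustration.

```python
# Added example, not from the original slides: a minimal packet filter that
# compares header fields against an ordered, pre-configured rule list.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    """Header fields the filter inspects; the payload is never looked at."""
    src: str
    dst: str
    proto: str                     # "tcp", "udp" or "icmp"
    dport: Optional[int] = None    # destination port, None for icmp

@dataclass(frozen=True)
class Rule:
    """One pre-configured filter; a None field matches anything."""
    action: str                    # "allow" or "deny"
    src: Optional[str] = None      # CIDR block, e.g. "10.0.0.0/8"
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True

def decide(rules, pkt):
    """First matching rule wins; a packet no rule matches is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"                  # default deny: unlisted traffic is dropped

# Constructed rule set (hypothetical addresses): HTTPS to the web server is
# open to everyone, SSH to it only from the internal 10.0.0.0/8 network.
RULES = [
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dport=443),
    Rule("allow", src="10.0.0.0/8", dst="203.0.113.10/32", proto="tcp", dport=22),
]
```

Because the default is deny, an SSH attempt from outside 10.0.0.0/8 is dropped even though no rule names it; reordering the rules changes the outcome, which is why rule order is part of the configuration.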
Firewalls, Intrusion Detection Systems, and Antivirus Software
- Antivirus software: Software that checks computer systems and drives for the presence of computer viruses and can eliminate the virus from the infected area
- Wi-Fi Protected Access specification
A Corporate Firewall
Encryption and Public Key Infrastructure
- Public key encryption: Uses two different keys, one private and one public. The keys are mathematically related so that data encrypted with one key can be decrypted using only the other key
- Message integrity: The ability to be certain that the message being sent arrives at the proper destination without being copied or changed
- Authentication: Refers to the ability of each party to know that the other parties are who they claim to be.
Encryption and Public Key Infrastructure (continued)
- Digital signature: A digital code attached to an electronically transmitted message that is used to verify the origin and contents of a message
- Digital certificates: Data files used to establish the identity of users and electronic assets for protection of online transactions
- Public Key Infrastructure (PKI): Use of public key cryptography working with a certificate authority
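The two-key property, the digital signature and the message integrity check from the two slides above, as an added example that is not part of the original slides. It uses textbook RSA with small demonstration primes and a SHA-256 digest; all key values and messages are constructed for illustration, and the scheme omits the padding a real implementation needs.

```python
# Added example, not from the original slides: textbook RSA with a SHA-256
# digest to show the two-key property, a digital signature and integrity check.
import hashlib
from math import gcd

def keygen(p=2147483647, q=1000000007, e=65537):
    """Return (public, private) keys. Demonstration-sized primes only: real
    keys are thousands of bits and generated with a proper library."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)            # private exponent (Python 3.8+)
    return (e, n), (d, n)

def apply_key(key, m):
    """Transform block m with either key; the other key reverses it."""
    exp, n = key
    return pow(m, exp, n)

def encrypt(public, data):
    """Encrypt one byte per block with the recipient's public key (toy scheme,
    no padding; real RSA encryption uses randomised padding)."""
    return [apply_key(public, b) for b in data]

def decrypt(private, blocks):
    """Only the matching private key recovers the plaintext."""
    return bytes(apply_key(private, c) for c in blocks)

def digest(msg, n):
    """Fixed-size fingerprint of the message, reduced to fit one block."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(private, msg):
    """Digital signature: the digest transformed with the sender's private key."""
    return apply_key(private, digest(msg, private[1]))

def verify(public, msg, sig):
    """Recover the digest with the sender's public key and compare it with a
    fresh digest; any change to msg (or a forged sig) makes this False."""
    return apply_key(public, sig) == digest(msg, public[1])
```

Verification succeeds only when the signature was produced with the private key matching the public key used to check it and the message is unchanged, which is what the slides mean by verifying the origin and contents of a message.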
Encryption and Public Key Infrastructure (continued)
- Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS): protocols for secure information transfer over the Internet; enable client and server computer encryption and decryption activities as they communicate during a secure Web session.
- Secure Hypertext Transfer Protocol (S-HTTP): used for encrypting data flowing over the Internet; limited to Web documents, whereas SSL and TLS encrypt all data being passed between client and server.
Public Key Encryption
Digital Certificates
Management Opportunities:
- Creation of secure, reliable Web sites and systems that can support e-commerce and e-business strategies
Management Challenges:
- Designing systems that are neither overcontrolled nor undercontrolled
- Implementing an effective security policy
Solution Guidelines:
- Security and control must become a more visible and explicit priority and area of information systems investment.
- Support and commitment from top management is required to show that security is indeed a corporate priority and vital to all aspects of the business.
- Security and control should be the responsibility of everyone in the organization.
End of Chapter 6.