Lecture 6 - Information Systems Management
These 6-page class notes were uploaded by Wai Chuan on Sunday, August 16, 2015. They belong to ACC1006 (Accounting Information Systems) at the National University of Singapore, taught in Summer 2015, and had received 90 views since upload.
Date Created: 08/16/15
Chapter 8: Information Security Management (Lecture 6)

8.1 Threats to Information Security: the Sources of Threats

8.1.1 Sources of threats
- Human errors and mistakes
  - Accidental problems caused by both employees and non-employees
  - e.g. misunderstanding operating procedures and accidentally deleting customer records
  - e.g. entering values in the wrong field (this happens quite frequently)
  - e.g. installing an old copy of a database on top of the current one
  - Poorly written application programs and poorly designed procedures
    - These could be prevented during systems development, which is why the SDLC matters
  - Physical accidents, such as driving a forklift through the wall of a computer room
- Malicious human activity
  - Employees and former employees who intentionally destroy data or other system components
  - Hackers, virus and worm writers
  - Outside criminals who break into a system to steal for financial gain
  - Terrorism
- Natural events and disasters
  - Fires, floods, hurricanes, earthquakes, tsunamis, avalanches and other acts of nature
  - When disaster strikes, years of development can be wiped out in seconds
  - Losses include both the initial loss of capability and service and the losses stemming from the actions taken to recover from the initial problem

8.1.2 Types of security problems (problem type by source of threat)

  Problem                      | Human error                          | Computer crime                  | Natural disasters
  -----------------------------|--------------------------------------|---------------------------------|----------------------------
  Unauthorized data disclosure | Procedural mistakes                  | Pretexting, phishing, spoofing, | Disclosure during recovery
                               |                                      | sniffing, hacking               |
  Incorrect data modification  | Procedural mistakes, incorrect       | Hacking                         | Incorrect data recovery
                               | procedures, ineffective accounting   |                                 |
                               | controls, system errors              |                                 |
  Faulty service               | Procedural mistakes, development and | Usurpation                      | Service improperly restored
                               | installation errors                  |                                 |
  Denial of service            | Accidents                            | DoS attacks                     | Service interruption
  Loss of infrastructure       | Accidents                            | Theft, terrorist activity       | Property loss

- Denial of service (DoS)
  - An attempt to make a computer resource unavailable to its intended users
  - Prevents an Internet site or service from functioning efficiently, or at all, temporarily or indefinitely
  - e.g. flooding a mail server with thousands of emails until it crashes, denying everyone else the use of the email system
- Unauthorized data disclosure
  - Pretexting
    - A person lies about their identity or purpose to obtain privileged data about another individual
    - The data is then used for identity theft or corporate espionage
    - The usual means of pretexting is the telephone
  - Phishing
    - Acquiring sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication; in effect, pretexting by email
    - Communications purport to be from popular social web sites, auction sites, online payment processors or IT administrators
  - Spoofing
    - A person successfully masquerades as another by falsifying data (for example the source address of a packet or the sender of an email) and thereby gains an illegitimate advantage
  - Sniffing
    - Capturing data as it is transmitted on a network
    - A router running a sniffer can read any unencrypted data that passes through it, along with the source and destination addresses
    - Sniffers also have legitimate uses: administrators of academic networks use them to find and relieve traffic bottlenecks caused by file-sharing applications

8.1.3 Components of an organization's security program
- Senior-management involvement: two critical security functions
  1. Senior management must establish the security policy. This policy sets the stage for the organization's response to security threats. However, because no security program is perfect, there is always risk.
  2. Manage risk by balancing the costs and benefits of the security program.
- Safeguards: protections against security threats, grouped by the five components of an information system (hardware, software, data, procedures, people)

  Technical safeguards              | Data safeguards                  | Human safeguards
  (hardware, software)              | (data)                           | (procedures, people)
  ----------------------------------|----------------------------------|---------------------
  Identification and authentication | Data rights and responsibilities | Hiring
  Encryption                        | Passwords                        | Training
  Firewalls                         | Encryption                       | Education
  Malware protection                | Backup and recovery              | Procedure design
  Application design                | Physical security                | Administration
                                    |                                  | Assessment
                                    |                                  | Compliance
                                    |                                  | Accountability

  Effective security requires balanced attention to all five components.

- Incident response
  - Addressing and managing the aftermath of a security breach or attack (an incident)
  - Objective: damage control, i.e. limit the damage and reduce recovery time and costs
  - Incident response plan
    - Defines what constitutes an incident
    - Provides a step-by-step process to follow when an incident occurs
    - Spells out which mission-critical systems to protect

8.2 Senior Management's Security Role

8.2.1 NIST handbook of security elements (National Institute of Standards and Technology)
Computer security:
- Should support the mission of the organization
- Is an integral element of sound management
- Should be cost-effective
- Responsibilities and accountability should be made explicit
- Requires a comprehensive and integrated approach
- Should be periodically reassessed
- Is constrained by societal factors
- System owners have computer security responsibilities outside their own organizations

8.2.2 Three elements of a security policy
- General statement of the organization's security program
  - Becomes the foundation for more specific security measures
  - Management specifies the goals of the security program and the assets to be protected
  - Designates a department for managing the security program and its documents
  - Generally specifies how the organization will ensure enforcement of security programs and policies
- Issue-specific policy
  - e.g. personal use of computers at work, email privacy
- System-specific policy
  - e.g. what customer data from the order-entry system may be sold or shared with other organizations
  - e.g. what policies govern the design and operation of systems that process employee data
  - e.g. what the organization must do so that a system complies with the law
  - Such policies should be addressed as part of the standard systems development process

8.2.3 How is risk managed?
- Threat: the likelihood of an adverse occurrence
  - Management cannot manage threats directly, but it can limit their consequences, e.g. by creating a backup processing facility at a remote location
  - Companies can reduce risk, but always at a cost; it is management's responsibility to decide how much to spend and how much risk to assume
- Uncertainty: lack of knowledge about the chance of occurrence or the risk of an outcome or event
  - e.g. an earthquake could devastate a corporate data center built on a fault that no one knew about
  - e.g. an employee finds a way to steal inventory using a hole in the corporate web site that no expert knew existed
- Factors to consider in risk assessment
  - Assets: which to protect
  - Threats: which threats are the assets exposed to?
  - Safeguard: any action, device, procedure, technique or other measure that reduces a system's vulnerability to a threat
    - No safeguard is ironclad; there is always a residual risk that it will not protect the asset in all circumstances
  - Vulnerability: an opening or weakness in the security system
    - Some vulnerabilities exist because there are no safeguards, or because existing safeguards are ineffective
  - Consequences: the damage that occurs when an asset is compromised. Two types:
    - Tangible consequences, whose financial impact can be measured
    - Intangible consequences, such as the loss of customer goodwill after an outage, which cannot be measured
  - Likelihood: the probability that a given asset will be compromised by a given threat despite the safeguards
  - Probable loss: the "bottom line" of risk assessment
    - To obtain a measure of probable loss, multiply the likelihood by the cost of the consequences
    - Also includes a statement of the intangible consequences
    - An estimate of the maximum dollar value that can be lost under realistic conditions, e.g. a fire or other peril occurs but the sprinkler system works and the fire department responds in good order
- Risk-management decisions
  - Some assets can be protected by inexpensive, easily implemented safeguards
  - Some vulnerabilities are expensive to eliminate, and management must determine whether the cost of the safeguard is worth the benefit of the reduction in probable loss
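The probable-loss rule and the cost-versus-benefit decision from 8.2.3, carried through on a small constructed table. This is an added example, not part of the lecture notes; the assets, likelihoods, dollar figures and safeguard names are all invented for illustration, and the intangible consequences are carried along as text because, as the notes say, they cannot be priced.

```python
"""Probable-loss risk assessment, worked example.

Added illustration for the risk-management material in 8.2.3; it is not part of
the lecture notes. It applies the notes' rule (probable loss = likelihood x cost
of the consequences) to a constructed table of assets, threats and candidate
safeguards, and makes the management decision the notes describe: adopt a
safeguard only when the reduction in annual probable loss exceeds its annual cost.
Every figure below is invented for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    asset: str
    threat: str
    consequence_cost: float   # tangible loss (dollars) if the asset is compromised
    likelihood: float         # probability per year, given the current safeguards
    intangible: str = ""      # intangible consequences are stated, not priced


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    residual_likelihood: float  # likelihood that remains; never 0, no safeguard is ironclad


def probable_loss(consequence_cost, likelihood):
    """Annual probable loss: likelihood multiplied by the cost of the consequences."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be a probability between 0 and 1")
    return consequence_cost * likelihood


def evaluate(exposure, safeguard):
    """Compare probable loss with and without the safeguard and decide."""
    if safeguard.residual_likelihood <= 0:
        raise ValueError("residual likelihood must stay positive: no safeguard is ironclad")
    before = probable_loss(exposure.consequence_cost, exposure.likelihood)
    after = probable_loss(exposure.consequence_cost, safeguard.residual_likelihood)
    reduction = before - after
    return {
        "asset": exposure.asset,
        "threat": exposure.threat,
        "safeguard": safeguard.name,
        "loss_before": before,
        "loss_after": after,
        "net_benefit": reduction - safeguard.annual_cost,
        "adopt": reduction > safeguard.annual_cost,
        "intangible": exposure.intangible,   # carried alongside, as the notes require
    }


# Constructed assessment table: asset/threat pairs, each with one candidate safeguard.
ASSESSMENT = [
    (Exposure("Customer database", "unauthorized data disclosure", 500_000, 0.05,
              "loss of customer trust"),
     Safeguard("Database encryption with key escrow", 8_000, 0.01)),
    (Exposure("Order-entry web server", "denial of service", 40_000, 0.20),
     Safeguard("DDoS scrubbing service", 30_000, 0.02)),
    (Exposure("Data center", "fire", 2_000_000, 0.002,
              "loss of customer goodwill during the outage"),
     Safeguard("Sprinkler system", 2_500, 0.0005)),
]


def run_assessment(table=ASSESSMENT):
    """Evaluate every row and rank the decisions by net benefit, best first."""
    results = [evaluate(exp, sg) for exp, sg in table]
    return sorted(results, key=lambda r: r["net_benefit"], reverse=True)


if __name__ == "__main__":
    for r in run_assessment():
        verdict = "ADOPT" if r["adopt"] else "ACCEPT RISK"
        print(f"{verdict:12} {r['safeguard']:38} before={r['loss_before']:>10,.0f} "
              f"after={r['loss_after']:>9,.0f} net={r['net_benefit']:>+10,.0f} {r['intangible']}")
```

On these invented numbers the encryption safeguard is clearly worth it (probable loss falls from 25,000 to 5,000 for 8,000 a year), the sprinkler system barely pays for itself, and the DDoS service costs far more than the 7,200 of annual probable loss it removes, so management would accept that risk or look for a cheaper safeguard.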
8.3 Technical Safeguards
(identification and authentication, encryption, firewalls, malware protection)

8.3.1 Identification and authentication
- Single sign-on (SSO) for multiple systems
  - Access control for multiple related but independent software systems: a user logs in once and gains access to all of them without being prompted to log in again at each one
  - Operating systems authenticate you to networks and other servers: you sign on to your local computer and provide authentication data; from that point on your operating system authenticates you to another network or server, which can authenticate you to yet another, and so forth
  - Single sign-off is the reverse property: a single sign-out action terminates access to multiple software systems
  - Because different applications and resources support different authentication mechanisms, SSO has to internally translate to, and store, credentials that differ from the ones used for the initial authentication
  - This is a key reason why you must protect your passwords: one credential now opens many systems
- Kerberos
  - Developed at MIT; a protocol that authenticates users without sending their passwords across the network
  - Uses a system of "tickets" to let users obtain services from networks and other servers
  - Windows, Linux, Unix and other operating systems support Kerberos and so can authenticate user requests across networks of computers
- Wireless access
  - Drive-by sniffers can walk or drive around business or residential neighborhoods with a wireless computer and locate dozens or even hundreds of wireless networks
  - Enterprises must define effective wireless security policies that guard against unauthorized access to important resources
  - Wireless intrusion prevention systems (WIPS) are commonly used to enforce wireless security policies

8.3.2 Encryption
- Definition: encoding information such that only the person or computer with the key can decode it
- Digital signatures
  - A technique for ensuring that plaintext messages are received without alteration, and from the claimed sender
  - Most messages, such as email, are sent over the Internet as plaintext, which can be intercepted and altered by a third party
  - The plaintext message is first hashed. Hashing is a method of mathematically creating a string of bits that characterizes the message; any change to the message changes the hash
  - The hash is then signed with the sender's private key; the receiver checks the signature with the sender's public key, which is supplied by a certificate authority (CA)

8.3.3 Firewalls
- Definition: a computing device that prevents unauthorized network access
- A firewall can be a special-purpose computer, or a program on a general-purpose computer or on a router
- A router is an electronic device that interconnects two or more computer networks and selectively interchanges packets of data between them

8.3.4 Malware protection
- Spyware
  - Resides in the background, unknown to the user; observes the user's actions and keystrokes, monitors computer activity and reports the user's activities to the sponsoring organization
  - Some captures keystrokes to obtain usernames, passwords, account numbers and other sensitive information
  - Some supports marketing analyses by observing what users do: web sites visited, products examined and purchased, and so forth
- Adware
  - Does not perform malicious acts or steal data
  - Watches user activity and automatically plays, displays or downloads advertisements
  - Can change the user's default window or modify search results, and switch the user's search engine
  - Some adware bundles spyware such as keyloggers and other privacy-invasive software
- Symptoms of adware and spyware
  - Slow system start-up
  - Sluggish system performance
  - Many pop-up ads
  - Suspicious browser home-page changes
  - Suspicious changes to the taskbar and other system interfaces
  - Unusual hard disk activity

8.4 Data Safeguards
- Data encryption
  - Key escrow: a trusted party holds a copy of the encryption key, so the data is not lost if the key is
- Backup and recovery
  - Periodically create backup copies of database contents
- Physical security
  - The DBMS (database management system) and its data should reside in locked, controlled-access facilities
  - Organizations that contract with other companies to manage their databases should inspect those companies' premises and interview their personnel to make sure they practice proper data protections
- Data rights and responsibilities
  - Rights are enforced through user accounts authenticated by passwords
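The hash-then-sign structure described under digital signatures in 8.3.2 (and the key material that the encryption safeguards in 8.4 protect), as an added example that is not part of the lecture notes. To run offline it uses textbook RSA built from two hard-coded Mersenne primes, which is far too small to be secure and exists here only to make the arithmetic visible; in practice a vetted library and keys of at least 2048 bits are used. The message, key sizes and function names are the example's own assumptions.

```python
"""Hash-then-sign digital signatures, worked example.

Added illustration for the digital-signature material in 8.3.2 and the data
encryption safeguard in 8.4; it is not part of the lecture notes. To run
offline it uses textbook RSA built from two hard-coded Mersenne primes, which
is far too small to be secure; a practitioner uses a vetted library and keys of
at least 2048 bits. What the example demonstrates is the structure the notes
describe: hash the plaintext, sign the hash, and let any receiver holding the
public key detect that a single changed byte invalidates the signature.
"""
import hashlib

# Toy key material. 2^127-1 and 2^107-1 are known Mersenne primes, so n has 234
# bits: just enough to hold a 224-bit SHA-224 digest as an integer below n.
_P = (1 << 127) - 1
_Q = (1 << 107) - 1
N = _P * _Q
E = 65537
_D = pow(E, -1, (_P - 1) * (_Q - 1))   # private exponent (modular inverse, Python 3.8+)

PUBLIC_KEY = (N, E)    # what a certificate authority would certify and publish
PRIVATE_KEY = (N, _D)  # never leaves the signer


def message_hash(message):
    """Fixed-size digest of the plaintext, as an integer. Signing the digest rather
    than the message is what makes the signature both cheap and sensitive to any
    change in the plaintext."""
    return int.from_bytes(hashlib.sha224(message).digest(), "big")


def sign(message, private_key):
    """Sender side: raise the hash to the private exponent modulo n."""
    n, d = private_key
    return pow(message_hash(message), d, n)


def verify(message, signature, public_key):
    """Receiver side: recover the hash with the public key and compare it with a
    fresh hash of the message that actually arrived."""
    n, e = public_key
    if not 0 < signature < n:
        return False
    return pow(signature, e, n) == message_hash(message)


def tamper_demo():
    """Sign a message, then check both the original and a copy altered in transit."""
    original = b"Transfer $100 to account 1234"
    signature = sign(original, PRIVATE_KEY)
    altered = original.replace(b"$100", b"$900")   # one-character change by a third party
    return verify(original, signature, PUBLIC_KEY), verify(altered, signature, PUBLIC_KEY)


if __name__ == "__main__":
    ok, tampered_ok = tamper_demo()
    print(f"original verifies: {ok}; altered verifies: {tampered_ok}")
```

The receiver never needs the private key, only the public key the CA vouches for; that is what lets a signature prove both that the plaintext was not altered and that it came from the holder of the private key, which is also why the key-escrow and physical-security points in 8.4 matter for signing keys.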
8.5 Human Safeguards

8.5.1 Human safeguards for employees
- Position definition
  - Separate duties and authorities
  - Determine least privilege
  - Document position sensitivity
- Hiring and screening
- Dissemination and enforcement: responsibility, accountability, compliance
- Termination: friendly versus unfriendly

8.5.2 Human safeguards for non-employee personnel
- Protection against the threat of temporary personnel, vendors and partner personnel
  - Contracts that govern the activity should list security measures appropriate for the sensitive data and IS resources involved
  - Require vendors and partners to perform appropriate screening and security training
  - Specify security responsibilities for the work to be performed
  - Provide computer accounts and passwords with least privilege, and remove those accounts as soon as possible
- Protection against the threat of public users
  - The best way is to "harden" the web site or other facility against attack
  - Hardening a site means taking extraordinary measures to reduce a system's vulnerability
  - Hardened sites use special versions of the operating system and lock down or eliminate operating-system features and functions that are not required
- Protection against the threat of ourselves ("protect ourselves from us")
  - Safeguards need to protect users from the company's internal security problems
  - A disgruntled employee who maliciously changes prices on a web site potentially damages both public users and business partners

8.5.3 Account administration
- Account management (creation of new user accounts, etc.)
- Password management
- Help-desk policies

8.5.4 Systems procedures
(Procedures are needed for system users and for operations personnel, covering normal operation, backup and recovery.)

  Procedure type    | System users                                     | Operations personnel
  ------------------|--------------------------------------------------|---------------------------------------------------
  Normal operation  | Use the system to perform job tasks, with        | Operate data-center equipment, manage networks,
                    | security appropriate to the sensitivity          | run web servers
  Backup            | Prepare for loss of system functionality         | Back up web site resources, databases, admin data
  Recovery          | Accomplish job tasks during failure; know what   | Recover systems from backed-up data; help-desk
                    | to do during system recovery                     | role during recovery

8.5.5 Security monitoring
- Activity logs
  - Firewall logs, including lists of all dropped packets, infiltration attempts and unauthorized access attempts from within the firewall
  - DBMS products produce logs of successful and failed log-ins
  - Web servers produce voluminous logs of web activity
  - PC operating systems can produce logs of log-ins and firewall activity
- Security testing
  - In-house personnel and outside security consultants conduct testing
- Investigating and learning from security incidents

8.6 Responding to Security Incidents: Disaster-Recovery Backup Sites
Disaster preparedness tasks:
1. Locate infrastructure in a safe location
2. Identify mission-critical systems
3. Identify the resources needed to run those systems
4. Prepare remote backup facilities
   - Hot site
     - A facility run by a third party (the notes call it a "utility company") that can take over another company's processing with no forewarning
     - Expensive
     - A duplicate of the organization's original site, with full computer systems as well as near-complete backups of user data
     - Up and running within the shortest time possible
   - Cold site
     - Provides computers and office space
     - Customers install and manage the systems themselves
     - Cheaper to lease, but the total cost including all customer labor and other expenses might not be less than a hot site
5. Train and rehearse
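The activity-log monitoring in 8.5.5 says DBMS products and operating systems record successful and failed log-ins; what a monitoring team actually does with those records is look for patterns. The following is an added example, not part of the lecture notes: it runs the most basic detection over a constructed log (a burst of failed log-ins from one source, and a success from that same source while the burst is still live). The log format, field names and sample lines are invented for the example and do not come from any real product.

```python
"""Failed-login detection over activity logs, worked example.

Added illustration for 8.5.5 (security monitoring): the lecture notes say that
DBMS products and operating systems log successful and failed log-ins; this shows
the simplest detection a monitoring team runs over such a log. The log format
(timestamp, result, user, source address) and the sample lines are constructed
for the example and are not from any real product.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one legitimate user, and one external source that tries
# five accounts in 13 seconds and then gets in as dbadmin.
SAMPLE_LOG = """\
2015-08-16T09:00:01 LOGIN_OK      user=wchuan   src=10.0.5.23
2015-08-16T09:00:12 LOGIN_FAILED  user=admin    src=203.0.113.7
2015-08-16T09:00:15 LOGIN_FAILED  user=admin    src=203.0.113.7
2015-08-16T09:00:19 LOGIN_FAILED  user=sa       src=203.0.113.7
2015-08-16T09:00:22 LOGIN_FAILED  user=root     src=203.0.113.7
2015-08-16T09:00:25 LOGIN_FAILED  user=dbadmin  src=203.0.113.7
2015-08-16T09:00:31 LOGIN_OK      user=dbadmin  src=203.0.113.7
2015-08-16T09:05:00 LOGIN_FAILED  user=wchuan   src=10.0.5.23
2015-08-16T09:07:00 LOGIN_OK      user=wchuan   src=10.0.5.23
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, result, user, src)."""
    ts, result, user_field, src_field = line.split()
    return (datetime.fromisoformat(ts), result,
            user_field.split("=", 1)[1], src_field.split("=", 1)[1])


def detect(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return alerts for (a) at least `threshold` failed log-ins from one source
    within `window` and (b) a successful log-in from a source whose burst is
    still live. A lone typo by a real user never reaches the threshold."""
    failures = defaultdict(deque)   # src -> timestamps of recent failed log-ins
    flagged_until = {}              # src -> time until which the burst counts as live
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, result, user, src = parse_line(raw)
        if result == "LOGIN_FAILED":
            q = failures[src]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the sliding window
                q.popleft()
            # Alert once per burst, not once per extra failure inside it.
            if len(q) >= threshold and flagged_until.get(src, ts - window) < ts:
                flagged_until[src] = ts + window
                alerts.append({"kind": "brute_force", "src": src, "count": len(q), "at": ts})
        elif result == "LOGIN_OK":
            # A success from a source that just produced a burst of failures is the
            # event worth paging on: the guessing may have worked.
            if flagged_until.get(src) and ts <= flagged_until[src]:
                alerts.append({"kind": "success_after_burst", "src": src, "user": user, "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The second alert is the one that turns monitoring into incident response (8.1.3): a brute-force burst on its own is noise to be blocked, but a success from the same source means the dbadmin account and everything it can reach must now be treated as potentially compromised.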