Lecture 6 - Information Systems Management

by: Wai Chuan

This 6 page Class Notes was uploaded by Wai Chuan on Sunday August 16, 2015. The Class Notes belongs to ACC1006 at National University of Singapore taught by in Summer 2015. Since its upload, it has received 90 views. For similar materials see Accounting Information Systems in Accounting at National University of Singapore.
Date Created: 08/16/15
Chapter 8: Information Security Management (Lecture 6)

8.1 Threats to Information Security: the Sources of Threats

8.1.1 Sources of threat

- Human errors and mistakes
  - Accidental problems caused by both employees and non-employees
  - E.g. misunderstanding operating procedures and accidentally deleting files (customer records)
  - E.g. entering values in the wrong field (happens quite frequently)
  - E.g. installing an old database on top of the current one
  - Poorly written application programs and poorly designed procedures
    - These could be prevented during systems development (the SDLC is important)
  - Physical accidents, such as driving a forklift through the wall of a computer room
- Malicious human activity
  - Employees and former employees who intentionally destroy data or other system components
  - Hackers, virus and worm writers
  - Outside criminals who break into a system to steal for financial gain
  - Terrorism
- Natural events and disasters
  - Fires, floods, hurricanes, earthquakes, tsunamis, avalanches and other acts of nature
  - When disaster strikes, years of development can be wiped out in seconds
  - Includes the initial loss of capability and service, and the losses stemming from actions taken to recover from the initial problem

8.1.2 Types of Security Problems

Problem                      | Human error                                                                | Malicious activity                                        | Natural disasters
Unauthorized data disclosure | Procedural mistakes                                                        | Pretexting, phishing, spoofing, sniffing, computer crime  | Disclosure during recovery
Incorrect data modification  | Procedural mistakes, incorrect procedures, ineffective accounting controls | Hacking, computer crime                                   | Incorrect data recovery
Faulty service               | Procedural mistakes, development and installation errors                   | Computer crime, usurpation                                | Service improperly restored
Denial of service            | Accidents                                                                  | DOS attacks                                               | Service interruption
Loss of infrastructure       | Accidents                                                                  | Theft, terrorist activity                                 | Property loss

- Denial of service (DOS)
  - Attempt to make a computer resource unavailable to its intended users
  - Prevents an Internet site or service from functioning efficiently, or at all, temporarily or indefinitely
  - E.g. flooding the server with thousands of emails, denying others the use of the email system (crash)
- Unauthorised data disclosure
  - Pretexting
    - A person lies about his identity or purpose to obtain privileged data about another individual
    - Uses this data to engage in identity theft or corporate espionage
    - Means of pretexting: telephone
  - Phishing
    - Acquiring sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication
    - Actually pretexting using email
    - Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators
  - Spoofing
    - A person successfully masquerades as another by falsifying data, thereby gaining an illegitimate advantage
  - Sniffing
    - Capturing data being transmitted on a network
    - A router with a sniffer may be able to read the data that passes through it, as well as the source and destination addresses
    - Often used on academic networks to prevent traffic bottlenecks caused by file-sharing applications

8.1.3 Components of an Organization's Security Program

- Senior management involvement: two critical security functions
  1. Senior management must establish the security policy. This policy sets the stage for the organization's response to security threats. However, because no security program is perfect, there is always risk.
  2. Manage risk by balancing the costs and benefits of the security program.
- Safeguards: protections against security threats

  Technical safeguards               | Data safeguards                  | Human safeguards
  Identification and authorization   | Data rights and responsibilities | Hiring
  Encryption                         | Passwords                        | Training
  Firewalls                          | Encryption                       | Education
  Malware protection                 | Backup and recovery              | Procedure design
  Application design                 | Physical security                | Administration
                                     |                                  | Assessment
                                     |                                  | Compliance
                                     |                                  | Accountability

  Effective security requires balanced attention to all five components.
- Incident response
  - Addressing and managing the aftermath of a security breach or attack, also known as an incident
  - Objective: damage control, i.e. limit the damage and reduce recovery time and costs
  - Incident response plan
    - Defines what constitutes an incident
    - Provides a step-by-step process that should be followed when an incident occurs
    - Spells out which mission-critical systems to protect

8.2 Senior Management's Security Role

8.2.1 NIST Handbook of Security Elements (National Institute of Standards and Technology)

- Computer security:
  - Should support the mission of the organisation
  - Is an integral element of sound management
  - Should be cost effective
  - Responsibilities and accountability should be made explicit
  - Requires a comprehensive and integrated approach
  - Should be periodically reassessed
  - Is constrained by societal factors
  - Systems owners have computer security responsibilities outside their own organisations

8.2.2 Three Elements of a Security Policy

- General statement of the organization's security program
  - Becomes the foundation for more specific security measures
  - Management specifies the goals of the security program and the assets to be protected
  - The statement designates a department for managing the security program and its documents
  - Generally specifies how the organization will ensure enforcement of security programs and policies
- Issue-specific policy
  - E.g. personal use of computers at work, and email privacy
- System-specific policy
  - E.g. what customer data from the order-entry system will be sold or shared with other organizations
  - E.g. what policies govern the design and operation of systems that process employee data
  - E.g. what must an organization do so that it complies with the law
  - Such policies are addressed as part of the standard systems development process

8.2.3 How Is Risk Managed

- Likelihood of an adverse occurrence (threat)
  - Management cannot manage threats directly, but it can limit the security consequences, e.g. by creating a backup processing facility at a remote location
  - Companies can reduce risks, but always at a cost. It is management's responsibility to decide how much to spend and how much risk to assume
- Uncertainty: lack of knowledge about the chance of occurrence, or the risk, of an outcome or event
  - E.g. an earthquake could devastate a corporate data center built on a fault that no one knew about
  - E.g. an employee finds a way to steal inventory using a hole in the corporate Web site that no expert knew existed
- Factors to consider in risk assessment
  - Assets: which to protect
  - Threats: which threats are the assets exposed to
  - Safeguard: any action, device, procedure, technique or other measure that reduces a system's vulnerability to a threat
    - No safeguard is ironclad; there is always a residual risk that it will not protect the assets in all circumstances
  - Vulnerability: an opening or weakness in the security system
    - Some vulnerabilities exist because there are no safeguards, or because existing safeguards are ineffective
  - Consequences: the damages that occur when an asset is compromised. Two types:
    - Tangible consequences: those whose financial impact can be measured
    - Intangible consequences, such as the loss of customer goodwill due to an outage, cannot be measured
  - Likelihood: the probability that a given asset will be compromised by a given threat despite the safeguards
  - Probable loss: the "bottom line" of risk assessment
    - To obtain a measure of probable loss, companies multiply likelihood by the cost of the consequences
    - Also includes a statement of intangible consequences
    - An estimate of the maximum dollar value that can be lost under realistic situations
      - E.g. a fire or other peril occurs, but the sprinkler system works and the fire department responds in good order
- Risk-management decisions
  - Some assets can be protected by inexpensive and easily implemented safeguards
  - Some vulnerabilities can be expensive to eliminate, and management must determine whether the cost of the safeguard is worth the benefit of the reduction in probable loss

8.3 Technical Safeguards

- Identification and authentication
- Encryption

8.3.1 Identification and Authentication

- Single sign-on (SSO) for multiple systems
  - Access control of multiple related but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them
  - Operating systems authenticate you to networks and other servers
    - You sign on to your local computer and provide authentication data; from that point on, your operating system authenticates you to another network or server, which can authenticate you to yet another network or server, and so forth
  - Single sign-off is the reverse property, whereby a single action of signing out terminates access to multiple software systems
  - Kerberos, developed by MIT, is a system protocol that authenticates users without sending their passwords across the computer network
    - Uses a complicated system of "tickets" to enable users to obtain services from networks and other servers
    - Windows, Linux, Unix and other operating systems employ Kerberos and thus can authenticate user requests across networks of computers
    - This is a key reason why you must protect your passwords
  - As different applications and resources support different authentication mechanisms, single sign-on has to internally translate to, and store, credentials different from those used for the initial authentication
- Wireless access
  - Drive-by sniffers can walk or drive around business or residential neighborhoods with a wireless computer and locate dozens or even hundreds of wireless networks
  - Enterprises must define effective wireless security policies that guard against unauthorized access to important resources
  - Wireless Intrusion Prevention Systems are commonly used to enforce wireless security policies

8.3.2 Encryption

- Defined: encoding information such that only the person or computer with the key can decode it
- Digital signatures
  - A technique for ensuring that plaintext messages are received without alteration
  - Most messages, such as email, are sent over the Internet as plaintext, which can be intercepted and altered by a third party
  - The plaintext message is first hashed. Hashing is a method of mathematically creating a string of bits that characterize the message
  - Digital signatures use public keys supplied by certificate authorities (CAs)

8.3.3 Firewall

- Defined: a computing device that prevents unauthorized network access
- A firewall can be a special-purpose computer, or it can be a program on a general-purpose computer or on a router
  - A router is an electronic device that interconnects two or more computer networks and selectively interchanges packets of data between them

8.3.4 Malware Protection

- Spyware
  - Resides in the background, unknown to the user; observes the user's actions and keystrokes, monitors computer activity and reports the user's activities to sponsoring organizations
  - Some captures keystrokes to obtain user names, passwords, account numbers and other sensitive information
  - Some supports marketing analyses, observing what users do: Web sites visited, products examined and purchased, and so forth
- Adware
  - Does not perform malicious acts or steal data
  - Watches user activity and automatically plays, displays or downloads advertisements
  - Can change the user's default window or modify search results and switch the user's search engine
  - Some adware may carry spyware such as keyloggers and other privacy-invasive software
- Symptoms of adware and spyware
  - Slow system start-up
  - Sluggish system performance
  - Many pop-up ads
  - Suspicious browser homepage changes
  - Suspicious changes to the taskbar and other system interfaces
  - Unusual hard disk activity

8.4 Data Safeguards

- Data encryption
  - Key escrow: a trusted party should have a copy of the encryption key
- Backup and recovery
  - Periodically create backup copies of database contents
- Physical security
  - The DBMS (database management system) should reside in locked, controlled-access facilities
  - Organizations may contract with other companies to manage their databases; inspect their premises and interview their personnel to make sure they practice proper data protection
- Data rights and responsibilities
  - Rights are enforced by user accounts authenticated by passwords

8.5 Human Safeguards

8.5.1 Human Safeguards for Employees

- Position definition
  - Separate duties and authorities
  - Determine least privilege
  - Document position sensitivity
- Hiring and screening
- Dissemination and enforcement (responsibility, accountability, compliance)
- Termination (friendly versus unfriendly)

8.5.2 Human Safeguards for Non-employee Personnel

- Protection against the threat of temporary personnel, vendors and partner personnel
  - Contracts that govern activity should list security measures appropriate for the sensitive data and IS resources involved
  - Require vendors and partners to perform appropriate screening and security training
  - Specify security responsibilities for the work to be performed
  - Provide computer accounts and passwords with least privilege, and remove those accounts as soon as possible
- Protection against the threat of public users
  - The best way is to "harden" the Web site or other facility against attack
  - Hardening a site means taking extraordinary measures to reduce the system's vulnerability
  - Hardened sites use special versions of the operating system and lock down or eliminate operating system features and functions that are not required
- Protection against the threat of ourselves ("protect ourselves from us")
  - Safeguards need to protect users from internal company security problems
  - A disgruntled employee who maliciously changes prices on a Web site potentially damages both public users and business partners

8.5.3 Account Administration

- Account management (creation of new user accounts, etc.)
- Password management
- Help-desk policies

8.5.4 Systems Procedures

                 | System users                                                                             | Operations personnel
Normal operation | Use the system to perform job tasks, with security appropriate to sensitivity           | Operate data centre equipment; manage networks; run web servers
Backup           | Prepare for loss of system functionality                                                 | Back up web site resources, databases and administrative data
Recovery         | Accomplish job tasks during failure; know which tasks to do during system recovery       | Recover systems from backed-up data; help-desk role

8.5.5 Security Monitoring

- Activity logs
  - Including lists of all dropped packets, infiltration attempts and unauthorized access attempts from within the firewall
  - DBMS products produce logs of successful and failed log-ins
  - Web servers produce voluminous logs of Web activities
  - Operating systems on PCs can produce logs of log-ins and firewall activities
- Security testing
  - In-house personnel and outside security consultants conduct testing
- Investigating and learning from security incidents

8.6 Responding to Security Incidents

Disaster recovery backup sites: disaster preparedness tasks
  1. Locate infrastructure in a safe location
  2. Identify mission-critical systems
  3. Identify the resources needed to run those systems
  4. Prepare remote backup facilities
     - Hot site
       - A utility company that can take over another company's processing with no forewarning
       - Expensive
       - A duplicate of the organization's original site, with full computer systems as well as near-complete backups of user data
       - Up and running within the shortest time possible
     - Cold site
       - Provides computers and office space
       - Customers install and manage the systems themselves
       - Cheaper to lease, but the total cost including all customer labor and other expenses might not be less than a hot site
  5. Train and rehearse
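A worked version of the probable-loss calculation and the risk-management decision from 8.2.3, added here as an illustration and not part of the lecture notes. The Exposure structure, the likelihoods, the dollar figures and the two safeguards are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Exposure:
    """One asset/threat pair from the risk assessment (hypothetical structure for this example)."""
    asset: str
    threat: str
    likelihood: float        # probability the asset is compromised by the threat in a year, despite safeguards
    consequence_cost: float  # tangible consequences, in dollars
    intangible: str = ""     # intangible consequences are stated, not priced

def probable_loss(e: Exposure) -> float:
    """Bottom line of the assessment: likelihood multiplied by the cost of the consequences."""
    if not 0.0 <= e.likelihood <= 1.0:
        raise ValueError("likelihood must be a probability between 0 and 1")
    return e.likelihood * e.consequence_cost

def evaluate_safeguard(before: Exposure, after: Exposure, annual_cost: float) -> dict:
    """Risk-management decision: is the safeguard's annual cost worth the probable-loss reduction?
    `after` is the residual exposure: no safeguard is ironclad, so its probable loss is rarely zero."""
    reduction = probable_loss(before) - probable_loss(after)
    net_benefit = reduction - annual_cost
    return {
        "asset": before.asset,
        "threat": before.threat,
        "probable_loss_before": probable_loss(before),
        "residual_probable_loss": probable_loss(after),
        "reduction": reduction,
        "net_benefit": net_benefit,
        "adopt": net_benefit > 0,
    }

# Constructed sample figures, for illustration only.
DB_FIRE = Exposure("customer database", "fire", 0.02, 500_000.0, "loss of customer goodwill")
# Sprinklers plus off-site backups: the fire is just as likely, but the consequence shrinks.
DB_FIRE_PROTECTED = Exposure("customer database", "fire", 0.02, 50_000.0, "loss of customer goodwill")

WEB_DOS = Exposure("public web site", "denial of service", 0.30, 20_000.0, "reputation")
# Traffic-filtering service: fewer successful attacks, same cost when one does succeed.
WEB_DOS_PROTECTED = Exposure("public web site", "denial of service", 0.05, 20_000.0, "reputation")

DECISIONS = [
    evaluate_safeguard(DB_FIRE, DB_FIRE_PROTECTED, annual_cost=3_000.0),
    evaluate_safeguard(WEB_DOS, WEB_DOS_PROTECTED, annual_cost=15_000.0),
]

if __name__ == "__main__":
    for d in DECISIONS:
        verdict = "adopt" if d["adopt"] else "reject: accept the residual risk or find a cheaper safeguard"
        print(f"{d['asset']} / {d['threat']}: probable loss {d['probable_loss_before']:,.0f} -> "
              f"{d['residual_probable_loss']:,.0f}, net benefit {d['net_benefit']:,.0f} ({verdict})")
```

The second decision shows the case the notes describe: the safeguard works, but it costs more per year than the probable loss it removes, so management may choose to assume that risk instead.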
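As an added illustration of the activity-log monitoring in 8.5.5 (example code, not from the lecture notes): a small monitor over constructed log-in records, in a made-up line format, that flags a burst of failed log-ins on one account and a success that directly follows a run of failures. The record format, the user names and the addresses are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a made-up "timestamp result user source" format;
# real DBMS or OS log-in logs differ, so LINE_RE must be adapted to the product in use.
SAMPLE_LOG = """\
2015-08-16T09:00:01 LOGIN_OK alice 10.0.0.5
2015-08-16T09:01:10 LOGIN_FAIL bob 203.0.113.9
2015-08-16T09:01:15 LOGIN_FAIL bob 203.0.113.9
2015-08-16T09:01:21 LOGIN_FAIL bob 203.0.113.9
2015-08-16T09:01:30 LOGIN_FAIL bob 203.0.113.9
2015-08-16T09:01:44 LOGIN_FAIL bob 203.0.113.9
2015-08-16T09:02:20 LOGIN_OK bob 203.0.113.9
2015-08-16T09:05:00 LOGIN_FAIL carol 10.0.0.8
2015-08-16T09:20:00 LOGIN_FAIL carol 10.0.0.8
2015-08-16T09:20:30 LOGIN_OK carol 10.0.0.8
this line is not a log-in record
"""
LINE_RE = re.compile(r"^(\S+) (LOGIN_OK|LOGIN_FAIL) (\S+) (\S+)$")

def parse_events(log_text):
    """(timestamp, succeeded, user, source) tuples in time order; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, result, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), result == "LOGIN_OK", user, src))
    events.sort(key=lambda e: e[0])
    return events

def failed_login_bursts(events, threshold=5, window_minutes=5):
    """Accounts with at least `threshold` failures inside any span of `window_minutes` (sliding window)."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for ts, ok, user, _src in events:
        if not ok:
            failures[user].append(ts)
    alerts = {}
    for user, times in failures.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts[user] = max(alerts.get(user, 0), end - start + 1)
    return alerts

def success_after_failures(events, min_failures=3):
    """A success right after a run of failures on one account may mean the password was guessed."""
    streak, flagged = defaultdict(int), {}
    for _ts, ok, user, _src in events:
        if ok and streak[user] >= min_failures:
            flagged[user] = streak[user]
        streak[user] = 0 if ok else streak[user] + 1
    return flagged

EVENTS = parse_events(SAMPLE_LOG)
```

Widening the window and lowering the threshold (for example two failures in an hour) also surfaces carol's slow failures, which the default settings deliberately ignore.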