
chaptr 8 of mnagment information system. prepared by aamir khan

Date post: 03-Apr-2018
Upload: aamir-khan
Page 1: chaptr 8 of mnagment information system. prepared by aamir khan

7/28/2019 chaptr 8 of mnagment information system. prepared by aamir khan

http://slidepdf.com/reader/full/chaptr-8-of-mnagment-information-system-prepared-by-aamir-khan 1/37

CONTENTS

Topic (presented by roll no.)

Need of Security and Control of Information Systems: 14

Business Value of System Security: 21

Type of Security Threats: 41

Organizational and Managerial Framework for Security and Control: 35

Tools for Security and Control: 34

Page 2

INFORMATION SYSTEM

An information system is a set of interrelated technologies that are used to collect, process, store and distribute information to support management decision making.

Page 3

SECURING INFORMATION SYSTEM

With increasing dependence on information systems, organizations face the challenge of securing their data and information systems against security threats in order to get the maximum advantage from them.

Page 4

SECURING INFORMATION SYSTEM

The term "system security threats" refers to the acts or incidents that can and will affect the integrity of business systems, which in turn will affect the reliability and privacy of business data. Most organizations are dependent on computer systems to function, and thus must deal with systems security threats.

Page 5

SECURING INFORMATION SYSTEM

According to a report, in mid-2012 coordinated attacks on 60 banks around the world netted an estimated $80 million for the hackers. Research shows that the value of corporate and government information lost in 2008 alone topped $1 trillion.

Page 6

SECURING INFORMATION SYSTEM

To secure the information system, organizations need to adopt the required security and control measures.

Page 7

SECURING INFORMATION SYSTEM

Security refers to the policies, procedures and technical measures used to prevent unauthorized access, alteration, theft or physical damage to information systems.

Controls are the methods, policies and organizational procedures that ensure the safety of the organization's assets, records and operations.

Page 8

Need of Security and Control of Information Systems

PRESENTED BY: ABDUL GHAYAS, ROLL NO. 14

Page 9

Internet Vulnerabilities and Security Issues

• The Internet and other public networks are more vulnerable to threats because they are virtually open to anyone.

• Fixed Internet addresses, as used with cable modems or DSL, can easily be identified and used by outsiders to damage the system and gain access to its information.

• The lack of encryption in most Voice over IP (VoIP) means that voice communication can be intercepted by any hacker.

Page 10

10.10 © 2006 by Prentice Hall

Internet Vulnerabilities and Security Issues

• Widespread use of e-mail and instant messaging (IM) means huge traffic and a lot of unwanted messages on the network.

• Malware and viruses can spread easily over the Internet in the form of e-mail attachments and downloaded files.

Page 11

Wireless Security Challenges

• Radio frequency bands are easy to scan, which makes wireless networks easy for outsiders to attack.

• The service set identifiers (SSIDs) identifying the access points are broadcast repeatedly and can easily be picked up by hackers and used for the purpose of stealing information.

Page 12

Business Value of System Security

PRESENTED BY: IDREES ILYAS, ROLL NO. 41

Page 13

BUSINESS VALUE OF SECURITY AND CONTROL

• Inadequate security and control of information may create serious legal liability. Businesses must protect not only their own information assets but also those of customers, employees, and business partners. Failure to do so can lead to costly consequences for data exposure or theft.

• A business must develop a sound security and control framework that protects its information assets; such a framework can thus produce a high return on investment.

Page 14

BUSINESS VALUE OF SECURITY AND CONTROL

Legal and Regulatory Requirements for Electronic Records Management

• Electronic Records Management (ERM): policies, procedures and tools for managing the retention, destruction, and storage of electronic records.

Page 15

BUSINESS VALUE OF SECURITY AND CONTROL

Data Security and Control Laws in the United States

• The Health Insurance Portability and Accountability Act (HIPAA)

• Gramm-Leach-Bliley Act

• Sarbanes-Oxley Act of 2002

Page 16

BUSINESS VALUE OF SECURITY AND CONTROL

• Electronic Evidence: computer data stored on disks and drives, e-mail, instant messages, and e-commerce transactions.

• Computer Forensics: scientific collection, examination, authentication, preservation, and analysis of computer data for use as evidence in a court of law.

Organizations need to maintain and organize their electronic evidence and computer forensics.

Page 17

Type of Security Threats

PRESENTED BY: SHAMAS HABIB QURESHI, ROLL NO. 21

Page 18

THREATS POSED TO INFORMATION SYSTEMS

Malicious Software: Viruses, Worms, Trojan Horses, and Spyware

• Computer viruses: a software program that attaches itself to other software programs and spreads from one computer to another through file sharing and e-mail attachments; without the user's knowledge or permission, it executes and damages the functioning of the system.

• Worms: independent computer programs that copy themselves from one computer to another and destroy data and programs.

• Trojan horses: software that does not itself replicate but makes a way for viruses or other malicious software to attack.

Page 19

THREATS POSED TO INFORMATION SYSTEMS

• Spyware: software that installs itself on computers, monitors the user's web surfing activity and serves up advertising.

• Spoofing: involves redirecting a web link to an address different from the actual one, directing users to fake websites that can be used to extract personal and confidential information.

• Sniffers: programs that monitor the flow of information over a network and allow hackers to steal information from anywhere on the network.

• Denial of Service (DoS) attacks: hackers flood the network or web servers with thousands of false communications to slow down or crash the network.

Page 20

THREATS POSED TO INFORMATION SYSTEMS

• Identity theft: a crime in which an impostor gains important personal information, such as a personal identification number, driver's license number or credit card numbers, in order to impersonate someone else.

• Phishing: involves setting up fake websites or sending e-mails that look like they come from legitimate businesses, asking users for confidential information that can be used for financial fraud.

• The rise in cybercrime and cyberwarfare is posing a serious threat to information systems.

Page 21

THREATS POSED TO INFORMATION SYSTEMS

Internal threats from employees

• Employees have access to confidential information, so negligence on their part is a serious threat.

• Users' lack of knowledge and inability to protect their passwords means outsiders can breach security.

• Software flaws: defects in software programs can easily be exploited to get at valuable information.

Page 22

SYSTEM VULNERABILITY AND ABUSE

[Figure 10-3: Worldwide Damage from Digital Attacks]

Page 23

Organizational and Managerial Framework for Security and Control

PRESENTED BY: SHAMAS HABIB QURESHI, ROLL NO. 21

Page 24

ESTABLISHING A MANAGEMENT FRAMEWORK FOR SECURITY AND CONTROL

From the management perspective it is required that:

• Security and control become a more visible and explicit priority and area of information systems investment.

• Top management shows support and commitment, to demonstrate that security is indeed a corporate priority and vital to all aspects of the business.

• Security and control are the responsibility of everyone in the organization.

Page 25

ESTABLISHING A MANAGEMENT FRAMEWORK FOR SECURITY AND CONTROL

Controls are the methods, policies and organizational procedures that ensure the safety of the organization's assets, records and operations.

Controls for securing information systems:

• General Controls

• Application Controls

Page 26

ESTABLISHING A MANAGEMENT FRAMEWORK FOR SECURITY AND CONTROL

General Controls

The controls applied to all computer applications. They include the design, security and use of computer systems and tools to protect information throughout the information technology infrastructure.

Page 27

General Controls

• Software controls: monitor the use of computer software and prevent unauthorized access to software.

• Hardware controls: ensure that hardware and equipment are physically secure.

• Computer operation controls: ensure that computer and processing operations are carried out consistently and as planned.

• Data security controls: ensure that valuable business data are not subjected to unauthorized access or destruction.

• Implementation controls: audit that the system process is properly controlled and managed.

• Administrative controls: formulate standards, rules and procedures to ensure that general and application controls are properly executed and enforced.

Page 28

ESTABLISHING A MANAGEMENT FRAMEWORK FOR SECURITY AND CONTROL

Application controls: specific controls unique to each computerized application, which ensure that only authorized data are processed by that application.

• Input controls: check data for accuracy and completeness when they are entered into the system.

• Processing controls: ensure that processing runs smoothly and that data remain complete during updating.

• Output controls: ensure that results are complete, accurate and properly distributed.
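The three groups of application controls on this slide, worked through on a small payroll batch. This is an added example, not code from the slides; the records, batch control totals and recipient list are constructed, and the 80-hour reasonableness limit is an assumption.

```python
"""Application controls for a small payroll batch, following the slide's
three groups: input, processing and output controls.
Added example, not from the original slides; all records, control totals
and the recipient list below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed input batch as keyed in by a data-entry clerk.
RAW_BATCH = [
    {"emp_id": "E001", "hours": "40", "rate": "25.00"},
    {"emp_id": "E002", "hours": "38", "rate": "30.50"},
    {"emp_id": "",     "hours": "12", "rate": "20.00"},   # incomplete record
    {"emp_id": "E004", "hours": "99", "rate": "22.00"},   # unreasonable hours
]
# Batch control totals the clerk submits together with the batch.
DECLARED_COUNT = 4
DECLARED_HOURS = 40 + 38 + 12 + 99

@dataclass
class BatchResult:
    accepted: List[Dict]
    rejected: List[str]
    payslips: List[Dict]
    output_ok: bool

def input_controls(batch, declared_count, declared_hours) -> Tuple[List[Dict], List[str]]:
    """Input controls: batch totals catch a lost or duplicated record; edit
    checks catch incomplete, non-numeric or unreasonable (>80 h) values."""
    if len(batch) != declared_count:
        raise ValueError("record count does not match batch control total")
    keyed_hours = sum(int(r["hours"]) for r in batch if r["hours"].isdigit())
    if keyed_hours != declared_hours:
        raise ValueError("hours total does not match batch control total")
    accepted, rejected = [], []
    for rec in batch:
        if not rec["emp_id"]:
            rejected.append("missing emp_id")
        elif not rec["hours"].isdigit() or not 0 < int(rec["hours"]) <= 80:
            rejected.append(f"{rec['emp_id']}: hours out of range")
        else:
            accepted.append({"emp_id": rec["emp_id"], "hours": int(rec["hours"]),
                             "rate": float(rec["rate"])})
    return accepted, rejected

def processing_controls(accepted) -> List[Dict]:
    """Processing controls: run-to-run totals. The hours entering the
    calculation must equal the hours carried on the payslips produced."""
    payslips = [{"emp_id": r["emp_id"], "hours": r["hours"],
                 "gross": round(r["hours"] * r["rate"], 2)} for r in accepted]
    if sum(r["hours"] for r in accepted) != sum(p["hours"] for p in payslips):
        raise RuntimeError("run-to-run hours total mismatch during update")
    return payslips

def output_controls(payslips, accepted, authorized_recipients) -> bool:
    """Output controls: one payslip per accepted record (complete) and each
    one addressed only to an authorized recipient (properly distributed)."""
    complete = len(payslips) == len(accepted)
    distributed = all(p["emp_id"] in authorized_recipients for p in payslips)
    return complete and distributed

def run_batch(batch=RAW_BATCH, authorized=("E001", "E002", "E004")) -> BatchResult:
    """Run the batch through all three control groups in order."""
    accepted, rejected = input_controls(batch, DECLARED_COUNT, DECLARED_HOURS)
    payslips = processing_controls(accepted)
    return BatchResult(accepted, rejected, payslips,
                       output_controls(payslips, accepted, authorized))
```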

Page 29

ESTABLISHING A MANAGEMENT FRAMEWORK FOR SECURITY AND CONTROL

Develop a security policy

A security policy consists of statements ranking information risks, identifying acceptable security goals and identifying the mechanisms for achieving those goals.

Page 30

Components of Security Policy

Risk assessment:

• Determine the information assets at risk.

• Determine the level of risk associated with each information asset.

Acceptable security goals:

• Define acceptable use of information resources and equipment, and authorization levels for employees.

• Disaster recovery planning: plans for restoration of computing and communications disrupted by an event such as an earthquake, flood, or terrorist attack.

• Business continuity planning: plans for handling mission-critical functions if systems go down.

Implementation of policies:

• Use technologies and tools to secure the information systems and achieve the security goals.

• Control and manage the security tools.

Page 31

ESTABLISHING A MANAGEMENT FRAMEWORK FOR SECURITY AND CONTROL

Auditing:

• MIS audit: identifies all of the controls that govern individual information systems and assesses their effectiveness.

• Security audits: review technologies, procedures, documentation, training, and personnel.

Page 32

TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL

Access control: consists of all the policies and procedures a company uses to prevent improper access to systems by unauthorized insiders and outsiders.

Authentication:

• Passwords

• Tokens, smart cards

• Biometric authentication

Page 33

TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL

Firewalls, Intrusion Detection Systems, and Antivirus Software

• Firewalls: hardware and software controlling the flow of incoming and outgoing network traffic.

• Intrusion detection systems: full-time monitoring tools placed at the most vulnerable points of corporate networks to detect and deter intruders.

Page 34

TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL

• Antivirus software: software that checks computer systems and drives for the presence of computer viruses and can eliminate the virus from the infected area.

• Wi-Fi Protected Access specification

Page 35

TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL

Encryption and Public Key Infrastructure

• Public key encryption: uses two different keys, one private and one public. The keys are mathematically related so that data encrypted with one key can be decrypted only with the other key.

• Message integrity: the ability to be certain that the message being sent arrives at the proper destination without being copied or changed.

Page 36

TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL

Encryption and Public Key Infrastructure (continued)

• Digital signature: a digital code attached to an electronically transmitted message that is used to verify the origin and contents of the message.

• Digital certificates: data files used to establish the identity of users and electronic assets for the protection of online transactions.

• Public Key Infrastructure (PKI): use of public key cryptography working with a certificate authority.
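Public key encryption and message integrity (previous slide) and the digital signature (this slide), shown together with textbook RSA. This is an added example, not code from the slides; the key is built from two known Mersenne primes as a constructed toy of about 92 bits, the message and plaintext are constructed, and no padding is used, so it demonstrates the mechanism rather than a deployable scheme.

```python
"""Public key encryption, digital signature and message integrity, as the
two slides above describe them, using textbook RSA.
Added example, not from the original slides. The primes are two known
Mersenne primes (2^31-1 and 2^61-1), a constructed toy key of about 92
bits: enough to show the mechanism, far too small to be secure. Real
PKI uses 2048-bit or larger keys, padding, and a vetted library."""
import hashlib

P = 2**31 - 1
Q = 2**61 - 1

def keygen(p=P, q=Q, e=65537):
    """Return (public_key, private_key), each an (n, exponent) pair."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)           # e * d == 1 (mod phi); Python 3.8+
    return (n, e), (n, d)

def encrypt(key, m):
    """Apply one key of the pair to integer m (< n)..."""
    n, exp = key
    return pow(m, exp, n)

def decrypt(key, c):
    """...and undo it with the other key: same operation, other exponent."""
    n, exp = key
    return pow(c, exp, n)

def digest(message: bytes, n):
    """SHA-256 of the message, reduced into the modulus range."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private_key, message):
    """Digital signature: the sender applies the private key to the digest."""
    n, d = private_key
    return pow(digest(message, n), d, n)

def verify(public_key, message, signature):
    """Anyone holding the public key recovers the digest from the signature
    and compares it with the digest of the message actually received."""
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)

def demo():
    """Exercise the four properties the slides describe."""
    pub, priv = keygen()
    c = encrypt(pub, 1234)                     # constructed plaintext
    msg = b"transfer 100 to account 42"        # constructed message
    sig = sign(priv, msg)
    return {
        "private_key_decrypts": decrypt(priv, c) == 1234,
        "same_key_does_not": decrypt(pub, c) != 1234,
        "signature_verifies": verify(pub, msg, sig),
        "tampering_detected": not verify(pub, b"transfer 900 to account 42", sig),
    }
```

A certificate authority, as the PKI bullet notes, is what binds `pub` to a named owner; the arithmetic above only shows that the holder of `priv` produced the signature.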

Page 37

TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL

Encryption and Public Key Infrastructure (continued)

• Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS): protocols for secure information transfer over the Internet; they enable client and server computers to perform encryption and decryption as they communicate during a secure Web session.

• Secure Hypertext Transfer Protocol (S-HTTP): used for encrypting data flowing over the Internet; limited to Web documents, whereas SSL and TLS encrypt all data passed between client and server.

