Date posted: 03-Apr-2018 | Category: Documents | Uploaded by: aamir-khan
7/28/2019 chaptr 8 of mnagment information system. prepared by aamir khan
http://slidepdf.com/reader/full/chaptr-8-of-mnagment-information-system-prepared-by-aamir-khan 1/37
CONTENTS
TOPIC | PRESENTED BY (roll no.)
Need of Security and Control of Information Systems | 14
Business Value of System Security | 21
Type of Security Threats | 41
Organizational and Managerial Framework for Security and Control | 35
Tools for Security and Control | 34
INFORMATION SYSTEM
An information system is a set of interrelated technologies that are used to collect, process, store and distribute information to support management decision making.
SECURING INFORMATION SYSTEM
With increasing dependence on information systems, organizations face the challenge of ensuring the security of their data and information systems against security threats, so that they can get the maximum advantage from those systems.
SECURING INFORMATION SYSTEM
The term "system security threats" refers to the acts or incidents that can and will affect the integrity of business systems, which in turn will affect the reliability and privacy of business data. Most organizations depend on computer systems to function, and thus must deal with system security threats.
SECURING INFORMATION SYSTEM
According to a report, in mid-2012 coordinated attacks on 60 banks around the world netted an estimated $80 million for the hackers. Research shows that the value of corporate and government information lost in 2008 alone topped $1 trillion.
SECURING INFORMATION SYSTEM
To secure the information system, organizations need to adopt the required security and control measures.
SECURING INFORMATION SYSTEM
Security refers to the policies, procedures and technical measures used to prevent unauthorized access, alteration, theft or physical damage to information systems.
Controls are the methods, policies and organizational procedures that ensure the safety of the organization's assets and records and of its operations.
Need of Security and Control of Information Systems
PRESENTED BY: ABDUL GHAYAS, ROLL NO. 14
Internet Vulnerabilities and Security Issues
• The Internet and other public networks are more vulnerable to threats because they are virtually open to anyone.
• Fixed Internet addresses assigned through cable modems or DSL can easily be identified and used by outsiders to damage the system and get at its information.
• The lack of encryption in most Voice over IP (VoIP) means that voice communication can be intercepted by any hacker.
© 2006 by Prentice Hall
Internet Vulnerabilities and Security Issues
• Widespread use of e-mail and instant messaging (IM) means huge traffic and a lot of unwanted messages on the network.
• Malware and viruses can be spread easily over the Internet in the form of e-mail attachments and downloaded files.
Wireless Security Challenges:
• Radio frequency bands are easy to scan, which makes wireless networks easy for outsiders to attack.
• The service set identifiers (SSIDs) that identify access points are broadcast repeatedly and can easily be picked up by hackers and used to steal information.
Business Value of System Security
PRESENTED BY: IDREES ILYAS, ROLL NO. 41
BUSINESS VALUE OF SECURITY AND CONTROL
• Inadequate security and control of information may create serious legal liability.
• Businesses must protect not only their own information assets but also those of customers, employees and business partners. Failure to do so can lead to costly consequences for data exposure or theft.
• A business that develops a sound security and control framework to protect its information assets can thus produce a high return on investment.
BUSINESS VALUE OF SECURITY AND CONTROL
Legal and Regulatory Requirements for Electronic Records Management
• Electronic Records Management (ERM): policies, procedures and tools for managing the retention, destruction and storage of electronic records
BUSINESS VALUE OF SECURITY AND CONTROL
Data Security and Control Laws in the United States
• The Health Insurance Portability and Accountability Act (HIPAA)
• Gramm-Leach-Bliley Act
• Sarbanes-Oxley Act of 2002
BUSINESS VALUE OF SECURITY AND CONTROL
Organizations need to maintain and organize electronic evidence and computer forensics capabilities:
• Electronic Evidence: computer data stored on disks and drives, e-mail, instant messages, and e-commerce transactions
• Computer Forensics: scientific collection, examination, authentication, preservation, and analysis of computer data for use as evidence in a court of law
Type of Security Threats
PRESENTED BY: SHAMAS HABIB QURESHI, ROLL NO. 21
THREATS POSED TO INFORMATION SYSTEMS
Malicious Software: Viruses, Worms, Trojan Horses, and Spyware
• Computer viruses: a software program that attaches itself to other software programs and spreads from one computer to another through file sharing and e-mail attachments. Without the user's knowledge or permission it executes and damages the functioning of the system.
• Worms: independent computer programs that copy themselves from one computer to another and destroy data and programs.
• Trojan horses: software that does not itself replicate but opens a way for viruses or other malicious software to attack.
THREATS POSED TO INFORMATION SYSTEMS
• Spyware: software that installs itself on computers, monitors the user's web surfing activity and serves up advertising.
• Spoofing: redirecting a web link to an address different from the actual one, directing users to fake websites that can be used to extract personal and confidential information.
• Sniffers: programs that monitor the flow of information over a network and allow hackers to steal information from anywhere on the network.
• Denial of Service (DoS) attacks: hackers load the network or web servers with thousands of false communications to slow down or crash the network.
THREATS POSED TO INFORMATION SYSTEMS
• Identity theft: a crime in which an imposter obtains important personal information such as a personal identification number, driver's license number or credit card numbers in order to impersonate someone else.
• Phishing: setting up fake websites or sending e-mails that look like they come from legitimate businesses, to ask users for confidential information that can be used for financial fraud.
• The rise in cybercrime and cyberwarfare poses a serious threat to information systems.
THREATS POSED TO INFORMATION SYSTEMS
Internal threats from employees
• Employees have access to confidential information, so negligence on their part is a serious threat.
• Users' lack of knowledge and inability to protect their passwords means outsiders can breach security.
Software flaws
• Defects in software programs can easily be exploited to get at valuable information.
SYSTEM VULNERABILITY AND ABUSE
Figure 10-3: Worldwide Damage from Digital Attacks (chart not reproduced in this text)
Organizational and Managerial Framework for Security and Control
PRESENTED BY: SHAMAS HABIB QURESHI, ROLL NO. 21
ESTABLISHING A MANAGEMENT FRAMEWORK FOR SECURITY AND CONTROL
From the management perspective it is required that:
• Security and control become a more visible and explicit priority and area of information systems investment.
• Top management gives its support and commitment, to show that security is indeed a corporate priority and vital to all aspects of the business.
• Security and control are the responsibility of everyone in the organization.
ESTABLISHING A MANAGEMENT FRAMEWORK FOR SECURITY AND CONTROL
Controls are the methods, policies and organizational procedures that ensure the safety of the organization's assets and records and of its operations.
Controls for securing information systems:
• General Controls
• Application Controls
ESTABLISHING A MANAGEMENT FRAMEWORK FOR SECURITY AND CONTROL
General Controls
The controls applied to all computer applications. They include the design, security and use of computer systems and the tools that protect information throughout the information technology infrastructure.
General Controls
Software Controls: monitor the use of computer software and prevent unauthorized access to software.
Hardware Controls: ensure that the hardware and equipment are physically secure.
Computer Operation Controls: ensure that computer and processing operations are carried out consistently and as planned.
Data Security Controls: ensure that valuable business data are not subjected to unauthorized access or destruction.
Implementation Controls: audit that the system process is properly controlled and managed.
Administrative Controls: formulate standards, rules and procedures to ensure that general and application controls are properly executed and enforced.
ESTABLISHING A MANAGEMENT FRAMEWORK FOR SECURITY AND CONTROL
Application controls: specific controls unique to each computerized application, which ensure that only authorized data are processed by that application.
• Input: check data for accuracy and completeness when they are entered into the system.
• Processing: ensure that processing runs smoothly and that data remain complete during updating.
• Output: ensure that the results are complete, accurate and properly distributed.
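The three application-control points, worked through for a small payroll batch. This is an added example, not code from the slides or the textbook they summarize; the record layout, the validation rules, the authorized distribution list and the four sample records are all constructed for the illustration. The processing control reconciles "control totals" (record count and total hours) against what the submitter declared with the batch, which is how a dropped or rejected record gets noticed before the output is released.

```python
"""Application controls (input, processing, output) for a small payroll batch.

Added illustration; not code from the slide deck or its source textbook. The
record layout, validation rules, distribution list and sample records are all
constructed for this example.
"""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

REQUIRED_FIELDS = ("employee_id", "hours", "rate")
AUTHORIZED_DISTRIBUTION = {"payroll@example.test", "finance@example.test"}  # constructed


@dataclass
class BatchResult:
    accepted: list = field(default_factory=list)   # records that passed input controls
    rejected: list = field(default_factory=list)   # (record, reason) pairs
    totals: dict = field(default_factory=dict)     # processing control totals


def input_control(record):
    """Input control: reject a record that is incomplete or inaccurate before it
    enters the system. Returns (ok, reason)."""
    missing = [f for f in REQUIRED_FIELDS if not record.get(f)]
    if missing:
        return False, "missing field(s): " + ", ".join(missing)
    emp = record["employee_id"]
    if not (emp.isdigit() and len(emp) == 6):
        return False, "employee_id must be exactly 6 digits"
    try:
        hours, rate = Decimal(record["hours"]), Decimal(record["rate"])
    except InvalidOperation:
        return False, "hours and rate must be numeric"
    if not Decimal("0") < hours <= Decimal("80"):
        return False, "hours outside the plausible range 0-80"
    if rate <= 0:
        return False, "rate must be positive"
    return True, ""


def process_batch(records, declared_count, declared_hours):
    """Processing control: compute gross pay for accepted records and reconcile
    control totals against the count and hours the submitter declared."""
    result = BatchResult()
    for rec in records:
        ok, reason = input_control(rec)
        if ok:
            gross = Decimal(rec["hours"]) * Decimal(rec["rate"])
            result.accepted.append(dict(rec, gross=gross))
        else:
            result.rejected.append((rec, reason))
    hours_accepted = sum((Decimal(r["hours"]) for r in result.accepted), Decimal("0"))
    result.totals = {
        "records_in": len(records),
        "records_accepted": len(result.accepted),
        "hours_accepted": hours_accepted,
        "gross_total": sum((r["gross"] for r in result.accepted), Decimal("0")),
        "count_matches": len(records) == declared_count,
        "hours_match": hours_accepted == Decimal(str(declared_hours)),
    }
    return result


def output_control(result, recipients):
    """Output control: release the report only when totals reconcile, nothing was
    rejected without review, and every recipient is on the authorized list."""
    if result.rejected or not (result.totals["count_matches"] and result.totals["hours_match"]):
        return False, "batch held: rejected records or unreconciled control totals"
    unauthorized = sorted(set(recipients) - AUTHORIZED_DISTRIBUTION)
    if unauthorized:
        return False, "unauthorized recipient(s): " + ", ".join(unauthorized)
    return True, "report released to " + ", ".join(sorted(recipients))


# Constructed sample batch: two good records, one bad employee id, one missing field.
SAMPLE_BATCH = [
    {"employee_id": "104233", "hours": "40", "rate": "22.50"},
    {"employee_id": "10423A", "hours": "38", "rate": "19.00"},
    {"employee_id": "108811", "hours": "", "rate": "31.00"},
    {"employee_id": "109004", "hours": "12.5", "rate": "40.00"},
]

if __name__ == "__main__":
    res = process_batch(SAMPLE_BATCH, declared_count=4, declared_hours="90.5")
    for rec, why in res.rejected:
        print("rejected", rec["employee_id"], "->", why)
    print(res.totals)
    print(output_control(res, ["payroll@example.test"]))
```

Running the sample batch rejects two of the four records, so the accepted hours (52.5) no longer match the declared 90.5 and the output control holds the report; the same batch with only the two clean records reconciles and is released to authorized recipients only.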
ESTABLISHING A MANAGEMENT FRAMEWORK FOR SECURITY AND CONTROL
Develop a security policy
A security policy consists of statements ranking information risks, identifying acceptable security goals and identifying the mechanisms for achieving those goals.
Components of Security Policy
Risk assessment
• Determine the risky information assets
• Determine the level of risk associated with each information asset
Acceptable security goals
• Define acceptable use of information resources and equipment, and the authorization level for employees
• Disaster recovery planning: plans for restoring computing and communications disrupted by an event such as an earthquake, flood or terrorist attack
• Business continuity planning: plans for handling mission-critical functions if systems go down
Implementation of policies
• Use technologies and tools to secure the information systems and achieve the security goals
• Control and manage the security tools
ESTABLISHING A MANAGEMENT FRAMEWORK FOR SECURITY AND CONTROL
Auditing:
• MIS audit: identifies all of the controls that govern individual information systems and assesses their effectiveness
• Security audits: review technologies, procedures, documentation, training, and personnel
TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL
Access Control
Access control: consists of all the policies and procedures a company uses to prevent improper access to systems by unauthorized insiders and outsiders
Authentication:
• Passwords
• Tokens, smart cards
• Biometric authentication
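How the first two authentication methods on this slide fit together in code: passwords are stored as salted, slow hashes and compared in constant time, and a token's one-time code is checked as a second factor, with a lockout after repeated failures. This is an added example, not code from the slide deck or its textbook. The in-memory user store, the iteration count, the lockout threshold and the sample account are constructed for the illustration; the one-time code algorithms are RFC 4226 (HOTP) and RFC 6238 (TOTP), implemented here with the standard library only.

```python
"""Password and token authentication for the access-control slide.

Added example, not code from the slide deck or its textbook. The user store,
policy values (iteration count, lockout threshold, clock tolerance) and the
sample account are constructed for this illustration.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 600_000   # assumed work factor; tune to available hardware
SALT_BYTES = 16
MAX_FAILURES = 5              # assumed lockout threshold
TOTP_STEP = 30                # seconds per one-time code (RFC 6238 default)


def hash_password(password, salt=None):
    """Store a salted, slow hash instead of the password itself, so a stolen
    credential store does not hand over reusable passwords."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"alg": "pbkdf2_sha256", "iter": PBKDF2_ITERATIONS, "salt": salt.hex(), "hash": digest.hex()}


def verify_password(record, candidate):
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iter"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226): what a hardware token or
    authenticator app computes from a shared secret and a counter."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=TOTP_STEP, digits=6):
    """Time-based variant (RFC 6238): the counter is the current time step."""
    return hotp(secret, int(unix_time) // step, digits)


# Hashing a dummy record on every unknown-user login keeps response time the
# same whether or not the account exists (constructed dummy value).
DUMMY_RECORD = hash_password("not-a-real-password")


class Authenticator:
    """In-memory credential store with password + one-time code and lockout."""

    def __init__(self):
        self.users = {}   # username -> {"pw": record, "totp_secret": bytes, "failures": int}

    def enroll(self, username, password):
        secret = secrets.token_bytes(20)
        self.users[username] = {"pw": hash_password(password), "totp_secret": secret, "failures": 0}
        return secret      # provisioned to the user's token or app out of band

    def login(self, username, password, code, now):
        user = self.users.get(username)
        if user is None:
            verify_password(DUMMY_RECORD, password)
            return False, "invalid credentials"
        if user["failures"] >= MAX_FAILURES:
            return False, "account locked"
        ok_password = verify_password(user["pw"], password)
        # Accept the previous, current and next time step to tolerate clock drift.
        ok_code = isinstance(code, str) and code.isdigit() and any(
            hmac.compare_digest(totp(user["totp_secret"], now + drift), code)
            for drift in (-TOTP_STEP, 0, TOTP_STEP))
        if ok_password and ok_code:
            user["failures"] = 0
            return True, "authenticated"
        user["failures"] += 1
        return False, "invalid credentials"


if __name__ == "__main__":
    auth = Authenticator()
    secret = auth.enroll("alice", "correct horse battery staple")
    now = 1_700_000_000
    print(auth.login("alice", "correct horse battery staple", totp(secret, now), now))
    print(auth.login("alice", "wrong password", totp(secret, now), now))
```

The login path deliberately returns the same message for an unknown user and a wrong password, and runs the slow hash in both cases, so neither the text nor the timing of the response tells a caller which accounts exist.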
TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL
Firewalls, Intrusion Detection Systems, and Antivirus Software
• Firewalls: hardware and software controlling the flow of incoming and outgoing network traffic
• Intrusion detection systems: full-time monitoring tools placed at the most vulnerable points of corporate networks to detect and deter intruders
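A small piece of the monitoring logic an intrusion detection system applies, run over web-server log lines: it flags the denial-of-service pattern from the threats slides (one source flooding a server with requests) by counting requests per source address inside a sliding time window. This is an added example, not code from the slide deck or its textbook. The log lines, the window length and the alert threshold are constructed for the illustration, and the addresses come from the documentation ranges (203.0.113.0/24, 198.51.100.0/24).

```python
"""Rate-based flood detection over web-server access logs.

Added example; not code from the slide deck. All log lines, the window and the
threshold are constructed for this illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/NGINX "common log format" line; the request and size fields are kept
# for context but only the source address and timestamp drive the detection.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "request": m["req"], "status": int(m["status"])}


class FloodDetector:
    """Alert once per source when it exceeds `threshold` requests within
    `window_seconds` (constructed policy values)."""

    def __init__(self, window_seconds=10, threshold=20):
        self.window = window_seconds
        self.threshold = threshold
        self.recent = defaultdict(deque)   # ip -> timestamps still inside the window
        self.alerted = set()

    def observe(self, event):
        q = self.recent[event["ip"]]
        q.append(event["ts"])
        # Drop timestamps that have slid out of the window.
        while q and (event["ts"] - q[0]).total_seconds() > self.window:
            q.popleft()
        if len(q) > self.threshold and event["ip"] not in self.alerted:
            self.alerted.add(event["ip"])
            return (f"ALERT {event['ts'].isoformat()} {event['ip']} sent "
                    f"{len(q)} requests in {self.window}s")
        return None


def scan(lines, window_seconds=10, threshold=20):
    """Run the detector over an iterable of log lines.
    Returns (alerts, malformed_line_count); malformed lines are counted, not dropped silently."""
    detector = FloodDetector(window_seconds, threshold)
    alerts, malformed = [], 0
    for line in lines:
        event = parse_line(line)
        if event is None:
            malformed += 1
            continue
        alert = detector.observe(event)
        if alert:
            alerts.append(alert)
    return alerts, malformed


# Constructed log: a normal visitor, a 25-request burst from one address over
# five seconds, and one line that does not parse.
CONSTRUCTED_LOG = [
    '198.51.100.4 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '198.51.100.4 - - [10/Oct/2023:13:55:40 +0000] "GET /about.html HTTP/1.1" 200 1184',
    *[f'203.0.113.7 - - [10/Oct/2023:13:55:{41 + i // 5:02d} +0000] "GET /login HTTP/1.1" 503 0'
      for i in range(25)],
    '198.51.100.4 - - [10/Oct/2023:13:55:50 +0000] "POST /contact HTTP/1.1" 302 0',
    'this line is not in the expected format',
]

if __name__ == "__main__":
    found, bad = scan(CONSTRUCTED_LOG)
    for a in found:
        print(a)
    print(f"{bad} malformed line(s) skipped")
```

The detector alerts once per source rather than on every excess request, which keeps the alert volume manageable during an actual flood; the count of unparseable lines is returned so that a format change in the log feed does not silently blind the monitor.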
TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL
• Antivirus software: software that checks computer systems and drives for the presence of computer viruses and can eliminate the virus from the infected area
• Wi-Fi Protected Access specification
TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL
Encryption and Public Key Infrastructure
• Public key encryption: uses two different keys, one private and one public. The keys are mathematically related so that data encrypted with one key can be decrypted only with the other key
• Message integrity: the ability to be certain that the message being sent arrives at the proper destination without being copied or changed
TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL
Encryption and Public Key Infrastructure (continued)
• Digital signature: a digital code attached to an electronically transmitted message that is used to verify the origin and contents of the message
• Digital certificates: data files used to establish the identity of users and electronic assets for the protection of online transactions
• Public Key Infrastructure (PKI): use of public key cryptography working with a certificate authority
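The public-key, message-integrity and digital-signature definitions on this slide and the previous one, shown concretely with a textbook RSA keypair: encrypting with the public key and decrypting with the private one, then signing a message's hash with the private key so that anyone holding the public key can check both origin and contents. This is an added example, not code from the slide deck or its textbook. The two primes are small constructed values chosen so the arithmetic runs with the standard library alone; real deployments use keys of thousands of bits and padding schemes (OAEP, PSS) that this toy omits, so it demonstrates the relationships between the keys, not a usable cipher.

```python
"""Toy RSA: public-key encryption plus hash-and-sign digital signatures.

Added example, not from the slide deck. The primes are tiny constructed values
and no padding is applied; this illustrates the key relationship only.
"""
import hashlib
from math import gcd


def generate_keypair(p, q, e=65537):
    """Derive (public, private) from two primes supplied by the caller."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse: d*e == 1 (mod phi)
    return (n, e), (n, d)


def max_message_bytes(n):
    """Largest message that fits below the modulus without padding."""
    return (n.bit_length() - 1) // 8


def encrypt_message(public_key, message):
    """Anyone with the public key can encrypt; only the private key decrypts."""
    n, e = public_key
    if len(message) > max_message_bytes(n) or message[:1] == b"\x00":
        raise ValueError("message too long for this toy modulus, or has a leading zero byte")
    m = int.from_bytes(message, "big")
    return pow(m, e, n)


def decrypt_message(private_key, ciphertext):
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest_mod_n(message, n):
    """Message integrity: a hash of the contents, reduced so it fits the modulus
    (real schemes pad the hash instead of truncating it)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message):
    """Only the private-key holder can produce this value for the message."""
    n, d = private_key
    return pow(_digest_mod_n(message, n), d, n)


def verify(public_key, message, signature):
    """Anyone with the public key can check origin and contents: a changed
    message or a signature made with another key fails to match the hash."""
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


# Constructed demo primes (both prime, but far too small for real use).
DEMO_P, DEMO_Q = 1000000007, 998244353

if __name__ == "__main__":
    pub, priv = generate_keypair(DEMO_P, DEMO_Q)
    c = encrypt_message(pub, b"PAY $80")
    print("ciphertext:", c, "-> plaintext:", decrypt_message(priv, c))
    order = b"transfer 100 to account 42"
    sig = sign(priv, order)
    print("original verifies:", verify(pub, order, sig))
    print("tampered verifies:", verify(pub, b"transfer 900 to account 42", sig))
```

The tampered-message check is the integrity property from the slide: the signature was computed over the hash of the original contents, so changing even one character of the message makes verification fail while the signature itself is untouched.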
TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL
Encryption and Public Key Infrastructure (continued)
• Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS): protocols for secure information transfer over the Internet; they enable client and server computers to encrypt and decrypt as they communicate during a secure Web session.
• Secure Hypertext Transfer Protocol (S-HTTP): used for encrypting data flowing over the Internet; limited to Web documents, whereas SSL and TLS encrypt all data being passed between client and server.