Prepared by Natalie Rose 1
Managing Information Resources, Control and Security
Lecture 9
Risks to Information Systems
• Risks to Hardware
– Natural disasters
– Blackouts and brownouts
– Vandalism
Risks to Information Systems (Cont.)
• Risks to Applications and Data
– Theft of information
– Social engineering and identity theft
– Data alteration, data destruction, and Web defacement
– Computer viruses, worms, and logic bombs
– Nonmalicious mishaps
Risks to Online Operations
• Denial of service
• Hijacking
• Spoofing
Controls
Controls (Cont.)
• Program Robustness and Data Entry Controls
– Provide a clear and sound interface with the user
– Menus and limits
• Backup
– Periodic duplication of all data
• Access Controls
– Ensure that only authorized people can gain access to systems and files
– Access codes and passwords
Controls (Cont.)
• Atomic Transactions
– Ensure that transaction data are recorded properly in all the pertinent files, preserving integrity
• Audit Trails
– Built into an IS so that transactions can be traced to people, times, and authorization information
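Two of the controls on this slide, atomic transactions and an audit trail, as an added example that is not part of the lecture, using Python's standard-library sqlite3 module. The account names, balances and the `authorized` set of actors are constructed sample data.

```python
# Added example, not from the lecture: the sample accounts and authorized set are constructed.
import sqlite3
from datetime import datetime, timezone


def open_ledger():
    """In-memory ledger with two constructed accounts and an empty audit trail."""
    conn = sqlite3.connect(":memory:")
    # CHECK keeps the integrity rule (no overdrafts) inside the database itself.
    conn.execute("CREATE TABLE accounts (name TEXT PRIMARY KEY,"
                 " balance INTEGER NOT NULL CHECK (balance >= 0))")
    # Audit trail: who, when, which records, how much, and whether it was allowed.
    conn.execute("CREATE TABLE audit (ts TEXT, actor TEXT, action TEXT,"
                 " src TEXT, dst TEXT, amount INTEGER, outcome TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 100), ("bob", 50)])
    conn.commit()
    return conn


def transfer(conn, actor, authorized, src, dst, amount):
    """Debit src and credit dst atomically; log every attempt to the audit trail."""
    ts = datetime.now(timezone.utc).isoformat()
    outcome = "ok"
    try:
        if actor not in authorized:
            raise PermissionError(f"{actor} is not authorized to transfer")
        if amount <= 0:
            raise ValueError("amount must be positive")
        with conn:  # one transaction: commit on success, roll back on any failure
            for delta, name in ((-amount, src), (amount, dst)):
                cur = conn.execute("UPDATE accounts SET balance = balance + ?"
                                   " WHERE name = ?", (delta, name))
                if cur.rowcount != 1:  # unknown dst would otherwise lose the debit
                    raise ValueError(f"unknown account {name}")
    except (sqlite3.IntegrityError, PermissionError, ValueError) as exc:
        outcome = f"failed: {exc}"
    with conn:  # committed separately so the record survives a rolled-back transfer
        conn.execute("INSERT INTO audit VALUES (?, ?, 'transfer', ?, ?, ?, ?)",
                     (ts, actor, src, dst, amount, outcome))
    return outcome


def balances(conn):
    """Current balances keyed by account name."""
    return dict(conn.execute("SELECT name, balance FROM accounts ORDER BY name"))


def audit_log(conn):
    """Audit entries as (actor, outcome) tuples, oldest first."""
    return conn.execute("SELECT actor, outcome FROM audit ORDER BY rowid").fetchall()
```

A refused or rolled-back transfer leaves the balances untouched but still produces an audit row, which is what lets a later investigation trace the attempt to an actor and a time.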
Security Measures
• Firewalls
– Defense against unauthorized access to systems over the Internet
– Controls communication between a trusted network and the “untrusted” Internet
– Proxy Server: represents another server for all information requests and acts as a buffer
Authentication and Encryption
• Keeps communications secret
• Authentication: the process of ensuring the identity of the person sending the message
• Encryption: coding a message into a form unreadable to an interceptor
Authentication and Encryption (Cont.)
• Encryption Strength
• Distribution Restrictions
• Public-key Encryption
– Symmetric and asymmetric encryption
• Secure Sockets Layer and Secure Hypertext Transport Protocol
• Pretty Good Privacy
Digital Signatures and Digital Certificates
• Electronic Signatures
• Digital Signatures
• Digital Certificates
The business recovery plan
• Obtain management’s commitment to the plan
• Establish a planning committee
• Perform risk assessment and impact analysis
• Prioritize recovery needs: critical, vital, sensitive, noncritical
The business recovery plan (Cont.)
• Select a recovery plan
• Select vendors
• Develop and implement the plan
• Test the plan
• Continually test and evaluate
Recovery plan providers
• Companies that specialize in either disaster recovery planning or provision of alternate sites
• Small companies can opt for Web-based services
The IS Security Budget
The IS Security Budget (Cont.)
• How much security is enough security?
• Calculating downtime
Ethical and Societal Issues
Terrorism, Carnivores, and Echelons
• Carnivorous methods
– FBI developed Carnivore
• Device is attached to the ISP servers to monitor email
• Top Echelon
– Surveillance system