Management Information Systems: Information Security Management (Chapter 12)

1

Management Information Systems

Information Security Management

Chapter 12

2

This Could Happen to You

Emerson Pharmaceuticals: $800M in sales
  - 200-person IT department

DSI: $50M in sales
  - 1-person IT department
  - No in-house software development

Why the difference?
  - Directors and project managers at DSI are knowledgeable in IT
  - Support users at DSI want only a reliable IT infrastructure
  - DSI has a wired/wireless LAN with two servers

What about security?

3

Study Questions

Q1. What are the sources and types of security threats?

Q2. What are the elements of a security program?

Q3. How can technical safeguards protect against security threats?

Q4. How can data safeguards protect against security threats?

Q5. How can human safeguards protect against security threats?

Q6. What is necessary for disaster preparedness?

Q7. How should organizations respond to security incidents?

4

Q1. Sources of Security Threats (1)

Human errors and mistakes
  - Accidental problems
  - Poorly written programs
  - Poorly designed procedures
  - Physical accidents

Malicious human activity
  - Intentional destruction of data
  - Destroying system components
  - Hackers
  - Virus and worm writers
  - Criminals
  - Terrorists

5

Sources of Security Threats (2)

Natural events and disasters
  - Fires, floods, hurricanes, earthquakes, tsunamis, avalanches, tornados
  - Initial losses of capability
  - Losses from recovery actions

6

Security Threats

7

Types of Problems (1)

Unauthorized data disclosure
  - Human error
    - Posting private information in a public place
    - Placing restricted information on searchable Web sites
    - Inadvertent disclosure
  - Malicious release
    - Pretexting
    - Phishing
    - Spoofing
    - Sniffing
    - Breaking into networks

8

Types of Problems (2)

Incorrect data modifications
  - Human errors
    - Incorrect entries and information
    - Procedural problems
  - Systems errors
  - Hacking
  - Faulty recovery actions

Faulty service
  - Incorrect systems operations
  - Usurpation

9

Types of Problems (3)

Denial of service (DoS)
  - Human error
  - Attacks

Loss of infrastructure
  - Accidental
  - Theft
  - Terrorism
  - Natural disasters

10

MIS in Use: Phishing for Credit Card Accounts

Phishing
  - An operation that spoofs legitimate companies in an attempt to get credit card information, driver's licenses, and other data
  - Usually initiated by an e-mail request designed to cause you to click
  - Asks for personal data
  - May install spyware, malware, adware

Defenses
  - Know your purchases and deal directly with vendors
  - Implausibility of the e-mail
  - Don't be misled by legitimate-looking graphics and addresses

11

Q2. Elements of a Security Program

Senior management involvement
  - Must establish a security policy
  - Manage risk: balance costs and benefits

Safeguards
  - Protections against security threats

Incident response
  - Must be planned for prior to incidents

12

Safeguards Related to the Five Components

13

Q3. Technical Safeguards (1)

Involve hardware and software components

User names and passwords
  - Identification
  - Authentication

Smart cards
  - Personal identification number (PIN)

Biometric authentication
  - Fingerprints, facial scans, retina scans

Single sign-on

14

Technical Safeguards (2)

Malware
  - Viruses
  - Worms
  - Trojan horses
  - Spyware programs
  - Adware

Malware safeguards
  - Antivirus and anti-spyware programs
  - Scan hard drive and e-mail
  - Update definitions
  - Open e-mail attachments only from known sources
  - Install updates promptly
  - Browse only reputable Web sites

15

Technical Safeguards

16

Spyware and Adware

17

Malware Survey Results

18

Q4. Security Threat Protection by Data Safeguards

Data administration
  - Organization-wide function
  - Develops data policies
  - Enforces data standards

Database administration
  - Database function
  - Procedures for multi-user processing
  - Change control to structure
  - Protection of database

19

Data Safeguards

Encryption keys
  - Key escrow

Backup copies
  - Store off-premise
  - Check validity

Physical security
  - Lock and control access to facility
  - Maintain entry log

Third-party contracts
  - Safeguards are written into contracts
  - Right to inspect premises and interview personnel

20

Data Safeguards

21

Q5. Human Safeguards (1)

People and procedure components

Access restriction requires authentication and account management

User account considerations
  - Define job tasks and responsibilities
  - Separate duties and authorities
  - Grant the least possible privileges
  - Document security sensitivity

Hiring and screening employees

22

Human Safeguards (2)

Employees need to be made aware of policies and procedures
  - Employee security training

Enforcement of policies
  - Define responsibilities
  - Hold employees accountable
  - Encourage compliance
  - Management attitude is crucial

Create policies and procedures for employee termination
  - Protect against malicious actions in unfriendly terminations
  - Remove user accounts and passwords

Security Safeguard Policies for Internal Personnel

24

Non-Employee Personnel

Temporary personnel and vendors
  - Screen personnel
  - Training and compliance
  - Contract should include specific security provisions
  - Provide accounts and passwords with the least privileges

Public users
  - Harden Web site and facility
  - Take extraordinary measures to reduce the system's vulnerability

Partners and public that receive benefits from the system
  - Protect these users from internal company security problems

25

Account Administration

Account management procedures
  - Creation of new accounts, modification of existing accounts, removal of terminated accounts

Password management
  - Acknowledgment forms
  - Change passwords frequently

Help-desk policies
  - Authentication of users who have lost a password
  - Passwords should not be e-mailed

26

Sample Account Acknowledgment Form

27

Guide: Metasecurity

Metadata is data about data

Securing the security system
  - Accounting controls
  - Storage of file accounts and passwords

Encryption and keys
  - Use temporary keys

Encourage reporting of flaws

Using white hats
  - Do you trust them?
  - What do you do with them when they've completed their check of the system?

Code control

28

Information Systems Safety Procedures

Procedure types
  - Normal operations
  - Backup
  - Recovery

Should be standardized for each procedure type

Each procedure type should be defined for both system users and operations personnel
  - Different duties and responsibilities
  - Varying needs and goals

29

System Procedures

30

Security Monitoring

Activity log analyses
  - Firewall logs
  - DBMS log-in records
  - Web server logs

Security testing
  - In-house and external security professionals

Investigation of incidents
  - How did the problem occur?

Lessons learned
  - Indication of potential vulnerability and corrective actions
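The activity log analysis on this slide and the account-removal procedure from the Account Administration and Human Safeguards slides, as an added Python example that is not part of the original deck: it runs over a constructed set of DBMS log-in records and a constructed HR termination list, flagging accounts still used after their owner's termination and bursts of failed log-ins. The log format, user names, addresses and thresholds are all constructed for the example.

```python
from datetime import datetime

# Constructed HR data for the example: user -> termination time (None = still employed)
HR_STATUS = {"alice": None, "carol": None,
             "bob": datetime(2024, 3, 1, 17, 0), "dave": datetime(2024, 2, 15, 12, 0)}

# Constructed DBMS log-in records in the form "date time user result source_ip"
DBMS_LOGIN_LOG = """\
2024-03-02 08:01:12 alice SUCCESS 10.1.2.3
2024-03-02 08:05:40 bob SUCCESS 10.1.2.44
2024-03-02 08:06:01 carol FAILURE 10.1.2.50
2024-03-02 08:06:03 carol FAILURE 10.1.2.50
2024-03-02 08:06:04 carol FAILURE 10.1.2.50
2024-03-02 08:06:09 carol SUCCESS 10.1.2.50
2024-03-02 09:15:00 dave FAILURE 203.0.113.7
"""

def parse_login_records(text):
    """Turn the space-separated log lines into dicts with a real timestamp."""
    records = []
    for line in text.splitlines():
        if line.strip():
            date, time, user, result, source = line.split()
            records.append({"ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
                            "user": user, "result": result, "source": source})
    return records

def terminated_account_activity(records, hr_status):
    """Any log-in attempt after a user's HR termination time means the account
    was not removed, which the termination procedure on the slides requires."""
    return [(r["user"], r["result"], r["source"]) for r in records
            if hr_status.get(r["user"]) is not None and r["ts"] > hr_status[r["user"]]]

def failed_login_bursts(records, threshold=3, window_seconds=60):
    """Users with at least `threshold` failures inside `window_seconds`: either
    password guessing or a locked-out user the help desk must authenticate."""
    failures = {}
    for r in records:
        if r["result"] == "FAILURE":
            failures.setdefault(r["user"], []).append(r["ts"])
    flagged = []
    for user, times in failures.items():
        times.sort()
        if any((times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds
               for i in range(len(times) - threshold + 1)):
            flagged.append(user)
    return sorted(flagged)
```

Both findings from the sample data (bob and dave logging in after termination, carol's three rapid failures) are the kind of result that should feed the incident investigation and lessons-learned steps on this slide.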

31

Q6. Disaster Preparedness

Disaster
  - Substantial loss of infrastructure caused by acts of nature, crime, or terrorism

Best safeguard is location of infrastructure
  - Backup processing centers at a geographically removed site

Create backups for critical resources
  - Hot and cold sites

Train and rehearse cutover of operations

32

Q7. Incident Response

Organization must have a plan
  - Detailed reporting and response

Centralized reporting of incidents
  - Allows for application of specialized expertise

Speed is of the essence
  - Preparation pays off
  - Identify critical employees and contact numbers

Training is vital
  - Practice incident response

33

How Does Knowledge from This Chapter Help You at DSI?

Use it personally
  - Limit DSI's exposure
  - Limit your own exposure
  - Create strong passwords

Follow appropriate data procedures
  - Do not store sensitive data on your computer
  - Limit data on laptops

Recognize phishing attacks

Send information on disaster preparedness and incident response to management