1 Lecture 5 Part 1 - Security IS Security definitions and issues.

1

Lecture 5

Part 1 - Security

IS Security definitions and issues

2

Security

• An organization may be required by organizational policy or compliance to the law to have an information security program in place.

• A security program may be put in place to insure against identified problems or risks.

3

Security

• The goal of a security program is to provide assurance that there exists security to:

– Provide for timely and reliable availability of information and systems

– Preserve confidentiality of data– Safeguard integrity of data

4

Those Involved with Security

• Executives authorize plans, ensure security and privacy protections are integrated, and accept risks to information systems in the organization

• Managers (information owners) develop requirements, assess information sensitivity and privacy needs, develop security plans and work with IT and security on monitoring

• IT staff provide, document and monitor technical security controls and are considered the owners of the infrastructure of information systems

5

Those Involved with Security

• Security staff manage the security program, assess risks, consult and review the security plan and privacy impact assessments (as documents) and manage the monitoring and compliance of reporting activities

• Auditors review security programs and systems for compliance according to organizational policy or legal requirement

• Supervisors assure staff compliance with security and privacy training and awareness requirements

6

A Security Program Combines People, Processes and Technology

7

Security Controls

• A security control is a specific action or procedure that is provided to protect confidentiality, integrity and availability of information/systems.

• Security controls are described in International Organization for Standardization

• Example: ISO 17799, a document describing IT security

8

Security Controls

Management Controls• Focus on the management of the computer

security system and the management of risk for a system

Operational Controls• Focus on mechanisms that primarily are

implemented and executed by people (as opposed to systems)

Technical Controls• Focus on security controls that the computer

system executes

9

Security Types

• Three security types;

– Physical controls– Administrative controls– Computational controls

10

Physical Controls

• Physical security• These controls ensure that hardware is secure.• They check for equipment malfunction.• May include access to hardware and an

example might be the restriction of access to a computer room to operational personnel or the taking of back-up copies of files in case of accidents.

• Hardware controls should take account of fire and environmental hazards.

11

Administrative Controls

• Administrative disciplines, standards and proceduresThese controls are formalized standards, rules, procedures and control disciplines to ensure that the organization's other controls are properly executed and enforced. Examples of these controls are:

segregation of functionswritten policies and procedures supervision

12

Administrative Controls

• Controls over the system implementation processImplementation controls audit the system development process at various points in time to ensure that the project in hand is being properly controlled and managed.

• An example of such a control is a 'sign-off' at the end of each stage of the development process where a developer offers a section of the project to a user or manager to sign off, thereby documenting their approval of the development stage offered.

13

Administrative Controls

• Computer operations controlsThese controls apply to the work of the computer department and help to ensure that programmed procedures are consistently and correctly applied to the storage and retrieval of data.

• They include, for example, controls over set-up, operations software, computer operations and backup and recovery procedures.

14

Computational Controls

• Software controls

These controls monitor the use of system software and prevent unauthorized access to software programs.

• System software controls govern the software for the operating system.

• Program security controls are used to prevent unauthorized changes to programs on the system.

15

Computational Controls

• Internal system securityValidation and verification checks on input data, authorization procedures for some types of input data, the provision of an audit trail of file changes and the use of control totals.

• It may be necessary to include such things as encryption, which is coding, of data held on files, multi-level password systems including the use of magnetic keys, voice recognition access and the monitoring of the identity and access time of each user on the system.

16

Computational Controls

• Data security controls

Data security controls ensure that data files on disk or tape are not subject to unauthorized access, change or destruction. These controls are needed for when the data is in use (active) and when being held for storage.

17

Computational Controls

• Application controlsApplication controls are specific controls within each computer application.

• Objectives:1.Completeness of input2.Accuracy of input3.Validity of data4.Maintenance (where data on files continue

to be correct and current).

18

Computational Controls

• Application controls are usually in one of three categories:

1.Input controls

2.Processing controls

3.Output controls

19

Audits

• Auditing information systems• An information system audit identifies all of the

controls that govern individual information systems and assess their effectiveness.

20

Audits

• For this the auditor must make value judgements about– operations,– physical facilities,– telecommunications,– control systems,– data security objectives,– organizational structure,– personnel,– manual procedures and individual applications.

21

Audits

• The audit is a matter of collecting and analyzing the details on an information system including – user and system documentation,

– sample inputs,

– sample outputs,

– documentation on integrity controls (to compare the details) and

– anything else that might be lying around that might give an indication of how the system is being used.

22

Issues and Considerations of Security Management

• Access control• Awareness and training• Audit and accountability• Certification, accreditation, and security

assessments• Configuration management• Contingency planning• Identification and authentication• Incident response

23

Issues and Considerations of Security Management

• Maintenance• Media protection • Physical and environmental protection• Planning• Personnel security• Risk assessment• System and services acquisition• System and communications protection• System and information integrity

24

Security During the Life Cycle

• Security is less expensive if it is planned and implemented from the start; it is more costly to add security features to a system after it has been designed.

• If not addressed in the initial phases, security controls added at the last minute can diminish performance and delay implementation.

25

Risks

• Risk management is the total process of identifying, controlling, and minimizing the impact of uncertain events against an information resource.

• The risk management process can be broken down into three main areas:

– Risk assessment– Risk mitigation– On-going evaluation

26

Risks

• Examples of types of vulnerabilities include:

– Poorly communicated or implemented policy

– Poorly trained personnel

– Misconfigured systems or controls

– Poorly designed and implemented commercial off-the shelf (COTS) or custom components

– Lack of access controls

– Lack of physical controls

– Lack of visitor policy

27

Consequences

• The consequences of ignoring risk – or having inadequate security may result in:– Loss of data– Disclosure of sensitive information– Disruption or denial of service– Loss of competitive edge– Monetary loss– Damage to reputation or public trust– Lawsuits– Death (in extreme cases)

28

Management Responsibilities for Risk

• Document the criticality and sensitivity of the information in the risk assessment

• Define and document the appropriate controls needed to mitigate the risk

• Use the appropriate security requirements• Develop Plans of Action and Milestones to

mitigate risks • Monitor and reassess risks, security and related

policy regularly

29

Steps for Managers to Take

• Step 1: Develop policy statement

• Step 2: Conduct Business Impact Assessment

• Step 3: Identify preventive controls

• Step 4: Develop recovery strategies

• Step 5: Develop IT contingency plans

• Step 6: Conduct plan testing, training and exercises for staff

• Step 7: Maintain the plan

30

Part 2

IS and the Legal System

31

Information Systems Management and the Law

• The law is the set of rules that can be enforced in a court. There are many sets of laws and they exist in a jurisdiction.

32

What is Regulation?

• Regulations for technology are often associated with the Data Protection Act and trading acts.

• You could say that regulation in information systems comes mainly from individual contracts set up by organizations.

33

What is Compliance?

• Where there are regulations – either by law or company policy, compliance could be seen as observance of the official requirements of the regulations.

• The act or process of complying with a demand or recommendation that comes from regulation is usually a task for a member of management.

34

Legal Issues

• The laws associated with information technology have many aspects. We can look at commonly discussed legal issues related to information systems or IT:– Contracts– Outsourcing– Software licensing– Data protection– Acceptable use– Intellectual property rights– Computer fraud– Taxation

35

Contracts

• Contracts are legal documents defining the legal implications of buying, selling or becoming involved with products and services of – in this MIS context – hardware and software systems and the issues surrounding them.

• Contracts can take many forms – what follows is a general, basic description of a contract.

36

Contracts

• The structure of a contract in our context is, generally:– The date on which the contract was entered into– The names and addresses of those entering the

contract– A description of what the contract is about –

having titles such as ‘Background’ or ‘Whereas’– Definitions of terms used in the contract– Provisions made by one party (e.g. Supplier)– What must be paid to the provider (supplier)

37

Hardware Procurement Contract

• The details for a hardware procurement contract might include:– A description of the hardware

– A warranty for the quality of the hardware

– Delivery dates

– Price

– Acceptance testing (description)

– Future maintenance description

– Training

38

Software Procurement Contract

• Software purchase is much more complex in terms of contract design. The software may be developed specifically for the organization or be ready to sell ‘off-the shelf’.

39

Software Procurement Contract

• What type of software will be provided, what the software is required to do, whether there is a maintenance feature to the deal, what provision there is for the cessation of the supply company and many other aspects of law surrounding the idea of ‘keeping the software working’.

40

A Contract for Outsourcing

• It is difficult to specify a typical contract for product or service outsourcing, but – very generally – a contract for software services, as an example, may contain:– The statement of requirements– The technical solution– An output specification

41

A Contract for Outsourcing

• Similar to hardware, software and services procurement, there is often a special contract that is applied to outsourcing called a Service Level Agreement (SLA).

• An SLA often has the details of:– Service levels to be achieved– Targets for service levels– Mechanisms for monitoring and reporting

service levels against those targets– Consequences of failure to meet targets

42

Software Licensing

• One might view software licensing as another form of contract.

• A licence should confirm that the software supplier owns the copyright in the software or has the right to licence it to the organization.

• Usually, the software supplier is not selling ownership of software to an organization but the permission to use it as they wish. This leaves the supplier able to provide copies of the software to other people or organizations.

43

Software Licensing

• Usually a contract is drawn up – called the licence agreement, since the licence is really a legal agreement between the software supplier and a client.

• There are variations in such agreements;– Is the licence restricted to one office, one

department, one organization or can the software be lent to ‘sister companies?

…/ continued

44

Software Licensing

– Is there a user restriction? Does the agreement allow up to, say 20 users? Do extra users require individual licences or another group licence?

– Are there time constraints? One year? Two Years?

– Are there any other restrictions?

45

Data Protection

• As an organization processing data one must ensure that the processing is lawful.

• The data must have been obtained fairly and lawfully.

• When obtaining data from a third party you must inform the subject of the data that you have data pertaining to them, telling the subject why you are using the data and how you will use them.

46

Data Protection

• Personal data must be:– Fairly and lawfully processed– Processed for limited purposes– Adequate, relevant and not excessive– Accurate– Not kept longer than necessary– Processed in accordance with the data subject’s

rights– Secure– Not transferred to countries without adequate

protection

47

Acceptable Use

• Employees use computers for their information work – they may also use their employer’s computers for personal matters, such as booking a cheap flight, buying books and gifts and sending e-mails to friends and family.

48

Acceptable Use

• Misuse might be seen as an – excessive waste of staff time and resources,– actions exposing the organization to claims

for discrimination, harassment, defamation or worse,

– failure to include information that results in criminal liability.

– (On the employer’s side;) health and safety requirements for screens and other computer equipment must be met

49

Acceptable Use

• Usage policiesComputer usage policies are very often established because employers can be held responsible for wrongful actions carried out by employees in the course of their employment.

50

Acceptable Use

• Common usage problems are:– Racial harassment– Sexual harassment– Downloading pornography– Defamation of management, customers or

competitors,– Breach of confidence– Copyright infringement– Hacking (into systems)– Breaches of the Data protection Act

51

Intellectual Property Rights

• Rights on intellectual property are laws related, in the current context of information systems in organizations, to software licensing.

• Types of intellectual property:– Patents

– Design

– Copyright

– Database right

– Trade marks

52

Computer Fraud

• Many Management Information Systems service providers see the responsibility of avoiding this fraud to belong to the organization itself.

• Corporate governance is the term for the idea that an organization ‘watches out’ for computer fraud.

53

Taxation

• E-commerce means that organizations can trade across borders.

• There is a Communications Regulations Bill 2007, which may amend the state law on e-commerce.

54

Taxation

• Issues for taxation in e-commerce include:– Identification of a transaction– Identification of the parties to a transaction– Verification of the details of the transaction– Application of the correct taxing rules and

remittance to the taxing authority– Generation of an audit trail.– The country of the supplier, generally, has the

government to which the tax laws apply.

55

Part 3

Human Computer Interface

Interacting with Computers.

56

Interacting with Computers

• What we are looking at with this topic, largely, is Human-Computer Interaction or, in a narrower field, GUIs (Graphical User Interfaces).

57

Interacting with Computers

• Interacting with computers is improved by ‘good usability’.

• A computer system has usability – whether it is easily usable or difficult to use is measurable.

• Usability, like many features of systems, can be ‘designed in’…

58

Design Principles for Usability

• Principles for good design of this sort include:

• Early focus on the users• Iterative design• Integrative design (Help for users, training,

documentation, etc in parallel to the technical design)

59

Usability

Early focus on users• Bring the design team into direct contact

with the users right from the start.• Get the user involved so they can instill

their knowledge into the design process.

60

Usability

• Collect the users’ thoughts (interviews, questionnaires…)

• Collect the user’s mistakes,• Collect the user's attitudes.

61

Usability

Iterative design• Incorporate the results from the tests into

the next prototype• Set goals for the system• Get feedback on evaluation

62

Usability

• Evaluation criteria–easy to use–user friendly–easy to operate–simple–responsive–flexible

63

Usability

Integrated design• Build the online help, prepare training,

documentation AND process modules (coded programs) at the same time.

64

Usability Definitions

• Usability is task related, people related and function related. It has cognitive, behavioral, and communicative components.

• To be truly usable a system must be compatible not only with the characteristics of human perception and action but, and most critically, with user's cognitive skills in communication, understanding, memory and problem solving.

65

Usability Definitions

• Designing a usable system requires:– understanding of the intended users.– the amount of time they expect to use the

system.– how their needs change as they gain

experience.

66

Usability Design

Early focus on the user• What: understand the users’ cognition, behavior

and attitude in relation to the goals of the organization

• How: interviews, observations, discussions, working with the users.

67

Usability Design

Interactive design• What: the problems encountered are to be

corrected and measure again.• How: an evolving system – prototyping.

Integrated Design• What: a parallel development of interface, help,

documentation, training and measurement.

68

Measurable Human Factors

Goals for usability– Time needed to learn - how long does it take

for typical users to learn to use the commands relevant to a set of tasks?

– Speed of performance - how long does it take to carry out the benchmark set of tasks?

– Rate of errors by users - how many and what kinds of errors are made in carrying out the benchmark set of tasks?

…/continued

69

Measurable Human Factors

– Subjective satisfaction - how much did the users like using aspects of the system?

– Retention over time - how well do users maintain their knowledge?

70

Cognitive Engineering

• Learning is a relatively permanent change in behavior resulting from conditions of practice.

• Human learning then is the association of one item with another item (Associated learning).

• Pairs of stimuli are introduced, a mental association is made for them, and the stimuli then become interrelated.

• Future learning can then depend upon past learning (Constructivism).

• People develop new cognitive structures by using metaphors to cognitive structures they have already learned.

71

Cognitive Engineering

• The metaphor is a model or structure or conceptual framework which helps bridge any gap between what the person (user) knows and what is to be learned.

• Metaphors spontaneously generated by users will predict the ease with which they an master a computer system.

• If this is indeed the case then systems designers must understand and employ the use of metaphors in system designs.

72

Cognitive Engineering

Eight recommendations to aid both the user and designer in build effective systems1. Find and use appropriate metaphors in teaching

the naive user a computer system. A metaphor must have a suitable domain for a given system and given user population.

2. Given a choice between two metaphors choose the one which is most like the way the system works.

3. Assure that the correct attitude is presented. Costs of ignoring this recommendation range from user dissatisfaction and reduced productivity to sabotage.

73

Cognitive Engineering

4. When more than one metaphor is need to represent a system, choose metaphors that are similar enough, but not to similar that confusion results.

5. Consider the probable consequences to users and system designers of each metaphor used. This is the evolving state from novice to user. Two path are possible: one leading to directly to the system, the other to a new metaphor.

6. The limits of the metaphor should be pointed out to the user.

74

Cognitive Engineering

7. The intent of the metaphor in the beginning is to aid understanding and usability; for the continual user it is no longer necessary. The metaphor is used also as a motivator, at first to get the user to use the system, then to make him productive and keep his interest.

8. Provide the user with an exciting metaphor for routine work and eventually present the user with advanced scenarios requiring different action.

75

Cognitive Engineering

Learning is a relatively permanent change in behavior resulting from:

• Elaboration, association, practice, rehearsal.

Metaphor - a mental model, structure, or framework which help bridge any gap between what a person knows and what is being attempted to be learned.

76

Cognitive Engineering

Goals– To understand the fundamental principles of

human action and performance relevant to the principles of system design.

– To devise physical systems that are pleasant to use.

– Psychological variables - goals, intentions and attitudes

– Physical variables - pertain to to system.

77

Human-Computer Dialogue

Computer based systems should be easy to learn and remember, effective, and pleasant to use.

These are testable usability behavioral measures.

78

Cognitive Engineering

Nine basic categories of usability problems:1. Simple and natural dialogue: The dialogue should be simple

and clearly stated. It should not contain any irrelevant information. The information should appear in a natural and logical order.

2. Speak the user's language: the dialogue should be expressed in the terminology familiar to the user rather than in system oriented terms.

3. Minimize the user's memory load: instructions should be visible, easily retrievable, and simplified. Presentation load should be reduced when ever possible (i.e. users should not have to remember file names when they are retrievable).

4. Be consistent: the terminology and concepts should always be used in the same manner.

79

Cognitive Engineering

5. Provide feedback: the system should provide feedback as to what is transpiring within a reasonable time.

6. Provide clearly marked exits: clearly marked exits should be provided to the user in case of mistakes.

7. Provide shortcuts: system flexibility for the novice and expert. Menus for the novice and commands for the experts.

8. Provide Good Error Messages: The error messages should be constructive and provide meaningful suggestions to the user of what to do next.

9. Error Prevention: A careful design that prevents error messages form occurring in the first place.

80

Cognitive Engineering

Conclusion:• The identification of specific, and potential

usability problems in a human computer dialogue design is difficult.

• Usability goals should be defined and incorporated into the design.

• Designers may have difficulties in applying design principles unless they have simple basic requirements for the design product.

81

End of Lecture 5