1 Lecture 5 Part 1 - Security IS Security definitions and issues
Dec 25, 2015
1
Lecture 5
Part 1 - Security
IS Security definitions and issues
2
Security
• An organization may be required by organizational policy or compliance to the law to have an information security program in place.
• A security program may be put in place to insure against identified problems or risks.
3
Security
• The goal of a security program is to provide assurance that there exists security to:
– Provide for timely and reliable availability of information and systems
– Preserve confidentiality of data– Safeguard integrity of data
4
Those Involved with Security
• Executives authorize plans, ensure security and privacy protections are integrated, and accept risks to information systems in the organization
• Managers (information owners) develop requirements, assess information sensitivity and privacy needs, develop security plans and work with IT and security on monitoring
• IT staff provide, document and monitor technical security controls and are considered the owners of the infrastructure of information systems
5
Those Involved with Security
• Security staff manage the security program, assess risks, consult and review the security plan and privacy impact assessments (as documents) and manage the monitoring and compliance of reporting activities
• Auditors review security programs and systems for compliance according to organizational policy or legal requirement
• Supervisors assure staff compliance with security and privacy training and awareness requirements
6
A Security Program Combines People, Processes and Technology
7
Security Controls
• A security control is a specific action or procedure that is provided to protect confidentiality, integrity and availability of information/systems.
• Security controls are described in International Organization for Standardization
• Example: ISO 17799, a document describing IT security
8
Security Controls
Management Controls• Focus on the management of the computer
security system and the management of risk for a system
Operational Controls• Focus on mechanisms that primarily are
implemented and executed by people (as opposed to systems)
Technical Controls• Focus on security controls that the computer
system executes
9
Security Types
• Three security types;
– Physical controls– Administrative controls– Computational controls
10
Physical Controls
• Physical security• These controls ensure that hardware is secure.• They check for equipment malfunction.• May include access to hardware and an
example might be the restriction of access to a computer room to operational personnel or the taking of back-up copies of files in case of accidents.
• Hardware controls should take account of fire and environmental hazards.
11
Administrative Controls
• Administrative disciplines, standards and proceduresThese controls are formalized standards, rules, procedures and control disciplines to ensure that the organization's other controls are properly executed and enforced. Examples of these controls are:
segregation of functionswritten policies and procedures supervision
12
Administrative Controls
• Controls over the system implementation processImplementation controls audit the system development process at various points in time to ensure that the project in hand is being properly controlled and managed.
• An example of such a control is a 'sign-off' at the end of each stage of the development process where a developer offers a section of the project to a user or manager to sign off, thereby documenting their approval of the development stage offered.
13
Administrative Controls
• Computer operations controlsThese controls apply to the work of the computer department and help to ensure that programmed procedures are consistently and correctly applied to the storage and retrieval of data.
• They include, for example, controls over set-up, operations software, computer operations and backup and recovery procedures.
14
Computational Controls
• Software controls
These controls monitor the use of system software and prevent unauthorized access to software programs.
• System software controls govern the software for the operating system.
• Program security controls are used to prevent unauthorized changes to programs on the system.
15
Computational Controls
• Internal system securityValidation and verification checks on input data, authorization procedures for some types of input data, the provision of an audit trail of file changes and the use of control totals.
• It may be necessary to include such things as encryption, which is coding, of data held on files, multi-level password systems including the use of magnetic keys, voice recognition access and the monitoring of the identity and access time of each user on the system.
16
Computational Controls
• Data security controls
Data security controls ensure that data files on disk or tape are not subject to unauthorized access, change or destruction. These controls are needed for when the data is in use (active) and when being held for storage.
17
Computational Controls
• Application controlsApplication controls are specific controls within each computer application.
• Objectives:1.Completeness of input2.Accuracy of input3.Validity of data4.Maintenance (where data on files continue
to be correct and current).
18
Computational Controls
• Application controls are usually in one of three categories:
1.Input controls
2.Processing controls
3.Output controls
19
Audits
• Auditing information systems• An information system audit identifies all of the
controls that govern individual information systems and assess their effectiveness.
20
Audits
• For this the auditor must make value judgements about– operations,– physical facilities,– telecommunications,– control systems,– data security objectives,– organizational structure,– personnel,– manual procedures and individual applications.
21
Audits
• The audit is a matter of collecting and analyzing the details on an information system including – user and system documentation,
– sample inputs,
– sample outputs,
– documentation on integrity controls (to compare the details) and
– anything else that might be lying around that might give an indication of how the system is being used.
22
Issues and Considerations of Security Management
• Access control• Awareness and training• Audit and accountability• Certification, accreditation, and security
assessments• Configuration management• Contingency planning• Identification and authentication• Incident response
23
Issues and Considerations of Security Management
• Maintenance• Media protection • Physical and environmental protection• Planning• Personnel security• Risk assessment• System and services acquisition• System and communications protection• System and information integrity
24
Security During the Life Cycle
• Security is less expensive if it is planned and implemented from the start; it is more costly to add security features to a system after it has been designed.
• If not addressed in the initial phases, security controls added at the last minute can diminish performance and delay implementation.
25
Risks
• Risk management is the total process of identifying, controlling, and minimizing the impact of uncertain events against an information resource.
• The risk management process can be broken down into three main areas:
– Risk assessment– Risk mitigation– On-going evaluation
26
Risks
• Examples of types of vulnerabilities include:
– Poorly communicated or implemented policy
– Poorly trained personnel
– Misconfigured systems or controls
– Poorly designed and implemented commercial off-the shelf (COTS) or custom components
– Lack of access controls
– Lack of physical controls
– Lack of visitor policy
27
Consequences
• The consequences of ignoring risk – or having inadequate security may result in:– Loss of data– Disclosure of sensitive information– Disruption or denial of service– Loss of competitive edge– Monetary loss– Damage to reputation or public trust– Lawsuits– Death (in extreme cases)
28
Management Responsibilities for Risk
• Document the criticality and sensitivity of the information in the risk assessment
• Define and document the appropriate controls needed to mitigate the risk
• Use the appropriate security requirements• Develop Plans of Action and Milestones to
mitigate risks • Monitor and reassess risks, security and related
policy regularly
29
Steps for Managers to Take
• Step 1: Develop policy statement
• Step 2: Conduct Business Impact Assessment
• Step 3: Identify preventive controls
• Step 4: Develop recovery strategies
• Step 5: Develop IT contingency plans
• Step 6: Conduct plan testing, training and exercises for staff
• Step 7: Maintain the plan
30
Part 2
IS and the Legal System
31
Information Systems Management and the Law
• The law is the set of rules that can be enforced in a court. There are many sets of laws and they exist in a jurisdiction.
32
What is Regulation?
• Regulations for technology are often associated with the Data Protection Act and trading acts.
• You could say that regulation in information systems comes mainly from individual contracts set up by organizations.
33
What is Compliance?
• Where there are regulations – either by law or company policy, compliance could be seen as observance of the official requirements of the regulations.
• The act or process of complying with a demand or recommendation that comes from regulation is usually a task for a member of management.
34
Legal Issues
• The laws associated with information technology have many aspects. We can look at commonly discussed legal issues related to information systems or IT:– Contracts– Outsourcing– Software licensing– Data protection– Acceptable use– Intellectual property rights– Computer fraud– Taxation
35
Contracts
• Contracts are legal documents defining the legal implications of buying, selling or becoming involved with products and services of – in this MIS context – hardware and software systems and the issues surrounding them.
• Contracts can take many forms – what follows is a general, basic description of a contract.
36
Contracts
• The structure of a contract in our context is, generally:– The date on which the contract was entered into– The names and addresses of those entering the
contract– A description of what the contract is about –
having titles such as ‘Background’ or ‘Whereas’– Definitions of terms used in the contract– Provisions made by one party (e.g. Supplier)– What must be paid to the provider (supplier)
37
Hardware Procurement Contract
• The details for a hardware procurement contract might include:– A description of the hardware
– A warranty for the quality of the hardware
– Delivery dates
– Price
– Acceptance testing (description)
– Future maintenance description
– Training
38
Software Procurement Contract
• Software purchase is much more complex in terms of contract design. The software may be developed specifically for the organization or be ready to sell ‘off-the shelf’.
39
Software Procurement Contract
• What type of software will be provided, what the software is required to do, whether there is a maintenance feature to the deal, what provision there is for the cessation of the supply company and many other aspects of law surrounding the idea of ‘keeping the software working’.
40
A Contract for Outsourcing
• It is difficult to specify a typical contract for product or service outsourcing, but – very generally – a contract for software services, as an example, may contain:– The statement of requirements– The technical solution– An output specification
41
A Contract for Outsourcing
• Similar to hardware, software and services procurement, there is often a special contract that is applied to outsourcing called a Service Level Agreement (SLA).
• An SLA often has the details of:– Service levels to be achieved– Targets for service levels– Mechanisms for monitoring and reporting
service levels against those targets– Consequences of failure to meet targets
42
Software Licensing
• One might view software licensing as another form of contract.
• A licence should confirm that the software supplier owns the copyright in the software or has the right to licence it to the organization.
• Usually, the software supplier is not selling ownership of software to an organization but the permission to use it as they wish. This leaves the supplier able to provide copies of the software to other people or organizations.
43
Software Licensing
• Usually a contract is drawn up – called the licence agreement, since the licence is really a legal agreement between the software supplier and a client.
• There are variations in such agreements;– Is the licence restricted to one office, one
department, one organization or can the software be lent to ‘sister companies?
…/ continued
44
Software Licensing
– Is there a user restriction? Does the agreement allow up to, say 20 users? Do extra users require individual licences or another group licence?
– Are there time constraints? One year? Two Years?
– Are there any other restrictions?
45
Data Protection
• As an organization processing data one must ensure that the processing is lawful.
• The data must have been obtained fairly and lawfully.
• When obtaining data from a third party you must inform the subject of the data that you have data pertaining to them, telling the subject why you are using the data and how you will use them.
46
Data Protection
• Personal data must be:– Fairly and lawfully processed– Processed for limited purposes– Adequate, relevant and not excessive– Accurate– Not kept longer than necessary– Processed in accordance with the data subject’s
rights– Secure– Not transferred to countries without adequate
protection
47
Acceptable Use
• Employees use computers for their information work – they may also use their employer’s computers for personal matters, such as booking a cheap flight, buying books and gifts and sending e-mails to friends and family.
48
Acceptable Use
• Misuse might be seen as an – excessive waste of staff time and resources,– actions exposing the organization to claims
for discrimination, harassment, defamation or worse,
– failure to include information that results in criminal liability.
– (On the employer’s side;) health and safety requirements for screens and other computer equipment must be met
49
Acceptable Use
• Usage policiesComputer usage policies are very often established because employers can be held responsible for wrongful actions carried out by employees in the course of their employment.
50
Acceptable Use
• Common usage problems are:– Racial harassment– Sexual harassment– Downloading pornography– Defamation of management, customers or
competitors,– Breach of confidence– Copyright infringement– Hacking (into systems)– Breaches of the Data protection Act
51
Intellectual Property Rights
• Rights on intellectual property are laws related, in the current context of information systems in organizations, to software licensing.
• Types of intellectual property:– Patents
– Design
– Copyright
– Database right
– Trade marks
52
Computer Fraud
• Many Management Information Systems service providers see the responsibility of avoiding this fraud to belong to the organization itself.
• Corporate governance is the term for the idea that an organization ‘watches out’ for computer fraud.
53
Taxation
• E-commerce means that organizations can trade across borders.
• There is a Communications Regulations Bill 2007, which may amend the state law on e-commerce.
54
Taxation
• Issues for taxation in e-commerce include:– Identification of a transaction– Identification of the parties to a transaction– Verification of the details of the transaction– Application of the correct taxing rules and
remittance to the taxing authority– Generation of an audit trail.– The country of the supplier, generally, has the
government to which the tax laws apply.
55
Part 3
Human Computer Interface
Interacting with Computers.
56
Interacting with Computers
• What we are looking at with this topic, largely, is Human-Computer Interaction or, in a narrower field, GUIs (Graphical User Interfaces).
57
Interacting with Computers
• Interacting with computers is improved by ‘good usability’.
• A computer system has usability – whether it is easily usable or difficult to use is measurable.
• Usability, like many features of systems, can be ‘designed in’…
58
Design Principles for Usability
• Principles for good design of this sort include:
• Early focus on the users• Iterative design• Integrative design (Help for users, training,
documentation, etc in parallel to the technical design)
59
Usability
Early focus on users• Bring the design team into direct contact
with the users right from the start.• Get the user involved so they can instill
their knowledge into the design process.
60
Usability
• Collect the users’ thoughts (interviews, questionnaires…)
• Collect the user’s mistakes,• Collect the user's attitudes.
61
Usability
Iterative design• Incorporate the results from the tests into
the next prototype• Set goals for the system• Get feedback on evaluation
62
Usability
• Evaluation criteria–easy to use–user friendly–easy to operate–simple–responsive–flexible
63
Usability
Integrated design• Build the online help, prepare training,
documentation AND process modules (coded programs) at the same time.
64
Usability Definitions
• Usability is task related, people related and function related. It has cognitive, behavioral, and communicative components.
• To be truly usable a system must be compatible not only with the characteristics of human perception and action but, and most critically, with user's cognitive skills in communication, understanding, memory and problem solving.
65
Usability Definitions
• Designing a usable system requires:– understanding of the intended users.– the amount of time they expect to use the
system.– how their needs change as they gain
experience.
66
Usability Design
Early focus on the user• What: understand the users’ cognition, behavior
and attitude in relation to the goals of the organization
• How: interviews, observations, discussions, working with the users.
67
Usability Design
Interactive design• What: the problems encountered are to be
corrected and measure again.• How: an evolving system – prototyping.
Integrated Design• What: a parallel development of interface, help,
documentation, training and measurement.
68
Measurable Human Factors
Goals for usability– Time needed to learn - how long does it take
for typical users to learn to use the commands relevant to a set of tasks?
– Speed of performance - how long does it take to carry out the benchmark set of tasks?
– Rate of errors by users - how many and what kinds of errors are made in carrying out the benchmark set of tasks?
…/continued
69
Measurable Human Factors
– Subjective satisfaction - how much did the users like using aspects of the system?
– Retention over time - how well do users maintain their knowledge?
70
Cognitive Engineering
• Learning is a relatively permanent change in behavior resulting from conditions of practice.
• Human learning then is the association of one item with another item (Associated learning).
• Pairs of stimuli are introduced, a mental association is made for them, and the stimuli then become interrelated.
• Future learning can then depend upon past learning (Constructivism).
• People develop new cognitive structures by using metaphors to cognitive structures they have already learned.
71
Cognitive Engineering
• The metaphor is a model or structure or conceptual framework which helps bridge any gap between what the person (user) knows and what is to be learned.
• Metaphors spontaneously generated by users will predict the ease with which they an master a computer system.
• If this is indeed the case then systems designers must understand and employ the use of metaphors in system designs.
72
Cognitive Engineering
Eight recommendations to aid both the user and designer in build effective systems1. Find and use appropriate metaphors in teaching
the naive user a computer system. A metaphor must have a suitable domain for a given system and given user population.
2. Given a choice between two metaphors choose the one which is most like the way the system works.
3. Assure that the correct attitude is presented. Costs of ignoring this recommendation range from user dissatisfaction and reduced productivity to sabotage.
73
Cognitive Engineering
4. When more than one metaphor is need to represent a system, choose metaphors that are similar enough, but not to similar that confusion results.
5. Consider the probable consequences to users and system designers of each metaphor used. This is the evolving state from novice to user. Two path are possible: one leading to directly to the system, the other to a new metaphor.
6. The limits of the metaphor should be pointed out to the user.
74
Cognitive Engineering
7. The intent of the metaphor in the beginning is to aid understanding and usability; for the continual user it is no longer necessary. The metaphor is used also as a motivator, at first to get the user to use the system, then to make him productive and keep his interest.
8. Provide the user with an exciting metaphor for routine work and eventually present the user with advanced scenarios requiring different action.
75
Cognitive Engineering
Learning is a relatively permanent change in behavior resulting from:
• Elaboration, association, practice, rehearsal.
Metaphor - a mental model, structure, or framework which help bridge any gap between what a person knows and what is being attempted to be learned.
76
Cognitive Engineering
Goals– To understand the fundamental principles of
human action and performance relevant to the principles of system design.
– To devise physical systems that are pleasant to use.
– Psychological variables - goals, intentions and attitudes
– Physical variables - pertain to to system.
77
Human-Computer Dialogue
Computer based systems should be easy to learn and remember, effective, and pleasant to use.
These are testable usability behavioral measures.
78
Cognitive Engineering
Nine basic categories of usability problems:1. Simple and natural dialogue: The dialogue should be simple
and clearly stated. It should not contain any irrelevant information. The information should appear in a natural and logical order.
2. Speak the user's language: the dialogue should be expressed in the terminology familiar to the user rather than in system oriented terms.
3. Minimize the user's memory load: instructions should be visible, easily retrievable, and simplified. Presentation load should be reduced when ever possible (i.e. users should not have to remember file names when they are retrievable).
4. Be consistent: the terminology and concepts should always be used in the same manner.
79
Cognitive Engineering
5. Provide feedback: the system should provide feedback as to what is transpiring within a reasonable time.
6. Provide clearly marked exits: clearly marked exits should be provided to the user in case of mistakes.
7. Provide shortcuts: system flexibility for the novice and expert. Menus for the novice and commands for the experts.
8. Provide Good Error Messages: The error messages should be constructive and provide meaningful suggestions to the user of what to do next.
9. Error Prevention: A careful design that prevents error messages form occurring in the first place.
80
Cognitive Engineering
Conclusion:• The identification of specific, and potential
usability problems in a human computer dialogue design is difficult.
• Usability goals should be defined and incorporated into the design.
• Designers may have difficulties in applying design principles unless they have simple basic requirements for the design product.
81
End of Lecture 5