Prepared by Natalie Rose 1 Managing Information Resources, Control and Security Lecture 9

Jan 04, 2016

Transcript
Page 1

Managing Information Resources, Control and Security

Lecture 9

Page 2

Risks to Information Systems

• Risks to Hardware

– Natural disasters

– Blackouts and brownouts

– Vandalism

Page 3

Risks to Information Systems (Cont.)

• Risks to Applications and Data

– Theft of information

– Social engineering and identity theft

– Data alteration, data destruction, and Web defacement

– Computer viruses, worms, and logic bombs

– Nonmalicious mishaps

Page 4

Risks to Online Operations

• Denial of service

• Hijacking

• Spoofing

Page 5

Risks to Online Operations

Page 6

Controls

Page 7

Controls (Cont.)

• Program Robustness and Data Entry Controls

– Provide a clear and sound interface with the user

– Menus and limits

• Backup

– Periodic duplication of all data

• Access Controls

– Ensure that only authorized people can gain access to systems and files

– Access codes and passwords

Page 8

Controls (Cont.)

Page 9

Controls (Cont.)

• Atomic Transactions

– Ensure that transaction data are recorded properly in all the pertinent files, preserving data integrity

• Audit Trails

– Built into an IS so that transactions can be traced to people, times, and authorization information

Page 10

Controls (Cont.)

Page 11

Security Measures

• Firewalls

– Defense against unauthorized access to systems over the Internet

– Controls communication between a trusted network and the “untrusted” Internet

– Proxy Server: represents another server for all information requests and acts as a buffer

Page 12

Security Measures (Cont.)

Page 13

Authentication and Encryption

• Keeps communications secret

• Authentication: the process of ensuring the identity of the person sending the message

• Encryption: coding a message into a form unreadable to an interceptor

Page 14

Authentication and Encryption (Cont.)

Page 15

Authentication and Encryption (Cont.)

• Encryption Strength

• Distribution Restrictions

• Public-key Encryption

– Symmetric and asymmetric encryption

• Secure Sockets Layer and Secure Hypertext Transport Protocol

• Pretty Good Privacy

Page 16

Authentication and Encryption (Cont.)

Page 17

Authentication and Encryption (Cont.)

Page 18

Digital Signatures and Digital Certificates

• Electronic Signatures

• Digital Signatures

• Digital Certificates

Page 19

Digital Signatures and Digital Certificates (Cont.)

Page 20

Digital Signatures and Digital Certificates (Cont.)

Page 21

The business recovery plan

• Obtain management’s commitment to the plan

• Establish a planning committee

• Perform risk assessment and impact analysis

• Prioritize recovery needs: critical, vital, sensitive, noncritical

Page 22

The business recovery plan (Cont.)

• Select a recovery plan

• Select vendors

• Develop and implement the plan

• Test the plan

• Continually test and evaluate

Page 23

Recovery plan providers

• Companies that specialize in either disaster recovery planning or provision of alternate sites

• Small companies can opt for Web-based services

Page 24

The IS Security Budget

Page 25

The IS Security Budget (Cont.)

• How much security is enough security?

• Calculating downtime

Page 26

The IS Security Budget (Cont.)

Page 27

Ethical and Societal Issues: Terrorism, Carnivores, and Echelons

• Carnivorous methods

– FBI developed Carnivore

• Device is attached to the ISP servers to monitor email

• Top Echelon

– Surveillance system