Management Information Systems, 10/e
Raymond McLeod and George Schell
© 2007 by Prentice Hall
Chapter 9 slide deck (35 slides)
Transcript
Page 1: SIM - Mc leod ch09

Management Information Systems, 10/e
Raymond McLeod and George Schell
© 2007 by Prentice Hall

Page 2: SIM - Mc leod ch09

Chapter 9

Information Security

Page 3: SIM - Mc leod ch09

Learning Objectives

► Understand the organizational needs for information security & control.
► Know that information security is concerned with securing all information resources, not just hardware & data.
► Know the three main objectives of information security.
► Know that management of information security consists of two areas: information security management (ISM) & business continuity management (BCM).
► See the logical relationship among threats, risks & controls.
► Know what the main security threats are.
► Know what the main security risks are.

Page 4: SIM - Mc leod ch09

Learning Objectives (Cont’d)

► Recognize the security concerns of e-commerce & how credit card companies are dealing with them.
► Be familiar with a formal way to engage in risk management.
► Know the process for implementing an information security policy.
► Be familiar with the more popular security controls.
► Be familiar with actions of government & industry that influence information security.
► Know how to obtain professional certification in security & control.
► Know the types of plans that are included in contingency planning.

Page 5: SIM - Mc leod ch09

Organizational Needs for Security & Control

► Experience inspired industry to:
   - Place security precautions aimed at eliminating or reducing the opportunity for damage or destruction.
   - Provide the organization with the ability to continue operations after a disruption.
► Patriot Act & Office of Homeland Security
   - 1st issue is security vs. individual rights.
   - 2nd issue is security vs. availability (e.g. HIPAA).

Page 6: SIM - Mc leod ch09

Information Security

► System security focuses on protecting hardware, data, software, computer facilities, & personnel.
► Information security describes the protection of both computer & non-computer equipment, facilities, data, & information from misuse by unauthorized parties.
   - Includes copiers, faxes, all types of media, & paper documents.

Page 7: SIM - Mc leod ch09

Objectives of Information Security

► Information security is intended to achieve three main objectives:
   - Confidentiality: protecting a firm’s data and information from disclosure to unauthorized persons.
   - Availability: making sure that the firm’s data & information are accessible to authorized users whenever they need them.
   - Integrity: information systems should provide an accurate representation of the physical systems that they represent; data must not be altered in an unauthorized or undetected way.
► A firm’s information systems must protect data & information from misuse, ensure availability to authorized users, & give confidence in their accuracy.

Page 8: SIM - Mc leod ch09

Management of Information Security

► Information security management (ISM) is the activity of keeping information resources secure.
► Business continuity management (BCM) is the activity of keeping the firm & its information resources functioning after a catastrophe.
► The corporate information systems security officer (CISSO) is responsible for the firm’s information systems security.
► The corporate information assurance officer (CIAO) reports to the CEO & manages an information assurance unit.

Page 9: SIM - Mc leod ch09

Information Security Management

► Concerned with formulating the firm’s information security policy.
► The risk management approach bases the security of the firm’s information resources on the risks (threats imposed) that it faces.
► An information security benchmark is a recommended level of security that in normal circumstances should offer reasonable protection against unauthorized intrusion.
   - A benchmark is a recommended level of performance.
   - Defined by governments & industry associations.
   - Reflects what authorities believe to be the components of a good information security program.
► Benchmark compliance is when a firm adheres to the information security benchmark & the standards recommended by industry authorities.

Page 10: SIM - Mc leod ch09

Figure 9.1 Information Security Management (ISM) Strategies

Page 11: SIM - Mc leod ch09

Threats

► An information security threat is a person, organization, mechanism, or event that has the potential to inflict harm on the firm’s information resources.
► Internal & external threats.
   - Internal threats include the firm’s employees, temporary workers, consultants, contractors, & even business partners.
   - As high as 81% of computer crimes have been committed by employees.
   - Internal threats present potentially more serious damage due to more intimate knowledge of the system.
► Accidental & deliberate acts.

Page 12: SIM - Mc leod ch09

Figure 9.2 Unauthorized Acts Threaten System Security Objectives

Page 13: SIM - Mc leod ch09

Types of Threats

► Malicious software (malware) consists of complete programs or segments of code that can invade a system & perform functions not intended by the system owners (e.g. erase files, halt the system).
► A virus is a computer program that can replicate itself without being observable to the user & embed copies of itself in other programs & boot sectors.
► A worm does not embed itself in other programs on the host; it is a self-contained program that copies itself to other systems, for example by e-mail or directly over the network.
► A Trojan horse is passed around by users as a useful utility; when the utility is run, it produces unwanted changes in the system’s functionality. It cannot replicate or duplicate itself.
► Adware generates intrusive advertising messages.
► Spyware gathers data from the user’s machine.

Page 14: SIM - Mc leod ch09

Risks

► An information security risk is a potential undesirable outcome of a breach of information security by an information security threat. All risks represent unauthorized acts:
► Unauthorized disclosure & theft.
► Unauthorized use.
► Unauthorized destruction & denial of service.
► Unauthorized modification.

Page 15: SIM - Mc leod ch09

E-commerce Considerations

► “Disposable” credit card (AMEX): an action aimed at the 60 to 70% of consumers who fear credit card fraud arising from Internet use.
► Visa’s 10 required security practices for its retailers, plus 3 general practices for achieving information security in all retailers’ activities.
► The Cardholder Information Security Program (CISP) augmented these required practices.

Page 16: SIM - Mc leod ch09

Risk Management

► Defining risks consists of four substeps:
   - Identify business assets to be protected from risks.
   - Recognize the risks.
   - Determine the level of impact on the firm should the risks materialize.
   - Analyze the firm’s vulnerabilities.
► Impact severity can be classified as:
   - Severe impact puts the firm out of business or severely limits its ability to function.
   - Significant impact causes significant damage & cost, but the firm will survive.
   - Minor impact causes breakdowns that are typical of day-to-day operations.

Page 17: SIM - Mc leod ch09

Table 9.1 Degree of Impact & Vulnerability Determine Controls

Page 18: SIM - Mc leod ch09

Risk Analysis Report

► The findings of the risk analysis should be documented in a report that contains detailed information such as the following for each risk:
   - A description of the risk.
   - Source of the risk.
   - Severity of the risk.
   - Controls that are being applied to the risk.
   - The owner(s) of the risk.
   - Recommended action to address the risk.
   - Recommended time frame for addressing the risk.
   - What was done to mitigate the risk.

Page 19: SIM - Mc leod ch09

Information Security Policy

► The five phases of implementing a policy:
► Phase 1: Project Initiation.
► Phase 2: Policy Development.
► Phase 3: Consultation & Approval.
► Phase 4: Awareness and Education.
► Phase 5: Policy Dissemination.

Page 20: SIM - Mc leod ch09

Figure 9.3 Development of Security Policy

Page 21: SIM - Mc leod ch09

Controls

► A control is a mechanism that is implemented either to protect the firm from risks or to minimize the impact of risks on the firm should they occur.
► Technical controls are those that are built into systems by the system developers during the systems development life cycle.
   - Include an internal auditor on the project team.
   - Based on hardware & software technology.

Page 22: SIM - Mc leod ch09

Technical Controls

► Access control is the basis for security against threats by unauthorized persons.
► The access control three-step process includes:
   - User identification;
   - User authentication;
   - User authorization.
► User profiles: descriptions of authorized users; used in identification & authorization.
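
The three steps above as working code. This is an added example, not code from the McLeod & Schell text: the user store, the password-hashing parameters (PBKDF2 iteration count), the resource names and the sample users are all assumptions made for the demo. Identification maps the claimed name to a stored profile, authentication proves the claim against a salted slow hash with a constant-time comparison, and authorization consults the profile with a default of deny.

```python
"""Three-step access control: identification, authentication, authorization.

Added example, not from the McLeod & Schell slides. The user store,
profile format, resource names and iteration count are constructed
for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ITERATIONS = 100_000  # assumption for the demo; tune upward in production


@dataclass
class UserProfile:
    """Description of an authorized user (the slide's 'user profile')."""
    username: str
    salt: bytes
    password_hash: bytes
    permissions: dict = field(default_factory=dict)  # resource -> set of actions


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so stolen profiles cannot be cracked cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def create_profile(username: str, password: str, permissions: dict) -> UserProfile:
    """Store only the salted hash of the password, never the password itself."""
    salt = os.urandom(16)
    return UserProfile(username, salt, _derive(password, salt), permissions)


class AccessController:
    def __init__(self, profiles):
        self._profiles = {p.username: p for p in profiles}

    def identify(self, username: str):
        """Step 1: identification. Map the claimed identity to a stored profile."""
        return self._profiles.get(username)

    def authenticate(self, username: str, password: str) -> bool:
        """Step 2: authentication. Constant-time compare, and a dummy derivation
        for unknown users so response timing does not reveal valid usernames."""
        profile = self.identify(username)
        if profile is None:
            _derive(password, b"\x00" * 16)  # burn the same time as a real check
            return False
        return hmac.compare_digest(_derive(password, profile.salt), profile.password_hash)

    def authorize(self, username: str, resource: str, action: str) -> bool:
        """Step 3: authorization. Consult the profile; anything unlisted is denied."""
        profile = self.identify(username)
        if profile is None:
            return False
        return action in profile.permissions.get(resource, set())

    def access(self, username: str, password: str, resource: str, action: str) -> str:
        """Run the three steps in order; the first failure stops the request."""
        if self.identify(username) is None:
            return "denied: unknown user"
        if not self.authenticate(username, password):
            return "denied: authentication failed"
        if not self.authorize(username, resource, action):
            return "denied: not authorized"
        return "granted"


def build_demo_controller() -> AccessController:
    """Constructed sample users and permissions for the demo."""
    return AccessController([
        create_profile("alice", "correct horse battery staple",
                       {"payroll": {"read", "write"}, "ledger": {"read"}}),
        create_profile("bob", "hunter2", {"ledger": {"read"}}),
    ])


if __name__ == "__main__":
    ac = build_demo_controller()
    print(ac.access("alice", "correct horse battery staple", "payroll", "write"))  # granted
    print(ac.access("bob", "hunter2", "payroll", "read"))                          # denied: not authorized
    print(ac.access("bob", "wrong", "ledger", "read"))                             # denied: authentication failed
    print(ac.access("mallory", "x", "ledger", "read"))                             # denied: unknown user
```

Note that the denial messages are distinct here only so the demo is readable; a production login screen should return the same generic message for an unknown user and a wrong password, which is why the timing of the two paths is already equalized.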

Page 23: SIM - Mc leod ch09

Figure 9.4 Access Control Functions

Page 24: SIM - Mc leod ch09

Technical Controls (Cont’d)

► Intrusion detection systems (IDS) recognize an attempt to break security, ideally before it has an opportunity to inflict damage. An IDS raises an alert; stopping the attempt still requires a response, by an operator or by an inline prevention system.
► Virus protection software that is effective against viruses transported in e-mail.
   - Identifies a virus-carrying message & warns the user.
► Inside threat prediction tools classify internal threats in categories such as:
   - Possible intentional threat;
   - Potential accidental threat;
   - Suspicious;
   - Harmless.
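
What "recognizing an attempt" looks like in practice, as an added example that is not part of the original slides: a small host-level IDS that reads authentication log lines and alerts on a password-guessing pattern. The log format, the sample lines and the thresholds (five failures from one source within two minutes) are constructed for the demo; a real deployment tunes them. The second rule shows why the slide's "before it can inflict damage" is a goal rather than a guarantee: a success that follows a flagged burst of failures is reported separately, because by then the attacker may already be in.

```python
"""Host-level intrusion detection over authentication logs.

Added example, not from the McLeod & Schell slides. The log format, the
sample lines and the thresholds are constructed for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> <event> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_FAIL|LOGIN_OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

FAIL_THRESHOLD = 5              # assumption: alert on 5 failures ...
WINDOW = timedelta(minutes=2)   # ... from one source within 2 minutes


def parse(line: str):
    """Return the parsed event, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable lines are skipped, never silently trusted
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"])
    return d


def detect(lines):
    """Return a list of (rule, source, detail) alerts. Two rules, in log order:
    1. BRUTE_FORCE: >= FAIL_THRESHOLD failures from one src inside WINDOW;
    2. SUCCESS_AFTER_BRUTE_FORCE: a LOGIN_OK from a src that tripped rule 1."""
    alerts = []
    recent = defaultdict(deque)   # src -> timestamps of failures still inside WINDOW
    flagged = set()               # sources already reported for brute force
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        if ev["event"] == "LOGIN_FAIL":
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > WINDOW:   # slide the window forward
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and src not in flagged:
                flagged.add(src)
                alerts.append(("BRUTE_FORCE", src, f"{len(q)} failures in {WINDOW}"))
        elif ev["event"] == "LOGIN_OK" and src in flagged:
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", src, f"user={ev['user']}"))
    return alerts


# Constructed sample log: a legitimate typo, an attacker, and slow noise from bob.
SAMPLE_LOG = """
2024-03-01T09:00:00 LOGIN_FAIL user=alice src=10.0.0.5
2024-03-01T09:00:30 LOGIN_OK user=alice src=10.0.0.5
2024-03-01T09:01:00 LOGIN_FAIL user=admin src=203.0.113.7
2024-03-01T09:01:05 LOGIN_FAIL user=admin src=203.0.113.7
2024-03-01T09:01:10 LOGIN_FAIL user=root src=203.0.113.7
2024-03-01T09:01:15 LOGIN_FAIL user=admin src=203.0.113.7
2024-03-01T09:01:20 LOGIN_FAIL user=admin src=203.0.113.7
2024-03-01T09:01:40 LOGIN_OK user=admin src=203.0.113.7
2024-03-01T09:10:00 LOGIN_FAIL user=bob src=10.0.0.9
2024-03-01T09:15:00 LOGIN_FAIL user=bob src=10.0.0.9
2024-03-01T09:20:00 LOGIN_FAIL user=bob src=10.0.0.9
2024-03-01T09:25:00 LOGIN_FAIL user=bob src=10.0.0.9
2024-03-01T09:30:00 LOGIN_FAIL user=bob src=10.0.0.9
garbage line that should be ignored
""".strip().splitlines()


def run_demo():
    """Run the detector over the constructed log and return its alerts."""
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Bob's five failures spread over twenty minutes never fit inside the window, so they produce no alert; an attacker who knows the threshold can exploit exactly that by slowing down, which is why real deployments pair per-source rate rules with per-account rules and longer-horizon statistics.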

Page 25: SIM - Mc leod ch09

Firewalls

► A firewall acts as a filter & barrier that restricts the flow of data between the firm & the Internet. Three types of firewalls are:
► Packet-filtering firewalls are routers equipped with data tables of IP addresses that reflect the filtering policy; positioned between the Internet and the internal network, such a router can serve as a firewall.
   - A router is a network device that directs the flow of network traffic.
   - An IPv4 address is a set of four numbers (each from 0 to 255) that identifies a computer connected to the Internet.
► A circuit-level firewall is installed between the Internet & the firm’s network but closer to the communications medium (circuit) than the router.
   - Allows a high degree of authentication & filtering to be performed.
► An application-level firewall is located between the router & the computer performing the application.
   - Allows the full power of additional security checks to be performed.
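
The packet-filtering type above, as an added example that is not from the original slides: a rule table over packet headers, evaluated first-match-wins with a default of deny. The internal address range (10.0.0.0/8), the server addresses, the policy and the sample packets are all constructed for the demo. The first rule is the anti-spoofing check every border filter needs: a packet arriving from the Internet that claims an internal source address is dropped before any allow rule can match it.

```python
"""Packet-filtering firewall: a rule table applied to packet headers.

Added example, not from the McLeod & Schell slides. The address space,
rule set and sample packets are constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumption: the firm's address space


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # destination port, None for icmp
    direction: str        # "in" (from the Internet) or "out" (to the Internet)


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    direction: Optional[str] = None  # None matches either direction
    src: Optional[str] = None        # CIDR, or None for any source
    dst: Optional[str] = None        # CIDR, or None for any destination
    proto: Optional[str] = None
    dport: Optional[int] = None
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        """Every field that is set must match; unset fields are wildcards."""
        if self.direction and self.direction != p.direction:
            return False
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


class PacketFilter:
    """First matching rule wins; anything unmatched is denied (default deny)."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, p: Packet) -> tuple:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action, rule.comment
        return "deny", "default deny"


# Constructed policy for the demo, listed in evaluation order.
POLICY = PacketFilter([
    # Anti-spoofing: traffic from the Internet must not claim an internal source.
    Rule("deny", direction="in", src=str(INTERNAL), comment="spoofed internal source"),
    # The public web server may be reached on 80/443 only.
    Rule("allow", direction="in", dst="10.1.1.10/32", proto="tcp", dport=80, comment="web"),
    Rule("allow", direction="in", dst="10.1.1.10/32", proto="tcp", dport=443, comment="web"),
    # Inside hosts may browse out and resolve names.
    Rule("allow", direction="out", src=str(INTERNAL), proto="tcp", dport=443, comment="https out"),
    Rule("allow", direction="out", src=str(INTERNAL), proto="udp", dport=53, comment="dns out"),
    # Everything else falls through to default deny.
])


def evaluate_samples():
    """Constructed sample traffic; returns the decision for each packet in order."""
    samples = [
        Packet("198.51.100.4", "10.1.1.10", "tcp", 443, "in"),   # customer to web server
        Packet("198.51.100.4", "10.1.1.10", "tcp", 22, "in"),    # ssh from the Internet
        Packet("10.2.3.4", "10.1.1.10", "tcp", 80, "in"),        # spoofed internal source
        Packet("10.5.6.7", "93.184.216.34", "tcp", 443, "out"),  # staff browsing
        Packet("10.5.6.7", "93.184.216.34", "tcp", 25, "out"),   # direct outbound smtp
    ]
    return [POLICY.decide(p)[0] for p in samples]


if __name__ == "__main__":
    print(evaluate_samples())  # ['allow', 'deny', 'deny', 'allow', 'deny']
```

A filter like this sees only addresses, protocol and ports: it cannot tell a legitimate HTTPS request from an attack carried inside one, and it has no notion of connection state. That is the gap the slide's circuit-level and application-level firewalls exist to close.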

Page 26: SIM - Mc leod ch09

Figure 9.5 Firewall Locations in the Network

Page 27: SIM - Mc leod ch09

Cryptographic & Physical Controls

► Cryptography is the use of coding by means of mathematical processes.
► Data and information can be encrypted as they reside in storage and/or as they are transmitted over networks.
► If an unauthorized person gains access, the encryption makes the data and information unreadable and prevents their unauthorized use, provided the keys are protected as carefully as the data itself.
► Special protocols such as SET (Secure Electronic Transactions) perform security checks using digital signatures developed for use in e-commerce.
► Export of encryption technology is prohibited to Cuba, Iran, Iraq, Libya, North Korea, Sudan, & Syria.
► Physical controls against unauthorized intrusions include door locks, palm prints, voice prints, surveillance cameras, & security guards.
   - Locate computer centers in remote areas that are less susceptible to natural disasters such as earthquakes, floods, & hurricanes.

Page 28: SIM - Mc leod ch09

Formal Controls

► Formal controls include the establishment of codes of conduct, documentation of expected procedures & practices, monitoring, & preventing behavior that varies from the established guidelines.
   - Management devotes considerable time to devising them.
   - Documented in writing.
   - Expected to be in force for the long term.
► Top management must participate actively in their establishment & enforcement.

Page 29: SIM - Mc leod ch09

Informal Controls

► Education.
► Training programs.
► Management development programs.
► Intended to ensure that the firm’s employees both understand & support the security program.
► Good business practice is not to spend more for a control than the expected cost of the risk that it addresses.
   - Establish controls at the proper level.

Page 30: SIM - Mc leod ch09

Government & Industry Assistance

► United Kingdom's BS7799. The UK standard establishes a set of baseline controls. It was first published by the British Standards Institution in 1995, then published by the International Organization for Standardization as ISO 17799 in 2000, & made available to potential adopters online in 2003.
► BSI IT Baseline Protection Manual. The baseline approach is also followed by the German Bundesamt für Sicherheit in der Informationstechnik (BSI). The baselines are intended to provide reasonable security when normal protection requirements apply. They can also serve as the basis for higher degrees of protection when those are desired.
► COBIT. COBIT, from the Information Systems Audit and Control Association & Foundation (ISACAF), focuses on the process that a firm can follow in developing standards, paying special attention to the writing & maintaining of the documentation.
► GASSP. Generally Accepted System Security Principles (GASSP) is a product of the U.S. National Research Council. Emphasis is on the rationale for establishing a security policy.
► ISF Standard of Good Practice. The Information Security Forum Standard of Good Practice takes a baseline approach, devoting considerable attention to the user behavior that is expected if the program is to be successful. The 2005 edition addresses such topics as secure instant messaging, Web server security, & virus protection.

Page 31: SIM - Mc leod ch09

Government Legislation

► Both the U.S. & the U.K. have established standards & passed legislation aimed at addressing the increasing importance of information security.
► U.S. Government Computer Security Standards.
   - A set of security standards organizations should meet.
   - Availability of a software program that grades users’ systems & assists them in configuring their systems to meet the standards.
► U.K. Anti-terrorism, Crime & Security Act (ATCSA) 2001.

Page 32: SIM - Mc leod ch09

Industry Standards

Page 33: SIM - Mc leod ch09

Professional Certification

► Beginning in the 1960s the IT profession began offering certification programs:
   - Information Systems Audit and Control Association (ISACA)
   - International Information System Security Certification Consortium ((ISC)²)
   - SANS (SysAdmin, Audit, Network, Security) Institute

Page 34: SIM - Mc leod ch09

Business Continuity Management

► Business continuity management (BCM) is the set of activities aimed at continuing operations after an information system disruption.
► This activity was called disaster planning, then given the more positive term contingency planning.
► The contingency plan is the key element in contingency planning; it is a formal written document that spells out in detail the actions to be taken in the event that there is a disruption, or threat of disruption, in any part of the firm’s computing operations.

Page 35: SIM - Mc leod ch09

Contingency Subplans

► The emergency plan specifies those measures that ensure the safety of employees when disaster strikes.
   - Includes alarm systems, evacuation procedures, & fire-suppression systems.
► The backup plan is the arrangements for backup computing facilities in the event that the regular facilities are destroyed or damaged beyond use.
   - Backup can be achieved by some combination of redundancy, diversity, & mobility.
► Vital records are those paper documents, microforms, & magnetic & optical storage media that are necessary for carrying on the firm’s business.
► The vital records plan specifies how the vital records will be protected & should include offsite backup copies.