Using MIS 2e Chapter 12 Information Security Management David Kroenke © Pearson Prentice Hall 2009
Q1 – What are the threats to information security? Study Questions Q1 – What are the threats to information security? Q2 – What is senior management’s security role? Q3 – What technical safeguards are available? Q4 – What data safeguards are available? Q5 – What human safeguards are available? Q6 – How should organizations respond to security incidents? Q7 – What is the extent of computer crime? © Pearson Prentice Hall 2009
Q1 – What are the threats to information security? Q2 – What is senior management’s security role? Q3 – What technical safeguards are available? Q4 – What data safeguards are available? Q5 – What human safeguards are available? Q6 – How should organizations respond to security incidents? Q7 – What is the extent of computer crime? © Pearson Prentice Hall 2009
Q1 – What are the threats to information security? In order to adequately protect information resources, managers must be aware of the sources of threats to those resources, the types of security problems the threats present, and how to safeguard against both. The three most common sources of threats are: Human error and mistakes Malicious human activity Natural events and disasters. © Pearson Prentice Hall 2009
Q1 – What are the threats to information security? Human error and mistakes stem from employees and nonemployees. They may misunderstand operating procedures and inadvertently cause data to be deleted. Poorly written application programs and poorly designed procedures may allow employees to enter data incorrectly or misuse the system. Employees may make physical mistakes like unplugging a piece of hardware that causes the system to crash. Malicious human activity results from employees, former employees, and hackers who intentionally destroy data or system components. These actions include: Breaking into systems with the intent of stealing, altering or destroying data. Introducing viruses and worms into a system. Acts of terrorism. © Pearson Prentice Hall 2009
Q1 – What are the threats to information security? The last source of threats to information security are those caused by natural events and disasters. These threats pose problems stemming not just from the initial loss of capability and service but also problems a company may experience as it recovers from the initial problem. They include: Fires Floods Hurricanes Earthquakes and Other acts of nature. © Pearson Prentice Hall 2009
Q1 – What are the threats to information security? This chart shows some of the security problems a company may experience and the possible sources of the problems. Fig 12-1 Security Problems and Sources © Pearson Prentice Hall 2009
Q1 – What are the threats to information security? There are three components of a sound organizational security program: Senior management must establish a security policy and manage risks. Safeguards of various kinds must be established for all five components of an IS as the figure below demonstrates. The organization must plan its incident response before any problems occur. Fig 12-2 Security Safeguards as They Relate to the Five Components © Pearson Prentice Hall 2009
Q2 – What is senior management’s security role? Q1 – What are the threats to information security? Q2 – What is senior management’s security role? Q3 – What technical safeguards are available? Q4 – What data safeguards are available? Q5 – What human safeguards are available? Q6 – How should organizations respond to security incidents? Q7 – What is the extent of computer crime? © Pearson Prentice Hall 2009
Q2 – What is senior management’s security role? The NIST Handbook of Security Elements lists the necessary elements of an effective security program as this figure shows. Fig 12-3 Elements of Computer Security © Pearson Prentice Hall 2009
Q2 – What is senior management’s security role? Senior managers should ensure their organization has an effective security policy that includes these elements: A general statement of the organization’s security program Issue-specific policies like personal use of email and the Internet System-specific policies that ensure the company is complying with laws and regulations. Senior managers must also manage risks associated with information systems security. Risk is the likelihood of an adverse occurrence. You can reduce risk but always at a cost. The amount of money you spend on security influences the amount of risk you must assume. Uncertainty is defined as the things we do not know that we do not know. © Pearson Prentice Hall 2009
Q2 – What is senior management’s security role? When you’re assessing risks to an information system you must first determine: What the threats are. How likely they are to occur. The consequences if they occur. The figure below lists the factors you should include in a risk assessment. Once you’ve assessed the risks to your information system, you must make decisions about how much security you want to pay for. Each decision carries consequences. Some risk is easy and inexpensive. Some risk is expensive and difficult. Managers have a fiduciary responsibility to the organization to adequately manage risk. Fig 12-4 Risk Assessment Factors © Pearson Prentice Hall 2009
Q3 – What technical safeguards are available? Q1 – What are the threats to information security? Q2 – What is senior management’s security role? Q3 – What technical safeguards are available? Q4 – What data safeguards are available? Q5 – What human safeguards are available? Q6 – How should organizations respond to security incidents? Q7 – What is the extent of computer crime? © Pearson Prentice Hall 2009
Q3 – What technical safeguards are available? You can establish five technical safeguards for the hardware and software components of an information system as this figure shows. Identification and authentication includes passwords (what you know), smart cards (what you have), and biometric authentication (what you are). Since users must access many different systems, it’s often more secure, and easier, to establish a single sign-on for multiple systems. Wireless systems pose additional threats. Wired Equivalent Privacy (WEP)-first developed Wi-Fi Protected Access (WPA)-more secure Wi-Fi Protected Access (WPA2)-newest and most secure Fig 12-5 Technical Safeguards © Pearson Prentice Hall 2009
Q3 – What technical safeguards are available? Encryption is the second safeguard you can establish for an IS. The chart below and on the next slide describe each of them. Fig 12-6 Basic Encryption Techniques © Pearson Prentice Hall 2009
Q3 – What technical safeguards are available? Fig 12-6 Basic Encryption Techniques (continued) © Pearson Prentice Hall 2009
Q3 – What technical safeguards are available? This diagram describes how digital signatures are used to authenticate messages and ensure they aren’t altered during transmission. Digital certificates are used in conjunction with digital signatures for added security. Certificate authorities are independent third-party companies that supply public keys used with the certificates. Fig 12-7 Digital Signatures for Message Authentication © Pearson Prentice Hall 2009
Q3 – What technical safeguards are available? Firewalls, the third technical safeguard, should be installed and used with every computer that’s connected to any network, especially the Internet. The diagram shows how perimeter and internal firewalls are special devices that help protect a network. Packet-filtering firewalls are programs on general-purpose computers or on routers that examine each packet entering the network. Access control lists (ACLs) are used in conjunction with firewalls and determine which packets can enter a network. The ACLs also control which Web sites users can access. Fig 12-8 Use of Multiple Firewalls © Pearson Prentice Hall 2009
Q3 – What technical safeguards are available? Malware Protection is the fourth technical safeguard. We’ll concentrate on spyware and adware here. Spyware are programs that may be installed on your computer without your knowledge or permission. Adware is a benign program that’s also installed without your permission. It resides in your computer’s background and observes your behavior. If your computer displays any of the symptoms in this figure, you may have one of these types of malware on your computer. Fig 12-9 Spyware & Adware Symptoms © Pearson Prentice Hall 2009
Q3 – What technical safeguards are available? Here are a few ways you can safeguard your computer against malware: Install antivirus and antispyware programs. Scan your computer frequently for malware. Update malware definitions often or use an automatic update process. Open email attachments only from known sources and even then be wary. Promptly install software updates from legitimate sources like Microsoft for your operating system or McAfee for your spyware programs. Browse only in reputable Internet neighborhoods. Malware is often associated with rogue Web sites. © Pearson Prentice Hall 2009
Q3 – What technical safeguards are available? The survey results in this chart show how serious the malware problem is and yet how unaware most people are about the effects. You should understand the malware problem, realize how frequently it occurs, and follow safeguards to protect your computer and system from it. Designing secure applications with as few bugs as possible is the last safeguard. Fig 12-10 Malware Survey Results © Pearson Prentice Hall 2009
Q4 – What data safeguards are available? Q1 – What are the threats to information security? Q2 – What is senior management’s security role? Q3 – What technical safeguards are available? Q4 – What data safeguards are available? Q5 – What human safeguards are available? Q6 – How should organizations respond to security incidents? Q7 – What is the extent of computer crime? © Pearson Prentice Hall 2009
Q4 – What data safeguards are available? To protect databases and other data sources, an organization should follow the safeguards listed in this figure. Remember, data and the information from it are one of the most important resources an organization has. Fig 12-11 Data Safeguards © Pearson Prentice Hall 2009
Q5 – What human safeguards are available? Q1 – What are the threats to information security? Q2 – What is senior management’s security role? Q3 – What technical safeguards are available? Q4 – What data safeguards are available? Q5 – What human safeguards are available? Q6 – How should organizations respond to security incidents? Q7 – What is the extent of computer crime? © Pearson Prentice Hall 2009
Q5 – What human safeguards are available? Human safeguards for employees are some of the most important safeguards an organization can deploy. They should be coupled with effective procedures to help protect information systems. This figure shows the safeguards for in-house employees. Fig 12-12 Security Policy for In-house Staff © Pearson Prentice Hall 2009
Q5 – What human safeguards are available? An organization needs human safeguards for nonemployees whether they are temporary employees, vendors, business partners, or the public. Here are a few suggestions: Ensure any contracts between the organization and other workers include security policies. Third-party employees should be screened and trained the same as direct employees. Web sites used by third-party employees and the public should be hardened against misuse or abuse. Protect outside users from internal security problems. If your system gets infected with a virus, you should not pass it on to others. © Pearson Prentice Hall 2009
Q5 – What human safeguards are available? Account administration is the third type of human safeguard and has three components—account management, password management, and help-desk policies. Account management focuses on Establishing new accounts Modifying existing accounts Terminating unnecessary accounts. Password management requires that users Immediately change newly created passwords Change passwords periodically Sign an account acknowledgment form like the one in this figure. Fig 12-13 Sample Account Acknowledgement Form © Pearson Prentice Hall 2009
Q5 – What human safeguards are available? Help-desks have been a source of problems for account administration because of the inherent nature of their work. It is difficult for the help-desk to determine exactly with whom they’re speaking. Users call up for a new password without the help-desk having a method of definitively identifying who is on the other end of the line. There must be policies in place to provide ways of authenticating users like asking questions only the user would know the answers to. Users have a responsibility to help the help-desk by responsibly controlling their passwords. © Pearson Prentice Hall 2009
Q5 – What human safeguards are available? Effective system procedures can help increase security and reduce the likelihood of computer crime. As this figure shows, procedures should exist for both system users and operations personnel that cover normal, backup, and recovery procedures. Security monitoring is the last human safeguard. It includes: Activity log analyses Security testing Investigating and learning from security incidents. Fig 12-14 Systems Procedures © Pearson Prentice Hall 2009
Q6 – How should organizations respond to security incidents? Q1 – What are the threats to information security? Q2 – What is senior management’s security role? Q3 – What technical safeguards are available? Q4 – What data safeguards are available? Q5 – What human safeguards are available? Q6 – How should organizations respond to security incidents? Q7 – What is the extent of computer crime? © Pearson Prentice Hall 2009
Q6 – How should organizations respond to security incidents? No system is fail-proof. Every organization must have an effective plan for dealing with a loss of computing systems. This figure describes disaster preparedness tasks for every organization, large and small. The last item that suggests an organization train and rehearse its disaster preparedness plans is very important. Fig 12-15 Disaster Preparedness Tasks © Pearson Prentice Hall 2009
Q6 – How should organizations respond to security incidents? Along with disaster preparedness plans, every organization should think about how it will respond to security incidences that may occur, before they actually happen. The figure below lists the major factors that should be included in any incident response. Fig 12-16 Factors in Incident Response © Pearson Prentice Hall 2009
Q7 – What is the extent of computer crime? Q1 – What are the threats to information security? Q2 – What is senior management’s security role? Q3 – What technical safeguards are available? Q4 – What data safeguards are available? Q5 – What human safeguards are available? Q6 – How should organizations respond to security incidents? Q7 – What is the extent of computer crime? © Pearson Prentice Hall 2009
Q7 – What is the extent of computer crime? The full extent of computer crime is unknown. There is no national census because many organizations are reluctant to report losses for fear of alienating customers, suppliers, and business partners. A 2006 survey estimated that the total loss due to computer crime is at least $52.5 billion. This chart shows the top four sources of computer crime and the total dollar loss. Fig 12-17 Computer Crime, 2006 FBI/CSI Survey © Pearson Prentice Hall 2009