Risks, Controls and Security Measures

Chapter 17: Risks, Controls and Security Measures

Learning Objectives
When you finish this chapter, you will:
- Be able to identify the main types of risks to information systems.
- List various types of attacks on networked systems.
- Identify the types of controls required to ensure the integrity of data entry and processing and uninterrupted e-commerce.
- Know the principles of how organizations develop recovery plans.
- Be able to explain the economic aspects of pursuing information security.

Why do we care?
- Nearly 20,000 digital attacks* occurred in January 2003.
- At this rate, we could see 180,000 attacks resulting in $80-100 billion in damages.
*mi2g Ltd., a digital risk management firm.

Goals of Information Security
- Reduce the risk of systems and organizations ceasing operations.
- Maintain information confidentiality.
- Ensure the integrity and reliability of data resources.
- Ensure uninterrupted availability of data resources and online operations.
- Ensure compliance with national security laws and with privacy policies and laws.

Risks to Information Systems
Causes of systems downtime:
- Number one is hardware failure.
- Fire and theft are the next two contributors.
Risks to hardware:
- Natural disasters
- Blackouts and brownouts
- Vandalism

Risks to Information Systems
Risks to applications and data:
- Theft of information
- Data alteration, data destruction, and defacement
- Computer viruses and logic bombs
- Nonmalicious mishaps

Risks to Information Systems
Figure 17.2: Frequency of security breaches in a 12-month period, based on a survey of 745 professionals.

Risks to Online Operations
Denial of Service (DoS)
- The attacker sends a Web site far more requests than it can serve, so legitimate users cannot log on to or load its pages.
- When the flood is perpetrated from multiple computers at once it is called distributed denial of service (DDoS); each individual source may then look harmless on its own.
Spoofing
- Deception of users to make them think they are logged on at one site while they are actually on another, a look-alike site under the attacker's control.
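The per-source and aggregate request-rate checks a defender would run over a Web server's access log to spot the two DoS patterns just described, written here as an added example in Python (not code from the chapter). The log lines, addresses and thresholds are constructed for the illustration; the window length, per-source limit and overall limit are assumptions to be tuned for a real site.

```python
"""Spot request floods in Web-server logs, per source and in aggregate (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined"-style access-log line, e.g.
#   203.0.113.9 - - [14/Mar/2023:10:00:00 +0000] "GET /login HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (timestamp, client address, request line), or None for a malformed line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(m["ts"], TS_FMT), m["ip"], m["req"]


def build_sample_log():
    """Constructed log: one normal client, one single-source flood, and a distributed
    flood from 30 addresses that each send only three requests."""
    base = datetime(2023, 3, 14, 10, 0, 0, tzinfo=timezone.utc)
    entries = []

    def add(ip, when):
        entries.append((when, f'{ip} - - [{when.strftime(TS_FMT)}] "GET /login HTTP/1.1" 200 512'))

    for i in range(5):                       # normal browsing: 5 requests over 48 s
        add("198.51.100.7", base + timedelta(seconds=12 * i))
    for i in range(50):                      # single-source flood: 50 requests in 5 s
        add("203.0.113.9", base + timedelta(seconds=i // 10))
    for host in range(1, 31):                # DDoS: 30 hosts x 3 requests within 3 s
        for i in range(3):
            add(f"192.0.2.{host}", base + timedelta(seconds=30 + i))
    entries.sort(key=lambda entry: entry[0])  # logs are chronological
    return [line for _, line in entries]


def detect_floods(lines, window_s=10, per_source_max=20, total_max=60):
    """Sliding-window request counters (thresholds are assumptions to tune per site).

    Returns (addresses that exceeded the per-source limit, timestamp at which the
    overall rate first exceeded total_max, or None). The aggregate check is what
    catches a DDoS whose individual sources all stay under the per-source limit."""
    window = timedelta(seconds=window_s)
    per_source = defaultdict(deque)
    overall = deque()
    flooders, aggregate_at = set(), None
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                          # malformed line: skip, do not crash the detector
        ts, ip, _ = parsed
        for recent in (per_source[ip], overall):
            recent.append(ts)
            while recent[0] < ts - window:   # drop requests that fell out of the window
                recent.popleft()
        if len(per_source[ip]) > per_source_max:
            flooders.add(ip)
        if aggregate_at is None and len(overall) > total_max:
            aggregate_at = ts
    return flooders, aggregate_at


if __name__ == "__main__":
    sources, when = detect_floods(build_sample_log())
    print("single-source floods:", sorted(sources))
    print("aggregate rate breached at:", when)
```

On the constructed log the single flooder trips the per-source limit, while the 30-host flood trips only the aggregate limit: a per-source threshold alone would let the distributed attack through.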

Controlling Information System Risks
Controls: constraints imposed on a user or a system to secure systems against risks.
Figure 17.3: Common controls to protect systems from risk.

Controlling Information System Risks
Program robustness and data entry controls
- Provide a clear and sound interface with the user.
- Menus and limits: data input constraints, so that only values the program expects are accepted.
Backup
- Periodic duplication of all data.
Access controls
- Ensure that only authorized people can gain access to systems and files.
- Access codes and passwords.
- Biometric: an access control based on a unique, measurable physical characteristic of a human being, used to identify a person.
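An added example (not the chapter's own code) of two of these controls in Python: data-input constraints enforced on a hypothetical order form, and password-based access control that stores only a salted, deliberately slow hash of the password. The form fields, the limits and the iteration count are assumptions.

```python
"""Data-entry constraints and password-based access control (added example)."""
import hashlib
import hmac
import os
import re

# Hypothetical order form. Menu choices are whitelisted, free text gets a format
# and a length limit, numbers get a range: the program decides what is acceptable,
# not the user.
PAYMENT_METHODS = ("card", "invoice", "transfer")
SKU_PATTERN = re.compile(r"[A-Z]{3}-\d{4}")
MAX_QUANTITY = 1000
MAX_NOTE_LEN = 200


def validate_order(form):
    """Return a list of problems; an empty list means the record may be processed."""
    errors = []
    qty = form.get("quantity")
    if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QUANTITY:
        errors.append(f"quantity must be an integer from 1 to {MAX_QUANTITY}")
    if form.get("payment") not in PAYMENT_METHODS:
        errors.append("payment must be one of the menu choices")
    sku = form.get("sku")
    if not isinstance(sku, str) or not SKU_PATTERN.fullmatch(sku):
        errors.append("sku must look like ABC-1234")
    note = form.get("note", "")
    if not isinstance(note, str) or len(note) > MAX_NOTE_LEN or any(ord(c) < 32 for c in note):
        errors.append(f"note must be at most {MAX_NOTE_LEN} printable characters")
    return errors


# Access control: the system keeps a salted, deliberately slow hash, never the password.
PBKDF2_ITERATIONS = 200_000   # assumption; raise as hardware gets faster


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), salt.hex(), digest.hex()])


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time (no early exit
    that would leak how many bytes matched)."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:            # malformed record: treat as a failed login
        return False


if __name__ == "__main__":
    print(validate_order({"quantity": 5, "payment": "card", "sku": "ABC-1234"}))
    print(validate_order({"quantity": "5", "payment": "bitcoin", "sku": "abc-1234"}))
    record = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", record), verify_password("guess", record))
```

The validator rejects rather than repairs: a bad field is reported and the record is not processed, which is the behaviour a data-entry control needs.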

Controlling Information System Risks
Atomic transactions
- Ensure that transaction data are recorded properly in all the pertinent files: either every file involved in the transaction is updated or none of them is, so the data never end up half-updated and inconsistent.

Controlling Information System Risks
Audit trails
- Built into an IS so that transactions can be traced to the people who initiated them, the times, and the authorization information.
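An added example, not from the chapter, that implements both an atomic transaction and an audit trail on SQLite in Python: a funds transfer either updates both accounts and writes its audit record, or changes nothing. The account names, amounts and column layout are constructed for the illustration.

```python
"""Atomic transfers with an audit trail, on SQLite (added example)."""
import sqlite3


def open_ledger():
    """In-memory ledger with two constructed accounts and an append-only audit table."""
    con = sqlite3.connect(":memory:")
    con.execute(
        """CREATE TABLE accounts (
               id      TEXT PRIMARY KEY,
               balance INTEGER NOT NULL CHECK (balance >= 0))"""
    )
    con.execute(
        """CREATE TABLE audit (
               seq    INTEGER PRIMARY KEY AUTOINCREMENT,
               at     TEXT NOT NULL DEFAULT (datetime('now')),
               who    TEXT NOT NULL,      -- the person behind the transaction
               authz  TEXT NOT NULL,      -- the authorization it ran under
               action TEXT NOT NULL,
               detail TEXT NOT NULL)"""
    )
    con.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 100), ("bob", 50)])
    con.commit()
    return con


def _audit(con, who, authz, action, detail):
    con.execute(
        "INSERT INTO audit (who, authz, action, detail) VALUES (?, ?, ?, ?)",
        (who, authz, action, detail),
    )


def transfer(con, who, authz, src, dst, amount):
    """Debit src and credit dst as one unit of work.

    Either both balances change and the audit row is written, or nothing is.
    Returns True when the transfer committed and False when it was rolled back."""
    detail = f"{src}->{dst} amount={amount}"
    try:
        with con:  # sqlite3: commit on normal exit, rollback on any exception
            if amount <= 0:
                raise ValueError("amount must be positive")
            for account, delta in ((src, -amount), (dst, amount)):
                cur = con.execute(
                    "UPDATE accounts SET balance = balance + ? WHERE id = ?", (delta, account)
                )
                if cur.rowcount != 1:            # unknown account: money must not vanish
                    raise LookupError(f"no such account: {account}")
            _audit(con, who, authz, "transfer", detail)
        return True
    except (sqlite3.IntegrityError, LookupError, ValueError) as exc:
        # The overdraft CHECK or a bad account rolled everything back, including the
        # audit row. Record the rejected attempt in its own transaction so the trail
        # still shows who tried what.
        with con:
            _audit(con, who, authz, "transfer_rejected", f"{detail} reason={exc}")
        return False


def balances(con):
    return dict(con.execute("SELECT id, balance FROM accounts ORDER BY id"))


def audit_trail(con):
    return con.execute(
        "SELECT seq, at, who, authz, action, detail FROM audit ORDER BY seq"
    ).fetchall()


if __name__ == "__main__":
    ledger = open_ledger()
    transfer(ledger, "teller1", "ticket-42", "alice", "bob", 30)   # commits
    transfer(ledger, "teller1", "ticket-43", "alice", "bob", 500)  # overdraft: rolled back
    print(balances(ledger))
    for row in audit_trail(ledger):
        print(row)
```

The overdraft attempt trips the CHECK constraint after the debit has already been issued; because the debit, the credit and the audit row are in one transaction, the rollback undoes all of them, and the rejection is logged separately so the trail still names the person, time and authorization behind the attempt.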

Encryption
Authentication: the process of ensuring that the sender and the receiver of a message are indeed who they claim to be.
- Original message: plaintext
- Coded message: ciphertext
- Messages are scrambled on the sending end and descrambled back to plaintext on the receiving end.

Encryption Strength
Figure 17.6: Estimated time needed to break encryption keys, using $100,000 worth of computer equipment.

Encryption
Key distribution: secret key versus public key encryption
Symmetric
- Both sender and recipient use the same key, referred to as the secret key.
- That key has to reach the recipient over some secure channel before the message is sent; anyone who intercepts it can read the traffic.
Asymmetric (also called public key encryption)
- Each party holds a pair of keys: a public key, which may be given to anyone, and a private key, which is never shared.
- The sender encrypts with the recipient's public key; only the recipient's private key can decrypt, so no secret has to be exchanged beforehand.

Encryption
- Secure Sockets Layer (SSL) and Secure Hypertext Transfer Protocol (S-HTTP) are protocols used to protect online transactions while they are in transit.
- Pretty Good Privacy (PGP): a Network Associates product that allows individuals to generate their own public and private keys and exchange the public ones with others.

Digital Signatures and Digital Certificates
Electronic signatures
- Digital signatures: computed from the message itself with the signer's private key, so the signature is different each time you send a message, and any change to the message invalidates it.
Digital certificates
- Computer files that serve as the equivalent of ID cards: they bind a public key to the identity of its owner.
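An added example in Python, not the chapter's code, covering the secret-key versus public-key distinction from the preceding slides and the digital signature property described here. The primes, keys and messages are toy values chosen for illustration; the XOR stream cipher and the unpadded RSA are teaching constructions to show who needs which key, not something to deploy.

```python
"""Shared-key versus public-key encryption, and digital signatures (added example)."""
import hashlib


# ---- Symmetric: one secret key, delivered to both ends before any message -------
def stream_xor(key, data):
    """Toy stream cipher: XOR the data with a SHA-256 keystream derived from key.
    Encryption and decryption are the same operation with the same key.
    Teaching construction only: no authentication, no security analysis."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], keystream))
    return bytes(out)


# ---- Asymmetric (RSA): the recipient publishes (n, e) and keeps d private --------
P, Q, E = 1_000_003, 1_000_033, 65_537   # toy primes; real keys use 2048-bit moduli and padding


def _is_prime(n):
    return n > 1 and all(n % k for k in range(2, int(n ** 0.5) + 1))


def rsa_keygen(p=P, q=Q, e=E):
    """Return (public_key, private_key). Only the public half ever leaves the owner."""
    if not (_is_prime(p) and _is_prime(q)):
        raise ValueError("p and q must be prime")
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(public, plaintext):
    """Anyone holding the public key can encrypt; no secret was exchanged first."""
    n, e = public
    m = int.from_bytes(plaintext, "big")
    if not 0 < m < n:
        raise ValueError("plaintext too long for this toy modulus")
    return pow(m, e, n)


def rsa_decrypt(private, ciphertext):
    """Only the holder of d can recover the message (leading zero bytes are not kept)."""
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest_int(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def rsa_sign(private, message):
    """Signature = hash of the message raised to the private exponent, so it depends
    on every byte of the message and differs from one message to the next."""
    n, d = private
    return pow(_digest_int(message, n), d, n)


def rsa_verify(public, message, signature):
    n, e = public
    return pow(signature, e, n) == _digest_int(message, n)


if __name__ == "__main__":
    shared = b"pre-shared secret"                      # both ends must already hold this
    ct = stream_xor(shared, b"order 17: ship 40 units")
    print(stream_xor(shared, ct))

    public, private = rsa_keygen()                     # recipient generates; publishes `public`
    c = rsa_encrypt(public, b"1234")                    # sender needs only `public`
    print(rsa_decrypt(private, c))

    sig = rsa_sign(private, b"pay 100")
    print(rsa_verify(public, b"pay 100", sig), rsa_verify(public, b"pay 1000", sig))
```

The point to take from the two halves: with stream_xor the secret has to be at both ends before the first byte is sent, whereas with RSA the sender only ever touches the published public key. The same private key, used on a hash of the message, yields a signature that changes with every message and fails to verify once the message is altered.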

Firewalls
- Software whose purpose is to manage access to computing resources, placed where an organization's network meets the outside world.
- Early firewalls used a combination of hardware and software.
- While firewalls are used to keep unauthorized users out, they are also used to keep unauthorized software or instructions away: computer viruses and other rogue software.
- Proxy servers act as a buffer between internal and external networks: outside systems talk to the proxy, never directly to internal hosts.
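An added example, in Python and not the chapter's code, of the packet-filtering part of a firewall: a rule table evaluated top to bottom, first match wins, with an implicit deny for anything unmatched. The addresses and the policy are constructed for a hypothetical Web server.

```python
"""Stateless packet filter: ordered rules, first match wins, default deny (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    direction: str       # "in" (towards the protected network) or "out"
    proto: str           # "tcp", "udp" or "any"
    src: str             # source CIDR block
    dst: str             # destination CIDR block
    dports: tuple = ()   # (low, high) inclusive destination-port range; () means any


# Constructed policy for a hypothetical Web server at 203.0.113.10 in front of an
# internal network 10.0.0.0/8. Order matters: the first matching rule decides.
POLICY = (
    Rule("allow", "in", "tcp", "0.0.0.0/0", "203.0.113.10/32", (443, 443)),  # public HTTPS
    Rule("allow", "in", "tcp", "10.0.0.0/8", "203.0.113.10/32", (22, 22)),   # admin SSH, inside only
    Rule("allow", "out", "any", "10.0.0.0/8", "0.0.0.0/0"),                  # internal hosts may go out
    # anything not listed is denied by evaluate() below
)


def packet(direction, proto, src, dst, dport):
    """Minimal packet header as a dict (constructed input for the filter)."""
    return {"direction": direction, "proto": proto, "src": src, "dst": dst, "dport": dport}


def matches(rule, pkt):
    return (
        rule.direction == pkt["direction"]
        and rule.proto in ("any", pkt["proto"])
        and ip_address(pkt["src"]) in ip_network(rule.src)
        and ip_address(pkt["dst"]) in ip_network(rule.dst)
        and (not rule.dports or rule.dports[0] <= pkt["dport"] <= rule.dports[1])
    )


def evaluate(pkt, policy=POLICY):
    """Return (action, index of the deciding rule); unmatched traffic is denied."""
    for index, rule in enumerate(policy):
        if matches(rule, pkt):
            return rule.action, index
    return "deny", None          # implicit default deny: the safe failure mode


if __name__ == "__main__":
    for p in (
        packet("in", "tcp", "198.51.100.5", "203.0.113.10", 443),   # customer -> HTTPS
        packet("in", "tcp", "198.51.100.5", "203.0.113.10", 22),    # outsider -> SSH
        packet("in", "tcp", "10.1.2.3", "203.0.113.10", 22),        # admin -> SSH
        packet("in", "udp", "198.51.100.5", "203.0.113.10", 53),    # unexpected UDP
    ):
        print(p["src"], "->", p["dst"], p["dport"], evaluate(p))
```

Because this filter is stateless, the Web server's own replies (outbound from 203.0.113.10) fall through to the default deny; a real firewall either tracks connection state so that return traffic for an allowed session passes, or needs an explicit rule for it. Packet filters also see only headers: catching the viruses and rogue software the slide mentions needs inspection of the payload, which is the job of a proxy or an application-layer gateway.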

Security Standards
The Orange Book (DoD): four security divisions
- Division A: Verified Protection
- Division B: Mandatory Protection
- Division C: Discretionary Protection
- Division D: Minimal Protection or No Protection
The ISO standard (ISO/IEC 15408, the Common Criteria)
- A common set of requirements for the security functions of IT products and for the assurance measures applied to them during security evaluation.
- Permits comparability between the results of independent security evaluations.

The Downside of Security Controls
- Security measures slow data communications and require discipline that is not easy to maintain: passwords, encryption, firewalls.
- They drain personnel resources as well.

Chief Security Officers

Recovery Measures
The Business Recovery Plan: nine steps proposed for its development
1. Obtain management's commitment to the plan.
2. Establish a planning committee.
3. Perform risk assessment and impact analysis.
4. Prioritize recovery needs.
5. Select a recovery plan.
6. Select vendors.
7. Develop and implement the plan.
8. Test the plan.
9. Continually test and evaluate.

Recovery Measures
Outsourcing the recovery plan
- Some companies may choose not to develop their own recovery plan.
- Small companies may not be able to afford an expensive recovery plan.
- They may opt for a Web-based service instead.

Median Amounts of IT Security Budgets by Industry

The Economic Aspect of Security Measures
Two types of costs to consider when determining how much to spend on data security:
- The cost of potential damage
- The cost of implementing a preventive measure

The Economic Aspect of Security Measures
Figure 17.12: The total cost to the enterprise is lowest at the "optimum." No less, and no more, should be spent on information security measures.