1 Chapter 15 Managing Information Resources & Security.

Presentation transcript:

1 Chapter 15 Managing Information Resources & Security

2 Learning Objectives
- Recognize the difficulties in managing information resources.
- Understand the role of the IS department and its relationships with end-users.
- Discuss the role of the chief information officer.
- Recognize information systems' vulnerability and the possible damage from malfunctions.
- Describe the major methods of defending information systems.
- Describe the security issues of the Web and electronic commerce.
- Distinguish between security auditing and disaster recovery planning and understand the economics of security.
- Describe the Euro 2002 issue.

3 Case: Cyber Crime
- On Feb. 6, the biggest EC sites were hit by cyber crime: Yahoo!, eBay, Amazon.com, E*Trade.
- The attacker(s) used a method called denial of service (DoS). By hammering a Web site's equipment with too many requests for information, an attacker can effectively clog a system.
- The total damage worldwide was estimated at $5-10 billion (U.S.). The alleged attacker, from the Philippines, was not prosecuted because he did not break any law in the Philippines.

4 Lessons Learned from the Case
- Information resources, which include computers, networks, programs, and data, are vulnerable to unforeseen attacks.
- Many countries do not have sufficient laws to deal with computer criminals.
- Protection of networked systems can be a complex issue.
- Attackers can zero in on a single company, or can attack many companies without discrimination.
- Attackers use different attack methods.
- Although variations of the attack methods are known, the defence against them is difficult and/or expensive.

5 Information Resources Management
- Information resources management (IRM) encompasses all activities related to the planning, organizing, acquiring, maintaining, securing, and controlling of IT resources.
- The management of information resources is divided among the information services department (ISD) and the end-users. The name of the ISD depends on the IT role, its size, and so forth. The director of IS is sometimes called the chief information officer (CIO). It is extremely important to have good relations between the ISD and end-users.

6 End-User Computing
Generally, the IS organization takes one of the following four approaches toward end-user computing:
- Let them sink or swim. Don't do anything; let the end-user beware.
- Use the stick. Establish policies and procedures to control end-user computing so that corporate risks are minimized.
- Use the carrot. Create incentives to encourage certain end-user practices that reduce organizational risks.
- Offer support. Develop services to aid end-users in their computing activities.

7 Steering Committees
The corporate steering committee is a group of managers and staff representing various organizational units. The committee's major tasks are:
- Direction setting
- Staffing
- Rationing
- Communication
- Structuring
- Evaluating

8 SLAs & Information Centers
- Service level agreements (SLAs) are formal agreements regarding the division of computing responsibility among end-users and the ISD. Such divisions are based on a small set of critical computing decisions made by end-user management.
- Information centers (ICs), also known as the user's service or help center, concentrate on end-user support with PCs, client/server applications, and the Internet/intranet. The IC is set up to help users get certain systems built quickly.

9 The "New IT Organization"
Rockart et al. (1996) proposed the following eight imperatives for ISDs, the "New IT organization":
- Achieve two-way strategic alignment
- Develop effective relations with line management
- Quickly develop and implement new systems
- Build and manage infrastructures
- Reskill the IT organization
- Manage vendor relationships
- Build high performance
- Redesign and manage the "federal" IT organization

10 The Role of the CIO
- The CIO is taking increasing responsibility for defining the strategic future.
- The increasingly networked environment may lead to disillusionment with IT.
- The CIO needs to understand that the Web-based era is more about fundamental business change than technology.
- The CIO needs to argue for greater measures of central coordination.
- The IT asset-acquisition process must be improved by the CIO.
- The CIO is responsible for developing new Web-based business models.
- The CIO is becoming a business visionary.

11 Key Terminology
- Backup
- Decryption
- Encryption
- Exposure
- Fault tolerance
- IS controls
- Integrity (of data)
- Risk
- Threats (or hazards)
- Vulnerability

12 Security Threats

13 Cyber Crime
- Crimes can be performed by outsiders who penetrate a computer system (hackers) or by insiders who are authorized to use the computer system but are misusing their authorization. A cracker is a malicious hacker, who may represent a serious problem for a corporation.
- Two basic methods of attack are used in deliberate attacks on computer systems:
  - data tampering
  - programming fraud, e.g. viruses

14 U.S. Federal Statutes
- According to the FBI, an average white-collar crime involves $23,000, but an average computer crime involves about $600,000.
- The following U.S. federal statutes deal with computer crime:
  - Counterfeit Access Device and Computer Fraud Act of 1984
  - Computer Fraud and Abuse Act of 1986
  - Computer Abuse Amendment Act of 1994 (prohibits transmission of viruses)
  - Computer Security Act of 1987
  - Electronic Communications Privacy Act of 1986
  - Electronic Funds Transfer Act of 1980
  - Video Privacy Protection Act of 1988

15 Defending Information Systems
Defending information systems is not a simple or inexpensive task, for the following reasons:
- Hundreds of potential threats exist.
- Computing resources may be situated in many locations.
- Many individuals control information assets.
- Computer networks can be outside the organization and difficult to protect.
- Rapid technological changes make some controls obsolete as soon as they are installed.
- Many computer crimes are undetected for a long period of time.
- People tend to violate security procedures because they are inconvenient.

16 Defense Strategies
The following are the major objectives of defense strategies:
- Prevention and deterrence
- Detection
- Limitation
- Recovery
- Correction

17 Types of Defense Controls
The defense controls are divided into two major categories:
- General controls: protect the system regardless of the specific application.
- Application controls: safeguards that are intended to protect specific applications.

18 Types of Controls
- General controls
  - Physical controls
  - Access controls
  - Biometric controls
  - Data security controls
  - Communications (networks) controls
  - Administrative controls
- Application controls
  - Input controls
  - Processing controls
  - Output controls

19 Security Measures
- An access control system guards against unauthorized dial-in attempts, for example through the use of a preassigned personal identification number (PIN).
- Modems. It is quite easy for attackers to penetrate them and for employees to leak secret corporate information to external networks.
- Encryption is used extensively in EC for protecting payments and privacy.
- Troubleshooting packages such as cable testers can find almost any fault that can occur with LAN cabling.

20 Security Measures (cont.)
- Payload security involves encryption or other manipulation of data being sent over networks.
- Commercial products. Hundreds of commercial security products exist on the market.
- Intrusion detection. It is worthwhile to place an intrusion detecting device near the entrance point of the Internet to the intranet.
- A firewall is commonly used as a barrier between the secure corporate intranet, or other internal networks, and the Internet.
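The flooding pattern from the cyber-crime case (slide 3) and the intrusion-detection point above, as an added example that is not from the textbook: a rate-based detector that flags any source sending more than a threshold of requests within a sliding time window. The log format, window, threshold and the sample log lines are constructed assumptions.

```python
"""Request-flood detector for web-server access logs.

Added example (not from the chapter): flags sources that send more than
MAX_REQ requests within any WINDOW-second span, the "too many requests"
pattern in the Chapter 15 cyber-crime case. The log line format, the
window, the threshold and the sample lines are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime

WINDOW = 10   # seconds of history kept per source (assumed)
MAX_REQ = 5   # requests allowed in one window before flagging (assumed)

# Constructed sample lines: "<ISO timestamp> <client ip> <request>"
SAMPLE_LOG = """\
2000-02-07T10:00:00 203.0.113.7 GET /index.html
2000-02-07T10:00:01 198.51.100.4 GET /catalog
2000-02-07T10:00:01 203.0.113.7 GET /index.html
2000-02-07T10:00:02 203.0.113.7 GET /index.html
2000-02-07T10:00:02 203.0.113.7 GET /index.html
2000-02-07T10:00:03 203.0.113.7 GET /index.html
2000-02-07T10:00:03 203.0.113.7 GET /index.html
2000-02-07T10:00:15 198.51.100.4 GET /cart
2000-02-07T10:00:40 203.0.113.7 GET /index.html
"""


def parse_line(line):
    """Split one log line into (timestamp, client ip); the request is ignored."""
    ts, ip, _request = line.split(" ", 2)
    return datetime.fromisoformat(ts), ip


def detect_floods(log_text, window=WINDOW, max_req=MAX_REQ):
    """Return {ip: timestamp at which that ip first exceeded max_req in a window}."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip = parse_line(line)
        history = recent[ip]
        history.append(ts)
        # Drop requests older than the window so the count is per sliding window.
        while (ts - history[0]).total_seconds() > window:
            history.popleft()
        if len(history) > max_req and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in detect_floods(SAMPLE_LOG).items():
        print(f"flood from {ip} detected at {when.isoformat()}")
```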

21 IT Auditing
- In the information system environment, auditing can be viewed as an additional layer of controls or safeguards. It involves a periodic examination and check of financial and accounting records and procedures.
- Two types of auditors (and audits):
  - Internal: an internal auditor is usually a corporate employee who is not a member of the ISD.
  - External: an external auditor is a corporate outsider.

22 Auditors attempt to answer questions such as:
1. Are there sufficient controls in the system?
2. Which areas are not covered by controls?
3. Which controls are not necessary?
4. Are the controls implemented properly?
5. Are the controls effective; do they check the output of the system?
6. Is there a clear separation of duties of employees?
7. Are there procedures to ensure compliance with the controls?
8. Are there procedures to ensure reporting and corrective actions in case of violations of controls?

23 How is Auditing Executed?
IT auditing procedures can be classified into three categories:
- Auditing around the computer: verifying processing by checking for known outputs using specific inputs.
- Auditing through the computer: inputs, outputs, and processing are checked.
- Auditing with the computer: using a combination of client data, auditor software, and client and auditor hardware.

24 Disaster Recovery Plan
- A disaster recovery plan is essential to any security system.
- Here are some key thoughts about disaster recovery by Knoll (1986):
  - The purpose of a recovery plan is to keep the business running after a disaster occurs.
  - Recovery planning is part of asset protection.
  - Planning should focus first on recovery from a total loss of all capabilities.
  - Proof of capability usually involves some kind of what-if analysis that shows that the recovery plan is current.
  - All critical applications must be identified and their recovery procedures addressed in the plan.

25 Backup Location
- In the event of a major disaster, it is often necessary to move a centralized computing facility to a far-away backup location.
- External hot-site vendors provide access to a fully configured backup data center. For example, when an earthquake hit San Francisco in 1989, Charles Schwab & Co. was ready. Within a few minutes, the company's disaster plan was activated. Programmers, engineers, and backup computer tapes were flown to New Jersey, where Comdisco Disaster Recovery Service provided a hot site.

26 Case: Disaster Planning at Reuters
Problem:
- Reuters is a multinational information-delivery corporation.
- If Reuters' information system were to fail outright, it would take more than 15 brokerage houses with it. The costs, not to mention the legal ramifications, would be tremendous.
Solution:
- Reuters implemented an Internet disaster recovery plan with SunGard Corp.
- The company now operates 3 redundant Web sites in different locations from coast to coast.
- If all 3 were to fail, a hot site would be used to ensure continuous operation.

27 Risk Management

28 Risk Management
- A risk-management approach helps identify threats and select cost-effective security measures.
- Risk-management analysis can be enhanced by the use of DSS software packages. Calculations can be used to compare the expected loss with the cost of preventing it.
- A business continuity plan outlines the process by which businesses should recover from a major disaster.
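The expected-loss-versus-prevention-cost comparison mentioned above, as an added example that is not the book's own method or any DSS package: each threat's expected annual loss (loss per incident times expected incidents per year, a commonly used risk formula) is reduced by the fraction of incidents a control prevents, and a control is kept only if the loss it avoids exceeds its annual cost. All threat, control and cost figures are constructed.

```python
"""Cost-effectiveness check for candidate security measures.

Added example (not from the chapter): compares each threat's expected
annual loss with and without a control against the control's annual cost.
The expected-loss formula (loss per incident x incidents per year) is a
commonly used risk calculation; all figures below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    loss_per_incident: float    # currency units per occurrence
    incidents_per_year: float   # expected frequency


@dataclass(frozen=True)
class Control:
    name: str
    threat: str                 # name of the threat the control addresses
    annual_cost: float
    frequency_reduction: float  # fraction of incidents prevented, 0..1


def expected_annual_loss(t: Threat) -> float:
    """Expected loss per year if nothing is done about the threat."""
    return t.loss_per_incident * t.incidents_per_year


def net_benefit(t: Threat, c: Control) -> float:
    """Loss avoided per year by the control minus its annual cost."""
    avoided = expected_annual_loss(t) * c.frequency_reduction
    return avoided - c.annual_cost


def cost_effective_controls(threats, controls):
    """Controls whose avoided loss exceeds their cost, highest net benefit first."""
    by_name = {t.name: t for t in threats}
    scored = [(net_benefit(by_name[c.threat], c), c) for c in controls]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return [c for benefit, c in scored if benefit > 0]


# Constructed figures, chosen so one control fails the comparison.
THREATS = [
    Threat("denial of service", loss_per_incident=200_000, incidents_per_year=0.5),
    Threat("data tampering", loss_per_incident=50_000, incidents_per_year=2.0),
    Threat("site outage", loss_per_incident=40_000, incidents_per_year=0.25),
]
CONTROLS = [
    Control("traffic filtering", "denial of service", 40_000, 0.75),
    Control("input/processing controls", "data tampering", 30_000, 0.5),
    Control("external hot site", "site outage", 25_000, 1.0),
]

if __name__ == "__main__":
    for c in CONTROLS:
        t = next(t for t in THREATS if t.name == c.threat)
        print(f"{c.name:28s} net benefit/year: {net_benefit(t, c):>10,.0f}")
    print("worth funding:", [c.name for c in cost_effective_controls(THREATS, CONTROLS)])
```

On these figures the hot site costs more per year than the outage loss it avoids, which is the kind of result a manager would weigh against non-quantified factors such as legal exposure before rejecting the measure.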

29 IT Security in the 21st Century
- Increasing the reliability of systems. The objective relating to reliability is to use fault tolerance to keep the information systems working, even if some parts fail.
- Intelligent systems for early detection. Detecting an intrusion at its beginning is extremely important, especially for classified information and financial data.
- Intelligent systems in auditing. Intelligent systems are used to enhance the task of IS auditing.

30 IT Security in the 21st Century (cont.)
- Artificial intelligence in biometrics. Expert systems, neural computing, voice recognition, and fuzzy logic can be used to enhance the capabilities of several biometric systems.
- Expert systems for diagnosis, prognosis, and disaster planning. Expert systems can be used to diagnose troubles in computer systems and to suggest solutions.
- Smart cards. Smart card technology can be used to protect PCs on LANs.
- Fighting hackers. Several new products are available for fighting hackers.

31 Case: The Euro Conversion
Some major IT issues involved in the Euro conversion are:
- Time and cost estimates are difficult.
- The decision on a conversion date was delegated to individual companies, and it varies.
- Legal requirements force organizations to keep accounting data in their original form. This will create problems for comparisons over time.
- It is necessary to convert the code and the existing applications that involve currencies.
- It is necessary to change all the data and data files in the organizations' databases.

32 Case: The Euro Conversion (cont.)
To execute the conversion properly, a CIO must address the following:
- Coordinate the execution with the business side of the enterprise, creating a joint team with members of the ISD and other functional units.
- Outsourcing some of the tasks is advisable.
- Business impact analysis should be done first.
- Both business and IT strategies for the conversion must be done, coordinated, and assessed periodically.
- A proper project management process must be conducted.
- A proper testing program must be prepared and properly implemented.
- A deployment strategy for the conversion should be determined.

33 Managerial Issues
- To whom should the ISD report?
- Who needs a CIO?
- End-users are friends, not enemies, of the IS department.
- Ethical issues.

34 Managerial Issues (cont.)
- Responsibilities for security should be assigned in all areas.
- Security awareness programs are important for any organization, especially if it is heavily dependent on IT.
- Auditing information systems should be institutionalized into the organizational culture.
- Organizing the ISD in a multinational corporation is a complex issue.