Lecture 5 Part 1 - Security

Part 1 - Security: IS security definitions and issues

Security
An organization may be required, by its own policy or by law, to have an information security program in place. A security program is also put in place to address identified problems or risks.

Security
The goal of a security program is to provide assurance that:
- information and systems are available in a timely and reliable way
- the confidentiality of data is preserved
- the integrity of data is safeguarded

Those Involved with Security
- Executives authorize plans, ensure security and privacy protections are integrated, and accept risks to information systems in the organization.
- Managers (information owners) develop requirements, assess information sensitivity and privacy needs, develop security plans and work with IT and security staff on monitoring.
- IT staff provide, document and monitor technical security controls and are considered the owners of the information systems infrastructure.

Those Involved with Security (continued)
- Security staff manage the security program, assess risks, consult on and review the security plan and privacy impact assessments (as documents), and manage monitoring and compliance reporting.
- Auditors review security programs and systems for compliance with organizational policy or legal requirements.
- Supervisors ensure staff comply with security and privacy training and awareness requirements.

A Security Program Combines People, Processes and Technology

Security Controls
A security control is a specific action or procedure put in place to protect the confidentiality, integrity and availability of information and systems. Catalogues of security controls are published as standards; for example ISO/IEC 17799, the International Organization for Standardization's code of practice for information security management (since renumbered as ISO/IEC 27002).

Security Controls
- Management controls: focus on the management of the computer security system and the management of risk for a system.
- Operational controls: focus on mechanisms that are primarily implemented and executed by people (as opposed to systems).
- Technical controls: focus on security controls that the computer system itself executes.

Security Types
Three types of control:
- Physical controls
- Administrative controls
- Computational controls

Physical Controls
Physical security: these controls ensure that hardware is secure and detect equipment malfunction. They cover access to hardware, for example restricting access to the computer room to operations personnel, and the taking of backup copies of files in case of accidents. Hardware controls should also take account of fire and environmental hazards.

Administrative Controls
Administrative disciplines, standards and procedures: these controls are formalized standards, rules, procedures and control disciplines that ensure the organization's other controls are properly executed and enforced. Examples are:
- segregation of functions
- written policies and procedures
- supervision

Administrative Controls Controls over the system implementation process Implementation controls audit the system development process at various points in time to ensure that the project in hand is being properly controlled and managed. An example of such a control is a 'sign-off' at the end of each stage of the development process where a developer offers a section of the project to a user or manager to sign off, thereby documenting their approval of the development stage offered.

Administrative Controls Computer operations controls These controls apply to the work of the computer department and help to ensure that programmed procedures are consistently and correctly applied to the storage and retrieval of data. They include, for example, controls over set-up, operations software, computer operations and backup and recovery procedures.

Computational Controls Software controls These controls monitor the use of system software and prevent unauthorized access to software programs. System software controls govern the software for the operating system. Program security controls are used to prevent unauthorized changes to programs on the system.
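A program security control in code, as an added example that is not part of the lecture: a keyed integrity manifest over program files. The file paths and contents below are constructed sample data held in a dictionary so the example runs offline; in practice they would be read from the protected program directory at baseline time and again at each check. The manifest uses HMAC-SHA256 with a key assumed to be kept off the monitored host, so an intruder who can rewrite a program cannot also rewrite the manifest to match, which a plain unkeyed hash list would allow.

```python
import hashlib
import hmac

# Constructed sample "program files" (path -> contents). In a real deployment
# these would be read from the protected program directory.
BASELINE_FILES = {
    "bin/payroll": b"#!/bin/sh\nexec /opt/payroll/run --mode=batch\n",
    "lib/rates.so": b"\x7fELF-constructed-placeholder-bytes",
    "etc/payroll.conf": b"rate_table=/etc/payroll/rates.csv\n",
}

# Assumption: the manifest key is stored away from the monitored system
# (e.g. with the security team), so a tamperer cannot recompute digests.
MANIFEST_KEY = b"example-manifest-key-keep-off-the-host"


def file_digest(key: bytes, data: bytes) -> str:
    """Keyed digest of one file's contents (HMAC-SHA256, hex encoded)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_manifest(files: dict, key: bytes) -> dict:
    """Record the baseline: one keyed digest per approved program file."""
    return {path: file_digest(key, data) for path, data in files.items()}


def verify_manifest(manifest: dict, files: dict, key: bytes) -> dict:
    """Compare the current files against the baseline manifest.

    Reports files whose contents changed, approved files that disappeared,
    and files present on the system that were never approved.
    """
    findings = {"modified": [], "missing": [], "unexpected": []}
    for path, expected in manifest.items():
        if path not in files:
            findings["missing"].append(path)
            continue
        actual = file_digest(key, files[path])
        # constant-time comparison avoids leaking digest prefixes via timing
        if not hmac.compare_digest(actual, expected):
            findings["modified"].append(path)
    for path in files:
        if path not in manifest:
            findings["unexpected"].append(path)
    for bucket in findings.values():
        bucket.sort()
    return findings


def is_clean(findings: dict) -> bool:
    """True when no category of finding has any entries."""
    return not any(findings.values())


def tampered_files() -> dict:
    """Constructed 'after the intrusion' view: one program replaced, one
    approved library deleted, one unapproved binary dropped in."""
    files = dict(BASELINE_FILES)
    files["bin/payroll"] = b"#!/bin/sh\nexec /tmp/.x/backdoor; exec /opt/payroll/run --mode=batch\n"
    del files["lib/rates.so"]
    files["bin/.helper"] = b"\x7fELF-constructed-unapproved-binary"
    return files


def forged_manifest_detected() -> bool:
    """Shows why the key matters: a tamperer who rebuilds the manifest with
    a guessed key still fails verification under the real key."""
    forged = build_manifest(tampered_files(), b"guessed-key")
    return not is_clean(verify_manifest(forged, tampered_files(), MANIFEST_KEY))


if __name__ == "__main__":
    manifest = build_manifest(BASELINE_FILES, MANIFEST_KEY)
    print("baseline clean:", is_clean(verify_manifest(manifest, BASELINE_FILES, MANIFEST_KEY)))
    print("after tampering:", verify_manifest(manifest, tampered_files(), MANIFEST_KEY))
```

The check is only as strong as the baseline: the manifest must be built from a known-good copy of the programs, and the key must not live on the same host as the files it protects, otherwise an intruder with write access can simply regenerate it.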

Computational Controls
Internal system security: validation and verification checks on input data, authorization procedures for some types of input data, an audit trail of file changes and the use of control totals. It may also be necessary to include encryption of data held on files, multi-level password systems (including the use of magnetic keys or voice-recognition access) and the logging of the identity and access time of each user on the system.

Computational Controls
Data security controls: these ensure that data files on disk or tape are not subject to unauthorized access, change or destruction. They are needed both while the data is in use (active) and while it is held in storage.

Computational Controls
Application controls are specific controls within each computer application. Their objectives are:
- completeness of input
- accuracy of input
- validity of data
- maintenance (data held on files continues to be correct and current)

Computational Controls
Application controls usually fall into one of three categories:
- input controls
- processing controls
- output controls
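The controls named in the last three slides (validation checks and control totals under internal system security; completeness, accuracy and validity of input; input, processing and output controls) in working form, as an added example that is not part of the lecture. The batch format (a header record carrying the record count and hash total the sender computed, followed by detail records) and the account master file are constructed for the example. Input controls test each record for completeness, accuracy and validity; processing controls re-derive the control totals and compare them with the header; output controls write an audit trail line for every record and for the batch decision.

```python
import csv
import io
import re
from decimal import Decimal, InvalidOperation

# Constructed account master file: the set of accounts that may be posted to.
VALID_ACCOUNTS = {"ACC-0001", "ACC-0002", "ACC-0003"}
ACCOUNT_FORMAT = re.compile(r"^ACC-\d{4}$")

# Constructed batches. Header: H,<record count>,<hash total of amounts>.
# Detail: D,<account>,<amount>,<reference>.
CLEAN_BATCH = """\
H,2,1250.00
D,ACC-0001,500.00,Invoice 17
D,ACC-0002,750.00,Invoice 18
"""

# Same sender, but a record with a bad account and a non-numeric amount
# slipped in, and the header total no longer agrees with what can be posted.
BAD_BATCH = """\
H,3,1750.00
D,ACC-0001,500.00,Invoice 17
D,ACC-0002,750.00,Invoice 18
D,ACC-9999,abc,Invoice 19
"""


def validate_record(fields: list) -> list:
    """Input controls for one detail record. Returns the list of failures."""
    errors = []
    # completeness: right number of fields, mandatory ones non-blank
    if len(fields) != 4 or any(not f.strip() for f in fields[:3]):
        return ["incomplete record"]
    _, account, amount, _ = fields
    # validity: account must be well formed and exist on the master file
    if not ACCOUNT_FORMAT.match(account):
        errors.append("account format")
    elif account not in VALID_ACCOUNTS:
        errors.append("unknown account")
    # accuracy: finite, positive amount with at most two decimal places
    try:
        value = Decimal(amount)
        if not value.is_finite() or value <= 0 or value.as_tuple().exponent < -2:
            errors.append("amount out of range or precision")
    except InvalidOperation:
        errors.append("amount not numeric")
    return errors


def process_batch(text: str) -> dict:
    """Run input, processing and output controls over one batch."""
    rows = list(csv.reader(io.StringIO(text)))
    header, details = rows[0], rows[1:]
    expected_count, expected_total = int(header[1]), Decimal(header[2])
    audit, accepted_amounts = [], []
    for seq, fields in enumerate(details, start=1):
        errors = validate_record(fields)
        if errors:  # output control: every decision leaves an audit trail line
            audit.append(f"seq={seq} REJECT reasons={';'.join(errors)}")
        else:
            accepted_amounts.append(Decimal(fields[2]))
            audit.append(f"seq={seq} ACCEPT account={fields[1]} amount={fields[2]}")
    # processing controls: re-derive the control totals and compare with header
    count_ok = len(details) == expected_count
    total_ok = sum(accepted_amounts, Decimal("0")) == expected_total
    rejected = len(details) - len(accepted_amounts)
    # all-or-nothing: the batch posts only if every record passed and totals agree
    posted = count_ok and total_ok and rejected == 0
    audit.append(f"batch count_ok={count_ok} total_ok={total_ok} "
                 f"rejected={rejected} posted={posted}")
    return {"posted": posted, "accepted": len(accepted_amounts), "rejected": rejected,
            "count_ok": count_ok, "total_ok": total_ok, "audit": audit}


if __name__ == "__main__":
    for name, batch in (("clean", CLEAN_BATCH), ("bad", BAD_BATCH)):
        result = process_batch(batch)
        print(name, "posted:", result["posted"])
        for line in result["audit"]:
            print("  ", line)
```

Amounts are handled as Decimal rather than float so that the hash total is exact; a float sum of many two-decimal amounts can drift and produce a false control-total mismatch (or, worse, mask a real one).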

Audits
Auditing information systems: an information system audit identifies all of the controls that govern individual information systems and assesses their effectiveness.

Audits For this the auditor must make value judgements about operations, physical facilities, telecommunications, control systems, data security objectives, organizational structure, personnel, manual procedures and individual applications.

Audits
The audit consists of collecting and analyzing the details of an information system: user and system documentation, sample inputs, sample outputs, documentation on integrity controls (to compare against observed behaviour) and any other evidence that indicates how the system is actually being used.

Issues and Considerations of Security Management
The areas a security management program must address (these match the control families of NIST SP 800-53):
- Access control
- Awareness and training
- Audit and accountability
- Certification, accreditation, and security assessments
- Configuration management
- Contingency planning
- Identification and authentication
- Incident response
- Maintenance
- Media protection
- Physical and environmental protection
- Planning
- Personnel security
- Risk assessment
- System and services acquisition
- System and communications protection
- System and information integrity

Security During the Life Cycle Security is less expensive if it is planned and implemented from the start; it is more costly to add security features to a system after it has been designed. If not addressed in the initial phases, security controls added at the last minute can diminish performance and delay implementation.

Risks
Risk management is the total process of identifying, controlling, and minimizing the impact of uncertain events on an information resource. The risk management process can be broken down into three main areas:
- Risk assessment
- Risk mitigation
- On-going evaluation

Risks
Examples of types of vulnerabilities include:
- Poorly communicated or implemented policy
- Poorly trained personnel
- Misconfigured systems or controls
- Poorly designed and implemented commercial off-the-shelf (COTS) or custom components
- Lack of access controls
- Lack of physical controls
- Lack of a visitor policy

Consequences
The consequences of ignoring risk, or of having inadequate security, may include:
- Loss of data
- Disclosure of sensitive information
- Disruption or denial of service
- Loss of competitive edge
- Monetary loss
- Damage to reputation or public trust
- Lawsuits
- Death (in extreme cases)

Management Responsibilities for Risk
- Document the criticality and sensitivity of the information in the risk assessment
- Define and document the appropriate controls needed to mitigate the risk
- Use the appropriate security requirements
- Develop Plans of Action and Milestones to mitigate risks
- Monitor and reassess risks, security and related policy regularly

Steps for Managers to Take
Step 1: Develop a policy statement
Step 2: Conduct a Business Impact Assessment
Step 3: Identify preventive controls
Step 4: Develop recovery strategies
Step 5: Develop IT contingency plans
Step 6: Conduct plan testing, training and exercises for staff
Step 7: Maintain the plan

Part 2 - IS and the Legal System

Information Systems Management and the Law
The law is the set of rules that can be enforced in a court. Laws apply within a jurisdiction, and different jurisdictions have different sets of laws.

What is Regulation?
Regulation of technology is often associated with data protection legislation (the Data Protection Act) and trading acts. Beyond statute, much of the regulation of information systems comes from the individual contracts that organizations enter into.

What is Compliance?
Where regulations exist, whether in law or in company policy, compliance is the observance of the official requirements of those regulations. The act or process of complying with a demand or recommendation that arises from regulation is usually a task for a member of management.

Legal Issues
The laws associated with information technology have many aspects. Commonly discussed legal issues related to information systems or IT are:
- Contracts
- Outsourcing
- Software licensing
- Data protection
- Acceptable use
- Intellectual property rights
- Computer fraud
- Taxation

Contracts
Contracts are legal documents defining the legal implications of buying, selling or otherwise becoming involved with products and services, in this MIS context hardware and software systems and the issues surrounding them. Contracts can take many forms; what follows is a general, basic description of a contract.

Contracts
The structure of a contract in our context is, generally:
- The date on which the contract was entered into
- The names and addresses of those entering the contract
- A description of what the contract is about, under a title such as 'Background' or 'Whereas'
- Definitions of terms used in the contract
- Provisions made by one party (e.g. the supplier)
- What must be paid to the provider (supplier)

Hardware Procurement Contract
The details of a hardware procurement contract might include:
- A description of the hardware
- A warranty for the quality of the hardware
- Delivery dates
- Price
- Acceptance testing (description)
- Future maintenance (description)
- Training

Software Procurement Contract
Software purchase is much more complex in terms of contract design. The software may be developed specifically for the organization or be bought ready-made, 'off the shelf'.

Software Procurement Contract
The contract must cover what type of software will be provided, what the software is required to do, whether maintenance is part of the deal, what provision is made if the supplier ceases trading, and many other legal aspects of 'keeping the software working'.

A Contract for Outsourcing
It is difficult to specify a typical contract for product or service outsourcing, but, very generally, a contract for software services may contain:
- The statement of requirements
- The technical solution
- An output specification

A Contract for Outsourcing
As with hardware, software and services procurement, outsourcing often has a special contract applied to it called a Service Level Agreement (SLA). An SLA often sets out:
- Service levels to be achieved
- Targets for service levels
- Mechanisms for monitoring and reporting service levels against those targets
- Consequences of failure to meet targets

Software Licensing
Software licensing can be viewed as another form of contract. A licence should confirm that the software supplier owns the copyright in the software or has the right to license it to the organization. Usually the software supplier is not selling ownership of the software to the organization but permission to use it under the terms of the licence. This leaves the supplier free to license copies of the software to other people or organizations.

Software Licensing
Usually a contract is drawn up, called the licence agreement, since the licence is really a legal agreement between the software supplier and a client. There are variations in such agreements: is the licence restricted to one office, one department or one organization, or can the software be lent to 'sister' companies?

Software Licensing (continued)
- Is there a user restriction? Does the agreement allow up to, say, 20 users? Do extra users require individual licences or another group licence?
- Are there time constraints? One year? Two years?
- Are there any other restrictions?

Data Protection
An organization processing data must ensure that the processing is lawful. The data must have been obtained fairly and lawfully. When obtaining data from a third party you must inform the data subject that you hold data about them, why you are using the data and how you will use it.

Data Protection
Personal data must be:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate
- Not kept longer than necessary
- Processed in accordance with the data subject's rights
- Secure
- Not transferred to countries without adequate protection

Acceptable Use Employees use computers for their information work – they may also use their employer’s computers for personal matters, such as booking a cheap flight, buying books and gifts and sending e-mails to friends and family.

Acceptable Use
Misuse might be seen as an excessive waste of staff time and resources; actions exposing the organization to claims for discrimination, harassment or defamation; or worse, a failure to include required information that results in criminal liability. On the employer's side, health and safety requirements for screens and other computer equipment must be met.

Acceptable Use Usage policies Computer usage policies are very often established because employers can be held responsible for wrongful actions carried out by employees in the course of their employment.

Acceptable Use
Common usage problems are:
- Racial harassment
- Sexual harassment
- Downloading pornography
- Defamation of management, customers or competitors
- Breach of confidence
- Copyright infringement
- Hacking (into systems)
- Breaches of the Data Protection Act

Intellectual Property Rights
Intellectual property rights are the laws that, in the current context of information systems in organizations, underpin software licensing. Types of intellectual property:
- Patents
- Design rights
- Copyright
- Database right
- Trade marks

Computer Fraud
Many Management Information Systems service providers consider the responsibility for preventing computer fraud to belong to the client organization itself. Corporate governance is the term for the idea that an organization 'watches out' for computer fraud as part of how it is directed and controlled.

Taxation E-commerce means that organizations can trade across borders. There is a Communications Regulations Bill 2007, which may amend the state law on e-commerce.

Taxation
Issues for taxation in e-commerce include:
- Identification of a transaction
- Identification of the parties to a transaction
- Verification of the details of the transaction
- Application of the correct taxing rules and remittance to the taxing authority
- Generation of an audit trail
Generally, it is the tax laws of the supplier's country that apply.

Part 3 - Human-Computer Interface: Interacting with Computers

Interacting with Computers What we are looking at with this topic, largely, is Human-Computer Interaction or, in a narrower field, GUIs (Graphical User Interfaces).

Interacting with Computers Interacting with computers is improved by ‘good usability’. A computer system has usability – whether it is easily usable or difficult to use is measurable. Usability, like many features of systems, can be ‘designed in’…

Design Principles for Usability
Principles for good design of this sort include:
- Early focus on the users
- Iterative design
- Integrative design (help for users, training, documentation, etc. developed in parallel with the technical design)

Usability Early focus on users Bring the design team into direct contact with the users right from the start. Get the user involved so they can instill their knowledge into the design process.

Usability
- Collect the users' thoughts (interviews, questionnaires, ...)
- Collect the users' mistakes
- Collect the users' attitudes

Usability
Iterative design:
- Set goals for the system
- Get feedback from evaluation
- Incorporate the results from the tests into the next prototype

Usability
Evaluation criteria:
- easy to use
- user friendly
- easy to operate
- simple
- responsive
- flexible

Usability Integrated design Build the online help, prepare training, documentation AND process modules (coded programs) at the same time.

Usability Definitions
Usability is task related, people related and function related. It has cognitive, behavioral and communicative components. To be truly usable a system must be compatible not only with the characteristics of human perception and action but, most critically, with users' cognitive skills in communication, understanding, memory and problem solving.

Usability Definitions
Designing a usable system requires an understanding of:
- the intended users
- the amount of time they expect to use the system
- how their needs change as they gain experience

Usability Design Early focus on the user What: understand the users’ cognition, behavior and attitude in relation to the goals of the organization How: interviews, observations, discussions, working with the users.

Usability Design
Iterative design. What: the problems encountered are corrected and measured again. How: an evolving system, through prototyping.
Integrated design. What: parallel development of the interface, help, documentation, training and measurement.

Measurable Human Factors
Goals for usability:
- Time needed to learn: how long does it take typical users to learn to use the commands relevant to a set of tasks?
- Speed of performance: how long does it take to carry out the benchmark set of tasks?
- Rate of errors by users: how many and what kinds of errors are made in carrying out the benchmark set of tasks?

Measurable Human Factors (continued)
- Subjective satisfaction: how much did the users like using aspects of the system?
- Retention over time: how well do users maintain their knowledge?

Cognitive Engineering
Learning is a relatively permanent change in behavior resulting from conditions of practice. Human learning is then the association of one item with another (associative learning): pairs of stimuli are introduced, a mental association is made between them, and the stimuli become interrelated. Future learning can then build upon past learning (constructivism): people develop new cognitive structures by relating them, through metaphor, to cognitive structures they have already learned.

Cognitive Engineering
The metaphor is a model, structure or conceptual framework that helps bridge the gap between what the person (user) knows and what is to be learned. The metaphors users spontaneously generate predict the ease with which they can master a computer system. If this is indeed the case, then system designers must understand and employ metaphors in their designs.

Cognitive Engineering
Eight recommendations to aid both the user and the designer in building effective systems:
1. Find and use appropriate metaphors in teaching the naive user a computer system. A metaphor must have a suitable domain for a given system and a given user population.
2. Given a choice between two metaphors, choose the one most like the way the system works.
3. Ensure that the correct attitude is presented. The costs of ignoring this recommendation range from user dissatisfaction and reduced productivity to sabotage.

Cognitive Engineering
4. When more than one metaphor is needed to represent a system, choose metaphors that are similar enough to each other, but not so similar that confusion results.
5. Consider the probable consequences to users and system designers of each metaphor used. This is the evolving state from novice to user. Two paths are possible: one leading directly to the system, the other to a new metaphor.
6. The limits of the metaphor should be pointed out to the user.

Cognitive Engineering
7. The intent of the metaphor at the beginning is to aid understanding and usability; for the continuing user it is no longer necessary. The metaphor is also used as a motivator: at first to get users to use the system, then to make them productive and keep their interest.
8. Provide the user with an engaging metaphor for routine work and eventually present the user with advanced scenarios requiring different action.

Cognitive Engineering
Learning is a relatively permanent change in behavior resulting from elaboration, association, practice and rehearsal. A metaphor is a mental model, structure or framework that helps bridge the gap between what a person knows and what they are attempting to learn.

Cognitive Engineering
Goals:
- To understand the fundamental principles of human action and performance relevant to the principles of system design.
- To devise physical systems that are pleasant to use.
Psychological variables: goals, intentions and attitudes. Physical variables: those that pertain to the system.

Human-Computer Dialogue Computer based systems should be easy to learn and remember, effective, and pleasant to use. These are testable usability behavioral measures.

Cognitive Engineering
Nine basic categories of usability problems:
1. Simple and natural dialogue: the dialogue should be simple and clearly stated. It should not contain irrelevant information, and the information should appear in a natural and logical order.
2. Speak the user's language: the dialogue should be expressed in terminology familiar to the user rather than in system-oriented terms.
3. Minimize the user's memory load: instructions should be visible, easily retrievable and simplified. Presentation load should be reduced whenever possible (e.g. users should not have to remember file names when they can be retrieved).
4. Be consistent: terminology and concepts should always be used in the same manner.

Cognitive Engineering
5. Provide feedback: the system should report what is happening within a reasonable time.
6. Provide clearly marked exits: so that the user can recover from mistakes.
7. Provide shortcuts: flexibility for both novice and expert; menus for the novice and commands for the expert.
8. Provide good error messages: they should be constructive and give the user meaningful suggestions about what to do next.
9. Error prevention: careful design that prevents errors from occurring in the first place.

Cognitive Engineering
Conclusion: identifying specific and potential usability problems in a human-computer dialogue design is difficult. Usability goals should be defined and incorporated into the design. Designers may have difficulty applying design principles unless they have simple, basic requirements for the design product.

End of Lecture 5