Chapter 13: Data Security & Disaster Recovery Database Management Systems.


2 Agenda
- Data security threat locations & consequences
- Data Security Management: Controls
- Data Security Plan
- Information Privacy
- Security in MS Access & SQL Server
- Global state of data security (PwC survey)
- Database back-up & recovery
Virginia ILIE, Ph.D.

3 Data Security
What is happening?
- Stolen customer/student/health records
- Online fraud
- Corporate espionage
- Phishing... viruses... how long can this list get?
FBI report: 3,000 clandestine organizations in the US with a sole purpose: steal secrets and acquire technology for foreign organizations.

4 Data Security: Threat Locations

5 Data Security: Consequences
- Loss of privacy (personal data)
- Loss of confidentiality (corporate data)
- Loss of data integrity
- Loss of availability
- Loss of money
- Above all: loss of credibility and reputation...

6 Data Security Controls: Authorization
- Restrict access to data and the actions that people can take on the data.
- Authorization table for subjects (e.g. "Salespeople")
- Authorization table for objects (e.g. "Orders")
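The two authorization tables on this slide are one set of access rules indexed two ways. The following added example (not from the slides) builds both views from the same rule list, applies a default-deny check, and renders the rules as the SQL GRANT statements a DBMS would need; "Salespeople" and "Orders" echo the slide, the other roles, tables and actions are constructed.

```python
"""Authorization matrix: the same access rules viewed per subject and per object.

Added example, not from the slides. Subjects, objects and actions are
constructed sample values.
"""
from collections import defaultdict

# Constructed sample rules: (subject, object, allowed actions).
RULES = [
    ("Salespeople", "Orders",    {"SELECT", "INSERT"}),
    ("Salespeople", "Customers", {"SELECT"}),
    ("Accounting",  "Orders",    {"SELECT"}),
    ("Accounting",  "Invoices",  {"SELECT", "INSERT", "UPDATE"}),
    ("DBA",         "Orders",    {"SELECT", "INSERT", "UPDATE", "DELETE"}),
]


def subject_table(rules):
    """Authorization table for subjects: subject -> {object: actions}."""
    table = defaultdict(dict)
    for subject, obj, actions in rules:
        table[subject][obj] = set(actions)
    return dict(table)


def object_table(rules):
    """Authorization table for objects: object -> {subject: actions}.

    Same rules, indexed the other way round: the view used to answer
    "who can touch Orders?".
    """
    table = defaultdict(dict)
    for subject, obj, actions in rules:
        table[obj][subject] = set(actions)
    return dict(table)


def is_authorized(rules, subject, obj, action):
    """Default deny: an action is allowed only if a rule grants it explicitly."""
    return any(
        s == subject and o == obj and action in actions
        for s, o, actions in rules
    )


def grant_statements(rules):
    """Render the matrix as the equivalent SQL GRANT statements.

    Shows how such a table maps onto DBMS permissions; names are the
    constructed ones above.
    """
    return [
        f"GRANT {', '.join(sorted(actions))} ON {obj} TO {subject};"
        for subject, obj, actions in rules
    ]


if __name__ == "__main__":
    print(object_table(RULES)["Orders"])
    print(is_authorized(RULES, "Salespeople", "Orders", "DELETE"))  # False
    for stmt in grant_statements(RULES):
        print(stmt)
```

Whatever the DBMS, the point to check is the default: anything not listed in a rule is denied, so a missing row is a denial rather than an accident.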

7 Data Security Controls: Authentication
What is authentication?
- First line of defense: passwords.
- Two-factor authentication, e.g. token/card plus PIN.
- Three-factor authentication, e.g. token/card, PIN and biometrics.
Advantages and disadvantages of each?
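To make the "password plus token" factor pairing concrete, here is an added example (not from the slides) that verifies a salted PBKDF2 password hash (something you know) and an HOTP one-time code of the kind a hardware token produces (something you have), and only accepts a login when both pass. The HOTP step follows RFC 4226; the user record, password and token secret are constructed values (the secret is the RFC's published test key).

```python
"""Two-factor check: PBKDF2-hashed password plus an HOTP token code.

Added example, not from the slides. HOTP follows RFC 4226; the user record
and token secret are constructed sample values.
"""
import hashlib
import hmac
import os
import struct

ITERATIONS = 200_000


# --- factor 1: password, stored only as a salted PBKDF2 hash --------------
def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


# --- factor 2: HOTP token (RFC 4226) ---------------------------------------
def hotp(secret, counter, digits=6):
    """HMAC-SHA1 over the 8-byte counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_hotp(secret, counter, code, window=3):
    """Accept a code from the next `window` counters (the token may have been
    pressed without a login). Returns the new counter, or None on failure."""
    for c in range(counter, counter + window):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


# --- combining both factors ------------------------------------------------
def authenticate(user, password, code):
    """Both factors must pass; a correct password alone is not enough."""
    if not verify_password(password, user["salt"], user["pw_hash"]):
        return False
    new_counter = verify_hotp(user["token_secret"], user["counter"], code)
    if new_counter is None:
        return False
    user["counter"] = new_counter  # advance: the same code cannot be replayed
    return True


# Constructed sample user; the token secret is the RFC 4226 test key.
SECRET = b"12345678901234567890"
SALT, PW_HASH = hash_password("correct horse", salt=b"\x00" * 16)
USER = {"salt": SALT, "pw_hash": PW_HASH, "token_secret": SECRET, "counter": 0}

if __name__ == "__main__":
    print(hotp(SECRET, 0))                                        # 755224
    print(authenticate(USER, "correct horse", hotp(SECRET, 0)))   # True
    print(authenticate(USER, "correct horse", hotp(SECRET, 0)))   # False: replay
```

The counter advance after a successful login is what turns the token into a second factor rather than a second password: a captured code is useless once it has been used.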

8 Data Security Controls: Encryption
- The encoding of the data by a special algorithm that renders the data unreadable by any program without the decryption key.
- Commonly used in online transactions.
- Two-key encryption: employs a public key and a private key.
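The "two-key" idea is easiest to see with textbook RSA, so the following added example (not from the slides) generates a public/private pair from two small primes, encrypts with the public key and shows that only the private key recovers the data. The primes are tiny and there is no padding: this illustrates the key-pair concept, not a cipher anyone should deploy.

```python
"""Two-key (public/private) encryption, illustrated with textbook RSA.

Added example, not from the slides. Tiny primes, no padding: this shows the
idea of a key pair (anyone may encrypt with the public key; only the private
key decrypts), not a usable cipher.
"""
from math import gcd


def make_keypair(p, q, e=65537):
    """Return (public, private) keys from two primes. Assumes p and q are prime."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public, message_int):
    n, e = public
    if not 0 <= message_int < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(message_int, e, n)


def decrypt(private, ciphertext):
    n, d = private
    return pow(ciphertext, d, n)


def encrypt_text(public, text):
    """Encrypt one byte at a time (fine for the demo, never for real data)."""
    return [encrypt(public, b) for b in text.encode()]


def decrypt_text(private, blocks):
    return bytes(decrypt(private, c) for c in blocks).decode()


if __name__ == "__main__":
    pub, priv = make_keypair(61, 53)       # constructed demo primes
    blocks = encrypt_text(pub, "Orders")
    print(blocks)
    print(decrypt_text(priv, blocks))      # Orders
    print(decrypt(pub, blocks[0]) == ord("O"))  # False: public key cannot decrypt
```

The asymmetry is the whole point: the public key can be handed to every customer in an online transaction, while the private key never leaves the server.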

9 Data Security Controls: Non-Computer-Based Controls
- Physical access controls
  - Equipment locking, check-out procedures, security cameras
- Personnel controls
  - The "insider threat"
  - 84% of attacks originate from current/former employees (40% originate from hackers). Source: CIO Magazine.
- Maintenance controls
  - Maintenance agreements, access to source code, quality and availability standards

10 Client/Server Security
- Network security controls
- Server security controls
- Client workstation security controls

11 Data Security Plan
- Identify assets and estimate their value: hardware, software, data, networks
- Threat assessment
- Vulnerability assessment
- Calculate the impact of each threat/vulnerability on each asset (qualitatively or quantitatively)
- Select and apply appropriate controls based on the value of the asset:
  - Computer-based controls
  - Non-computer-based controls
- Evaluate the effectiveness of the control measures

12 Data Security Plan: Outcomes
Managerial decisions:
- Accept the risk
- Mitigate the risk
- Ignore the risk
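Slides 11 and 12 describe one procedure: value the assets, rate threats and vulnerabilities, compute impact, choose controls, decide. The following added example (not from the slides) runs that procedure quantitatively using annualized loss expectancy (ALE = asset value x exposure factor x annual rate of occurrence), which is an assumed measure the slides do not name; the assets, threats, controls and all figures are constructed. A control is worth applying when its annual cost is below the loss it removes; otherwise the residual risk is accepted.

```python
"""A quantitative pass through the data security plan on the slides.

Added example, not from the slides. Uses annualized loss expectancy
(ALE = value * exposure factor * ARO) as the impact measure; assets,
threats, controls and figures are constructed.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float            # replacement / liability value in currency units


@dataclass
class Threat:
    name: str
    exposure_factor: float  # fraction of the asset value lost per occurrence
    aro: float              # expected occurrences per year (likelihood)


@dataclass
class Control:
    name: str
    annual_cost: float
    aro_after: float        # residual likelihood once the control is in place


def ale(asset, threat, aro=None):
    """Annualized loss expectancy = SLE * ARO, with SLE = value * exposure factor."""
    rate = threat.aro if aro is None else aro
    return asset.value * threat.exposure_factor * rate


def decide(asset, threat, control):
    """Accept when the control costs more per year than the loss it prevents."""
    saved = ale(asset, threat) - ale(asset, threat, aro=control.aro_after)
    return "mitigate" if saved > control.annual_cost else "accept"


def plan(assets, threats, controls):
    """One row per (asset, threat): ALE, candidate control and the decision."""
    rows = []
    for asset in assets:
        for threat in threats:
            ctrl = controls.get(threat.name)
            rows.append({
                "asset": asset.name, "threat": threat.name,
                "ale": round(ale(asset, threat), 2),
                "control": ctrl.name if ctrl else None,
                "decision": decide(asset, threat, ctrl) if ctrl else "accept",
            })
    return rows


# Constructed sample inventory.
ASSETS = [Asset("Customer database", 500_000), Asset("Marketing brochures", 2_000)]
THREATS = [
    Threat("Stolen records", exposure_factor=0.4, aro=0.1),
    Threat("Disk failure",   exposure_factor=1.0, aro=0.5),
]
CONTROLS = {
    "Stolen records": Control("Encryption at rest + access review", 8_000, aro_after=0.01),
    "Disk failure":   Control("Nightly backup + mirroring",        3_000, aro_after=0.02),
}

if __name__ == "__main__":
    for row in plan(ASSETS, THREATS, CONTROLS):
        print(row)
```

The same control lands on both sides of the decision depending on the asset's value, which is exactly why the slide ties control selection to asset value rather than to the threat alone.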

13 Security in MS Access: Use of a Password

14 MS Access Permissions

15 MS Access Permissions

16 Security in SQL Server: Permissions

17 Global State of Data Security
Global survey of about 8,000 IT & security executives (PricewaterhouseCoopers, 2005, 2006, 2007): 63 countries and 6 continents, 7,200 respondents.
- ____% reported they had a security strategy in place.
- ____% said they are considering security in the year(s) to come.

18 Security: Strategic vs. Tactical
- Data security is a "wildfire": "When you spend all that time fighting fires, you don't even have time to come up with new ways to build things so that they don't burn down" (security analyst, PwC).
- Reactive versus proactive approach to managing data security.
- Bias toward technology. Technology is largely reactive!

19 Data Security: Industry Analysis
Financial sector versus others. Why the gap?

20 What about Security in India?

21 Trends
- The number of CISOs and CSOs employed continues to rise.
- More firms conduct enterprise risk assessments.
- Encryption is at an all-time high: 72% of firms use it (2007) compared to 48% (2006).
- Security investment must shift from the tactical, technology-heavy approach to an intelligence-centric, risk analysis and mitigation philosophy.
- Address the human element, not only the technological one.

22 Data Security
Many times it is a LEGAL requirement:
- Sarbanes-Oxley Act of 2002 (Section 404)
- Health Insurance Portability and Accountability Act (HIPAA)
- State security breach notification laws
- The Family Educational Rights and Privacy Act (FERPA)

23 Compliance?
Percentage of US organizations admitting they are in compliance with security practices in 2006:
- SOX: 28%
- HIPAA: 40%
- California breach notification act: 15%
- Other state/local privacy regulations: 32%
Is the door open for criminal charges, lawsuits, fines and more?

24 Database Backup & Recovery
Backup vs. recovery: WHY?
- Human error or sabotage
- Hardware failure
- Invalid data
- Application program errors
- Viruses
- Natural disasters, and more...

25 Database Backup & Recovery
Back-up strategies:
- Full shut-down
- Selective shut-down
- Incremental back-up
Recovery strategies:
- Disk mirroring: allows for the fastest recovery. Great for applications that require high data availability.
- Restore/rerun: not a very good solution.
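The difference between a full and an incremental back-up, and what restore/rerun actually involves, is clearer on a small simulation. The following added example (not from the slides) models a database as a dictionary of rows with a transaction log, takes a full back-up followed by two incrementals, and rebuilds the rows two ways: from the back-up chain, and by restore/rerun (reload the full back-up, replay the log). It also shows what is lost when one incremental in the chain is missing. The back-up layout and the sample rows are constructed.

```python
"""Full vs. incremental back-up and two recovery strategies, simulated on a
tiny in-memory database (dict of row id -> row).

Added example, not from the slides. Back-up format, transaction log layout
and sample rows are constructed for the demonstration.
"""
import copy


class Database:
    def __init__(self):
        self.rows = {}
        self.log = []            # transaction log: (op, key, row)
        self._dirty = set()      # keys changed since the last back-up

    def write(self, key, row):
        self.rows[key] = row
        self.log.append(("write", key, row))
        self._dirty.add(key)

    def delete(self, key):
        self.rows.pop(key, None)
        self.log.append(("delete", key, None))
        self._dirty.add(key)

    def full_backup(self):
        """Full shut-down style back-up: a complete copy of every row."""
        self._dirty.clear()
        return {"kind": "full", "rows": copy.deepcopy(self.rows)}

    def incremental_backup(self):
        """Only the keys changed since the previous back-up (of either kind)."""
        changes = {k: copy.deepcopy(self.rows.get(k)) for k in self._dirty}
        self._dirty.clear()
        return {"kind": "incremental", "changes": changes}


def restore(full, incrementals):
    """Rebuild the rows from a full back-up plus its incrementals, in order."""
    rows = copy.deepcopy(full["rows"])
    for inc in incrementals:
        for key, row in inc["changes"].items():
            if row is None:
                rows.pop(key, None)   # deleted since the back-up
            else:
                rows[key] = row
    return rows


def restore_rerun(full, log_since_backup):
    """Restore/rerun: reload the full back-up, then replay the logged transactions."""
    rows = copy.deepcopy(full["rows"])
    for op, key, row in log_since_backup:
        if op == "write":
            rows[key] = row
        else:
            rows.pop(key, None)
    return rows


def demo():
    """Returns (live rows, restored from chain, restored by rerun, broken chain)."""
    db = Database()
    db.write(1, {"customer": "Acme", "total": 120})
    db.write(2, {"customer": "Globex", "total": 75})
    full = db.full_backup()
    log_mark = len(db.log)

    db.write(3, {"customer": "Initech", "total": 40})
    inc1 = db.incremental_backup()
    db.delete(2)
    db.write(1, {"customer": "Acme", "total": 150})
    inc2 = db.incremental_backup()

    from_chain = restore(full, [inc1, inc2])
    from_rerun = restore_rerun(full, db.log[log_mark:])
    broken_chain = restore(full, [inc2])   # inc1 lost: row 3 never comes back
    return db.rows, from_chain, from_rerun, broken_chain


if __name__ == "__main__":
    live, chain, rerun, broken = demo()
    print(live == chain == rerun)   # True
    print(broken)                    # row 3 missing
```

Both recovery paths reach the live state, but only because every incremental (or every log record) since the full back-up was available; the broken-chain result is why back-up schedules pair periodic full back-ups with the incrementals rather than relying on incrementals alone.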

26 Database Backup & Recovery

27 Disaster Recovery
"The best way of crisis management is preparation" (Mitroff, 2005)
Have a clear plan that can be implemented in case of disaster:
- Establish a secure back-up center at an off-site location.
- Schedule periodic back-ups to that location.
- Establish a recovery team and procedures.

28 Cost of Downtime
[Figure: estimated cost of downtime by availability]
[Figure: estimated cost of downtime by type of business]

29 Next...
Discuss some of the articles related to data security implementation in organizations. The emphasis is on how the implementation of security controls is managed in organizations.