Information System Security and Control

Information System Security and Control
- Threat of Project Failure
- Threat of Accidents and Malfunctions
- Threat of Computer Crime
- Factors That Increase the Risks
- Methods for Minimizing Risks

Introductory Case: London Ambulance Service
Wow, what a mess!
- What did they do wrong?
- Did they do anything right?
- Was this a system that should have even been attempted?

Threat of Project Failure
When can projects fail?
- INITIATION
  - The reasons for building the system have too little support.
  - The system seems too expensive.
- DEVELOPMENT
  - It is too difficult to define the requirements.
  - The system is not technically feasible.
  - The project is too difficult for the technical staff assigned.
- IMPLEMENTATION
  - The system requires too great a change from existing work practices.
  - Potential users dislike the system or resist using it.
  - Too little effort is put into the implementation.
- OPERATION AND MAINTENANCE
  - System controls are insufficient.
  - Too little effort goes into supporting effective use.
  - The system is not updated as business needs change.

Threat of Project Failure
Remember this? What do you think the curve would look like for cost of failure?

Threat of Accidents and Malfunctions
- Operator error
- Hardware malfunction
  - Intel Pentium bug
  - Was like the embedded chip issue for Y2K
- Software bugs
- Data errors
- Damage to physical facilities
  - We’ll talk more about this for disaster recovery
- Inadequate system performance
  - London ambulance case

Threat of Computer Crime
- Theft
  - Physical (esp. laptops)
    - Case of a laptop taken from the Pentagon in a conference room…
    - Recently heard about a Silicon Valley exec who lost a laptop
    - CCI insurance
  - Logical
- Unauthorized use
  - Fraudulent data entry
  - Unauthorized use/modification of data
- Sabotage and Vandalism
  - Trap door, Trojan Horse, Virus

Factors that Increase Risk
- Nature of Complex Systems
- Human Limitations
- Pressures in the Business Environment

Methods for Minimizing Risks
- Controlling System Development and Modifications
- Providing Security Training
- Maintaining Physical Security
- Controlling Access to Data, Computers, and Networks
- Controlling Transaction Processing
- Motivating Efficient and Effective Operation
- Auditing the Information System
- Preparing for Disasters

Minimize Risks…

Build the system correctly…
- Software change control

Train the users about security…

Maintain physical security…

Prevent unauthorized access to hardware and software…
- Manual data handling
- Access privileges
- Access control
  - What you know
  - What you have
  - Where you are
  - Who you are
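The slide lists four categories of authentication evidence (what you know, what you have, where you are, who you are) and, separately, access privileges. The following is an added example, not code from the slides, of an access decision that verifies each presented factor, requires evidence from at least two distinct categories, and only then checks the user's privileges. The user record, the salt, the token secret and the network allow-list are constructed for illustration; the one-time code follows RFC 4226 HOTP, and the biometric verdict is assumed to come from a trusted reader outside this code.

```python
import hashlib
import hmac
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The four factor categories named on the slide.
KNOW, HAVE, WHERE, WHO = "know", "have", "where", "who"


def hash_password(password: str, salt: bytes, rounds: int = 100_000) -> bytes:
    # Salted, iterated hash: the stored "what you know" verifier is never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226 HOTP: the code a "what you have" token derives from its shared secret and counter.
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    token_secret: bytes        # shared secret of the user's token ("what you have")
    token_counter: int         # last accepted HOTP counter, advanced to block replays
    allowed_networks: list     # CIDR allow-list for "where you are"
    privileges: set            # access privileges granted to this user


def verify_factors(user: User, presented: dict) -> set:
    """Return the factor categories that the presented evidence actually satisfies."""
    satisfied = set()
    if "password" in presented and hmac.compare_digest(
            hash_password(presented["password"], user.salt), user.pw_hash):
        satisfied.add(KNOW)
    if "otp" in presented:
        # Accept the current counter or a small look-ahead window, then move past it.
        for step in range(3):
            if hmac.compare_digest(hotp(user.token_secret, user.token_counter + step),
                                   presented["otp"]):
                user.token_counter += step + 1
                satisfied.add(HAVE)
                break
    if "source_ip" in presented and any(
            ip_address(presented["source_ip"]) in ip_network(n) for n in user.allowed_networks):
        satisfied.add(WHERE)
    if presented.get("biometric_match", False):
        # Assumption: a trusted biometric reader has already matched "who you are";
        # this code only consumes its verdict.
        satisfied.add(WHO)
    return satisfied


def authorize(user: User, privilege: str, presented: dict, min_factors: int = 2):
    """Authenticate with >= min_factors distinct categories, then check the privilege."""
    satisfied = verify_factors(user, presented)
    if len(satisfied) < min_factors:
        return False, f"only {sorted(satisfied)} verified; {min_factors} categories required"
    if privilege not in user.privileges:
        return False, f"{user.name} authenticated but lacks privilege {privilege!r}"
    return True, f"{user.name} granted {privilege!r} via {sorted(satisfied)}"


def make_demo_user() -> User:
    # Constructed sample user; the token secret is the RFC 4226 test-vector secret.
    salt = b"constructed-salt"
    return User("alice", salt, hash_password("correct horse", salt),
                b"12345678901234567890", 0, ["10.0.0.0/8"], {"read_ledger"})


if __name__ == "__main__":
    alice = make_demo_user()
    print(authorize(alice, "read_ledger", {"password": "correct horse", "source_ip": "203.0.113.5"}))
    print(authorize(alice, "read_ledger", {"password": "correct horse", "otp": hotp(alice.token_secret, 0)}))
    print(authorize(alice, "post_journal", {"password": "correct horse", "source_ip": "10.1.2.3"}))
```

Two properties are worth noticing: a correct password from an unknown network yields only one category and is refused, and a one-time code that was already accepted is refused on replay because the stored counter has moved past it. Privileges are checked only after authentication succeeds, so the "lacks privilege" message never leaks to an unauthenticated caller.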

Prevent unauthorized access to hardware and software…
- Be aware of network issues
- Encrypt if necessary

Perform transactions correctly…
- Segregation of duties
- Data validation
- Error correction
- Backup & recovery

Innovate for efficiency…
- Monitor systems
- Look for opportunities
- Look for incentives
- Look for disincentives

Audit your system… Trust but verify…
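The four transaction-processing controls on the "Perform transactions correctly" slide, plus the audit trail that "Trust but verify" depends on, fit in one small ledger. This is an added example, not code from the slides: the accounts, transactions, field names and the single-transaction limit are constructed for illustration. Segregation of duties is enforced by refusing any transaction whose submitter is also its approver; data validation checks completeness, type, range and account existence before anything is posted; a point-in-time backup is taken before each posting so that an overdraft discovered mid-posting can be corrected by restoring it; and every outcome, accepted or not, is written to an audit log an auditor can replay against the balances.

```python
import json
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

# Constructed policy value: no single transfer above this amount.
SINGLE_TXN_LIMIT = Decimal("100000")
REQUIRED_FIELDS = ("id", "from", "to", "amount", "submitted_by", "approved_by")


@dataclass
class Ledger:
    balances: dict
    audit_log: list = field(default_factory=list)   # one record per attempted transaction
    posted_ids: set = field(default_factory=set)    # prevents double posting
    snapshots: list = field(default_factory=list)   # serialized backups of balances


def backup(ledger: Ledger) -> None:
    # Backup: serialize balances so a consistent state can be recovered later.
    ledger.snapshots.append(json.dumps({k: str(v) for k, v in ledger.balances.items()}))


def restore(ledger: Ledger) -> None:
    # Recovery: reload the most recent backup, discarding any partial update.
    ledger.balances = {k: Decimal(v) for k, v in json.loads(ledger.snapshots[-1]).items()}


def validate(ledger: Ledger, txn: dict) -> list:
    """Data validation: return a list of error strings, empty if the transaction is well-formed."""
    errors = [f"missing field {f!r}" for f in REQUIRED_FIELDS if f not in txn]
    if errors:
        return errors
    try:
        amount = Decimal(str(txn["amount"]))
    except InvalidOperation:
        return ["amount is not numeric"]
    if amount <= 0:
        errors.append("amount must be positive")
    if amount > SINGLE_TXN_LIMIT:
        errors.append("amount exceeds single-transaction limit")
    if txn["from"] == txn["to"]:
        errors.append("source and destination accounts are identical")
    for acct in (txn["from"], txn["to"]):
        if acct not in ledger.balances:
            errors.append(f"unknown account {acct!r}")
    return errors


def record(ledger: Ledger, txn: dict, result: str, detail) -> None:
    # Audit trail: every attempt is logged with its outcome, whether or not it posted.
    ledger.audit_log.append({"txn": txn.get("id"), "result": result, "detail": detail})


def post(ledger: Ledger, txn: dict) -> bool:
    """Apply the controls in order and post the transaction only if all of them pass."""
    if txn.get("id") in ledger.posted_ids:
        record(ledger, txn, "duplicate", "transaction id already posted")
        return False
    errors = validate(ledger, txn)
    if errors:
        record(ledger, txn, "rejected", errors)
        return False
    if txn["submitted_by"] == txn["approved_by"]:
        # Segregation of duties: entry and approval must be different people.
        record(ledger, txn, "segregation_violation", txn["submitted_by"])
        return False
    backup(ledger)
    amount = Decimal(str(txn["amount"]))
    ledger.balances[txn["from"]] -= amount
    ledger.balances[txn["to"]] += amount
    if ledger.balances[txn["from"]] < 0:
        # Error correction: the posting left an invalid state, so recover from the backup.
        restore(ledger)
        record(ledger, txn, "reversed", "insufficient funds; balances restored from backup")
        return False
    ledger.posted_ids.add(txn["id"])
    record(ledger, txn, "posted", str(amount))
    return True


def make_demo_ledger() -> Ledger:
    # Constructed sample balances.
    return Ledger({"A": Decimal("500"), "B": Decimal("0")})


if __name__ == "__main__":
    ledger = make_demo_ledger()
    post(ledger, {"id": "T1", "from": "A", "to": "B", "amount": "200",
                  "submitted_by": "clerk", "approved_by": "supervisor"})
    post(ledger, {"id": "T2", "from": "A", "to": "B", "amount": "50",
                  "submitted_by": "clerk", "approved_by": "clerk"})
    for entry in ledger.audit_log:
        print(entry)
```

Auditing here means replaying the "posted" entries in the log against the opening balances and checking that they reproduce the current balances; any discrepancy points at a change that bypassed the controls.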

Prepare for disasters… Remember Murphy's Law