
Computer Security Management


1 Computer Security Management
Session 1: How IT Affects Risks and Assurance
EECS David C. Chan

2 David Chan

3 What We Will Cover
- Nature, types and use of information
- System assurance criteria
- System assurance responsibilities
- System components
- Types of systems

4 Enterprise Systems and ERPs
- Integrate business processes and information from all of an organization's functional areas.
- Help coordinate the operation of business functions and provide a central information resource for the organization.
- Enterprise Resource Planning (ERP) systems: software packages that can be used for the core systems necessary to support enterprise systems.

5 Integrate Business Process Functionality
When purchasing office equipment, an enterprise system might:
- Provide an electronic order form.
- Apply business rules.
- Route the order for approvals.
- Send the order to a buyer.
- Connect to the vendor.
- Use the data to receive goods, project funding requirements, compare to budget, and analyze vendor performance.

6 Processing Modes
- Batch: periodic update; easier to control but less efficient.
- Online input but batch update.
- Online input and update: usually requires a database.

7 Information Ownership and Classification
- Each information system and its information should be assigned to a senior manager as owner.
- The owner is accountable for information reliability, including classifying information based on risk and affording the respective protection.

8 Information Assurance
"Information assurance is the bedrock upon which enterprise decision-making is built. Without assurance, enterprises cannot feel certain that the information upon which they base their mission-critical decisions is reliable, confidential, secure and available when needed." - Information Systems Audit and Control Association (ISACA)

9 System Assurance Criteria
- Completeness
- Authorization
- Accuracy
- Timeliness
- Occurrence

10 Completeness
- All transactions are recorded.
- Accounting reports are complete.
- Customer statements are complete.
- Management information is complete.
- Statutory reports are complete.
- Applies to input, processing and output.

11 Authorization
- Only authorized transactions are processed.
- Reports are produced only for authorized users.
- Proper authorization for access to information, to ensure integrity and confidentiality.

12 Accuracy
- Transactions are recorded accurately.
- Reports are accurate.
- Information in storage is maintained and checked regularly to ensure accuracy.

13 Timeliness
- Transactions are recorded on a timely basis.
- Reports are current.
- Information in storage is regularly checked for currency.

14 Occurrence
- Only real transactions are recorded.
- Accounting balances reflect real assets, liabilities and equity.
- Underlying assumptions can realistically occur, e.g., valuation.
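As an added example (not part of the deck or the author's material), the Python below shows how the five assurance criteria of slides 9 to 14 become concrete input controls: one check per criterion on each transaction, plus a batch control-total reconciliation that enforces completeness in the batch processing mode of slide 6. The field names, the authorization table, the chart of accounts, the two-day timeliness window and the transactions themselves are all constructed for the illustration.

```python
"""Input controls mapped to the five system assurance criteria
(completeness, authorization, accuracy, timeliness, occurrence),
plus a batch control-total reconciliation for batch processing.
All reference data and transactions here are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from decimal import Decimal

# Constructed reference data (assumed; not from the slides).
REQUIRED_FIELDS = ("id", "type", "account", "amount", "entered_by", "timestamp")
AUTHORIZED_ENTRY = {"PO": {"alice", "bob"}, "JE": {"carol"}}   # who may enter each type
VALID_ACCOUNTS = {"1000", "2000", "5100"}                      # chart of accounts
MAX_AGE = timedelta(days=2)                                    # timeliness window


@dataclass
class ControlResult:
    txn_id: str
    failures: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.failures


def validate_transaction(txn: dict, now: datetime) -> ControlResult:
    """Apply one check per assurance criterion to a single transaction."""
    failures = []
    # Completeness: every required field is present and non-empty.
    missing = [f for f in REQUIRED_FIELDS if txn.get(f) in (None, "")]
    if missing:
        failures.append(f"completeness: missing {missing}")
        return ControlResult(str(txn.get("id", "?")), failures)  # later checks need the fields
    # Authorization: the entering user is permitted for this transaction type.
    if txn["entered_by"] not in AUTHORIZED_ENTRY.get(txn["type"], set()):
        failures.append(f"authorization: {txn['entered_by']} may not enter {txn['type']}")
    # Accuracy: a positive monetary amount with at most two decimal places.
    amount = txn["amount"]
    if (not isinstance(amount, Decimal) or amount <= 0
            or amount != amount.quantize(Decimal("0.01"))):
        failures.append(f"accuracy: bad amount {amount!r}")
    # Timeliness: not post-dated, and not older than the allowed window.
    age = now - txn["timestamp"]
    if age < timedelta(0) or age > MAX_AGE:
        failures.append(f"timeliness: age {age} outside window")
    # Occurrence: the account the transaction posts to actually exists.
    if txn["account"] not in VALID_ACCOUNTS:
        failures.append(f"occurrence: unknown account {txn['account']}")
    return ControlResult(txn["id"], failures)


def reconcile_batch(txns: list, expected_count: int, expected_total: Decimal) -> list:
    """Batch completeness control: record count and hash total must match
    the control figures captured when the batch was prepared."""
    problems = []
    if len(txns) != expected_count:
        problems.append(f"count {len(txns)} != control count {expected_count}")
    total = sum((t.get("amount", Decimal(0)) for t in txns), Decimal(0))
    if total != expected_total:
        problems.append(f"hash total {total} != control total {expected_total}")
    return problems


# Constructed sample batch; each transaction exercises a different control.
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_BATCH = [
    {"id": "T1", "type": "PO", "account": "5100", "amount": Decimal("250.00"),
     "entered_by": "alice", "timestamp": NOW - timedelta(hours=3)},   # clean
    {"id": "T2", "type": "JE", "account": "1000", "amount": Decimal("99.99"),
     "entered_by": "alice", "timestamp": NOW - timedelta(hours=1)},   # authorization
    {"id": "T3", "type": "PO", "account": "2000", "amount": Decimal("12.345"),
     "entered_by": "bob", "timestamp": NOW - timedelta(days=5)},      # accuracy + timeliness
    {"id": "T4", "type": "PO", "account": "9999", "amount": Decimal("10.00"),
     "entered_by": "bob", "timestamp": NOW + timedelta(days=1)},      # occurrence + post-dated
    {"id": "T5", "type": "PO", "account": "5100",
     "entered_by": "alice", "timestamp": NOW},                        # completeness (no amount)
]
# Control figures a clerk would have captured for the batch (constructed;
# the count is deliberately wrong so the reconciliation reports it).
CONTROL_COUNT = 6
CONTROL_TOTAL = Decimal("372.335")


def run_controls():
    """Run the per-transaction checks and the batch reconciliation on the sample."""
    results = [validate_transaction(t, NOW) for t in SAMPLE_BATCH]
    return results, reconcile_batch(SAMPLE_BATCH, CONTROL_COUNT, CONTROL_TOTAL)


if __name__ == "__main__":
    results, batch_problems = run_controls()
    for r in results:
        print(r.txn_id, "OK" if r.ok else r.failures)
    print("batch:", batch_problems or "reconciled")
```

In an online input-and-update system the per-transaction checks run at entry time and reject the record before it reaches the database; in batch mode the same checks run over the file and the reconciliation against the control figures runs before the update is applied, which is why the slide calls batch processing easier to control.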

15 Components of System
- Infrastructure
- Software
- People
- Procedures
- Information

16 IT Infrastructure
- Network
- Hardware
- Real estate

17 Software
- System software, e.g., operating system, database management system.
- Application software.

18 People
- Management
- Systems developers (analysts and programmers)
- Systems administrators who control servers and workstations
- Systems operations staff
- Users

19 IT Organization
- Chief Information Officer
- Systems development and maintenance
- System operations
- Quality assurance (may be part of systems development in a small organization)
- Security (may be part of operations in a small organization)

20 Information System Roles and Responsibilities
- Chief information officer (CIO): oversees all uses of IT and ensures the strategic alignment of IT with business goals and objectives.
- Chief knowledge officer (CKO): responsible for collecting, maintaining, and distributing the organization's knowledge.
- Chief privacy officer (CPO): responsible for ensuring the ethical and legal use of information.

Speaker notes: Explain to your students that job titles, roles, and responsibilities often differ dramatically from organization to organization. Excellent resource on how people are Microsoft's greatest assets. The CIO typically reports directly to the Chief Executive Officer (CEO). CIOs must possess a solid and detailed understanding of every aspect of an organization coupled with tremendous insight into the capability of IT. CIOs must have strong business skills and strong IT skills. Can you name any famous CEOs? Jack Welch, General Electric (retired); Jeff Bezos, Amazon.com; Bill Gates, Microsoft; Michael Dell, Dell Computers. Can you name any famous CIOs? Most students will be familiar with many famous CEOs but not CIOs, CPOs, CSOs, CKOs, or CTOs. The CKO is quickly becoming a visible career target. The Institute for Intellectual Capital Research in Hamilton, ON interviewed 53 executive search firms and concluded that the CKO position will become commonplace.

21 Information Systems Roles and Responsibilities
Learning Outcomes 1-2
- Chief security officer (CSO): responsible for ensuring the safety of IT resources including data, hardware, software, and people.
- Chief technology officer (CTO): responsible for ensuring the throughput, speed, accuracy, availability, and reliability of IT.
- While many companies may not have a different individual for each of these positions, they must have top managers who take responsibility for all of these areas.

Speaker notes: Define the difference between the CIO, CTO, CSO, CPO, and CKO. The CIO oversees all uses of IT and ensures the strategic alignment of IT with business goals and objectives. CTOs are similar to CIOs, except that CIOs take on the additional responsibility for effectiveness, ensuring that IT is aligned with the organization's strategic initiatives, while CTOs ensure the efficiency of IT. CPOs are the newest senior executive position, and many CPOs are lawyers by training. The CKO is one of the most recent positions added to the executive leadership team. Define the general organizational structure between CIO, CTO, CSO, CPO, and CKO. This structure will vary from organization to organization. A great debate is to have the entire class decide on an organizational structure, including the CFO and CEO, for a fictitious company.

22 Management Responsibilities
Management includes executives and managers in business functions and corporate functions (like the CFO).
- Define information requirements.
- Assess the significance of information.
- Take ownership of business and functional systems, such as the enterprise resource planning system.

23 Management Responsibilities
- Design and implement internal controls (using staff who are control experts).
- Review system information for reliability.
- Define system reliability criteria in relation to business requirements.
- Provide information assurance to senior executives.

24 User Responsibilities
- Control information under their custody in accordance with corporate policy and procedures.
- Inform management of irregularities and exceptions.
- Use information systems only for corporate purposes.

25 Procedures
- System operations procedures
- User procedures

26 Information Ownership and Classification
- Each information system and its information should be assigned to a senior manager as owner.
- The owner is accountable for information reliability, including classifying information based on risk and affording the respective protection.

27 Management Checklist
- Assign business executives to own information systems and infrastructure.
- Establish corporate policies and standards for information risk assessment.
- Establish a process for periodic risk assessment, internal control formulation and internal control reporting to senior management and the board of directors.

28 Management Checklist
- Involve the board of directors in IT governance and ensure this is addressed at least twice a year in board meetings.
- Establish a policy on the use of I & IT in the organization with respect to how to use IT as a business enabler and the approval process for IT investment.

29 Management Checklist
- Develop an IT strategy congruent with the business strategy. The IT strategy should consider the applicability of new technology.
- Develop a process to continuously assess the cost effectiveness of IT applications.
- Ensure that the job description and performance contract of each executive includes the appropriate I & IT assurance accountability.

30 Management Checklist
- Establish an IT steering committee consisting of a cross section of senior executives, including the CIO, to carry out IT governance.
