Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Security Management

Published byDerrick Lewis Modified over 9 years ago

Similar presentations

Presentation on theme: "Information Security Management"— Presentation transcript:

1 Information Security Management
Chapter 11 Information Security Management

2 Agenda Security Threats Security Program Sources Problems
Senior Management’s Security Role Technical Safeguard Data Safeguard Human Safeguard Disaster Preparedness Incident Response

3 Sources of Security Threats
Human error and mistakes Employees and non-employees Accidental problems Poorly written application programs Poorly designed procedures Malicious human activity Employees, former employees, hackers, and outside criminals Intentionally destroy data or other systems components Steal for financial gain Terrorism Natural events and disasters Acts of nature Loss of capability, service, and recovery

4 Problems of Security Threats
Unauthorized data disclosure Incorrect data modification Faulty service Denial of service Loss of infrastructure

5 Unauthorized Data Disclosure
Pretexting: someone pretending to be someone else Phishing: someone pretending a legitimate company and obtaining confidential data by Spoofing: IP spoofing and spoofing Sniffing: intercepting computer communication Drive-by sniffers: intercepting unprotected wireless network

6 Incorrect Data Modification
Human error employees follow procedures incorrectly procedures have been incorrectly designed Hacking

7 Faulty Service Incorrect system operation Usurpation
Human procedure mistake Usurpation Unauthorized program in a computer system

8 Denial of Service Human error Malicious hacker Natural disasters

9 Loss of Infrastructure
Human accidents Theft and terrorist events Natural disasters

10 Security Program Senior management involvement
Security policy Cost and benefit analysis Safeguards of various kinds Technical protection: hardware and software Data protection: data Human protection: people and procedure Incident response Program response to security incident

11 Security Elements By National Institute of Standards and Technology (NIST) Support the mission of the organization An integral element of sound management Cost effective Explicit security responsibilities and accountability Comprehensive and integrated approach Periodically reassessing Constrained by social factor

12 Senior Management Role
Security policy General policy: goals and assets Issue-specific policy: computer and usage System-specific policy: specific information systems Risk management and assessment Assets and vulnerability Threats Likelihood of an adverse occurrence Consequences Safeguard and cost Probable loss

13 Technical Safeguard Identification and authentication Encryption
Digital signature Firewall Malware protection Design secure application

14 Identification and Authentication
User name Authentication Pass word (what you know) Smart card (what you have) Biometric authentication: fingerprints, facial features, retinal scans (what you are) Single sign-on for multiple systems (Kerberos) Wireless: WPA (Wi-Fi Protected Access) and WPA2

15 Encryption Symmetric encryption: one key
Asymmetric encryption: public key and private key Secure Socket Layer (SSL) and Transport Layer Security (TLS): only client verify true Web site Digital signature Hashing Message digest (check digits) Digital certificate and certificate authorities

16 Firewall Definition Device Type
A computing device to prevent unauthorized network access Device A special-purpose computer A program on a general-purpose computer or on a router Type Perimeter firewall Internal firewall Packet-filtering firewall Access control list (ACL)

17 Use of Multiple Firewalls

18 Malware Malware: viruses, worms, Trojan horses, spyware, and adware
Spyware: programs installed without the user’s knowledge for spying Adware: installed without the user’s permission for observing user behavior and popping up ads

19 Spyware and Adware Symptoms
Slow system start up Sluggish system performance Many pop-up ads Browser homepage changes, taskbar, and other interfaces Unusual hard disk activity

20 Malware Safeguard Install antivirus and antispyware programs
Scan computer frequently Update malware definitions Open attachments only from known sources Promptly install software updates from legitimate sources Browse only in reputable Internet neighborhoods

21 Data Safeguard Specifying user rights and responsibilities
User account and password Store sensitive data in encrypted form Regular backup and practice recovery Backup copy at remote location Reside in locked, controlled-access facilities

22 Human Safeguard for Employee
Position definition Job tasks and responsibilities Least possible privilege Documenting security sensitivity for each position Hiring and Screening Interviews, references, and background investigations Dissemination and enforcement Security policies, procedures, and responsibilities awareness Training Security responsibility, accountability, and compliance Termination Termination policies and procedures Remove accounts and passwords Recover keys for encrypted data

23 Human Safeguard for Non Employee
Temporary personnel, vendors, partner personnel, and the public Require vendors and partners to perform appropriate screening and security training Harden (extraordinary measures to reduce a system’s vulnerability) the Web site or other facility against attack

24 Account Administration
User accounts Creation of new user accounts, modification of existing account permissions, and removal of unneeded accounts Password Change password Use proper password Help-desk policies and procedures for user’s forgetting password

25 Systems Procedures Users and operations personnel
Procedures for normal, backup, and recovery operations

26 Systems Monitoring Log analysis Security testing
Investigating and learning from security incident In-house IT personal and outside security consultants Updating security: new technology and requirement

27 Disaster Preparedness
Locate infrastructure in safe location Identify mission-critical systems Identify resources needed to run those systems Prepare remote backup facility Hot sites: providing remote processing centers run by commercial disaster-recovery services Cold site: providing office space, but customers themselves provide and install the equipment needed to continue operations Train and rehearse

28 Incident Response Have a plan
Critical personnel and off-hours contact information Centralized reporting Prepare specific response for speed Practice

29 Discussion Ethic guide (343a-b) Problem solving (351a-b)
Address the proper ethic issues of a online retailer related to its customer’s information. Problem solving (351a-b) Address the security issues of hiring a white hat hacker. Security guide (357a-b) Address the meta security issues of any organization. Reflection guide (361a-b) Address the future of IT and IS five years latter.

30 Case Study Case 11-1 Antiphishing Tactics ( ): 2 only

31 Points to Remember Security Threats Security Program Sources Problems
Senior Management’s Security Role Technical Safeguard Data Safeguard Human Safeguard Disaster Preparedness Incident Response

Download ppt "Information Security Management"

Similar presentations

Let’s Talk About Cyber Security

Let’s Talk About Cyber Security
Information Security Management Chapter 12. 12-2 “We Have to Design It for Privacy and Security.” Copyright © 2014 Pearson Education, Inc. Publishing.

Information Security Management Chapter “We Have to Design It for Privacy and Security.” Copyright © 2014 Pearson Education, Inc. Publishing.
© Pearson Prentice Hall 2009 12-1 Using MIS 2e Chapter 12 Information Security Management If you don’t do security right, nothing else matters. David Kroenke.

© Pearson Prentice Hall Using MIS 2e Chapter 12 Information Security Management If you don’t do security right, nothing else matters. David Kroenke.
1 MIS 2000 Class 22 System Security Update: Winter 2015.

1 MIS 2000 Class 22 System Security Update: Winter 2015.
Information Security Management Chapter 12. 12-2 “We Have to Design It for Privacy and Security. ” Tension between Maggie and Ajit regarding terminology.

Information Security Management Chapter “We Have to Design It for Privacy and Security. ” Tension between Maggie and Ajit regarding terminology.
Chapter 4 McGraw-Hill/Irwin Copyright © 2011 by The McGraw-Hill Companies, Inc. All rights reserved. Ethics and Information Security.

Chapter 4 McGraw-Hill/Irwin Copyright © 2011 by The McGraw-Hill Companies, Inc. All rights reserved. Ethics and Information Security.
© Pearson Prentice Hall 2009 12-1 Using MIS 2e Chapter 12 Information Security Management David Kroenke.

© Pearson Prentice Hall Using MIS 2e Chapter 12 Information Security Management David Kroenke.
Chapter 8 Chapter 8 Digital Defense: Securing Your Data and Privacy

Chapter 8 Chapter 8 Digital Defense: Securing Your Data and Privacy
© 2007 Prentice Hall, Inc.1 Using Management Information Systems David Kroenke Information Security Management.

© 2007 Prentice Hall, Inc.1 Using Management Information Systems David Kroenke Information Security Management.
Security, Privacy, and Ethics Online Computer Crimes.

Security, Privacy, and Ethics Online Computer Crimes.
Chapter 12 Information Security Management

Chapter 12 Information Security Management
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
Lecture 10 Security and Control.

Lecture 10 Security and Control.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
1 Management Information Systems Information Security Management Chapter 12.

1 Management Information Systems Information Security Management Chapter 12.
1 Using Management Information Systems David Kroenke Information Security Management Chapter 11.

1 Using Management Information Systems David Kroenke Information Security Management Chapter 11.
Chapter 12 Information Security Management © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.

Chapter 12 Information Security Management © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Similar presentations

Ads by Google