Chapter 12 Information Security Management


1 Chapter 12 Information Security Management
Jason C. H. Chen, Ph.D. Professor of MIS School of Business Administration Gonzaga University Spokane, WA 99258

2 Could Someone Be Getting To Our Data?
Stealing only from weddings of club members.
Knowledge: how to access the system, the database, and SQL.
Access: passwords on yellow stickies; many copies of the key to the server building.
Suspect: the greenskeeper, "a techno-whiz," who created a report for Anne and knows SQL and how to access the database.

3 Chapter Preview This chapter describes common sources of security threats and explains management's role in addressing those threats. It defines the major elements of an organizational security policy. It presents the most common types of technical, data, and human security safeguards. We then discuss how organizations should respond to security incidents and, finally, examine common types of computer crime. The primary focus is on management's responsibility for the organization's security policy and for implementing human security safeguards. We approach this topic from the standpoint of a major organization that has professional staff, in order to learn the tasks that need to be accomplished. Both MRV and FlexTime need to adapt the full-scale security program to their smaller requirements and more limited budget.

4 Study Questions Q1: What is the goal of information systems security? Q2: How should you respond to security threats? Q3: How should organizations respond to security threats? Q4: What technical safeguards are available? Q5: What data safeguards are available? Q6: What human safeguards are available? Q7: 2022?

5 Q1: What Is the Goal of Information Systems Security?

6 Q1: What Is the Goal of Information Systems Security?
The IS Security Threat/Loss Scenario
Threat: a person or organization that seeks to obtain data or another asset illegally, without the owner's permission and often without the owner's knowledge.
Vulnerability: an opportunity for a threat to gain access to individual or organizational assets.
Safeguard: some measure that individuals or organizations take to block the threat from obtaining the asset.
Target: the asset that the threat desires.

7 Fig 12-1 Threat/Loss Scenario

8 Safeguards There are three components of a sound organizational security program:
1. Senior management must establish a security policy and manage risks.
2. Safeguards of various kinds must be established for all five components of an IS, as the figure below demonstrates.
3. The organization must plan its incident response before any problems occur.
Fig 12-extra Security Safeguards as They Relate to the Five Components

9 Examples of Threat/Loss
Fig 12-2 Examples of Threat/Loss

10 What Are the Sources of Threats?
Security threats arise from three sources: Human error and mistakes, Computer crime, and Natural events and disasters.

11 Human Errors and Mistakes
Human errors and mistakes include accidental problems caused by both employees and nonemployees:
- An employee misunderstands operating procedures and accidentally deletes customer records.
- An employee, while backing up a database, inadvertently installs an old database on top of the current one.
- Poorly written application programs and poorly designed procedures.
- Physical accidents, such as driving a forklift through the wall of a computer room.

12 Computer Crime
- Employees and former employees who intentionally destroy data or other system components
- Hackers who break into a system; virus and worm writers who infect computer systems
- Outside criminals who break into a system to steal for financial gain
- Terrorism

13 Q/A Which of the following is most likely to be the result of hacking?
A) certain Web sites being blocked from viewing for security reasons
B) small amounts of spam in your inbox
C) an unexplained reduction in your account balance
D) pop-up ads appearing frequently
Answer: C

14 Natural Events and Disasters
Fires, floods, hurricanes, earthquakes, tsunamis, avalanches, and other acts of nature.
Includes the initial loss of capability and service, and the losses stemming from actions taken to recover from the initial problem.

15 Fig 12-3 Security Problems and Sources

16 What Types of Security Loss Exists?
Unauthorized data disclosure:
- Pretexting
- Phishing
- Spoofing (including IP spoofing)
- Drive-by sniffers
- Hacking
- Natural disasters

17 Incorrect Data Modification
- Procedures not followed, or incorrectly designed procedures
- Increasing a customer's discount or incorrectly modifying an employee's salary
- Placing incorrect data on the company Web site
- Improper internal controls on systems
- System errors
- Faulty recovery actions after a disaster

18 Faulty Service
- Incorrect data modification
- Systems working incorrectly
- Procedural mistakes
- Programming errors
- IT installation errors
- Usurpation
- Denial of service (unintentional)
- Denial-of-service attacks (intentional)

19 Loss of Infrastructure
- Human accidents
- Theft and terrorist events
- Disgruntled or terminated employees
- Natural disasters

20 How Big Is the Computer Security Problem?
Fig 12-4 Sample Arrests and Convictions Reported by the US Department of Justice

21 Percent of Security Incidents
Fig Percent of Security Incidents

22 Goal of Information Systems Security
- Threats can be stopped, or at least the loss from them reduced.
- Safeguards are expensive and reduce work efficiency.
- Find the trade-off between the risk of loss and the cost of safeguards.

23 Q2: How Should You Respond to Security Threats?
Fig 12-6 Personal Security Safeguards

24 Q/A (T/F) Cookies enable one to access Web sites without having to sign in every time. Answer: TRUE

25 Q3. How Should Organizations Respond to Security Threats?
NIST Handbook of Security Elements Fig 12-7 Management Guidelines for IS Security

26 What Are the Elements of a Security Policy?
Elements of a security policy:
- General statement of the organization's security program
- Issue-specific policy
- System-specific policy
Managing risks:
- Risk: threats and consequences we know about
- Uncertainty: things we do not know that we do not know

27 What Are the Elements of a Security Policy?
A security policy has three elements:
1. A general statement of the organization's security program. This statement becomes the foundation for more specific security measures. Management specifies the goals of the security program and the assets to be protected, designates a department for managing the security program and its documents, and specifies in general terms how the organization will ensure enforcement of security programs and policies.
2. Issue-specific policy. For example, personal use of computers at work, and privacy.
3. System-specific policy. For example, what customer data from the order-entry system will be sold or shared with other organizations? What policies govern the design and operation of systems that process employee data? Addressing such policies is part of the standard systems development process.

28 Q/A Which of the following is an example of a system-specific security policy?
A) limiting the personal use of an organization's computer systems
B) deciding what customer data from the order-entry system will be shared with other organizations
C) designating a department for managing an organization's IS security
D) inspecting an employee's personal for compliance with company policy
Answer: B

29 How Is Risk Managed?
Risk is the likelihood of an adverse occurrence. Management cannot manage threats directly, but it can limit the consequences, for example by creating a backup processing facility at a remote location. Companies can reduce risks, but always at a cost. It is management's responsibility to decide how much to spend or, stated differently, how much risk to assume.
Uncertainty refers to a lack of knowledge, especially about the chance of occurrence of an outcome or event. An earthquake could devastate a corporate data center built on a fault that no one knew about. An employee finds a way to steal inventory using a hole in the corporate Web site that no expert knew existed.

30 Risk Assessment and Management
Factors: tangible consequences, intangible consequences, likelihood, probable loss.
Risk-management decisions:
- Given the probable loss, what should be protected?
- Which safeguards are inexpensive and easy?
- Which vulnerabilities are expensive to eliminate?
- How to balance the cost of safeguards against the benefit of the probable loss they prevent?

31 Factors to Consider in Risk Assessment and Risk Management Decisions
When you are assessing risks to an information system you must first determine what the threats are, how likely they are to occur, and the consequences if they occur. The figure below lists the factors you should include in a risk assessment. Once you have assessed the risks to your information system, you must decide how much security you want to pay for. Each risk-management decision carries consequences: some risks are easy and inexpensive to reduce, others are expensive and difficult. Managers have a fiduciary responsibility to the organization to adequately manage risk.
Fig 12-Extra Risk Assessment Factors

32 Factors to Consider in Risk Assessment: Brief Summary
Safeguard: any action, device, procedure, technique, or other measure that reduces a system's vulnerability to a threat. No safeguard is ironclad; there is always a residual risk that it will not protect the assets in all circumstances.
Vulnerability: an opening or a weakness in a security system. Some vulnerabilities exist because there are no safeguards, or because the existing safeguards are ineffective.
Consequences: the damages that occur when an asset is compromised. Consequences can be tangible (those whose financial impact can be measured) or intangible (such as the loss of customer goodwill due to an outage, which cannot be measured directly).

33 Factors to Consider in Risk Assessment: Brief Summary (Final Two Factors in Risk Assessment)
Likelihood: the probability that a given asset will be compromised by a given threat, despite the safeguards.
Probable loss: the "bottom line" of risk assessment. To obtain a measure of probable loss, companies multiply the likelihood by the cost of the consequences. Probable loss also includes a statement of the intangible consequences.

34 Q/A Which of the following is an example of an intangible consequence?
A) a dip in sales because supplies were not replenished
B) a loss of customer goodwill due to an outage
C) a drop in production due to plant maintenance
D) a financial loss due to high input costs
Answer: B

35 Q4: What Technical Safeguards Are Available?
Fig 12-8 Technical Safeguards

36 List of Primary Technical Safeguards
You can establish five technical safeguards for the hardware and software components of an information system, as Figure 12-8 shows.
1. Identification and authentication includes (1) passwords (what you know), (2) smart cards (what you have), and (3) biometric authentication (what you are).
(4) Single sign-on for multiple systems (Kerberos). Since users must access many different systems, it is often more secure, and easier, to establish single sign-on. Kerberos authenticates users without sending passwords across the network: "tickets" enable users to obtain services from multiple networks and servers. Windows, Linux, and Unix employ Kerberos.

37 List of Primary Technical Safeguards (cont.)
Identification and authentication (cont.)
(5) Wireless systems pose additional threats: VPNs and special security servers.
- Wired Equivalent Privacy (WEP): the first standard developed; its encryption has long been broken and it should not be used.
- Wi-Fi Protected Access (WPA): more secure.
- Wi-Fi Protected Access 2 (WPA2): the newest and most secure at the time of the text; WPA3 has since been published and supersedes it.
Note: 4 and 5 are system access protocols.
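The claim that Kerberos "authenticates users without sending passwords across the network" is easier to see in code than in prose. The program below is an added example written for this page, not code from the textbook or from any Kerberos implementation: a toy KDC, client and service in Go. Assumptions: AES-256-GCM stands in for Kerberos' cipher suites, a bare SHA-256 of the password stands in for its salted string-to-key function, the single-step exchange collapses the real AS/TGS two-step, and all names ("alice", the file-server key) are constructed. The password is used only on the client, to unlock the KDC's reply; the service checks the ticket with its own key and the authenticator with the session key it finds inside the ticket, and rejects a wrong service key, an expired ticket or a stale authenticator.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// claims: KDC reply and ticket carry a session key plus expiry; the authenticator carries user plus timestamp.
type claims struct {
	User string    `json:"user"`
	Key  []byte    `json:"key,omitempty"`
	Time time.Time `json:"time"`
}

// seal/open: AES-256-GCM with the random nonce prepended; open fails on a wrong key or tampering.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(block) // cannot fail for a valid AES block
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read does not fail on supported Go versions
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

func open(key, box []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(block)
	if len(box) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, box[:g.NonceSize()], box[g.NonceSize():], nil)
}

func pack(c claims) []byte { b, _ := json.Marshal(c); return b }

// userKey: assumption, plain SHA-256 stands in for Kerberos' salted string-to-key function.
func userKey(password string) []byte { k := sha256.Sum256([]byte(password)); return k[:] }

// kdcIssue is the KDC reply: a part only the user can open (under the user's key) and the ticket
// only the service can open (under the service key), both holding the same fresh session key.
func kdcIssue(userK, serviceK []byte, user string, ttl time.Duration) (forUser, ticket []byte, err error) {
	session := make([]byte, 32)
	if _, err = rand.Read(session); err != nil {
		return
	}
	body := pack(claims{User: user, Key: session, Time: time.Now().Add(ttl)})
	if forUser, err = seal(userK, body); err != nil {
		return
	}
	ticket, err = seal(serviceK, body)
	return
}

// clientAuthenticator: the client opens the KDC reply with its password-derived key and proves
// it holds the session key by encrypting a fresh timestamp under it. The password stays local.
func clientAuthenticator(password string, forUser []byte) ([]byte, error) {
	raw, err := open(userKey(password), forUser)
	if err != nil {
		return nil, errors.New("wrong password: cannot open KDC reply")
	}
	var c claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	return seal(c.Key, pack(claims{User: c.User, Time: time.Now()}))
}

// serviceVerify: the service opens the ticket with its own key, then the authenticator with the
// session key found inside. It never contacts the KDC and never sees a password.
func serviceVerify(serviceK, ticket, auth []byte, skew time.Duration) (string, error) {
	var t, a claims
	if raw, err := open(serviceK, ticket); err != nil || json.Unmarshal(raw, &t) != nil || time.Now().After(t.Time) {
		return "", errors.New("ticket not issued under the service key, or expired")
	}
	if raw, err := open(t.Key, auth); err != nil || json.Unmarshal(raw, &a) != nil {
		return "", errors.New("authenticator not under the ticket's session key")
	}
	if d := time.Since(a.Time); a.User != t.User || d > skew || d < -skew {
		return "", errors.New("authenticator user mismatch or outside clock skew (replay?)")
	}
	return t.User, nil
}

func main() {
	pw, svcK := "correct horse battery staple", userKey("file-server-secret")
	forUser, ticket, _ := kdcIssue(userKey(pw), svcK, "alice", 8*time.Hour)
	auth, _ := clientAuthenticator(pw, forUser)
	fmt.Println(serviceVerify(svcK, ticket, auth, 5*time.Minute)) // alice <nil>
}
```

The property the slide is after is visible in the call graph: only userKey(password) is computed on the client, so the network carries ciphertext and timestamps, never the secret. Real Kerberos adds what this toy omits: a ticket-granting ticket so the password is needed once per day rather than once per service, realms, and a replay cache on the service so the same authenticator cannot be presented twice inside the clock-skew window.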

38 Q/A (T/F) A magnetic strip holds far more data than a microchip. Answer: FALSE

39 2. Encryption Encryption is the second safeguard you can establish for an IS. The chart below and on the next slide describe each technique.
Q/A (T/F) Asymmetric encryption is simpler and much faster than symmetric encryption. Answer: FALSE (symmetric encryption is the simpler and faster of the two; asymmetric encryption is used mainly to exchange symmetric keys and to sign).
Fig 12-9 Basic Encryption Techniques

40 Essence of HTTPS (SSL or TLS)
Fig The Essence of HTTPS (SSL or TLS)

41 Which of the following observations concerning Secure Socket Layer (SSL) is true?
A) It uses only asymmetric encryption.
B) It is a useful hybrid of symmetric and asymmetric encryption techniques.
C) It works between Levels 2 and 3 of the TCP-OSI architecture.
D) It is a stronger version of HTTPS.
Answer: B

Q/A You are transferring funds online through the Web site of a reputed bank. Which of the following displayed in your browser's address bar will let you know that the bank is using the SSL protocol?
A) http
B) www
C) https
D) .com
Answer: C
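The "hybrid" in answer B is the whole design of HTTPS: asymmetric encryption is used once, to get a secret to the server, and symmetric encryption carries the traffic. The Go program below is an added example for this page, not the textbook's code and not an implementation of any TLS version. Assumptions: RSA-OAEP key transport in place of a real handshake (pre-TLS-1.3 RSA key exchange worked this way; current TLS uses ephemeral Diffie-Hellman), a labelled SHA-256 in place of the TLS key schedule, a per-record sequence number as the GCM nonce as the TLS record layer does, and a freshly generated server key pair in place of a certificate, so certificate and CA validation are not shown. It also shows why the hybrid is necessary rather than merely convenient: a 2048-bit RSA key can OAEP-encrypt at most 190 bytes, so a whole request cannot go under the public key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// recordChannel is one direction of the channel: a write key plus a record counter used as the GCM nonce.
type recordChannel struct {
	aead cipher.AEAD
	seq  uint64
}

func newChannel(key []byte) (*recordChannel, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(block) // cannot fail for a valid AES block
	return &recordChannel{aead: g}, nil
}

func (c *recordChannel) nonce() []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n[4:], c.seq)
	c.seq++
	return n
}

// Each record is sealed under the next sequence number, so a replayed or reordered record fails to authenticate.
func (c *recordChannel) Seal(plaintext []byte) []byte { return c.aead.Seal(nil, c.nonce(), plaintext, nil) }
func (c *recordChannel) Open(record []byte) ([]byte, error) { return c.aead.Open(nil, c.nonce(), record, nil) }

// deriveKeys: one key per direction. Assumption: a labelled SHA-256 stands in for the TLS PRF/HKDF key schedule.
func deriveKeys(secret []byte) (clientWrite, serverWrite []byte) {
	c := sha256.Sum256(append([]byte("client write|"), secret...))
	s := sha256.Sum256(append([]byte("server write|"), secret...))
	return c[:], s[:]
}

// newServerKey stands in for the key pair whose public half the server's certificate would carry.
func newServerKey() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048) // fails only if the system RNG is broken
	return k
}

// ClientHandshake: the client draws a random premaster secret and sends it wrapped with the server's
// RSA public key (RSA-OAEP); only the matching private key can unwrap it. Both sides then derive
// the same symmetric keys for the bulk traffic. This is the asymmetric half of the hybrid.
func ClientHandshake(serverPub *rsa.PublicKey) (wrapped []byte, send, recv *recordChannel, err error) {
	secret := make([]byte, 32)
	if _, err = rand.Read(secret); err != nil {
		return
	}
	if wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, secret, []byte("premaster")); err != nil {
		return
	}
	cw, sw := deriveKeys(secret)
	if send, err = newChannel(cw); err != nil {
		return
	}
	recv, err = newChannel(sw)
	return
}

func ServerHandshake(priv *rsa.PrivateKey, wrapped []byte) (send, recv *recordChannel, err error) {
	secret, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, []byte("premaster"))
	if err != nil {
		return nil, nil, err
	}
	cw, sw := deriveKeys(secret)
	if recv, err = newChannel(cw); err != nil {
		return nil, nil, err
	}
	send, err = newChannel(sw)
	return
}

// DirectRSA shows why the hybrid exists: RSA-OAEP with a 2048-bit key cannot encrypt more than 190 bytes.
func DirectRSA(pub *rsa.PublicKey, msg []byte) error {
	_, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
	return err
}

func main() {
	priv := newServerKey()
	wrapped, cSend, cRecv, _ := ClientHandshake(&priv.PublicKey)
	sSend, sRecv, _ := ServerHandshake(priv, wrapped)
	req, _ := sRecv.Open(cSend.Seal([]byte("POST /transfer?amount=500 HTTP/1.1")))
	resp, _ := cRecv.Open(sSend.Seal([]byte("HTTP/1.1 200 OK")))
	fmt.Printf("server read %q; client read %q\n", req, resp)
	fmt.Println("1 KiB directly under RSA:", DirectRSA(&priv.PublicKey, make([]byte, 1024)))
}
```

Two things worth noticing when running it. First, the expensive asymmetric operation happens exactly once per connection; everything after it is AES, which is why the answer to the T/F question above is "symmetric is faster" and why browsers can afford HTTPS on every page. Second, a record fed to the receiver a second time fails authentication because the receiver's counter has moved on, which is what stops a captured "transfer $500" request from being replayed.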

42 3. Firewalls Firewalls, the third technical safeguard, are computing devices (or software on a computer) that prevent unauthorized network access. They should be installed and used with every computer that is connected to any network, especially the Internet. The diagram shows how perimeter and internal firewalls are special devices that help protect a network. Packet-filtering firewalls are programs on general-purpose computers or on routers that examine each packet entering the network and pass or drop it according to a rule set, based on source and destination addresses, protocol, and port.
Fig (extra) Use of Multiple Firewalls
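What a packet-filtering firewall actually does, and why the figure shows two of them, is easiest to see as a rule set being evaluated. The Go program below is an added example for this page, not code from the textbook or from any firewall product. The address plan (a Web server in a DMZ, a database server on an internal network, using documentation address ranges) and the rules are constructed for illustration. A packet arriving from the Internet is judged by the perimeter device; anything bound for the internal network is then judged again by the internal device, so a compromised Web server is still one locked door away from the database.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Packet is the header tuple a stateless packet filter inspects.
type Packet struct {
	Proto   string // "tcp", "udp", "icmp"
	Src     netip.Addr
	Dst     netip.Addr
	DstPort uint16
}

// Rule: first match wins. Proto "*" matches any protocol; PortHi 0 matches any port.
type Rule struct {
	Allow          bool
	Proto          string
	Src, Dst       netip.Prefix
	PortLo, PortHi uint16
	Note           string
}

func (r Rule) matches(p Packet) bool {
	if r.Proto != "*" && r.Proto != p.Proto {
		return false
	}
	if !r.Src.Contains(p.Src) || !r.Dst.Contains(p.Dst) {
		return false
	}
	return r.PortHi == 0 || (p.DstPort >= r.PortLo && p.DstPort <= r.PortHi)
}

// Filter walks its rules top to bottom; an unmatched packet is dropped (default deny).
type Filter struct {
	Name  string
	Rules []Rule
}

func (f Filter) Decide(p Packet) (allowed bool, reason string) {
	for _, r := range f.Rules {
		if r.matches(p) {
			return r.Allow, f.Name + ": " + r.Note
		}
	}
	return false, f.Name + ": default deny"
}

func pfx(s string) netip.Prefix { return netip.MustParsePrefix(s) }
func ip(s string) netip.Addr    { return netip.MustParseAddr(s) }

// Constructed address plan using documentation ranges, not a real network.
var (
	anyNet      = pfx("0.0.0.0/0")
	dmz         = pfx("192.0.2.0/24") // Web tier, between the two firewalls
	internalNet = pfx("10.10.0.0/16") // database tier, behind the internal firewall
	webSrv      = pfx("192.0.2.10/32")
	dbSrv       = pfx("10.10.5.20/32")
)

// Perimeter firewall: the Internet may only open HTTPS to the Web server.
var perimeter = Filter{"perimeter", []Rule{
	{Allow: true, Proto: "tcp", Src: anyNet, Dst: webSrv, PortLo: 443, PortHi: 443, Note: "HTTPS to web server"},
	{Allow: false, Proto: "*", Src: anyNet, Dst: internalNet, Note: "Internet never reaches internal net"},
}}

// Internal firewall: only the Web server may reach the database, and only on PostgreSQL.
var internalFW = Filter{"internal", []Rule{
	{Allow: true, Proto: "tcp", Src: webSrv, Dst: dbSrv, PortLo: 5432, PortHi: 5432, Note: "web -> db PostgreSQL"},
	{Allow: false, Proto: "*", Src: dmz, Dst: internalNet, Note: "nothing else from DMZ"},
}}

// Path applies the firewalls a packet crosses on its way in: perimeter for Internet sources, then internal.
func Path(p Packet) (bool, string) {
	if !dmz.Contains(p.Src) && !internalNet.Contains(p.Src) {
		if ok, why := perimeter.Decide(p); !ok {
			return false, why
		}
	}
	if internalNet.Contains(p.Dst) {
		return internalFW.Decide(p)
	}
	return true, "allowed; no further firewall on path"
}

func main() {
	for _, p := range []Packet{
		{"tcp", ip("203.0.113.5"), ip("192.0.2.10"), 443},  // customer browsing the site
		{"tcp", ip("203.0.113.5"), ip("192.0.2.10"), 22},   // Internet SSH probe
		{"tcp", ip("203.0.113.5"), ip("10.10.5.20"), 5432}, // Internet straight to the DB
		{"tcp", ip("192.0.2.10"), ip("10.10.5.20"), 5432},  // legitimate app traffic
		{"tcp", ip("192.0.2.10"), ip("10.10.5.20"), 22},    // compromised Web server pivoting
	} {
		ok, why := Path(p)
		fmt.Printf("%-3s %s -> %s:%d allow=%v (%s)\n", p.Proto, p.Src, p.Dst, p.DstPort, ok, why)
	}
}
```

The caveat a practitioner would add: a stateless filter like this one sees each packet on its own, so it cannot tell a reply to an allowed connection from a new connection attempt in the other direction. Return traffic needs its own rules, or, in practice, a stateful firewall that remembers the connections it has already allowed.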

43 Symptoms of Adware and Spyware
Malware protection is the fourth technical safeguard. We will concentrate on spyware and adware here. Spyware consists of programs that may be installed on your computer without your knowledge or permission. Adware is similar but relatively benign: it is also installed without your permission, resides in your computer's background, and observes your behavior. If your computer displays any of the symptoms in this figure, you may have one of these types of malware on your computer.
Fig 12-8 Spyware & Adware Symptoms

44 4. Malware Protection Malware Protection (fourth technical safeguard):
Spyware: resides in the background, unknown to the user; observes the user's actions and keystrokes, monitors computer activity, and reports the user's activities to sponsoring organizations. Some spyware captures keystrokes to obtain user names, passwords, account numbers, and other sensitive information. Some supports marketing analyses, observing what users do, which Web sites they visit, which products they examine and purchase, and so forth.
Adware: does not perform malicious acts or steal data. It watches user activity and produces pop-up ads. Adware can change the user's default window, modify search results, and switch the user's search engine.
Beacons: tiny files that gather demographic information (e.g., gender, age, income). The information is refreshed in real time and sold to other companies.

45 4. Malware Types and Spyware and Adware Symptoms (cont.)
Malware types: viruses (and their payload), Trojan horses, worms, spyware, adware, beacons.
If your computer displays any of the symptoms in this figure, you may have one of these types of malware on your computer.
Fig Spyware & Adware Symptoms

46 Malware Safeguards
- Install antivirus and antispyware programs
- Scan frequently
- Update malware definitions
- Open attachments only from known sources
- Install software updates
- Browse only reputable Internet neighborhoods

47 Bots, Botnets, and Bot Herders
Bot: a program surreptitiously installed that takes actions unknown to, and uncontrolled by, the user or administrator. Some are very malicious, others merely annoying.
Botnet: a network of bots created and managed by an individual or organization that infects networks with a bot program.
Bot herder: the individual or organization that controls the botnet.
Botnets are a serious problem for commerce and national security. It is believed that a unit of the North Korean Army served as a bot herder for a botnet that caused denial-of-service attacks on Web servers in South Korea and in the United States in July 2009.

48 5. Design Secure Applications
Designing secure applications is the last (fifth) technical safeguard. You should ensure that any information system developed for you and your department includes security as one of the application requirements.

49 Q5: What Data Safeguards Are Available?
Data safeguards are measures used to protect databases and other organizational data. An organization should follow the safeguards listed in this figure. Remember, data and the information from it are one of the most important resources an organization has. Fig Data Safeguards

50 Some Important Data Safeguards
- Protect sensitive data by storing it in encrypted form.
- When data are encrypted, a trusted party should have a copy of the encryption key. This safety procedure is called key escrow.
- Periodically create backup copies of database contents.
- The DBMS and all devices that store database data should reside in locked, controlled-access facilities. Physical security was a problem that MRV had when it lost its data.
- Organizations that contract with other companies to manage their databases should inspect those companies' premises and interview their personnel to make sure they practice proper data protection.

51 Q6: Human Safeguards for Employees
Human safeguards for employees are some of the most important safeguards an organization can deploy. They should be coupled with effective procedures to help protect information systems. This figure shows the safeguards for in-house employees. Fig Human Safeguards for Employees (In-house Staff)

52 Human Safeguards for Nonemployee Personnel
Contract personnel:
- Least-privilege accounts
- Specify security responsibilities for the work to be performed
- Require vendors and partners to perform appropriate screening and security training
Public users:
- Harden the site

53 Account Administration
Account management: standards for new user accounts, modification of account permissions, and removal of unneeded accounts.
Password management: users should change passwords frequently.
Help-desk policies.

54 Account Administration
Account management (administration) is the third type of human safeguard and has three components: account management, password management, and help-desk policies.
Account management focuses on standards for new user accounts, modification of account permissions, and removal of unneeded accounts.
Password management requires that users immediately change newly created passwords and change passwords periodically.
Help-desk policies govern what the help desk may do for a caller, so that it cannot be talked into resetting a password for someone whose identity it has not verified.
Fig Sample Account Acknowledgement Form

55 Systems Procedures Effective system procedures can help increase security and reduce the likelihood of computer crime. As this figure shows, procedures should exist for both system users and operations personnel, and they should cover normal, backup, and recovery procedures.
Security monitoring is the last human safeguard. It includes:
- Activity log analyses
- Security testing
- Investigating and learning from security incidents
Fig Systems Procedures

56 Security Monitoring Functions
- Activity log analyses: firewall, DBMS, and Web server logs
- Security testing: in-house and external
- Investigation of incidents
- Create "honeypots"
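"Activity log analyses" is the one monitoring function that happens every day, so it is worth seeing what the analysis looks like. The Go program below is an added example for this page, not code from the textbook or from any monitoring product. It parses a constructed Web-server access log (the lines and addresses are made up for the example, not a real capture) and flags two patterns an analyst looks for: repeated failed logins from one address inside a short window, with a warning if a login from that address then succeeds, and a burst of 404s from one address, which is what path enumeration by a scanner looks like. The thresholds and window are parameters because the right values depend on the site.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Constructed "combined"-style access log (not a real capture): a brute-forcer, a scanner, a normal user.
const sampleLog = `203.0.113.9 - - [12/Mar/2024:10:00:01 +0000] "POST /login HTTP/1.1" 401 312
203.0.113.9 - - [12/Mar/2024:10:00:03 +0000] "POST /login HTTP/1.1" 401 312
203.0.113.9 - - [12/Mar/2024:10:00:04 +0000] "POST /login HTTP/1.1" 401 312
203.0.113.9 - - [12/Mar/2024:10:00:06 +0000] "POST /login HTTP/1.1" 401 312
203.0.113.9 - - [12/Mar/2024:10:00:07 +0000] "POST /login HTTP/1.1" 401 312
203.0.113.9 - - [12/Mar/2024:10:00:09 +0000] "POST /login HTTP/1.1" 200 1820
198.51.100.7 - - [12/Mar/2024:10:01:00 +0000] "GET /wp-admin/ HTTP/1.1" 404 153
198.51.100.7 - - [12/Mar/2024:10:01:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153
198.51.100.7 - - [12/Mar/2024:10:01:01 +0000] "GET /.env HTTP/1.1" 404 153
198.51.100.7 - - [12/Mar/2024:10:01:01 +0000] "GET /.git/config HTTP/1.1" 404 153
198.51.100.7 - - [12/Mar/2024:10:01:02 +0000] "GET /backup.zip HTTP/1.1" 404 153
192.0.2.44 - alice [12/Mar/2024:10:02:10 +0000] "POST /login HTTP/1.1" 401 312
192.0.2.44 - alice [12/Mar/2024:10:02:30 +0000] "POST /login HTTP/1.1" 200 1820`

type Entry struct {
	IP, Method, Path, Status string
	At                       time.Time
}

// client ident user [timestamp] "METHOD PATH PROTO" status ...; the size field is not needed.
var lineRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) `)

func parseLog(text string) ([]Entry, error) {
	var out []Entry
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		m := lineRe.FindStringSubmatch(line)
		if m == nil {
			return nil, fmt.Errorf("unparsed line: %q", line)
		}
		at, err := time.Parse("02/Jan/2006:15:04:05 -0700", m[2])
		if err != nil {
			return nil, err
		}
		out = append(out, Entry{IP: m[1], Method: m[3], Path: m[4], Status: m[5], At: at})
	}
	return out, nil
}

// burst reports whether at least threshold timestamps (in log order) fall inside one window.
func burst(times []time.Time, threshold int, window time.Duration) bool {
	for i := 0; i+threshold-1 < len(times); i++ {
		if times[i+threshold-1].Sub(times[i]) <= window {
			return true
		}
	}
	return false
}

type Finding struct{ IP, Kind, Detail string }

// Analyze flags login brute force (worse when a success follows) and 404 bursts (path scanning), per source address.
func Analyze(entries []Entry, threshold int, window time.Duration) []Finding {
	failed, notFound := map[string][]time.Time{}, map[string][]time.Time{}
	succeededAfter := map[string]bool{}
	for _, e := range entries {
		login := e.Method == "POST" && e.Path == "/login"
		switch {
		case login && e.Status == "401":
			failed[e.IP] = append(failed[e.IP], e.At)
		case login && e.Status == "200" && len(failed[e.IP]) >= threshold:
			succeededAfter[e.IP] = true
		case e.Status == "404":
			notFound[e.IP] = append(notFound[e.IP], e.At)
		}
	}
	var out []Finding
	for ip, ts := range failed {
		if burst(ts, threshold, window) {
			d := fmt.Sprintf("%d failed logins, %d+ within %s", len(ts), threshold, window)
			if succeededAfter[ip] {
				d += "; a later login SUCCEEDED (credentials likely compromised)"
			}
			out = append(out, Finding{ip, "login brute force", d})
		}
	}
	for ip, ts := range notFound {
		if burst(ts, threshold, window) {
			out = append(out, Finding{ip, "path scanning", fmt.Sprintf("%d 404s, %d+ within %s", len(ts), threshold, window)})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].IP < out[j].IP })
	return out
}

func main() {
	entries, _ := parseLog(sampleLog) // the constructed sample is well-formed
	fmt.Printf("%+v\n", Analyze(entries, 5, time.Minute))
}
```

Two design points carry over to real tooling. The rate check is a window, not a plain count, so a user who mistypes a password once a week never trips it, while five failures in six seconds do. And the single most useful line a log analysis can produce is "the failures were followed by a success": that turns a nuisance into an incident, and it is exactly the kind of event the incident-response procedures later in the chapter exist for. The same shape of analysis applies to the firewall and DBMS logs the slide lists, with different fields and different patterns.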

57 Responding to Security Incidents
Human error and computer crime:
- Procedures for how to respond to security problems, whom to contact, what data to gather, and the steps to take to reduce further loss
- Centralized reporting of all security incidents
- Incident-response plan (see next slide)
- Emergency procedures

58 Incident-Response Plan
Along with disaster-preparedness plans, every organization should think about how it will respond to security incidents before they actually happen. The figure below lists the major factors that should be included in any incident response.
Fig 12 (extra) Factors in Incident Response

59 Major Disaster-Preparedness Tasks
No system is fail-proof. Every organization must have an effective plan for dealing with a loss of computing systems. This figure describes disaster preparedness tasks for every organization, large and small. The last item that suggests an organization train and rehearse its disaster preparedness plans is very important. Fig Disaster Preparedness Tasks

60 Disaster-Recovery Backup Sites
Hot site: a utility company that can take over another company's processing with no forewarning. Hot sites are expensive; organizations pay $250,000 or more per month for such services.
Cold site: provides computers and office space. Cold sites are cheaper to lease, but customers install and manage the systems themselves. The total cost of a cold site, including all customer labor and other expenses, is not necessarily less than the cost of a hot site.

61 Q7: 2022?
- Challenges likely to be iOS and other intelligent portable devices
- Harder for the lone hacker to find a vulnerability to exploit
- Continued investment in safeguards
- Continued problem of electronically porous national borders

62 End of Chapter 12

