Presentation is loading. Please wait.

Presentation is loading. Please wait.

4/15: Security & Controls in IS Systems Vulnerabilities Controls: what to use to guard against vulnerabilities –General controls –Application controls.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "4/15: Security & Controls in IS Systems Vulnerabilities Controls: what to use to guard against vulnerabilities –General controls –Application controls."— Presentation transcript:

1 4/15: Security & Controls in IS Systems Vulnerabilities Controls: what to use to guard against vulnerabilities –General controls –Application controls Internet & eCommerce controls –Firewalls –Encryption –Authentication Assessments & Audits

2 Systems Vulnerabilities Ex: DDoS attacks in February 2000 Why worry? –Financial impact of downtime is staggering: Type of LossBrokerage siteAuction site (8 hrs)(22 hrs) Direct revenues loss$204,000$341,652 Compensatory loss$0$943,521 Lost future revenues$4,810,320$1,024,955 Worker downtime loss$117,729$46,097 Delay-to-market$60,000$358,734 Total impact$5,220,159$2,773,416

3 How are systems vulnerable? If destroyed –Systems cannot be replicated manually –Systems are not easily understood or audited –Systems’ records can be permanently lost Hardware: fire, earthquake, etc. Software: electrical problems, bugs Personnel actions: user errors, maliciousness Access: program changes, data changes Data & services: telecommunication failures

4 So what if it’s vulnerable? Use a risk assessment to decide if the costs of protecting against the vulnerability outweigh the potential losses from it. Ex. Online Order Processing Risk Assessment ExposureProb. (%)Loss range / avg. ($) Exp. ann. loss($) Power failure30%$5,000 – 200,000 $102,500 $30,750 Embezzlement5%$1,000 – 50,000 $25,500 $1,275 User error98%$200 - 40,000 $20,100 $19,698

5 Example of vulnerabilities: hackers Hackers –“A person who gains unauthorized access to a computer network for profit, criminal mischief, or personal pleasure.” –Create computer viruses, DDoS attacks, etc.

6 Examples of vulnerabilities: viruses “Rogue software programs that are difficult to detect and spread rapidly, destroying data or disrupting processing & memory systems.” Chernobyl (CIH) virusChernobyl (CIH) Badtrans.B virusBadtrans.B Nimda virusNimda Antivirus software is a necessity. –Virus definitions MUST BE UPDATED FREQUENTLY (min. every 2 weeks).

7 Concerns for systems builders Disaster –Build backup facilities –Build fault-tolerant systems Have extra hardware, software, power, processing capability in case something fails –Contract with a disaster recovery firm Security –“Policies procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to IS.” Errors: prevention

8 Systems quality issues: software Software bugs –“Program code defects or errors.” –Main Sources: decision code, poor design specs. Maintenance –50% of ITS staff time is spent “maintaining” existing systems. –Why? Organizational changes Software complexity Faulty systems analysis discovered too late

9 Systems quality issue: data quality Most common source of IS failure “Bad data”: –Input improperly or incorrectly –Faulty processing or database design FBI’s computerized criminal-records system –Estimated that 54% of records are wrong, incomplete, or ambiguous.

10 Controls: Guards against Errors “All of the methods, policies, and procedures that ensure protection of the organization’s assets, accuracy and reliability of its records, and operational adherence to management standards.” Two types of IS controls: –General controls –Application Controls

11 General controls “Overall controls that establish a framework for controlling the design, security, and use of computer programs in the organization.” Implementation controls Software controls Hardware controls Computer operations controls Data security controls Administrative controls

12 General controls Implementation controls –“The audit of the systems development process at various points to make sure that it is properly controlled and managed” –Controlling the systems development process

13 General controls Software controls –“Controls to ensure the security and reliability of software.” –Control access and use of computer programs.

14 General controls Hardware controls –“Controls to ensure the physical security and correct performance of computer hardware.” –Physical security: locking doors to computer rooms Ensuring correct humidity & temperature of computer rooms Etc.

15 General controls Computer operations controls –“Procedures to ensure that programmed procedures are consistently and correctly applied to data storage and processing.” –Examples: Backing up and recovering files Controlling setup of computer processing jobs Etc.

16 General controls Data security controls –“Controls to ensure that data files on either disk or tape are not subject to unauthorized access, change, or destruction.” –Keeping data safe & secure Restricting physical access to terminals to authorized users System passwords Additional password sets for specific data or applications

17 General controls Administrative controls –“Formalized standards, rules, procedures, and disciplines to ensure that the organization’s controls are properly executed and enforced.” –Making sure that the people do what they’re supposed to do. –Examples: Segregation of functions: –No one position has total access to, responsibility for, or control of data Written policies & procedures for controlling IS operations

18 Application controls “Specific controls within each separate computer application, such as payroll or order processing.” Input controls –Check data coming into system. –Control totals count # of transactions or fields before processing –Edit checks can fix errors in inputs before processing Processing controls Output controls

19 Application controls Input controls Processing controls –Establish that data are complete & accurate during processing –Run control totals reconcile the input control totals with the totals of items that have updated a file. –Computer matching highlights unmatched items between what was input and what was processed. –Edit checks can highlight errors before processing is finalized. Output controls

20 Application controls Input controls Processing controls Output controls –Ensure that results of processing are accurate, complete, and properly distributed.

21 Internet & eCommerce controls Threats are greater because of greater access to systems by anonymous outsiders. Firewalls: proxy & stateful inspection Encryption Authentication: digital signatures, digital certificates

22 Internet controls: Firewalls Prevent access by unauthorized users to a private network from the outside, usually the Internet. Proxy firewalls –Accept data from outside, then pass a copy (not the original files) along to the internal destination. –Can work similarly going from inside to outside. Stateful inspection firewalls –Checks each type of packet that comes in, and lets it pass if it is an approved type.

23 Internet controls: Encryption Coding and scrambling of messages to prevent unauthorized access to or understanding of the data being transmitted. Public key encryption: uses two “keys”, one public, one private. Sender Recipient Scrambled message Public key Private key

24 Internet controls: Authentication Digital signatures –Not fully developed yet, some governmental approval –Unique digital code attached to message to identify user, like a signature Digital certificates –Uses a third party (ex. Verisign) to guarantee identity of userVerisign

25 Do your controls work well? Use an MIS audit. –“Identifies all the controls that govern individual information systems and assesses their effectiveness.” The audit: –Lists and ranks all the control weaknesses, –Estimates the probability of occurrence, and –Assesses financial & organizational impact of each threat.

Download ppt "4/15: Security & Controls in IS Systems Vulnerabilities Controls: what to use to guard against vulnerabilities –General controls –Application controls."

Similar presentations

14.1 © 2004 by Prentice Hall INFORMATIONSYSTEMS SECURITY AND CONTROL.

14.1 © 2004 by Prentice Hall INFORMATIONSYSTEMS SECURITY AND CONTROL.
Information Technology Control Day IV Afternoon Sessions.

Information Technology Control Day IV Afternoon Sessions.
1 MIS 2000 Class 22 System Security Update: Winter 2015.

1 MIS 2000 Class 22 System Security Update: Winter 2015.
Crime and Security in the Networked Economy Part 4.

Crime and Security in the Networked Economy Part 4.
Information System protection and Security. Need for Information System Security §With the invent of computers and telecommunication systems, organizations.

Information System protection and Security. Need for Information System Security §With the invent of computers and telecommunication systems, organizations.
Lecture Outline 10 INFORMATION SYSTEMS SECURITY. Two types of auditors External auditor: The primary mission of the external auditors is to provide an.

Lecture Outline 10 INFORMATION SYSTEMS SECURITY. Two types of auditors External auditor: The primary mission of the external auditors is to provide an.
Auditing Computer Systems

Auditing Computer Systems
Managing Information Systems Information Systems Security and Control Part 1 Dr. Stephania Loizidou Himona ACSC 345.

Managing Information Systems Information Systems Security and Control Part 1 Dr. Stephania Loizidou Himona ACSC 345.
Chapter 17 Controls and Security Measures

Chapter 17 Controls and Security Measures
Lecture 10 Security and Control.

Lecture 10 Security and Control.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Database Integrity, Security and Recovery Database integrity Database integrity Database security Database security Database recovery Database recovery.

Database Integrity, Security and Recovery Database integrity Database integrity Database security Database security Database recovery Database recovery.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
IS Security Control & Management. Overview n Why worry? n Sources, frequency and severity of problems n Risks to computerized vs. manual systems n Purpose.

IS Security Control & Management. Overview n Why worry? n Sources, frequency and severity of problems n Risks to computerized vs. manual systems n Purpose.
Risks, Controls and Security Measures

Risks, Controls and Security Measures
Chapter 9 - Control in Computerized Environment ATG 383 – Spring 2002.

Chapter 9 - Control in Computerized Environment ATG 383 – Spring 2002.
Lecture 11 Reliability and Security in IT infrastructure.

Lecture 11 Reliability and Security in IT infrastructure.
Managing Information Systems Information Systems Security and Control Part 2 Dr. Stephania Loizidou Himona ACSC 345.

Managing Information Systems Information Systems Security and Control Part 2 Dr. Stephania Loizidou Himona ACSC 345.
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Similar presentations

Ads by Google