
Managing Information Systems Information Systems Security and Control Part 2 Dr. Stephania Loizidou Himona ACSC 345.




2 Objectives
Dr. S. Loizidou - ACSC345
- Demonstrate that Information System vulnerabilities can be controlled
- Demonstrate the ways in which Information Systems can be controlled in an organisation
- Demonstrate some of the technologies that can be used to control Information Systems vulnerabilities

3 Controlling Information Systems
- Recall there are numerous threats to Information Systems:
  - Hardware failures
  - Software failures
  - Upgrade issues
  - Disasters
  - Malicious intent

4 Controlling Information Systems
- To minimise the likelihood of threats, the environment in which Information Systems are developed and deployed must be controlled
- Controls are put in place to:
  - Manually control the environment of Information Systems
  - Automatically add controls to Information Systems

5 Controlling Information Systems
- Implemented through:
  - Policies
  - Procedures
  - Standards
- Control must be thought about through all stages of Information Systems analysis, construction, deployment, operations and maintenance

6 Controlling Information Systems
- What sort of controls can be put in place?

7 Controls
- General controls
  - Controls for the design, security and use of Information Systems throughout the organisation
- Application controls
  - Specific controls for each application
  - Specific to the user functionality of that application

8 General Controls
- Implementation controls
  - Audit system development
  - Ensure development is properly managed and controlled
  - Ensure user involvement
  - Ensure procedures and standards are in use
- Software controls
  - Authorised access to systems

9 General Controls
- Hardware controls
  - Physically secure hardware
  - Monitor for and fix malfunctions
  - Environmental systems and protection
  - Backup of disk-based data

10 General Controls
- Computer operations controls
  - Day-to-day operations of Information Systems
  - Procedures
  - System set-up
  - Job processing
  - Backup and recovery procedures

11 General Controls
- Data security controls
  - Prevent unauthorised access, change or destruction
  - Apply both when data is in use and when it is being stored
  - Physical access to terminals
  - Password protection
  - Data-level access controls

12 General Controls
- Administrative controls
  - Ensure organisational policies, procedures and standards are enforced
  - Segregation of functions to reduce errors and fraud
  - Supervision of personnel to ensure policies and procedures are being adhered to

13 Application Controls
- Input controls
  - Data is accurate and consistent on entry
  - Direct keying of data, double entry or automated input
  - Data conversion, editing and error handling
  - Field validation on entry
  - Input authorisation and auditing
  - Checks on totals to catch errors

14 Application Controls
- Processing controls
  - Data is accurate and complete on processing
  - Checks on totals to catch errors
  - Compare to master records to catch errors
  - Field validation on update

15 Application Controls
- Output controls
  - Data is accurate, complete and properly distributed on output
  - Checks on totals to catch errors
  - Review processing logs
  - Track recipients of data
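The three application-control slides (input, processing and output) can be seen working together on a small batch. The following is an added example written for this transcript, not code from the original slides: the record layout, the master file, the batch and the batch-slip totals are all constructed. It applies field validation on entry, recomputes control totals (record count, a hash total over employee ids, and a financial total) against the totals written on the batch slip, compares each record with the master file, and logs the output totals together with the recipient.

```python
"""Application controls over a constructed payroll batch: input controls
(field validation, control totals), processing controls (totals recomputed,
comparison with master records) and output controls (totals and recipient
logged for review).

Added example for this lecture transcript, not code from the original
slides. The record layout, master file, batch and batch-slip totals are
all constructed for illustration."""
from dataclasses import dataclass
import re

# Constructed master file: employee id -> (name, department)
MASTER = {
    "E1001": ("Ann Kyriakou", "Finance"),
    "E1002": ("Ben Lau", "IT"),
    "E1003": ("Cara Novak", "IT"),
    "E1004": ("Dimitris Pavlou", "IT"),
}
EMP_ID = re.compile(r"E\d{4}")


@dataclass
class Record:
    emp_id: str
    dept: str
    hours: float
    rate: float


def validate_fields(rec: Record) -> list:
    """Input control: field validation on entry (format and range checks)."""
    errors = []
    if not EMP_ID.fullmatch(rec.emp_id):
        errors.append(f"{rec.emp_id}: malformed employee id")
    if not 0 <= rec.hours <= 168:
        errors.append(f"{rec.emp_id}: hours {rec.hours} out of range")
    if rec.rate <= 0:
        errors.append(f"{rec.emp_id}: rate must be positive")
    return errors


def control_totals(batch) -> dict:
    """Record count, hash total of employee ids (meaningless as a number,
    but any mis-keyed id changes it) and financial total of the batch."""
    return {
        "count": len(batch),
        "hash_total": sum(int(r.emp_id[1:]) for r in batch if r.emp_id[1:].isdigit()),
        "amount": round(sum(r.hours * r.rate for r in batch), 2),
    }


def process_batch(batch, slip_totals):
    """Apply input and processing controls; return (accepted, errors)."""
    errors = []
    for r in batch:
        errors.extend(validate_fields(r))
    computed = control_totals(batch)
    for key, entered in slip_totals.items():
        if computed[key] != entered:
            errors.append(f"control total {key}: slip says {entered}, computed {computed[key]}")
    accepted = []
    for r in batch:
        if validate_fields(r):
            continue                      # already reported above
        master = MASTER.get(r.emp_id)
        if master is None:
            errors.append(f"{r.emp_id}: no master record")
        elif master[1] != r.dept:
            errors.append(f"{r.emp_id}: dept {r.dept} does not match master {master[1]}")
        else:
            accepted.append(r)
    return accepted, errors


def output_log(accepted, recipient: str) -> dict:
    """Output control: totals of what was produced and who received it."""
    return {"recipient": recipient, **control_totals(accepted)}


# Constructed batch; the last record was mis-keyed (letter O for zero, 200 hours).
BATCH = [
    Record("E1001", "Finance", 40, 20.0),
    Record("E1002", "IT", 38, 25.0),
    Record("E1003", "Finance", 40, 22.0),   # department disagrees with master
    Record("E9999", "IT", 40, 30.0),        # no such employee in master
    Record("E1O04", "IT", 200, 10.0),       # should have been E1004, 20 hours
]
# Constructed batch slip: totals the clerk computed over the intended records
SLIP = {"count": 5, "hash_total": 14009, "amount": 4030.0}

if __name__ == "__main__":
    ok, errs = process_batch(BATCH, SLIP)
    for e in errs:
        print("REJECT:", e)
    print(output_log(ok, "payroll-team"))
```

The hash total is what catches the mis-keyed id: the record count still matches the slip, but the sum of the ids does not, so the batch is flagged even before the master-file comparison runs.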

16 Protecting Information Systems
- What sorts of technology can we use to implement Information Systems controls?

17 Protecting Information Systems
- Information Systems, especially TPS (transaction processing systems), require high degrees of availability
- Technology is available to ensure systems are available and contain accurate information

18 High Availability Computing
- Systems available for most of the time (some downtime allowed)
  - Recover quickly from crash / downtime
  - Redundant servers and clustering
  - Mirroring of data and networked storage
  - Load balancing
  - Scalable and robust infrastructure
  - Disaster recovery planning

19 Fault Tolerant Computing
- Systems available all the time (no downtime allowed)
  - Specialist hardware: HP NonStop (Tandem), Stratus
  - Detect and correct faults in hardware and software to keep processing

20 Network Security
- Permanent (open) network connectivity: Internet, extranet, wireless
  - Firewall: proxy or stateful inspection
  - Firewalls must be managed and part of the security policy
  - Encryption: public key, SSL or S-HTTP
  - Authentication and integrity
  - Digital signatures and certificates
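The slide names stateful inspection as one firewall type without saying what the state buys you. The following added example, written for this transcript and not taken from the slides, puts a stateless packet filter beside a stateful one on the same constructed packet trace (internal network 10.0.0.0/24, outside addresses from the RFC 5737 documentation ranges, packets reduced to the header fields the comparison needs). The stateless filter must admit any inbound packet whose source port looks like a web reply; the stateful filter admits inbound packets only when an inside host opened the matching connection.

```python
"""Stateless packet filtering versus stateful inspection, in miniature.

Added example for this lecture, not from the original slides. The internal
network, the policy and the packet trace are constructed; the packet model
is reduced to the fields the comparison needs."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/24")   # constructed internal network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # a bare SYN from inside opens a new connection


def is_internal(addr: str) -> bool:
    return ip_address(addr) in INTERNAL


class StatelessFilter:
    """Judges every packet on its own header. To let replies to outbound
    HTTP/HTTPS sessions back in it has to admit any inbound packet with
    source port 80 or 443, a value the sender picks, so unsolicited traffic
    using those ports is indistinguishable from a reply."""

    def allow(self, p: Packet) -> bool:
        if is_internal(p.src):
            return True
        return p.sport in (80, 443)


class StatefulFilter:
    """Remembers connections that inside hosts opened and admits inbound
    packets only when they belong to one of them; no static inbound port
    opening is needed."""

    def __init__(self):
        self.table = set()   # (internal ip, internal port, external ip, external port)

    def allow(self, p: Packet) -> bool:
        if is_internal(p.src):
            key = (p.src, p.sport, p.dst, p.dport)
            if p.syn:
                self.table.add(key)         # new outbound connection: record it
            return key in self.table
        return (p.dst, p.dport, p.src, p.sport) in self.table


def run(fw, trace) -> list:
    """Return the allow/deny decision for each packet in order."""
    return [fw.allow(p) for p in trace]


# Constructed trace (RFC 5737 documentation addresses for the outside).
TRACE = [
    Packet("10.0.0.5", 51000, "198.51.100.20", 443, syn=True),   # inside opens HTTPS session
    Packet("198.51.100.20", 443, "10.0.0.5", 51000),             # genuine reply
    Packet("203.0.113.9", 80, "10.0.0.5", 3389),                 # unsolicited, source port chosen as 80
    Packet("203.0.113.9", 50555, "10.0.0.5", 22),                # unsolicited, ordinary source port
]

if __name__ == "__main__":
    for name, fw in (("stateless", StatelessFilter()), ("stateful", StatefulFilter())):
        print(name, ["allow" if d else "deny" for d in run(fw, TRACE)])
```

The third packet is the one that separates the two designs: both filters pass the genuine reply, but only the stateful filter rejects the unsolicited inbound packet, because no inside host ever opened a connection to 203.0.113.9. A real connection table also expires entries and tracks TCP teardown; that is omitted here.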

21 Developing Control
- Lots of threats to Information Systems
- Lots of controls required
- The decision on which controls to use is based upon the likelihood of the threat and the cost
- Risk assessment:
  - Likely frequency of threat
  - Cost of damage
  - Cost of implementation
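The three risk-assessment factors on the slide can be turned into a ranking of candidate controls. The following is an added example for this transcript, not from the original slides; every figure is constructed, and the "effectiveness" of a control (the fraction of expected loss it removes) is an assumption the example introduces, since the slide lists only frequency, cost of damage and cost of implementation. Expected annual loss is frequency times cost of damage; a control is worth implementing when the loss it avoids exceeds its own cost.

```python
"""Risk assessment along the lines the slide lists: likely frequency of
each threat, cost of the damage it causes, and cost of implementing a
control against it.

Added example for this lecture, not from the original slides. All figures
are constructed. The 'effectiveness' of a control (the fraction of expected
loss it removes) is an assumption this example adds; the slide does not
name it."""
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    annual_frequency: float   # expected occurrences per year
    cost_per_event: float     # cost of damage per occurrence


@dataclass
class Control:
    name: str
    threat: str               # name of the threat it addresses
    annual_cost: float        # cost of implementation, per year
    effectiveness: float      # assumed fraction of expected loss removed (0..1)


def expected_annual_loss(t: Threat) -> float:
    """Likely frequency times cost of damage."""
    return t.annual_frequency * t.cost_per_event


def net_benefit(c: Control, threats: dict) -> float:
    """Loss avoided per year minus the control's own cost; positive means
    the control pays for itself."""
    avoided = expected_annual_loss(threats[c.threat]) * c.effectiveness
    return round(avoided - c.annual_cost, 2)


def select_controls(threats, controls):
    """Rank candidate controls by net benefit and return the names of those
    worth implementing, plus the full ranking for the report."""
    by_name = {t.name: t for t in threats}
    ranking = sorted(((net_benefit(c, by_name), c.name) for c in controls), reverse=True)
    return [name for benefit, name in ranking if benefit > 0], ranking


# Constructed figures for a small organisation.
THREATS = [
    Threat("Disk failure", annual_frequency=0.5, cost_per_event=20_000),
    Threat("Malware", annual_frequency=2.0, cost_per_event=8_000),
    Threat("Fire", annual_frequency=0.01, cost_per_event=500_000),
]
CONTROLS = [
    Control("Nightly backups", "Disk failure", annual_cost=3_000, effectiveness=0.9),
    Control("Endpoint anti-malware", "Malware", annual_cost=5_000, effectiveness=0.7),
    Control("Gas fire suppression", "Fire", annual_cost=12_000, effectiveness=0.8),
    Control("Hot-site contract", "Fire", annual_cost=4_000, effectiveness=0.6),
]

if __name__ == "__main__":
    chosen, ranking = select_controls(THREATS, CONTROLS)
    for benefit, name in ranking:
        print(f"{name:24s} net benefit per year: {benefit:>10,.2f}")
    print("implement:", chosen)
```

Note how the rare, expensive threat (fire) comes out with a small expected annual loss, so neither fire control pays for itself on these figures; in practice the assessment would also weigh losses the simple expected-value figure does not capture, such as an event the organisation could not survive at all.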

22 HOMEWORK

23 HOMEWORK

