1. Lecture 5 Part 1 - Security
IS Security definitions and issues

2. Security
An organization may be required by organizational policy or compliance to the law to have an information security program in place.
A security program may be put in place to insure against identified problems or risks.

3. Security
The goal of a security program is to provide assurance that there exists security to:
Provide for timely and reliable availability of information and systems
Preserve confidentiality of data
Safeguard integrity of data

4. Those Involved with Security
Executives authorize plans, ensure security and privacy protections are integrated, and accept risks to information systems in the organization
Managers (information owners) develop requirements, assess information sensitivity and privacy needs, develop security plans and work with IT and security on monitoring
IT staff provide, document and monitor technical security controls and are considered the owners of the infrastructure of information systems

5. Those Involved with Security
Security staff manage the security program, assess risks, consult and review the security plan and privacy impact assessments (as documents) and manage the monitoring and compliance of reporting activities
Auditors review security programs and systems for compliance according to organizational policy or legal requirement
Supervisors assure staff compliance with security and privacy training and awareness requirements

6. A Security Program Combines People, Processes and Technology

7. Security Controls
A security control is a specific action or procedure that is provided to protect confidentiality, integrity and availability of information/systems.
Security controls are described in International Organization for Standardization
Example: ISO 17799, a document describing IT security

8. Security Controls Management Controls
Focus on the management of the computer security system and the management of risk for a system
Operational Controls
Focus on mechanisms that primarily are implemented and executed by people (as opposed to systems)
Technical Controls
Focus on security controls that the computer system executes

9. Security Types Three security types; Physical controls
Administrative controls
Computational controls

10. Physical Controls Physical security
These controls ensure that hardware is secure.
They check for equipment malfunction.
May include access to hardware and an example might be the restriction of access to a computer room to operational personnel or the taking of back-up copies of files in case of accidents.
Hardware controls should take account of fire and environmental hazards.

11. Administrative Controls
Administrative disciplines, standards and procedures
These controls are formalized standards, rules, procedures and control disciplines to ensure that the organization's other controls are properly executed and enforced. Examples of these controls are:
segregation of functions
written policies and procedures
supervision

12. Administrative Controls
Controls over the system implementation process
Implementation controls audit the system development process at various points in time to ensure that the project in hand is being properly controlled and managed.
An example of such a control is a 'sign-off' at the end of each stage of the development process where a developer offers a section of the project to a user or manager to sign off, thereby documenting their approval of the development stage offered.

13. Administrative Controls
Computer operations controls
These controls apply to the work of the computer department and help to ensure that programmed procedures are consistently and correctly applied to the storage and retrieval of data.
They include, for example, controls over set-up, operations software, computer operations and backup and recovery procedures.

14. Computational Controls
Software controls
These controls monitor the use of system software and prevent unauthorized access to software programs.
System software controls govern the software for the operating system.
Program security controls are used to prevent unauthorized changes to programs on the system.

15. Computational Controls
Internal system security
Validation and verification checks on input data, authorization procedures for some types of input data, the provision of an audit trail of file changes and the use of control totals.
It may be necessary to include such things as encryption, which is coding, of data held on files, multi-level password systems including the use of magnetic keys, voice recognition access and the monitoring of the identity and access time of each user on the system.

16. Computational Controls
Data security controls
Data security controls ensure that data files on disk or tape are not subject to unauthorized access, change or destruction. These controls are needed for when the data is in use (active) and when being held for storage.

17. Computational Controls
Application controls
Application controls are specific controls within each computer application.
Objectives:
Completeness of input
Accuracy of input
Validity of data
Maintenance (where data on files continue to be correct and current).

18. Computational Controls
Application controls are usually in one of three categories:
Input controls
Processing controls
Output controls

19. Audits Auditing information systems
An information system audit identifies all of the controls that govern individual information systems and assess their effectiveness.

20. Audits For this the auditor must make value judgements about
operations,
physical facilities,
telecommunications,
control systems,
data security objectives,
organizational structure,
personnel,
manual procedures and individual applications.

21. Audits
The audit is a matter of collecting and analyzing the details on an information system including
user and system documentation,
sample inputs,
sample outputs,
documentation on integrity controls (to compare the details) and
anything else that might be lying around that might give an indication of how the system is being used.

22. Issues and Considerations of Security Management
Access control
Awareness and training
Audit and accountability
Certification, accreditation, and security assessments
Configuration management
Contingency planning
Identification and authentication
Incident response

23. Issues and Considerations of Security Management
Maintenance
Media protection
Physical and environmental protection
Planning
Personnel security
Risk assessment
System and services acquisition
System and communications protection
System and information integrity

24. Security During the Life Cycle
Security is less expensive if it is planned and implemented from the start; it is more costly to add security features to a system after it has been designed.
If not addressed in the initial phases, security controls added at the last minute can diminish performance and delay implementation.

25. Risks
Risk management is the total process of identifying, controlling, and minimizing the impact of uncertain events against an information resource.
The risk management process can be broken down into three main areas:
Risk assessment
Risk mitigation
On-going evaluation

26. Risks Examples of types of vulnerabilities include:
Poorly communicated or implemented policy
Poorly trained personnel
Misconfigured systems or controls
Poorly designed and implemented commercial off-the shelf (COTS) or custom components
Lack of access controls
Lack of physical controls
Lack of visitor policy

27. Consequences
The consequences of ignoring risk – or having inadequate security may result in:
Loss of data
Disclosure of sensitive information
Disruption or denial of service
Loss of competitive edge
Monetary loss
Damage to reputation or public trust
Lawsuits
Death (in extreme cases)

28. Management Responsibilities for Risk
Document the criticality and sensitivity of the information in the risk assessment
Define and document the appropriate controls needed to mitigate the risk
Use the appropriate security requirements
Develop Plans of Action and Milestones to mitigate risks
Monitor and reassess risks, security and related policy regularly

29. Steps for Managers to Take
Step 1: Develop policy statement
Step 2: Conduct Business Impact Assessment
Step 3: Identify preventive controls
Step 4: Develop recovery strategies
Step 5: Develop IT contingency plans
Step 6: Conduct plan testing, training and exercises for staff
Step 7: Maintain the plan

30. Part 2
IS and the Legal System

31. Information Systems Management and the Law
The law is the set of rules that can be enforced in a court. There are many sets of laws and they exist in a jurisdiction.

32. What is Regulation?
Regulations for technology are often associated with the Data Protection Act and trading acts.
You could say that regulation in information systems comes mainly from individual contracts set up by organizations.

33. What is Compliance?
Where there are regulations – either by law or company policy, compliance could be seen as observance of the official requirements of the regulations.
The act or process of complying with a demand or recommendation that comes from regulation is usually a task for a member of management.

34. Legal Issues
The laws associated with information technology have many aspects. We can look at commonly discussed legal issues related to information systems or IT:
Contracts
Outsourcing
Software licensing
Data protection
Acceptable use
Intellectual property rights
Computer fraud
Taxation

35. Contracts
Contracts are legal documents defining the legal implications of buying, selling or becoming involved with products and services of – in this MIS context – hardware and software systems and the issues surrounding them.
Contracts can take many forms – what follows is a general, basic description of a contract.

36. Contracts The structure of a contract in our context is, generally:
The date on which the contract was entered into
The names and addresses of those entering the contract
A description of what the contract is about – having titles such as ‘Background’ or ‘Whereas’
Definitions of terms used in the contract
Provisions made by one party (e.g. Supplier)
What must be paid to the provider (supplier)

37. Hardware Procurement Contract
The details for a hardware procurement contract might include:
A description of the hardware
A warranty for the quality of the hardware
Delivery dates
Price
Acceptance testing (description)
Future maintenance description
Training

38. Software Procurement Contract
Software purchase is much more complex in terms of contract design. The software may be developed specifically for the organization or be ready to sell ‘off-the shelf’.

39. Software Procurement Contract
What type of software will be provided, what the software is required to do, whether there is a maintenance feature to the deal, what provision there is for the cessation of the supply company and many other aspects of law surrounding the idea of ‘keeping the software working’.

40. A Contract for Outsourcing
It is difficult to specify a typical contract for product or service outsourcing, but – very generally – a contract for software services, as an example, may contain:
The statement of requirements
The technical solution
An output specification

41. A Contract for Outsourcing
Similar to hardware, software and services procurement, there is often a special contract that is applied to outsourcing called a Service Level Agreement (SLA).
An SLA often has the details of:
Service levels to be achieved
Targets for service levels
Mechanisms for monitoring and reporting service levels against those targets
Consequences of failure to meet targets

42. Software Licensing
One might view software licensing as another form of contract.
A licence should confirm that the software supplier owns the copyright in the software or has the right to licence it to the organization.
Usually, the software supplier is not selling ownership of software to an organization but the permission to use it as they wish. This leaves the supplier able to provide copies of the software to other people or organizations.

43. Software Licensing
Usually a contract is drawn up – called the licence agreement, since the licence is really a legal agreement between the software supplier and a client.
There are variations in such agreements;
Is the licence restricted to one office, one department, one organization or can the software be lent to ‘sister companies?
…/ continued

44. Software Licensing
Is there a user restriction? Does the agreement allow up to, say 20 users? Do extra users require individual licences or another group licence?
Are there time constraints? One year? Two Years?
Are there any other restrictions?

45. Data Protection
As an organization processing data one must ensure that the processing is lawful.
The data must have been obtained fairly and lawfully.
When obtaining data from a third party you must inform the subject of the data that you have data pertaining to them, telling the subject why you are using the data and how you will use them.

46. Data Protection Personal data must be: Fairly and lawfully processed
Processed for limited purposes
Adequate, relevant and not excessive
Accurate
Not kept longer than necessary
Processed in accordance with the data subject’s rights
Secure
Not transferred to countries without adequate protection

47. Acceptable Use
Employees use computers for their information work – they may also use their employer’s computers for personal matters, such as booking a cheap flight, buying books and gifts and sending s to friends and family.

48. Acceptable Use Misuse might be seen as an
excessive waste of staff time and resources,
actions exposing the organization to claims for discrimination, harassment, defamation or worse,
failure to include information that results in criminal liability.
(On the employer’s side;) health and safety requirements for screens and other computer equipment must be met

49. Acceptable Use Usage policies
Computer usage policies are very often established because employers can be held responsible for wrongful actions carried out by employees in the course of their employment.

50. Acceptable Use Common usage problems are: Racial harassment
Sexual harassment
Downloading pornography
Defamation of management, customers or competitors,
Breach of confidence
Copyright infringement
Hacking (into systems)
Breaches of the Data protection Act

51. Intellectual Property Rights
Rights on intellectual property are laws related, in the current context of information systems in organizations, to software licensing.
Types of intellectual property:
Patents
Design
Copyright
Database right
Trade marks

52. Computer Fraud
Many Management Information Systems service providers see the responsibility of avoiding this fraud to belong to the organization itself.
Corporate governance is the term for the idea that an organization ‘watches out’ for computer fraud.

53. Taxation E-commerce means that organizations can trade across borders.
There is a Communications Regulations Bill 2007, which may amend the state law on e-commerce.

54. Taxation Issues for taxation in e-commerce include:
Identification of a transaction
Identification of the parties to a transaction
Verification of the details of the transaction
Application of the correct taxing rules and remittance to the taxing authority
Generation of an audit trail.
The country of the supplier, generally, has the government to which the tax laws apply.

55. Part 3
Human Computer Interface
Interacting with Computers.

56. Interacting with Computers
What we are looking at with this topic, largely, is Human-Computer Interaction or, in a narrower field, GUIs (Graphical User Interfaces).

57. Interacting with Computers
Interacting with computers is improved by ‘good usability’.
A computer system has usability – whether it is easily usable or difficult to use is measurable.
Usability, like many features of systems, can be ‘designed in’…

58. Design Principles for Usability
Principles for good design of this sort include:
Early focus on the users
Iterative design
Integrative design (Help for users, training, documentation, etc in parallel to the technical design)

59. Usability Early focus on users
Bring the design team into direct contact with the users right from the start.
Get the user involved so they can instill their knowledge into the design process.

60. Usability Collect the users’ thoughts (interviews, questionnaires…)
Collect the user’s mistakes,
Collect the user's attitudes.

61. Usability Iterative design
Incorporate the results from the tests into the next prototype
Set goals for the system
Get feedback on evaluation

62. Usability Evaluation criteria easy to use user friendly
easy to operate
simple
responsive
flexible

63. Usability Integrated design
Build the online help, prepare training, documentation AND process modules (coded programs) at the same time.

64. Usability Definitions
Usability is task related, people related and function related. It has cognitive, behavioral, and communicative components.
To be truly usable a system must be compatible not only with the characteristics of human perception and action but, and most critically, with user's cognitive skills in communication, understanding, memory and problem solving.

65. Usability Definitions
Designing a usable system requires:
understanding of the intended users.
the amount of time they expect to use the system.
how their needs change as they gain experience.

66. Usability Design Early focus on the user
What: understand the users’ cognition, behavior and attitude in relation to the goals of the organization
How: interviews, observations, discussions, working with the users.

67. Usability Design Interactive design Integrated Design
What: the problems encountered are to be corrected and measure again.
How: an evolving system – prototyping.
Integrated Design
What: a parallel development of interface, help, documentation, training and measurement.

68. Measurable Human Factors
Goals for usability
Time needed to learn - how long does it take for typical users to learn to use the commands relevant to a set of tasks?
Speed of performance - how long does it take to carry out the benchmark set of tasks?
Rate of errors by users - how many and what kinds of errors are made in carrying out the benchmark set of tasks?
…/continued

69. Measurable Human Factors
Subjective satisfaction - how much did the users like using aspects of the system?
Retention over time - how well do users maintain their knowledge?

70. Cognitive Engineering
Learning is a relatively permanent change in behavior resulting from conditions of practice.
Human learning then is the association of one item with another item (Associated learning).
Pairs of stimuli are introduced, a mental association is made for them, and the stimuli then become interrelated.
Future learning can then depend upon past learning (Constructivism).
People develop new cognitive structures by using metaphors to cognitive structures they have already learned.

71. Cognitive Engineering
The metaphor is a model or structure or conceptual framework which helps bridge any gap between what the person (user) knows and what is to be learned.
Metaphors spontaneously generated by users will predict the ease with which they an master a computer system.
If this is indeed the case then systems designers must understand and employ the use of metaphors in system designs.

72. Cognitive Engineering
Eight recommendations to aid both the user and designer in build effective systems
Find and use appropriate metaphors in teaching the naive user a computer system. A metaphor must have a suitable domain for a given system and given user population.
Given a choice between two metaphors choose the one which is most like the way the system works.
Assure that the correct attitude is presented. Costs of ignoring this recommendation range from user dissatisfaction and reduced productivity to sabotage.

73. Cognitive Engineering
When more than one metaphor is need to represent a system, choose metaphors that are similar enough, but not to similar that confusion results.
Consider the probable consequences to users and system designers of each metaphor used. This is the evolving state from novice to user. Two path are possible: one leading to directly to the system, the other to a new metaphor.
The limits of the metaphor should be pointed out to the user.

74. Cognitive Engineering
The intent of the metaphor in the beginning is to aid understanding and usability; for the continual user it is no longer necessary. The metaphor is used also as a motivator, at first to get the user to use the system, then to make him productive and keep his interest.
Provide the user with an exciting metaphor for routine work and eventually present the user with advanced scenarios requiring different action.

75. Cognitive Engineering
Learning is a relatively permanent change in behavior resulting from:
Elaboration, association, practice, rehearsal.
Metaphor - a mental model, structure, or framework which help bridge any gap between what a person knows and what is being attempted to be learned.

76. Cognitive Engineering
Goals
To understand the fundamental principles of human action and performance relevant to the principles of system design.
To devise physical systems that are pleasant to use.
Psychological variables - goals, intentions and attitudes
Physical variables - pertain to to system.

77. Human-Computer Dialogue
Computer based systems should be easy to learn and remember, effective, and pleasant to use.
These are testable usability behavioral measures.

78. Cognitive Engineering
Nine basic categories of usability problems:
Simple and natural dialogue: The dialogue should be simple and clearly stated. It should not contain any irrelevant information. The information should appear in a natural and logical order.
Speak the user's language: the dialogue should be expressed in the terminology familiar to the user rather than in system oriented terms.
Minimize the user's memory load: instructions should be visible, easily retrievable, and simplified. Presentation load should be reduced when ever possible (i.e. users should not have to remember file names when they are retrievable).
Be consistent: the terminology and concepts should always be used in the same manner.

79. Cognitive Engineering
Provide feedback: the system should provide feedback as to what is transpiring within a reasonable time.
Provide clearly marked exits: clearly marked exits should be provided to the user in case of mistakes.
Provide shortcuts: system flexibility for the novice and expert. Menus for the novice and commands for the experts.
Provide Good Error Messages: The error messages should be constructive and provide meaningful suggestions to the user of what to do next.
Error Prevention: A careful design that prevents error messages form occurring in the first place.

80. Cognitive Engineering
Conclusion:
The identification of specific, and potential usability problems in a human computer dialogue design is difficult.
Usability goals should be defined and incorporated into the design.
Designers may have difficulties in applying design principles unless they have simple basic requirements for the design product.

81. End of Lecture 5