Presentation is loading. Please wait.

Presentation is loading. Please wait.

Today’s Lecture Covers < Chapter 6 - IS Security

Published byMitchell Singleton Modified over 9 years ago

Similar presentations

Presentation on theme: "Today’s Lecture Covers < Chapter 6 - IS Security"— Presentation transcript:

1 Today’s Lecture Covers < Chapter 6 - IS Security Dsheehy@grantthornton.ca

2 Security The system is protected against unauthorized physical and logical access.

3 A typical network today? INTERNET External Router Corporate Backbone Human Resources Payroll - Accounting e-Business Network Human Resources AP Cyberwall Payroll - Accounting AP Cyberwall IP Firewall DMZ IP Firewall DMZ Internal Firewall DMZ Systems

4 Control over Info Transmission < procedures to protect in bound information and outbound information < network design should incorporate information integrity, confidentiality and availability requirements for transmissions < network implementation and config mgt needs to be controlled

5 Control over Data Mgt roles and responsibilities for data mgt needed database design and implementation needs to address security, integrity and control requirements also incorporate reliability and availability requirements

6 Control over End-Using Computing procedures to ensure that end-users conform with organizational strategy stds for development, acquisition, documentation and operation of applications procedures. Effective support and training monitoring end-using computing

7 <The issue of IT Security < must id risks and design effective security processes and practices < not too much security - causes rule breaking to do job < balance between enabling staff and others to access easily and efficiently and controlling that access

8 Security Controls- to prevent unauthorized access to IS by outsiders unauthorized access to IS by insiders interruptions in processing at application (into each program) and general level (e.g., electronic access, physical security, back-up and recovery and contingency planning)

9 To meet Security Objectives < need an integrated approach: < develop policies < assign roles and responsibilities and communicate them < design a security control framework < implement on risk-prioritized and timely basis < monitor

10 Broad Organizational Issues policies and stds risk assessment plan, design, test and implement user and mgt involvement monitor and update

11 Policies & Stds responsibility of all personnel roles and responsibilities for security administrator classify systems and data in terms of sensitivity role of I/A

12 Risk Assessment analyze risks and exposures assess what is acceptable need to understand potential losses

13 Plan Design Test and Implement assess what is needed test - ensure authorized accepted/unauthorized rejected access time is reasonable audit trails are adequate

14 Monitoring and Update need logs need to ensure controls up to date adequate resources

15 Physical Access Controls - Safeguard against physical abuse, damage and destruction. Isolation and restriction - use locks, effective key management, video, sensing devices

16 Communication Access Controls Firewalls - hardware and software between 2 networks, all traffic must go through it, only authorized traffic may pass, and is protected from tampering Simplifies security mgt - only have to manage single point

17 Communication Access Controls can hide internal network since no direct outside connection can limit damage of security breaches do not protect against insider attacks often ineffective with viruses do not protect against other connections that bypass firewall

18 Communication Access Controls Packet filter gateway - router between 2 gateways, either forwards or blocks them (less secure than firewall) Application gateway - all packets are addressed to a user layer application at the gateway that relays them between 2 communication points

19 Communication Access Controls use proxies to prevent a direct connection between external and internal networks acts as middleman - decides whether traffic is secure between the hosts, forwards only secure traffic Stateful inspection - all packets queried + application, user and transportation method queried - both the state of the transmission and context in which used cannot deviate from expectations ; otherwise rejected

20 Dial-Up Lines Modem lines create problems use callback modems, terminal authentication devices (id terminal as authentic before connecting), passwords, encryption, human hook-ups, warnings and look at communication bills

21 Encryption coding messages rely on mathematical algorithms private key system - receiver must know what key is used to encipher message. Such keys must be protected public key system - use 2 keys encipher is made public different key used to decipher

22 Electronic Access Controls- first classify info sensitivity - need to classify information as to confidentiality and access rights access time requirements - classify according to range of tolerable access times- for example many users may need to access certain files at a particular time authorized users - based on need to know basis

23 Access management identification process - use userids personal characteristic userids - name - easy transferred but easy to guess.. also little privacy functional characteristic id - based on job, no need for personal id, more privacy - someone transfers however, must give new id no association ids - arbitrary - best privacy and can use if transferred

24 Access management authentication - obtaining proof that user is who says he/she is plastic magnetic-strip cards - atm cards, carry fixed password (PIN), can be stolen/duplicated smart cards- contain processor that allows card to interact with number of control devices and define boundary of each specific access biometric devices - fingerprints, hand geometry, eye retina patterns

25 Access management passwords - traditional for log-on procedure system-generated- randomly generated are less hard to guess- problem is are not really random and are meaningless to users - therefore write them down makes easier to find user- selected - has meaning but often easier to guess word association password - use cue lists that only user should know - too much computer space req'd, must be uniform

26 Access management Increased use of single-sign on- authenticate once across multiple platforms must be very careful due to potential access hazard Could also use profile management - allocate standard access privileges to users based on their group, rather than individual basis reduces admin costs and allows easier access and rule setting

27 Access management access control software- allows controlled access - locks out illegimate users

Download ppt "Today’s Lecture Covers < Chapter 6 - IS Security"

Similar presentations

Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,

Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
Networks. User access and levels Most network security involves users having different levels of user access to the network. The network manager will.

Networks. User access and levels Most network security involves users having different levels of user access to the network. The network manager will.
Information Systems Audit Program (cont.). PHYSICAL SECURITY CONTROLS.

Information Systems Audit Program (cont.). PHYSICAL SECURITY CONTROLS.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:

Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:
HIPAA Security Standards What’s happening in your office?

HIPAA Security Standards What’s happening in your office?
Chapter 17 Controls and Security Measures

Chapter 17 Controls and Security Measures
Information Security Policies and Standards

Information Security Policies and Standards
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.

Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.
Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.

Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
Chapter 12 Network Security.

Chapter 12 Network Security.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Business Data Communications, Fourth Edition Chapter 10: Network Security.

Business Data Communications, Fourth Edition Chapter 10: Network Security.
Circuit & Application Level Gateways CS-431 Dick Steflik.

Circuit & Application Level Gateways CS-431 Dick Steflik.
Chapter 16 Security. 2 Chapter 16 - Objectives u The scope of database security. u Why database security is a serious concern for an organization. u The.

Chapter 16 Security. 2 Chapter 16 - Objectives u The scope of database security. u Why database security is a serious concern for an organization. u The.

Similar presentations

Ads by Google