Published by Aubrie Manning. Modified over 9 years ago.
Viewing Information Systems Security
The basic objectives of Information Security are the same as the basic objectives of EDP auditing. They are:
1. To control the loss of assets.
2. To ensure the integrity and reliability of data.
3. To improve the efficiency / effectiveness of Information Systems applications.
To accomplish these objectives, the manager must make certain that the risks to information systems are identified and that appropriate security controls are used to eliminate or reduce the risks.
Risks
The dangers to information systems, and to the people, hardware, software, data and other assets associated with them, necessitate security controls. These dangers include:
o natural disasters,
o thieves,
o industrial spies,
o disgruntled employees,
o computer viruses,
o accidents, and
o even poorly trained or naive employees.
Risks, Threats and Vulnerabilities
Risks
By Risk, EDP auditors mean potential loss to the firm. Potential risk refers to potential monetary losses, whether those losses are direct or indirect. The monetary losses may result from total loss, partial damage, or even the temporary loss of an information systems asset.
Threats
When EDP auditors use the term Threat, they refer to people, actions, events or other situations that could trigger losses. E.g. for a website, hacking is regarded as a threat, aided by Internet viruses and worms.
Vulnerabilities
When auditors use the term Vulnerability, they mean flaws, problems or other conditions that make a system open to threats. A firm’s potential risk of losing all of its microcomputers occurs when the threat of a thief stealing the microcomputers becomes possible, e.g. when inadequate lock and alarm systems are used in the building in which the PCs are housed.
Controls
Controls are countermeasures to threats. Controls are the tools that are used to counter risks from people, actions, events or situations that can threaten an information system.
Types of Controls
Physical Controls – controls that use physical protection measures. They might include door locks, keyboard locks, fire doors and sump pumps, controls over the access and use of computer facilities and equipment, and controls for the prevention of theft.
Electronic Controls – controls that use electronic measures to identify or prevent threats. Electronic controls might include motion sensors. They also include intruder detection and access controls such as log-in IDs, passwords, badges, and biometric systems (hand, voice and retina print access controls).
Software Controls – program code controls used in IS applications to identify, prevent or recover from errors, unauthorised access and other threats.
Management Controls – often result from setting, implementing, and enforcing policies and procedures. Employees may be required to back up or archive their data at regular intervals and to take backups or copies of data files to secure, off-site locations for storage. Management may enforce policies that require employees to take their vacation time, or ensure separation of duties, to reduce the threat of embezzlement. Required employee training may be used to reduce data entry errors, or background checks may be required for employees who have certain levels of access to information systems.
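The slides describe software controls and management controls separately; in practice a management policy such as separation of duties is only dependable when application code enforces it. The following is an added example, not code from the presentation: a toy payment-approval workflow in which the software refuses to let the employee who initiated a payment also approve it, refuses approval by anyone without the approver role, and writes every allowed and denied action to an audit log. The user names, role names and amounts are constructed for illustration.

```python
"""Added example (not from the slide deck): separation of duties enforced in code.

A toy payment-approval workflow in which the application code (a software
control) enforces a management control: the employee who initiates a payment
may never approve it, and only employees holding the 'approver' role may
approve at all. Every allowed and denied action is written to an audit log.
User names, role names and amounts below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


class ControlViolation(Exception):
    """Raised when an action would breach a control and must be refused."""


@dataclass
class Payment:
    payment_id: int
    amount: float
    initiated_by: str
    approved_by: Optional[str] = None


@dataclass
class PaymentSystem:
    # user -> roles held; the caller supplies a (constructed) user directory
    roles: Dict[str, Set[str]]
    payments: Dict[int, Payment] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)
    next_id: int = 1

    def _has_role(self, user: str, role: str) -> bool:
        return role in self.roles.get(user, set())

    def _deny(self, message: str) -> None:
        # Record the refusal before raising so that denied attempts are auditable.
        self.audit_log.append("DENY " + message)
        raise ControlViolation(message)

    def initiate(self, user: str, amount: float) -> int:
        """A clerk records a payment for later approval by someone else."""
        if not self._has_role(user, "clerk"):
            self._deny(f"initiate by {user}: clerk role required")
        if amount <= 0:
            self._deny(f"initiate by {user}: amount must be positive")
        payment_id = self.next_id
        self.next_id += 1
        self.payments[payment_id] = Payment(payment_id, amount, user)
        self.audit_log.append(f"ALLOW initiate #{payment_id} by {user} amount={amount}")
        return payment_id

    def approve(self, user: str, payment_id: int) -> Payment:
        """Approve a pending payment, refusing any breach of separation of duties."""
        payment = self.payments.get(payment_id)
        if payment is None:
            self._deny(f"approve #{payment_id} by {user}: no such payment")
        if not self._has_role(user, "approver"):
            self._deny(f"approve #{payment_id} by {user}: approver role required")
        if payment.initiated_by == user:
            # The separation-of-duties rule itself: initiator and approver must
            # differ, even when one person legitimately holds both roles.
            self._deny(f"approve #{payment_id} by {user}: initiator cannot approve")
        if payment.approved_by is not None:
            self._deny(f"approve #{payment_id} by {user}: already approved")
        payment.approved_by = user
        self.audit_log.append(f"ALLOW approve #{payment_id} by {user}")
        return payment


def demo() -> PaymentSystem:
    """Run the workflow on constructed users; returns the system for inspection."""
    system = PaymentSystem(roles={
        "alice": {"clerk"},
        "bob": {"approver"},
        "carol": {"clerk", "approver"},  # holds both roles, so the rule matters
    })
    pid = system.initiate("carol", 2500.0)
    try:
        system.approve("carol", pid)   # refused: carol initiated this payment
    except ControlViolation:
        pass
    system.approve("bob", pid)         # allowed: a different, authorised approver
    return system


if __name__ == "__main__":
    for line in demo().audit_log:
        print(line)
```

The point of the design is that the check runs regardless of what roles a user holds: carol is a legitimate clerk and a legitimate approver, yet the code still refuses her approval of her own payment, and the refusal is logged rather than silently dropped, so the audit trail the slides associate with EDP auditing exists for denied attempts as well as allowed ones.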