1
2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood
Chapter 6 (6 – 1): Information Security
2
Learning Objective 1 (6 – 2): Describe general approaches to analyzing vulnerabilities and threats in information systems.
3
Overview (6 – 3)
The term information security involves protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:
- Confidentiality: preserving authorized restrictions on access and disclosure.
- Integrity: guarding against improper information modification or destruction.
- Availability: ensuring timely and reliable access.
4
Overview (6 – 4)
The information security management system (ISMS) is an organizational internal control process that controls the special risks associated with information within the organization. The ISMS has the basic elements of any information system, such as hardware, databases, procedures, and reports. The ISMS is part of the larger enterprise risk management (ERM) process by which management balances risks against opportunities.
5
The Information Security Management System Life Cycle (6 – 5)
Life-Cycle Phase | Objective
Systems Analysis | Analyze system vulnerabilities in terms of relevant threats and their associated loss exposure.
Systems Design | Design security measures and contingency plans to control the identified loss exposures.
Systems Implementation | Implement the security measures as designed.
Systems Operation, Evaluation, and Control | Operate the system and assess its effectiveness and efficiency; make changes as circumstances require.
6
Information Security in the Organization (6 – 6)
The information security system must be managed by a chief security officer (CSO). This individual should report directly to the board of directors in order to maintain complete independence. A primary duty of the CSO is to present reports to the BOD for approval covering each phase of the life cycle:
Life-Cycle Phase | Report to BOD
Systems Analysis | Summary of all relevant loss exposures
Systems Design | Detailed plans for controlling and managing losses
Systems Implementation; Systems Operation, Evaluation, and Control | Specifics on security system performance, including an itemization of losses and security breaches, analysis of compliance, and costs of operating the security system
7
Analyzing Vulnerabilities and Threats (6 – 7)
Two basic approaches:
1. Quantitative approach to risk assessment
2. Qualitative approach to risk assessment
8
Analyzing Vulnerabilities and Threats (6 – 8)
Quantitative approach to risk assessment: each loss exposure is computed as the product of the cost of an individual loss and the likelihood of its occurrence over a given period (typically one year).
Difficulties:
- Identifying the relevant cost per loss and the associated likelihood can be difficult.
- Estimating the likelihood of a given failure requires predicting the future, which is very difficult.
9
Analyzing Vulnerabilities and Threats (6 – 9)
Qualitative approach to risk assessment: lists the system's vulnerabilities and threats and subjectively ranks them in order of their contribution to the company's total loss exposure.
10
Analyzing Vulnerabilities and Threats (6 – 10)
Regardless of the method used, an analysis must include loss exposure for the following areas:
- Business interruption
- Loss of software
- Loss of hardware
- Loss of facilities
- Loss of service and personnel
- Loss of reputation
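The two approaches on slides 6 – 8 and 6 – 9, worked through on one small risk register covering the six loss-exposure areas above. This is an added example, not code from the slides or the textbook; every threat, cost, frequency and score in it is constructed for illustration. The quantitative side keeps each likelihood as a low/high interval rather than a single number, and the cost-benefit check for a control is evaluated at both ends, which makes the slide's "predicting the future" difficulty visible: when the two verdicts disagree, the decision rests entirely on the likelihood estimate.

```python
"""Added example, not from the Bodnar/Hopwood slides: a small risk register
worked through both ways the slides describe.

Quantitative: loss exposure = cost of one loss x likelihood (occurrences per
year), kept as a low/high interval because the likelihood is an estimate.
Qualitative: ordinal impact and likelihood scores (1..5) multiplied and ranked.
Every figure below is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    area: str             # one of the six loss-exposure areas on the slide
    threat: str
    cost_per_loss: float  # dollars lost in a single occurrence (assumed)
    freq_low: float       # lowest plausible occurrences per year (assumed)
    freq_high: float      # highest plausible occurrences per year (assumed)
    impact: int           # qualitative impact, 1 (minor) .. 5 (severe)
    likelihood: int       # qualitative likelihood, 1 (rare) .. 5 (frequent)


# Constructed register covering the six areas the slide requires.
REGISTER = [
    Exposure("Business interruption", "ERP outage (hardware fault)", 50_000, 0.5, 2.0, 4, 3),
    Exposure("Loss of software", "Ransomware encrypts file servers", 200_000, 0.05, 0.3, 5, 2),
    Exposure("Loss of hardware", "Laptop theft", 3_000, 5.0, 15.0, 1, 5),
    Exposure("Loss of facilities", "Flood at primary data centre", 1_500_000, 0.01, 0.05, 5, 1),
    Exposure("Loss of service and personnel", "Key administrator leaves", 40_000, 0.2, 0.5, 3, 3),
    Exposure("Loss of reputation", "Customer data disclosed", 750_000, 0.02, 0.1, 5, 2),
]


def annual_loss_exposure(e):
    """Quantitative: cost per loss times likelihood, as a (low, high) interval."""
    return (e.cost_per_loss * e.freq_low, e.cost_per_loss * e.freq_high)


def quantitative_ranking(register):
    """(threat, low, high) rows ordered by the high estimate, worst first."""
    rows = [(e.threat, *annual_loss_exposure(e)) for e in register]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def qualitative_ranking(register):
    """(threat, impact x likelihood) rows ordered by score, worst first."""
    rows = [(e.threat, e.impact * e.likelihood) for e in register]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def control_is_worthwhile(e, control_cost, reduction):
    """Cost-benefit test for a control that removes `reduction` (0..1) of the exposure.

    Returns (verdict at the low estimate, verdict at the high estimate).  When the
    two disagree, the decision rests entirely on the likelihood guess, which is the
    difficulty the slide points out."""
    low, high = annual_loss_exposure(e)
    return (control_cost < low * reduction, control_cost < high * reduction)


if __name__ == "__main__":
    print("Quantitative (annual loss exposure, low .. high):")
    for threat, lo, hi in quantitative_ranking(REGISTER):
        print(f"  {threat:<34} ${lo:>10,.0f} .. ${hi:>10,.0f}")
    print("Qualitative (impact x likelihood):")
    for threat, score in qualitative_ranking(REGISTER):
        print(f"  {threat:<34} {score:>3}")
    ransomware = REGISTER[1]
    print("Offline backups at $15,000/yr removing 80% of ransomware exposure:",
          control_is_worthwhile(ransomware, 15_000, 0.8))
```

Note how the two rankings disagree on the flood: it sits near the top quantitatively because a rare event with a very large cost still has a large expected loss, but at the bottom qualitatively because a likelihood score of 1 drags the product down. That gap is why the slides present the qualitative method as a subjective ranking rather than a substitute for the arithmetic.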
11
Learning Objective 2 (6 – 11): Identify active and passive threats to information systems.
12
Vulnerabilities and Threats (6 – 12)
A vulnerability is a weakness in a system. A threat is a potential exploitation of a vulnerability.
13
Vulnerabilities and Threats (6 – 13)
Two categories of threats:
- Active threats include information systems fraud and computer sabotage.
- Passive threats include system faults, as well as natural disasters (e.g., earthquakes, floods, fires, and hurricanes). System faults are component or equipment failures such as disk failures, power outages, etc.
14
Individuals Posing a Threat to the Information System (6 – 14)
There are three groups of individuals that could carry out an attack on an information system:
1. Computer and information systems personnel are often given a wide range of access privileges to sensitive data and programs.
2. Users are given narrow access, but can still find ways to commit fraud.
3. Intruders and attackers are given no access, but are highly capable.
15
Individuals Posing a Threat to the Information System (6 – 15)
Computer and information systems personnel include:
- Computer maintenance personnel
- Programmers
- Network operators
- Information systems administrative personnel
- Data control clerks
16
Individuals Posing a Threat to the Information System (6 – 16)
Users are a heterogeneous group of people whose functional area does not lie in data processing or information technology.
An intruder is anyone who accesses equipment, electronic data, files, or any kind of privileged information without proper authorization.
17
Individuals Posing a Threat to the Information System (6 – 17)
A hacker is an intruder who uses electronic and other means to break into or attack information systems for fun, challenge, profit, revenge, or other nefarious motives. Not all hackers are malicious:
- White hat hackers legitimately probe systems for weaknesses to help with security.
- Black hat hackers attack systems for illegitimate reasons.
- Grey hat hackers are white hat hackers who skirt the edges of the law.
18
Individuals Posing a Threat to the Information System (6 – 18)
Hacker methods:
- Social engineering: pretexting, phishing
- Malware: Trojan horses, keyboard loggers, backdoors, botnets, denial-of-service (DoS), viruses, spyware, logic bombs, worms
- Direct observation: shoulder surfing, dumpster diving, cloned cell phones
- Exploits: code injection, vulnerability scanners
19
Methods of Attack by Information Systems Personnel and Users (6 – 19)
20
Methods of Attack by Information Systems Personnel and Users (6 – 20)
- Input manipulation is used in most cases of insider computer fraud: the fraud is committed through the normal input process, with falsified or altered input data.
- Program alteration is one of the least common methods.
- Direct file alteration occurs when individuals find ways to bypass the normal process for inputting data and change the data files directly, so that the application's input controls never see the change.
21
Methods of Attack by Information Systems Personnel and Users (6 – 21)
- Data theft is a serious problem.
- Sabotage poses a serious danger to information systems.
- Misappropriation or theft of information resources occurs when employees use the company's computer resources for their own personal use or their own business.
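Direct file alteration (slide 6 – 20) succeeds precisely because it bypasses the application's input controls, so the control that catches it has to live in the data itself. The following is an added example, not code from the slides or the textbook, of one way to do that: the application, as the only legitimate writer, chains every record it appends to the previous one with an HMAC, and a verification run flags any record that was changed, deleted or inserted by some other path. The key, file layout and records are constructed for illustration.

```python
"""Added example, not from the slides: a tamper-evident transaction file that
exposes direct file alteration.

The application is the only legitimate writer.  Every record it appends carries
an HMAC over the record and the previous record's tag, so a change, deletion or
insertion made outside the application (text editor, database tool, raw disk
access) breaks the chain and is reported at the next verification run.
The key, field names and records are constructed for illustration."""
import hashlib
import hmac
import json

# Assumed to live in the application's secret store, never beside the data file.
KEY = b"example-application-only-key"


def _tag(prev_tag, record):
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(KEY, prev_tag.encode() + body, hashlib.sha256).hexdigest()


def append_record(ledger, record):
    """The application's write path: chain the new record to the previous tag."""
    prev = ledger[-1]["tag"] if ledger else "genesis"
    ledger.append({"rec": record, "tag": _tag(prev, record)})


def verify(ledger):
    """Indices of entries whose chain link fails; [] means no alteration found."""
    bad = []
    prev = "genesis"
    for i, entry in enumerate(ledger):
        expected = _tag(prev, entry["rec"]).encode()
        if not hmac.compare_digest(expected, str(entry["tag"]).encode()):
            bad.append(i)
        prev = str(entry["tag"])  # continue from the stored tag so one edit is reported once
    return bad


def to_file(ledger):
    """Serialise as JSON lines, the form the data file would take on disk."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in ledger)


def from_file(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    ledger = []
    append_record(ledger, {"id": 1, "account": "4010", "amount": 120.00})
    append_record(ledger, {"id": 2, "account": "4010", "amount": 80.00})
    append_record(ledger, {"id": 3, "account": "4020", "amount": 15.50})
    print("clean file:", verify(from_file(to_file(ledger))))
    # Direct file alteration: the amount is edited without going through append_record.
    tampered = from_file(to_file(ledger).replace('"amount": 80.0', '"amount": 8000.0'))
    print("edited amount:", verify(tampered))
```

The caveat follows from slide 6 – 14: information systems personnel who can read the application's key can re-chain the file after editing it, so the key has to be kept where administrators of the data store cannot reach it (a separate secrets service or hardware module), and the verification should be run by a party other than the one that operates the file.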
22
Learning Objective 3 (6 – 22): Identify key aspects of an information security system.
23
Methods of Attack by Information Systems Personnel and Users (6 – 23)
Security measures focus on preventing and detecting threats. Contingency plans focus on correcting the effects of threats. The basic elements of internal control (control environment, risk assessment, control activities, information and communication, and monitoring) are important to the ISMS.
24
The Control Environment (6 – 24)
Establishing a good control environment depends on eight factors:
- Management philosophy and operating style
- Organizational structure
- Board of directors and its committees
- Methods of assigning authority and responsibility
- Management control activities
- Internal audit function
- Personnel policies and practices
- External influences
25
Controls for Active Threats (6 – 25)
The layered approach to access control involves erecting multiple layers of controls that separate the would-be perpetrator from his or her potential target:
- Site-access controls physically separate unauthorized individuals from information systems resources.
- System-access controls authenticate users by user ID and password, by source IP address, and by hardware devices.
- File-access controls prevent unauthorized access to data and program files once a user is on the system.
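The three layers above, applied in order to a single request, as an added example that is not code from the slides or the textbook. The network allowlist stands in for site access, a user ID plus a salted PBKDF2 password hash for system access, and a per-file ACL for file access; each layer is checked only if the previous one passed, and the first failure ends the request. The networks, users, passwords, file names, ACL and iteration count are all constructed assumptions.

```python
"""Added example, not from the slides: the three access-control layers applied
in order.  A request must pass the site/network check, then system access
(user ID and password), then file access (a per-file ACL) before it touches a
file; the first failing layer stops it.  Networks, users, passwords, file names
and the ACL are constructed; the password store holds a salted PBKDF2 hash,
never the password itself."""
import hashlib
import hmac
import ipaddress
import os

PBKDF2_ITERATIONS = 200_000  # assumed policy value; raise to meet current guidance


def make_password_record(password):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest}


def password_ok(record, attempt):
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])


# Layer 1, site access: only terminals on the accounting LAN may connect (constructed).
ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]

# Layer 2, system access: user IDs with password records (constructed).
USERS = {
    "aclerk": make_password_record("correct horse battery staple"),
    "boperator": make_password_record("hunter2-but-much-longer"),
}
# Checked when the user ID is unknown, so a probe cannot tell valid IDs from invalid ones by timing.
_DUMMY = make_password_record("placeholder")

# Layer 3, file access: which user may do what to which file (constructed).
ACL = {
    "gl/ledger.dat": {"aclerk": {"read"}, "boperator": {"read", "write"}},
    "hr/payroll.dat": {"boperator": {"read"}},
}


def authorize(src_ip, user, password, path, action):
    """Return (allowed, reason); layers are checked in order and the first failure wins."""
    ip = ipaddress.ip_address(src_ip)
    if not any(ip in net for net in ALLOWED_NETWORKS):
        return False, "site: source address not on an authorised network"
    record = USERS.get(user)
    ok = password_ok(record if record is not None else _DUMMY, password)
    if record is None or not ok:
        return False, "system: authentication failed"
    if action not in ACL.get(path, {}).get(user, set()):
        return False, f"file: no {action} permission on {path}"
    return True, "ok"


if __name__ == "__main__":
    for req in [("192.168.1.5", "aclerk", "correct horse battery staple", "gl/ledger.dat", "read"),
                ("10.20.0.7", "aclerk", "wrong password", "gl/ledger.dat", "read"),
                ("10.20.0.7", "aclerk", "correct horse battery staple", "gl/ledger.dat", "write"),
                ("10.20.0.7", "aclerk", "correct horse battery staple", "gl/ledger.dat", "read")]:
        print(req[0], req[1], req[3], req[4], "->", authorize(*req))
```

Two details matter for the "separate the perpetrator from the target" idea. The password check is run even for unknown user IDs so that response time does not tell an intruder which IDs exist, and the ACL defaults to an empty permission set, so a file that nobody has been granted access to is unreadable rather than open.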
26
Controls for Passive Threats (6 – 26)
Preventive controls: fault-tolerant systems use redundant components that take over when one part of the system fails, so the system can continue operating with little or no interruption.
27
Controls for Passive Threats (6 – 27)
Corrective controls: file backups.
- A full backup backs up all files on a given disk. Each file carries an archive bit; the operating system sets it whenever the file is modified, and a full backup resets it to 0 for every file copied.
- An incremental backup backs up only those files that have been modified since the last full or incremental backup (the files whose archive bit is set) and resets their archive bits to 0.
- A differential backup selects files the same way as an incremental backup but does not reset the archive bits, so each differential backup contains everything changed since the last full backup. A restore then needs only the last full backup plus the latest differential, whereas an incremental scheme needs the last full backup plus every incremental taken since.
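A simulation of the archive-bit rules above, added here as an example that is not code from the slides or the textbook. It runs the same week of file changes twice, once with incremental and once with differential backups, shows which files each backup set contains, and then works out how many sets a restore has to read in each case. The volume, file names and change history are constructed.

```python
"""Added example, not from the slides: how the archive bit drives full,
incremental and differential backups, and what each strategy needs at restore.

The operating system sets a file's archive bit whenever the file is written.
A full backup copies every file and clears the bits; an incremental backup
copies only flagged files and clears their bits; a differential backup copies
only flagged files but leaves the bits set, so it always holds everything
changed since the last full backup.  File names and the change history are
constructed."""


class Volume:
    def __init__(self, names):
        # A new file has its archive bit set until a full or incremental backup clears it.
        self.files = {n: {"version": 0, "archive": 1} for n in names}

    def modify(self, name):
        self.files[name]["version"] += 1
        self.files[name]["archive"] = 1  # the OS sets the bit on every write

    def backup(self, kind):
        """Copy the files this backup type selects; return the backup set."""
        if kind == "full":
            chosen = list(self.files)
        elif kind in ("incremental", "differential"):
            chosen = [n for n, f in self.files.items() if f["archive"] == 1]
        else:
            raise ValueError(f"unknown backup type {kind!r}")
        if kind != "differential":  # differential backups do not reset the bit
            for n in chosen:
                self.files[n]["archive"] = 0
        return {"kind": kind, "files": {n: self.files[n]["version"] for n in chosen}}


def sets_needed(history):
    """Backup sets that must be read to restore the state as of the last backup."""
    last_full = max(i for i, b in enumerate(history) if b["kind"] == "full")
    later = history[last_full + 1:]
    if later and later[-1]["kind"] == "differential":
        return [history[last_full], later[-1]]   # full plus the newest differential
    return [history[last_full]] + later          # full plus every incremental since


def restore(sets):
    """Apply backup sets oldest first; later copies overwrite earlier versions."""
    state = {}
    for b in sets:
        state.update(b["files"])
    return state


def run_week(strategy):
    """Full backup, then three days of changes each followed by the given backup type."""
    vol = Volume(["gl.dat", "ap.dat", "payroll.dat"])
    history = [vol.backup("full")]
    for name in ["gl.dat", "ap.dat", "gl.dat"]:
        vol.modify(name)
        history.append(vol.backup(strategy))
    return vol, history


def current_versions(vol):
    return {n: f["version"] for n, f in vol.files.items()}


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        vol, history = run_week(strategy)
        print(strategy, "sets written:", [b["files"] for b in history[1:]])
        needed = sets_needed(history)
        print("  sets needed at restore:", len(needed),
              "-> restored correctly:", restore(needed) == current_versions(vol))
```

The trade-off the slide leaves implicit shows up directly: incremental sets are small but a restore must replay every one of them in order, and losing a single set in the chain silently drops the changes it held, while differential sets grow through the cycle but a restore needs only two of them.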
28
Internet Security (6 – 28)
- Operating system vulnerabilities
- Virtualization
- Hypervisor
- Web server vulnerabilities
- Private network vulnerabilities
- Vulnerabilities from server and communication programs
29
Internet Security (6 – 29)
Cloud computing:
- The term cloud is commonly used as a metaphor for the Internet.
- Cloud computing is the use of cloud-based services and data storage.
- Software as a Service (SaaS)
- Grid computing involves clusters of interlinked computers that share common workloads.
General security procedures
30
Learning Objective 4 (6 – 30): Discuss contingency planning and other disaster risk management practices.
31
Disaster Risk Management (6 – 31)
Disaster risk management is essential to ensure continuity of operations in the event of a catastrophe. It has two parts:
- Prevention
- Contingency planning
32
Disaster Risk Management (6 – 32)
Disaster prevention is the first step in managing disaster risk.
Frequencies of disaster causes:
Natural disasters | 30%
Deliberate actions | 45%
Human error | 25%
Disasters can be mitigated or avoided by a good security policy.
33
Disaster Risk Management (6 – 33)
Contingency planning for disasters: a disaster recovery plan must be implemented at the highest levels in the company. The first step in developing a disaster recovery plan is obtaining the support of senior management and setting up a planning committee.
34
Disaster Risk Management (6 – 34)
The design of a disaster recovery plan should include three major components:
1. Assess the company's critical needs.
2. List priorities for recovery.
3. Establish strategies and procedures.
35
Disaster Risk Management (6 – 35)
A complete set of recovery strategies should take into account the following:
- Emergency response center
- Escalation procedures
- Alternate processing arrangements
- Personnel relocation and replacement plans
- Salvage plan
- Plan for testing and maintaining the system
36
Information Security Standards (6 – 36)
ISO/IEC 27000 family, 12 categories (these headings follow the control clauses of ISO/IEC 27002:2005):
1. Risk assessment
2. Security policies
3. Organization and governance of information security
4. Asset management
5. Human resources security
6. Physical and environmental security
7. Communications and operations management
8. Access control
9. Information systems acquisition, development, and maintenance
10. Information security incident management
11. Business continuity management
12. Compliance
37
Information Security Standards (6 – 37)
The COBIT framework is divided into four domains:
1. Plan and Organize
2. Acquire and Implement
3. Deliver and Support
4. Monitor and Evaluate
COSO's Internal Control – Integrated Framework: Guidance on Monitoring Internal Control Systems.
38
Business Continuity Planning and Disaster Recovery Standards (6 – 38)
A business continuity plan is a strategy to mitigate disruption to business operations in the event of a disaster. In the U.S., various economic sectors and industries are subject to BCP compliance standards, including:
- Security of Federal Automated Information Resources
- Financial Institution Safeguards
- Sound Practices for Management and Supervision
- Specification for Business Continuity Management
39
End of Chapter 6 (6 – 39)