Published by Charleen Melton. Modified over 9 years ago.
Principles of Information System Security: Text and Cases
Gurpreet Dhillon
PowerPoint prepared by Youlong Zhuang, University of Missouri-Columbia
Principles of Information System Security: Text and Cases
Chapter Seven: Planning for Information System Security
Copyright 2006 John Wiley & Sons, Inc.
Learning Objectives
Clarify misconceptions about security policies
Realize the position of policies with respect to strategies and corporate plans
Differentiate the three classes of IS security decisions
Understand the four core IS planning principles
Security Strategy Levels
Strategy refers to managerial processes
Policy refers to contingent decisions
Programme is about a time-phased action sequence
Operating procedure is used for repetitive actions with a predetermined outcome
Security Strategy Levels, Figure 7.1
Security Strategy Levels (cont’d)
Corporate security strategy determines key decisions regarding investment, divestment, diversification, and integration of computing resources
Business security strategy looks into the threats and weaknesses of the IT infrastructure
Operational security strategy provides detailed deployment of the procedures
Security Strategy Levels (cont’d)
“good managers don’t make policy decisions”
Develop a broad security vision that brings the issue of security to centre stage and binds it to the organizational objectives
Traditional security policy lacks consistency with the organizational purpose
Classes of Security Decisions in Firms, Table 7.1
Classes of Security Decisions in Firms, Table 7.1 (cont’d)
Strategic Decisions
Choose the right kind of environment
War environment – physical security
Bribery is common – undermines control structures
Relate to the nature and scope of a firm’s relationship to other firms and contexts
US based firm – Sarbanes-Oxley Act
Strategic Decisions (cont’d)
Are investments in security products and services paying off?
Both security investments and breaches are up
Security investment may be in the wrong places
The benefits of security investment may be intangible
Strategic Decisions (cont’d)
Key decisions about security objectives should be identified
Setting security objectives and goals
Resource allocation for security strategy
Infrastructure expansion strategy
Research and development for future operations
Double Loop Learning, Figure 7.2
Double Loop Security Design Process, Figure 7.3
Administrative Decisions
Create adequate structures and processes to realize adequate information handling
This is beyond the realm of traditional IS security
Increasingly becoming more central to planning and organizing for security
Administrative Decisions (cont’d)
Organizational structure of information flows
Authority and responsibility structures
Structure of resource conversions
Establishing high integrity business processes
Resource acquisition
Financing security operations
Return on security investments
Facility management
Operational Decisions
Optimize work patterns for efficiency gains
Ensure business process integrity
Schedule resource application
Supervision and control
Operational Decisions (cont’d)
Identifying operating objectives and goals
Costing security initiatives
Operational control strategies
Policies and operating procedures for various functions
R = P × C (R is risk, P is probability, C is cost)
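The R = P × C formula on the slide above is a way to cost security initiatives: each risk's expected annual loss is its probability times its cost, and risks can be ranked by that product. The following is an added worked example, not code from the textbook or the slide deck. The scenario names, probabilities and cost figures are constructed for illustration, and the net_benefit() function is an extension of the slide's formula (an assumption, not something the chapter states): it treats a countermeasure as worth funding when the reduction in R it buys exceeds the countermeasure's own annual cost.

```python
"""Worked example of R = P * C for ranking risks and costing a countermeasure.
Added example; all scenario figures below are constructed, not from the textbook."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # P: annual probability that the loss event occurs (0..1)
    cost: float         # C: loss if the event occurs, in currency units

    def exposure(self) -> float:
        """R = P * C: expected annual loss from this risk."""
        return self.probability * self.cost


def rank_risks(risks):
    """Return the risks ordered from highest to lowest R = P * C."""
    return sorted(risks, key=lambda r: r.exposure(), reverse=True)


def net_benefit(risk: Risk, new_probability: float, control_cost: float) -> float:
    """Assumption beyond the slide: a countermeasure that lowers P to
    new_probability at an annual control_cost has net benefit equal to the
    reduction in R minus the control's cost. Positive means it pays for itself."""
    residual = Risk(risk.name, new_probability, risk.cost)
    return risk.exposure() - residual.exposure() - control_cost


# Constructed scenarios (hypothetical figures, not from the textbook)
SCENARIOS = [
    Risk("Laptop theft with unencrypted records", 0.20, 50_000),
    Risk("Ransomware on file server", 0.05, 400_000),
    Risk("Phishing leads to payroll fraud", 0.10, 30_000),
]

if __name__ == "__main__":
    for r in rank_risks(SCENARIOS):
        print(f"{r.name:40s} P={r.probability:.2f} C={r.cost:>9,.0f} R={r.exposure():>9,.0f}")
    # Hypothetical control: full-disk encryption cuts the laptop-theft loss
    # probability from 0.20 to 0.02 for 4,000 per year.
    print("Net benefit of disk encryption:", net_benefit(SCENARIOS[0], 0.02, 4_000))
```

Note that the ranking is driven by the product, not by either factor alone: the ransomware scenario has the lowest probability but the highest R, so a planner using this slide's formula would prioritise it over the more frequent but cheaper laptop theft.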
Prioritizing Decisions
Identify a broad range of objectives for IS security
Objectives can be classified into fundamental and means objectives
Objectives are hard to rank, and context specific
A Network of IS Security Means and Fundamental Objectives, Figure 7.4
Security Planning Process
Systematically identify and address a range of performance gaps
Build proper security into the organization
Involve stakeholders
Understand what stakeholders want
Security Planning Process (cont’d)
Peter Checkland’s Soft Systems Methodology (SSM)
Ideal situation (systems thinking)
Real world situation (real world thinking)
Compare the conceptual models with the problem situation
The application is iterative, not always sequential
Orion Security Strategy Model
SSM is used to manage IS security in a healthcare environment
Users feel responsible for IS security in their given work area
It offers an opportunity to tap into the knowledge of the users
It increases awareness of the range of security issues among co-workers
Security is integrated into the organizational mindset
A High Level View of the Orion Strategy, Figure 7.5
Orion Strategy Process
It is conceptualized at two planes of reality
Level 1: This is the physical world, where all actions and processes can be seen and measured
Level 2: This is the abstract or conceptual level. Idealized processes and work situations exist at this level
Orion Strategy Process (cont’d)
It has seven steps
Activity 1: Acknowledgement of possible security vulnerability
Collect perceptions of the problem situation
No analysis is undertaken per se
Orion Strategy Process (cont’d)
Activity 2: Identify risks and the current security situation
Draw a detailed picture of the current situation
Focus on the existing structures and processes
Review security reports
Study outcomes of traditional risk analysis
Orion Strategy Process (cont’d)
Activity 3: Identifying the ideal security situation
Develop hypotheses concerning the nature and scope of improvements
Stakeholders participate to identify both ‘feasible’ and ‘desirable’ options
It is rooted in the ideal world
Orion Strategy Process (cont’d)
Activity 4: Model ideal information systems security
A conceptual modeling step
Define performance measures
Monitor activities in accordance with the defined metrics
Take control actions
Orion Strategy Process (cont’d)
Activity 5: Comparison of ideal with current
Conceptual model as a base for structured questioning
Comparing history with model prediction
General overall comparison
Model overlay
May lead to multiple reiterations of activities 3 and 4
Orion Strategy Process (cont’d)
Activity 6: Identify and analyze measures to fill gaps
Review a wider context of the problem domain for possible alternative solutions
Make sure no alternatives are dismissed
Orion Strategy Process (cont’d)
Activity 7: Establish and implement the security plan
Consider recommendations developed in Activity 6 and formulate solutions
Devise an implementation plan
Identify detailed tasks
Establish criteria to subsequently measure success
IS Security Planning Process Framework, Figure 7.6
IS Security Planning Principles
1. A well conceived corporate plan establishes a basis for developing a security vision
The objective is the smooth running of the business
Proper organizational and contextual analysis
IS security on centre stage
IS Security Planning Principles (cont’d)
2. A secure organization lays emphasis on the quality of its operations
Considering threats and countermeasures is not enough
Quality is an elusive phenomenon
‘Rationalist approaches’ are a serious security concern
IS Security Planning Principles (cont’d)
3. A security policy denotes specific responses to specific recurring situations and hence cannot be considered a top level document
Corporate planning should recognize secure information systems as an enabler of business
Responsibilities for development should be delegated to the lowest appropriate level
IS Security Planning Principles (cont’d)
4. Information system security is of significance only if there is a concurrent security evaluation procedure
Check deviance of specific responses for particular actions
Quality, performance, and security are defined in terms of conformity to an auditable process
Copyright 2006 John Wiley & Sons, Inc.
All rights reserved. Reproduction or translation of this work beyond that permitted in section 117 of the 1976 United States Copyright Act without express permission of the copyright owner is unlawful. Requests for further information should be addressed to the Permission Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages caused by the use of these programs or from the use of the information herein.