Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Systems Security

Published byTeresa Warren Modified over 6 years ago

Similar presentations

Presentation on theme: "Information Systems Security"— Presentation transcript:

1 Information Systems Security
Chapter 5

2 Describe general approaches to analyzing vulnerabilities and
Learning Objective 1 Describe general approaches to analyzing vulnerabilities and threats in information systems.

3 Overview The information security system is the
subsystem of the organization that controls the special risks associated with computer-based information systems. The information security system has the basic elements of any information system, such as hardware, databases, procedures, and reports.

4 The Information Security System Life Cycle
Life-cycle Phase Objective Systems analysis Analyze system vulnerabilities in terms of relevant threats and their associated loss exposure. Systems design Design security measures and contingency plans to control the identified loss exposures.

5 The Information Security System Life Cycle
Life-cycle Phase Objective Systems implementation Implement the security measures as designed. Systems operation, evaluation, and control Operate the system and assess its effectiveness and efficiency. Make changes as circumstances require.

6 The Information Security System in the Organization
The information security system must be managed by a chief security officer (CSO). This individual should report directly to the board of directors in order to maintain complete independence.

7 Analyzing Vulnerabilities and Threats
Different Approaches: Quantitative approach to risk assessment Qualitative approach

8 Analyzing Vulnerabilities and Threats
Quantitative Approach: Cost of an individual loss  Likelihood of its occurrence

9 Analyzing Vulnerabilities and Threats
Difficulties With This Approach: Identifying the relevant costs per loss and the associated likelihoods can be difficult. Estimating the likelihood of a given failure requires predicting the future, which is very difficult.

10 Analyzing Vulnerabilities and Threats
Qualitative Approach: The system’s vulnerabilities and threats are subjectively ranked in order of their contribution to the company’s total loss exposure.

11 Analyzing Vulnerabilities and Threats
Loss Exposure Areas: business interruption loss of software loss of data loss of hardware loss of facilities loss of service and personnel

12 Identify active and passive threats to information systems.
Learning Objective 2 Identify active and passive threats to information systems.

13 Vulnerabilities and Threats
What is a vulnerability? A vulnerability is a weakness in a system. What is a threat? A threat is a potential exploitation of a vulnerability.

14 Vulnerabilities and Threats
Categories of Threats: Active threats Passive threats

15 Individuals Posing a Threat to the Information System
Groups of individuals that could be involved in an information system’s attack: Information systems personnel Users Intruders

16 Individuals Posing a Threat to the Information System
Information Systems Personnel: computer maintenance persons programmers network operators information systems administrative personnel data control clerks

17 Individuals Posing a Threat to the Information System
Users are composed of heterogeneous groups of people. Their functional area does not lie in data processing. An intruder is anyone who accesses equipment, electronic data, or files without proper authorization. Who are hackers?

18 Individuals Posing a Threat to the Information System
A hacker is an intruder who attacks a system for fun and challenge. What are other types of intruders? unnoticed intruders wiretappers piggybackers impersonating intruders eavesdroppers

19 Active Threats to Information Systems
Input manipulation Sabotage Program alteration Misappropriation or theft of information resources Direct file alteration Data theft

20 Active Threats to Information Systems
In most cases of computer fraud, manipulation of input is the method used. Program alteration is perhaps the least common method used to commit computer fraud.

21 Active Threats to Information Systems
A direct file alteration occurs when individuals find ways to bypass the normal process for inputting data into computer programs. Data theft is a serious problem in business today. What are some methods of computer sabotage?

22 Active Threats to Information Systems
Logic bomb Trojan horse Virus program Denial of service attack Defacing the company’s Web site

23 Active Threats to Information Systems
What is a worm? It is a type of virus that spreads itself over a computer network.

24 Active Threats to Information Systems
One type of misappropriation of computer resources exists when employees use company computers resources for their own business.

25 Identify key aspects of an information security system.
Learning Objective 3 Identify key aspects of an information security system.

26 The Information System Security System
Security measures focus on preventing and detecting threats. Contingency plans focus on correcting the effects of threats.

27 The Control Environment
Management philosophy and operating style 1 Organization structure 2 Board of directors and its committees 3

28 The Control Environment
4 Management control activities 5 Internal audit function 6 Personnel policies and practices 7 External influences

29 Controls for Active Threats
Layered Approach to Access Control: Site-access controls System-access controls File-access controls

30 Controls for Active Threats
Site-Access Controls: The objective of site-access controls is to physically separate unauthorized individuals from computer resources.

31 Controls for Active Threats
TV monitor Telephone Locked door (entrance) (opened from inside vault) Intercom to vault LOBBY Service window Data archive INNER VAULT Scanner Magnet detector

32 Controls for Active Threats
System-Access Controls: These controls authenticate users by using such means as user IDs, passwords, IP addresses, and hardware devices. It is often desirable to withhold “administrative rights” from individual PC users.

33 Controls for Active Threats
File-Access Controls: The most fundamental file-access control is the establishment of authorization guidelines and procedures for accessing and altering files.

34 Controls for Passive Threats
Preventative: Fault-tolerant systems use redundant components. If one part of the system fails, a redundant part immediately takes over, and the system continues operating with little or no interruption.

35 Controls for Passive Threats
Corrective: File Backups Full backups Incremental backups Differential backups

36 Internet Security Internet-related vulnerabilities may
arise from weaknesses in five areas. the operating system or its configuration the Web server or its configuration the private network and its configuration various server programs general security procedures

37 Discuss contingency planning and other disaster risk
Learning Objective 4 Discuss contingency planning and other disaster risk management practices.

38 Disaster Risk Management
Disaster risk management is essential to ensure continuity of operations in the event of a catastrophe. Prevention planning Contingency planning

39 Disaster Risk Management
Frequencies of Disaster Causes: Natural disaster 30% Deliberate actions 45% Human error % A large percentage of disasters can be mitigated or avoided.

40 Disaster Risk Management
A disaster recovery plan must be implemented at the highest levels in the company. The first step in developing a disaster recovery plan should be obtaining the support of senior management and setting up a planning committee.

41 Disaster Risk Management
The design of the plan should include three major components. What are these components? Assess the company’s critical needs. List priorities for recovery. Establish recovery strategies and procedures.

42 Disaster Risk Management
A complete set of recovery strategies should take into account the following: emergency response center escalation procedures alternate processing arrangements personnel relocation and replacements plans salvage plan plan for testing and maintaining the system

43 End of Chapter 5

Download ppt "Information Systems Security"

Similar presentations

4 Information Security.

4 Information Security.
Ethics, Privacy and Information Security

Ethics, Privacy and Information Security
Control and Accounting Information Systems

Control and Accounting Information Systems
Information System protection and Security. Need for Information System Security §With the invent of computers and telecommunication systems, organizations.

Information System protection and Security. Need for Information System Security §With the invent of computers and telecommunication systems, organizations.
9 - 1 Computer-Based Information Systems Control.

9 - 1 Computer-Based Information Systems Control.
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
The Islamic University of Gaza

The Islamic University of Gaza
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
Introducing Computer and Network Security

Introducing Computer and Network Security
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Introduction Security is a major networking concern. 90% of the respondents to the 2004 Computer Security Institute/FBI Computer Crime and Security Survey.

Introduction Security is a major networking concern. 90% of the respondents to the 2004 Computer Security Institute/FBI Computer Crime and Security Survey.
Lecture 11 Reliability and Security in IT infrastructure.

Lecture 11 Reliability and Security in IT infrastructure.
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 11 - 1 The Impact of Information Technology on the Audit.

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley The Impact of Information Technology on the Audit.
Chapter 5 Information Systems Security. Presentation Outline I.An Overview of Systems Security II.Active Threats and Computer Networks III.Controls for.

Chapter 5 Information Systems Security. Presentation Outline I.An Overview of Systems Security II.Active Threats and Computer Networks III.Controls for.
Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.

Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.
Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.

Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.
Chapter 10: Computer Controls for Organizations and Accounting Information Systems

Chapter 10: Computer Controls for Organizations and Accounting Information Systems
CHAPTER 4 Information Security. CHAPTER OUTLINE 4.1 Introduction to Information Security 4.2 Unintentional Threats to Information Security 4.3 Deliberate.

CHAPTER 4 Information Security. CHAPTER OUTLINE 4.1 Introduction to Information Security 4.2 Unintentional Threats to Information Security 4.3 Deliberate.
11 SECURITY TEMPLATES AND PLANNING Chapter 7. Chapter 7: SECURITY TEMPLATES AND PLANNING2 OVERVIEW  Understand the uses of security templates  Explain.

11 SECURITY TEMPLATES AND PLANNING Chapter 7. Chapter 7: SECURITY TEMPLATES AND PLANNING2 OVERVIEW  Understand the uses of security templates  Explain.

Similar presentations

Ads by Google