Published by Janae Hansbury
Modified over 2 years ago
Copyright © 2011 Pearson Education, Inc. publishing as Prentice Hall 14-1 MANAGING INFORMATION TECHNOLOGY 7th EDITION CHAPTER 14 INFORMATION SECURITY
INFORMATION SECURITY
Background
- Organizations face both internal and external security threats
- Growth in online transactions and usage of external networks has increased the demands for information security
- Traditional security measures include technical solutions
- Managerial measures will be a key focus of this chapter
COMPUTER CRIME (E-CRIME)
- A crime that involves a computer or a network
- Some crimes directly target computers or networks; other crimes use computers or networks to commit a crime
- Computer crimes can involve a single computer or thousands of computers
- Due to increased Internet connectivity, cyber attacks have greatly increased over the past decade
COMPUTER CRIMES BY EXTERNAL ATTACKERS
Figure 14.1 Common Techniques Used by External Attackers
Virus: a small unit of code that invades a computer program or file. When the invaded program is executed or the file is opened, the virus makes copies of itself that are released to invade other programs or files on that computer. It may also do nasty things like erase files or corrupt programs. Viruses are transmitted from one computer to another when an invaded computer program or file is transmitted to another computer.
Example: ILOVEYOU – May. Written in Visual Basic script; transmitted as an attachment to an e-mail with the subject line ILOVEYOU. Estimated damage: $10-15 billion.
Worm: a virus that has the ability to copy itself from machine to machine, normally over a network.
Example: Sobig.F – August. Spread via e-mail attachments; sent massive amounts of e-mail with forged sender information; deactivated itself on Sept. 10. Estimated damage: $5-10 billion.
Trojan Horse: a security-breaking program that is introduced into a computer and serves as a way for an intruder to re-enter the computer in the future. Like the huge wooden horse used by the Greeks to trick the Trojans into opening their city gates to let in the horse, it may be disguised as something innocent such as an electronic greeting card, screen saver or game.
Logic Bomb: a program introduced into a computer that is designed to take action at a certain time or when a specific event occurs.
Denial of Service Attack: a large number of computers on the Internet simultaneously send repeated messages to a target computer, resulting in the computer being overloaded or the communications lines being jammed so that legitimate users cannot obtain access.
NEWER SOCIAL ENGINEERING TECHNIQUES
Phishing: The solicitation of sensitive personal information from users, commonly in the form of e-mail and instant messages
Spoofing: The use of a fraudulent Web site that mimics a legitimate one; often used in conjunction with phishing
COMPUTER CRIMES BY INSIDERS
Typical crimes by current employees, recent employees, and business partners:
- Gaining unauthorized access to information, systems, and/or networks
- Theft of intellectual property rights, trade secrets, and/or research and development knowledge
- Data breaches by an organization's business partners
SECURITY TECHNIQUES BY OSI LAYER (Figure 14.2)
Layer #1: Perimeter (web servers, mail servers, etc.)
- Firewalls; VPN encryption; network-based anti-virus
- Pros: lots of vendor solutions, easy to implement
- Cons: hackers can easily penetrate it
Layer #2: Network (LAN/WAN)
- Intrusion detection systems (IDS); vulnerability management systems; network access control; user control/authentication
- Pros: solutions provide deep security that is not easy to breach, plus regular monitoring
- Cons: IDS tend to report false alarms; some solutions are better for specific network devices than for the network as a whole
Layer #3: Host Security (individual computer, server, router, etc.)
- Host IDS; host anti-virus
- Pros: solutions provide good operational protection at the device level
- Cons: time-consuming to deploy, as they are fine-tuned for individual devices
Layer #4: Application
- Public Key Infrastructure (PKI); RSA; access control/authentication
- Pros: encryption provides robust security
- Cons: overhead results in slower system response
Layer #5: Data
- Encryption
- Pros: solutions provide good security
- Cons: dependent on good organizational policies and good execution by the data steward
THE CHIEF SECURITY OFFICER ROLE
CSO Role: The CSO is responsible for continually assessing an organization's information security risks and for developing and implementing effective countermeasures
Key Tasks:
- Identify and prioritize relevant risks
- Eliminate essentially avoidable risks with reasonable investments
- Mitigate other risks to an appropriate point of diminished returns on security investments
THE CHIEF SECURITY OFFICER ROLE
Since it is impossible to eliminate all risk, the CSO must balance the trade-offs between risks and the costs of minimizing them
[Figure: Risk vs. Costs to Minimize]
INFORMATION RISK MANAGEMENT
Risk Management Steps
- Determine the organization's information assets and their values
- Determine the length of time the organization can function without a given information asset
- Develop and implement security procedures to protect the assets
Example for a specific organization:
- Corporate information on employee laptops is an important asset
- Loss of the information on a laptop averages $50,000
INFORMATION RISK MANAGEMENT
The expected losses due to a vulnerability can be calculated by the following formula:
Annualized Expected Losses (AEL) = Single Loss Expectancy (SLE) × Annual Occurrence Rate (AOR)
INFORMATION RISK MANAGEMENT
Example continued:
- Loss of the information on a laptop averages $50,000 (the SLE)
- Company identifies three occurrences in the last two years where a laptop had been lost: Annual Occurrence Rate = 1.5
Annualized Expected Losses (AEL) = Single Loss Expectancy (SLE) × Annual Occurrence Rate (AOR)
$75,000 = $50,000 × 1.5
INFORMATION RISK MANAGEMENT
- Managers estimate the costs of the actions performed to secure valued information assets
- Cost estimates and Annualized Expected Losses (AEL) are then used to perform security cost-benefit analysis
Security Cost-Benefit Analysis: Quantitative analysis to calculate the potential business benefits and the intervention costs involved with mitigating security risks
The Return Benefit is estimated as follows:
Return Benefit = Annualized Expected Losses (AEL) − Annualized Cost of Actions
INFORMATION RISK MANAGEMENT
Example continued:
- Company estimates that adding strong encryption to the corporate data on the laptops will cost $100 per year for each of the 200 laptops in the company = $20,000 annualized cost for this intervention
- Return Benefit for this action = $55,000
Return Benefit = Annualized Expected Losses (AEL) − Annualized Cost of Actions
$55,000 = $75,000 − $20,000
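The laptop example above can be carried through in code. The following is an added example, not part of the textbook slides: it implements the two slide formulas (AEL = SLE × AOR and Return Benefit = AEL − Annualized Cost of Actions) and generalizes them to rank several candidate controls for one asset, discarding any whose annual cost exceeds the expected loss. The `Asset`, `Control`, `return_benefit` and `rank_controls` names are this example's own, and the "laptop tracking service" control and its $450 price are constructed values, not figures from the chapter.

```python
"""Quantitative security cost-benefit analysis, following the chapter's
AEL and Return Benefit formulas (added example, not textbook code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    sle: float           # Single Loss Expectancy: average cost of one loss event
    occurrences: int     # loss events observed during the window
    window_years: float  # length of the observation window, in years

    @property
    def aor(self) -> float:
        """Annual Occurrence Rate: observed losses normalised to one year."""
        if self.window_years <= 0:
            raise ValueError("observation window must be a positive number of years")
        return self.occurrences / self.window_years

    @property
    def ael(self) -> float:
        """Annualized Expected Losses = SLE x AOR."""
        return self.sle * self.aor


@dataclass(frozen=True)
class Control:
    name: str
    unit_cost_per_year: float  # annual cost per protected unit (e.g. per laptop)
    units: int                 # number of units the control is applied to

    @property
    def annualized_cost(self) -> float:
        """Annualized Cost of Actions for this control."""
        return self.unit_cost_per_year * self.units


def return_benefit(asset: Asset, control: Control) -> float:
    """Return Benefit = AEL - Annualized Cost of Actions.

    As on the slides, this assumes the control removes the whole expected loss.
    A negative value means the control costs more per year than the losses it
    is meant to prevent, so it fails the cost-benefit test.
    """
    return asset.ael - control.annualized_cost


def rank_controls(asset: Asset, controls) -> list:
    """Rank candidate controls by return benefit, best first, keeping only
    those whose return benefit is positive."""
    scored = [(c.name, return_benefit(asset, c)) for c in controls]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: s[1], reverse=True)


# Figures from the chapter's worked example
LAPTOP_DATA = Asset("corporate data on employee laptops", sle=50_000.0,
                    occurrences=3, window_years=2.0)          # AOR 1.5, AEL $75,000
ENCRYPTION = Control("Full-disk encryption", unit_cost_per_year=100.0, units=200)

# Constructed alternative for comparison (not from the textbook)
TRACKING = Control("Laptop tracking service (constructed)", unit_cost_per_year=450.0, units=200)


if __name__ == "__main__":
    print(f"AOR = {LAPTOP_DATA.aor}, AEL = ${LAPTOP_DATA.ael:,.0f}")
    for control in (ENCRYPTION, TRACKING):
        rb = return_benefit(LAPTOP_DATA, control)
        print(f"{control.name}: cost ${control.annualized_cost:,.0f}/yr, return benefit ${rb:,.0f}")
    print("Justified controls:", rank_controls(LAPTOP_DATA, [TRACKING, ENCRYPTION]))
```

Running the script reproduces the slide's numbers (AOR 1.5, AEL $75,000, return benefit $55,000 for encryption) and shows why a control whose annual cost exceeds the AEL drops out of the ranking. The model is the chapter's simple one: it credits a control with the full AEL, so a practitioner comparing controls that only reduce the loss rate would scale the benefit accordingly.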
RECENT INFORMATION SECURITY BREACHES (Figure 14.5)
Organization: Information Security Breach
- Blue Cross Blue Shield: Personal laptop stolen with an unencrypted copy of a database containing the national provider ID number and personal information of more than 850,000 physicians and other U.S. healthcare providers.
- Kaiser Hospital: Hospital fined $182,500 and $250,000 by the state of California for privacy violations involving at least 27 employees improperly accessing the records of the mother of octuplets and her children.
- TJX: More than 45 million customers' credit card information was stolen over a period of more than 6 months.
- U.S. Military: Computer hard drive with data for 76 million U.S. veterans was erroneously sent out for repair.
COMPLIANCE WITH RECENT U.S. LAWS
Figure 14.6 Recent U.S. Laws with Information Security Impacts
COMPLIANCE WITH RECENT U.S. LAWS
Sarbanes-Oxley Act of 2002 (SOX)
- Legislation in response to corporate scandals at Enron, Tyco, WorldCom, and others
- Applies to publicly traded U.S. companies
SARBANES–OXLEY ACT OF 2002 (SOX)
Impact of SOX on the IS organization:
- Records retention: the act states that companies must retain electronic communication such as e-mail and instant messaging for a period of at least five years
- IT audit controls: company officers must certify that they are responsible for establishing and maintaining internal controls; Section 404 states that companies must use an internal control framework such as COSO
SARBANES–OXLEY ACT OF 2002 (SOX)
COSO: A framework for auditors to use when assessing internal controls, created by the Committee of Sponsoring Organizations (COSO)
COSO definition of an Internal Control: a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
The COSO Framework contains five interrelated categories:
- Risk Assessment
- Control Environment
- Control Activities
- Monitoring
- Information and Communication
GRAMM-LEACH-BLILEY ACT OF 1999 (GBLA)
Gramm-Leach-Bliley Act (GBLA)
- Mandates that all organizations maintain a high level of confidentiality of all financial information of their clients or customers
- Federal agencies and states enforce the following rules:
  - Financial Privacy Rule
  - Safeguards Rule
GRAMM-LEACH-BLILEY ACT OF 1999 (GBLA)
Financial Privacy Rule
- Requires financial institutions to provide customers with privacy notices
- Organizations must clearly state their privacy policies when establishing relationships with customers
- Organizations cannot disclose non-public personal information to a third party
Safeguards Rule
- Organizations must have a written security plan in place to protect a customer's non-public confidential information
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
Health Insurance Portability and Accountability Act (HIPAA)
- Includes Privacy and Security Rules
- Healthcare providers must maintain the privacy of non-public confidential medical information of all patients
- Non-compliance can lead to serious civil penalties and fines
- Security rules apply to electronic personal health information
- Note: Recent legislation also requires that healthcare providers perform a formal security risk assessment
PATRIOT ACT: INTERCEPT AND OBSTRUCT TERRORISM ACT OF 2001
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, commonly called the PATRIOT Act
- Gives the US government greater ability to use tools to access information about individuals
- Victims of computer hacking can now request law enforcement assistance
CALIFORNIA INFORMATION PRACTICES ACT (CA Senate Bill 1386)
- Requires organizations that store non-public information on California residents to report information theft within 96 hours
- Noncompliance may lead to civil or criminal consequences
Note: Companies in the past have often been silent about thefts of electronic information on individuals (employees, customers); the act makes this illegal
ORGANIZATIONAL POLICIES FOR INFORMATION SECURITY
- Required by many laws and regulations (e.g., SOX)
- Required by U.S. insurance companies due to the risk of heavy civil or criminal penalties for non-compliance
Information Security Policy: A written policy document describing what is, and is not, permissible use of information in the organization, and the consequences for violation of the policy
DEVELOPING AN INFORMATION SECURITY POLICY
WHO should develop the security policy?
- A Policy Committee with representatives of all affected user groups and stakeholders
- The Policy Committee that develops the policy should also meet regularly to ensure that it continues to meet the organization's needs and satisfies current regulations
- Managers need to communicate, provide training on, and enforce the policy
DEVELOPING AN INFORMATION SECURITY POLICY
WHAT should be in the policy? Typical content:
- Access control policies
- External access policies
- User and physical policies
Examples or templates of security policies are available from several Internet sites, e.g., the SANS Security Policy Template.
ACCEPTABLE USE POLICY
Example: "Information Technology resources are provided in the hope that the community will use them in a spirit of mutual cooperation. Resources are limited and must be shared. Everyone will benefit if all computer users avoid any activities that cause problems for others who use the same systems." – Stevens Institute of Technology, 2010
DEVELOPING AN INFORMATION SECURITY POLICY
Other General Guidelines:
- Policies should be appropriate for the estimated risks of the organization
- Policies should be quickly modified when new situations arise affecting security, and affected organizational members should be notified about these policy modifications
- Policies should be easily accessible to employees
BUSINESS CONTINUITY PLANNING
Research has shown that businesses that cannot resume operations in a reasonable time frame do not survive.
Business Continuity Planning (BCP): Plans to ensure that employees and business processes can continue when faced with any major, unanticipated disruption
BUSINESS CONTINUITY PLANNING
1. Define the critical business processes and departments
2. Identify interdependencies between them
3. Examine all possible disruptions to these systems
4. Gather quantitative and qualitative information on these threats
5. Provide remedies for restoring systems
BCP LESSONS LEARNED AFTER 9/11 TERRORIST ATTACKS IN U.S.
BCP plans should include:
- Alternate workspaces for people, with working computers and phone lines
- Backup IT sites that are not too close, but not too far away
- Up-to-date evacuation plans that everyone knows and has practiced
- Backed-up laptops and departmental servers, because a lot of corporate information is housed on these machines rather than in the data center
- Easily accessible phone lists, e-mail lists, and even instant-messenger lists so that people can communicate with loved ones and colleagues
BCP LESSONS LEARNED AFTER HURRICANE KATRINA IN U.S.
- Keep data and data centers more than 1000 miles apart
- Plan for the public infrastructure to not be available
- Plan for civil unrest
- In case your A-Team is not available, assemble a B-Team
Source: Junglas and Ives, 2007
CATEGORIES FOR TOLERABLE DOWNTIMES
ELECTRONIC RECORDS MANAGEMENT
Electronic Records Management (ERM)
- ERM is a discipline that addresses retention periods for electronic documents and other records management issues
- Both SOX and HIPAA have specific requirements for document retention
- Recent eDiscovery amendments also include rules for retention periods and information gathering in anticipation of litigation, with penalties for non-compliance
ELECTRONIC RECORDS MANAGEMENT
ERM managers are responsible for:
- Defining what constitutes an electronic record
- Analyzing the current business environment and developing appropriate ERM policies
- Classifying specific records based upon their importance, regulatory requirements, and retention duration
- Authenticating records by maintaining accurate logs and procedures to prove that these are the actual records and that they have not been altered
- Formulating policies and monitoring compliance
COPYRIGHT
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. Printed in the United States of America. Copyright © 2012 Pearson Education, Inc. Publishing as Prentice Hall