Presentation on theme: "Copyright 2010 John Wiley & Sons, Inc."— Presentation transcript:
1 Copyright 2010 John Wiley & Sons, Inc.
Turban and Volonino, Chapter 5: Securing the Enterprise and Business Continuity
Information Technology for Management: Improving Performance in the Digital Economy, 7th edition, John Wiley & Sons, Inc.
Slides contributed by Dr. Sandra Reid, Chair, Graduate School of Business & Professor, Technology, Dallas Baptist University
2 Chapter Outline
5.1 Data and Enterprise Security Incidents
5.2 IS Vulnerabilities and Threats
5.3 Fraud and Computer-Mediated Crimes
5.4 IT Security Management Practices
5.5 Network Security
3 Chapter Outline (cont’d)
5.6 Internal Control and Compliance Management
5.7 Business Continuity and Disaster Recovery Planning
5.8 Auditing and Risk Management
5.9 Managerial Issues
4 Learning Objectives
1. Recognize the business and financial value of information security.
2. Recognize IS vulnerabilities, threats, attack methods, and cybercrime symptoms.
3. Describe the factors that contribute to risk exposure and methods to mitigate them.
4. Explain key methods of defending information systems, networks, and wireless devices.
5. Describe internal control and fraud and related legislation.
5 Learning Objectives (cont’d)
6. Understand business continuity and disaster recovery planning methods.
7. Discuss the role of IT in defending critical infrastructures.
6 Figure IT7eU
Figure IT7eU provides an opportunity to discuss an overview of IT’s role in setting corporate strategy and its importance to performance, delivered as business solutions and the resulting profitability. Student learning will evolve around this chart throughout the semester, so it is worth returning to it to integrate what has been learned.
7 ChoicePoint
Problem: personal & financial data of 145,000 individuals compromised.
* Perpetrator sentenced & fined.
* $55M loss to the company in fines, compensation to victims, lawsuits, & legal fees.
* Public loss of goodwill causes serious revenue losses.
8 Figure 5.1 Impact of data breach on ChoicePoint’s stock price.
Security breaches can have devastating effects on stock prices, severely reduce customer confidence, and may even cause a company to go out of business. Security breaches of significant magnitude must be reported to the public & to shareholders, as was required in this case.
9 ChoicePoint (cont’d)
Solution: implement new procedures to ensure that consumers are protected from illegitimate access to personal data.
* Establish & maintain a comprehensive information security program.
* Obtain audits by independent third-party security professionals.
10 ChoicePoint (cont’d)
Results: business practices reformed.
* Security policies gained national attention.
* Improved corporate governance.
* Increased laws & government involvement.
* Need for more improvement.
Discuss the value/forms of using technology such as firewalls & anti-malware, internal controls, information assurance, & the COBIT framework to minimize the risk of information security violations.
Contrast infosec (information security) resources versus cost. This huge breach cost the company $55M in fines, compensation to potential victims of identity theft, lawsuit settlements, & legal fees, plus a $10M additional settlement in a class action lawsuit, for a total of $65M. Proper security systems, policies, etc., would likely have cost much less.
This case drew a great deal of attention and resulted in major changes across the nation in terms of breach reporting, security requirements, etc.
11 ChoicePoint Suffers Dramatically with Data Breach
ChoicePoint data leak losses exceed $55M
ChoicePoint’s data breach losses reach $26.4M
Relatively big breaches and one huge but not confirmed
Great articles for further reading associated with the opening case. Integrate some into discussions as time permits.
12 5.1 Data and Enterprise Security Incidents
13 Table 5.1
Information slide. Security terms are important for students’ overall understanding; the topic will grow.
At what price security? Can a company ever be really secure? In what cases would 100% secure be appropriate? Health care, possibly.
No company can guarantee 100% security. However, in industries such as healthcare and finance, organizations are expected to come near that level. The cost of total security may be prohibitive, or, where it is required as in these two examples, the cost passed on to customers may be so high that some cannot afford coverage, access, etc.
14 Internal Threats
$100 Million Data Breach at US Department of Veterans Affairs
Veterans Affairs Data Theft
TJX says 45.7 million customer records were compromised
Bank Group Sues TJX over Data Breach (Massachusetts Bankers Association, TJX Companies Inc.)
Data Breach Reported at Walter Reed Medical Center
Staten Island University Hospital Patients’ Personal Records Stolen In December
University Of California At San Francisco Patients’ Records Exposed
Compare & contrast short-term & long-term organizational profitability issues related to data breaches. Short-term costs for a start-up company may be prohibitive; however, doing nothing can have a serious long-term effect on organizational stability, health, & growth. Disgruntled employees may take out their anger on the company through security breach activities.
Medical record data breaches extend beyond organizational profitability; discuss other consequences such as health care coverage, employment, and professional opportunity concerns.
Could massive security breaches occur at any company? Absolutely. Why or why not? New viruses & other malware appear continually. Without continual focus & awareness, employees may lose sight of the importance of security & let something get by them. There must be clear policies that are enforced at all times. Recurrent training & awareness is key; penalties must fit the offense.
15 Internal IT Threats (cont’d)
The Top 5 Internal Security Threats
The 25 Most Common Mistakes in Security
Deconstructing a 20 Billion Message Spam Attack
Positive Security: Worth The Work?
Insider Threats: Beware the Enemy from Within
Change Management: A Required Element of Business Transformation
Hot links to articles that will extend/further explain concepts presented in the text.
What are some reasons why employees fail to follow internal security policies & procedures? How might they be more motivated?
Use incentives: recognition of employees/business units for following policies, going without security violations, bringing security ideas forward, etc. Employees may believe they are too busy for the additional steps that may be required, such as passwords, door entry, data authentication procedures, etc. It is important that employees be fully aware of risks & penalties; penalties should be enforced consistently.
16 IT Governance
Information Governance: The Cost, The Risk, The Value
Information Governance: Strategy, Best Practices, Results
IT Governance Trends
Hot links to videos & articles for further discussion. Identify major challenges to IT leaders; one threat is the lack of “C”-suite representation by IT executives.
Assign students to read an article & then report back to the other students.
17 Government Regulation
The Sarbanes-Oxley Act
Gramm-Leach-Bliley Act
Federal Information Security Management Act
USA Patriot Act
Canada’s Personal Information Protection and Electronic Documents Act
Hot links to the major regulations for background information and the history of security law initiatives.
Why is government intervention & regulation required in virtually every country? Security, reporting of financial performance, and health records are all expensive to maintain. It affects profitability & isn’t always considered good business by customers; it is inconvenient, expensive, intrusive, etc.
18 Industry Standards
Summary of “Information Security: A CompTIA Analysis of IT Security and the Workforce”
Hot link to initial standards.
Discuss advantages & disadvantages of proactive versus reactive organizational interventions such as those described by “industry standards.” Is this really good for business? Yes: it is always more costly when a company is forced to comply, and there is untold expense in the ill will that may ensue from disregarding what is best for the customer, organization, etc.
19 Breakdowns Beyond Company Control
E-Payment Provider Hit With Denial-Of-Service
BOMA honors Verizon for actions taken on Sept. 11
7 World Trade Center
Click links for articles & expanded information at wikipedia.org.
How were the tragic events of 9-11 a result of mistakes (human error), malfunctioning systems, and misunderstanding? Why were these events missed by IT security technologies (or were they simply ignored)?
From an airline perspective, the perpetrators were ignored because the profiling systems had been turned off after earlier improper use that had resulted in huge lawsuit settlements. In the end, the payments afterwards were astronomical.
20 Figure 5.2 Lower Manhattan, the most communications-intensive real estate in the world. (Photo courtesy of Verizon Communications. Used with permission.)
Ask if anyone was in NYC at the time. Does everyone remember where they were? What changes have they made as a result?
Certainly airport security is a good example of changes as a result of this national tragedy. We no longer just “trust.”
21 Figure 5.3 Verizon’s Central Office (CO) at 140 West St., harpooned by steel girders. (Photo courtesy of Verizon Communications. Used with permission.)
One of the largest & most complex telecommunications facilities in the world was harpooned by huge steel girders. 300,000 telephone lines & 3.6 million high-capacity data circuits served by that central office were put out of service.
The disaster was not expected, but this event has been the reason for disaster plan development by almost every business in the U.S.
Have any students been involved in disaster plan development at their university or organization?
22 Cybercrime
Cyber Crime Growing Global Threat
The New Face of Cybercrime
Cyber Crime Toolkits
FBI on fighting cyber crime
Fight against cyber crime intensifies - 27 Apr 08
How has the Internet increased our vulnerability to criminal activities? Has overall criminal activity increased or just taken on a new form? Increased, yes. We are trusting people & still do not expect there to be hatred on the other side of the Internet, so to speak.
Why is cyber crime safer & easier than selling drugs, dealing in black market environments or robbing banks? Because one is invisible. Discuss guarding children and their vulnerability if we do not tightly control & monitor.
23 Figure 5.4 Enterprise-wide information security and internal control model.
Any security policy requires top management support. It requires recurrent training & awareness sessions. There must be heavy penalties for violations.
Do you think organizations should publicly make examples of those who violate policies? Yes. Why? Because it lets everyone know that the organization is serious about security.
24 Table 5.2
Informational slide. The risk exposure model for digital assets comprises the five factors shown in this table.
25 5.2 IS Vulnerabilities and Threats
26 Unintentional or not: IT Security Threats?
Hunting The Hackers
Stolen data on 'crime server'
Top 5 Social Engineering Techniques
Hacker Speak
Hackers - A Brief Look Into Their World
Click links to articles & videos that supplement the text.
Discuss ethical dilemmas associated with “white hat” versus “black hat” hacking: is there a difference?
Do you believe that known hackers should be employed within organizations as security “officers” or gurus of security? No, people should not pay others to legalize hacking. But everyone may have a different opinion here.
27 Methods of Attack
A Brief History of Malware and Cybercrime
How You Can Fight Cybercrime
How Organized Crime Uses Technology to Make Money
Top 10 Security Stories Of 2008
Computer virus
Students can be tasked to find safeguards for the future to avoid, or at least slow down, cyber attacks.
Discuss whether we are safer, as a global world, since 9/11.
28 Figure 5.5 How a computer virus can spread.
Is it possible to really be safe from virus attack? No, we are only as safe as what we have learned & done since the last one.
We must get at the social reasons behind cyber attacks in order to be safe.
THE HISTORY OF COMPUTER VIRUSES (for chronology).
29 5.3 Fraud and Computer-Mediated Crimes
30 Table 5.3
Have a discussion about what has been happening over the last year. There are very many examples, & this is a great place for discussion of the part technology has played in making these organizational frauds possible.
31 Fraud
ANALYZING Organizational Fraud
Adelphia founder John Rigas found guilty
Ex-Tyco executives get up to 25 years in prison
Hot links to articles for deeper explanation.
What elements are common to all? Typically, it is done by an insider. It may be perpetrated at the very top, or at least with the knowledge of senior management.
32 Table 5.4
Do you think it possible for someone to innocently perpetrate a fraud? Yes, initially. If so, describe it for discussion by the class. Is it any less a fraud? No.
33 Fraud Trends
Top Ten Cyber Security Menaces for 2008
Why is there a growing trend in cyber security menaces? What can we do about it?
We must get to the causes & get away from focusing on the symptoms.
34 5.4 IT Security Management Practices
35 Figure 5.6 Major defense controls.
Does your company have a defense strategy? Most do, but it may be unknown to most employees. A disaster plan? If not, why not?
Sometimes it is extremely difficult to implement a defense or disaster plan effectively if the organization is especially complex, with various international locations subject to different laws & rules, etc. But it is no less necessary.
36 Table 5.5 Examples of administrative controls.
Continue discussion of your organization’s disaster plan for effective execution.
37 Figure 5.7 Intelligent agents. (Source: Courtesy of Sandia National Laboratories.)
Authentication is key. Agents are able to adapt to changes occurring in their environment, as shown in this figure.
38 5.5 Network Security
39 Figure 5.8 Three layers of network security measures.
Network access control is a common security measure. Network security measures involve three layers: perimeter security (access), authentication, and authorization. A request must pass each layer in turn: the perimeter decides what traffic reaches the system, authentication establishes who is making the request, and authorization decides what that identity is permitted to do. Details of these layers are shown in this figure.
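The three layers of Figure 5.8 as three checks applied in order to one request. This is an added example for this slide, not code from the Turban & Volonino text or its publisher. The network ranges, the accounts and passwords, and the role table are constructed for illustration, and the perimeter layer is simplified to a source-network filter of the kind a firewall rule applies.

```python
# Added example for this slide, not code from the Turban & Volonino text or
# its publisher. It models the three layers in Figure 5.8 (perimeter
# security, authentication, authorization) as three checks applied in order
# to a request. The network ranges, accounts, passwords and permissions are
# constructed for illustration; the perimeter layer is simplified to a
# source-network filter such as a firewall rule would apply.
import hashlib
import hmac
import ipaddress
import os
from typing import Optional, Tuple

# Layer 1: perimeter security. Only traffic from these (constructed) internal
# networks reaches the application at all.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]


def perimeter_allows(src_ip: str) -> bool:
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


# Layer 2: authentication. Passwords are stored as salted PBKDF2 hashes and
# compared in constant time, so a stolen user table does not yield passwords
# and timing does not leak which bytes matched.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Constructed sample accounts (hypothetical users and passwords).
USERS = {
    "alice": {"cred": hash_password("correct horse battery staple"), "role": "analyst"},
    "bob": {"cred": hash_password("hunter2"), "role": "admin"},
}

# Hashing a dummy password for unknown usernames keeps the response time the
# same as for a wrong password, so an attacker cannot enumerate valid accounts
# by timing.
_DUMMY_SALT = b"\x00" * 16


def authenticate(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        hash_password(password, _DUMMY_SALT)
        return False
    salt, expected = record["cred"]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, expected)


# Layer 3: authorization. An authenticated identity may still only perform the
# actions its role grants (constructed role table).
PERMISSIONS = {
    "analyst": {"read_report"},
    "admin": {"read_report", "edit_firewall_rules"},
}


def authorized(username: str, action: str) -> bool:
    role = USERS[username]["role"]
    return action in PERMISSIONS.get(role, set())


def handle_request(src_ip: str, username: str, password: str, action: str) -> str:
    """Apply the three layers in order; the first failing layer ends processing,
    so each layer is only reached through the one before it."""
    if not perimeter_allows(src_ip):
        return "blocked at perimeter"
    if not authenticate(username, password):
        return "authentication failed"
    if not authorized(username, action):
        return "authorization denied"
    return "allowed"


if __name__ == "__main__":
    # Constructed requests: one stopped at each layer, one allowed through.
    for req in [
        ("203.0.113.5", "bob", "hunter2", "read_report"),
        ("10.1.2.3", "alice", "wrong-password", "read_report"),
        ("10.1.2.3", "alice", "correct horse battery staple", "edit_firewall_rules"),
        ("10.1.2.3", "bob", "hunter2", "edit_firewall_rules"),
    ]:
        print(req[0], req[1], req[3], "->", handle_request(*req))
```

The order matters: a request from outside the perimeter never reaches the password check, so the authentication code is not exposed to the whole Internet, and a valid login still gets nothing beyond what its role grants. The constant-time comparison and the dummy hash for unknown usernames are the details that keep the authentication layer from leaking account names or password bytes through timing.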
40 Network Authentication & Authorization
How Firewalls Work
How Phishing Works
Protection from Phishers
Good articles for discussion & class assignment opportunities.
41 Figure 5.9 Where the defense mechanisms are located.
A schematic view of all major defense mechanisms, which protect against attackers of all types, is shown in this figure.
42 War Driving
War Driving (hacking WiFi)
Wardriving Documentary
Wireless Hack Data Breach
Discuss methods to protect against war drivers. Firewalls may be one possibility, but a firewall alone does not stop an attacker who can join the wireless network itself; the primary defenses are strong link-layer encryption and authentication (WPA2 rather than WEP or an open network), removing unneeded or rogue access points, and segmenting wireless clients from the internal network.
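A war driver looks for access points whose protection is weak enough to join or sniff; the check below runs the same survey from the defender's side and flags the networks that would attract one. This is an added example for this slide, not code from the Turban & Volonino text or its publisher. The scan text is constructed in the style of Linux `iwlist <iface> scan` output, and the SSIDs and MAC addresses are made up; reading an encrypted cell with no WPA/WPA2 information element as WEP is an assumption about that output format.

```python
# Added example for this slide, not code from the Turban & Volonino text or
# its publisher. A war driver looks for access points whose security is weak
# enough to join or sniff; this script runs the same check from the defender's
# side, parsing a scan and flagging open, WEP and WPA1-only networks. The scan
# text is constructed in the style of Linux `iwlist <iface> scan` output; the
# SSIDs and MAC addresses are made up.
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAMPLE_SCAN = """\
wlan0     Scan completed :
          Cell 01 - Address: 00:11:22:33:44:55
                    ESSID:"CorpGuest"
                    Encryption key:off
          Cell 02 - Address: 66:77:88:99:AA:BB
                    ESSID:"Warehouse-AP"
                    Encryption key:on
          Cell 03 - Address: 0C:0D:0E:0F:10:11
                    ESSID:"CorpSecure"
                    Encryption key:on
                    IE: IEEE 802.11i/WPA2 Version 1
          Cell 04 - Address: AA:BB:CC:DD:EE:FF
                    ESSID:""
                    Encryption key:on
                    IE: WPA Version 1
"""


@dataclass
class AccessPoint:
    bssid: str
    ssid: str
    security: str  # OPEN, WEP, WPA or WPA2


_CELL_RE = re.compile(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})")


def _classify(cell: Dict[str, object]) -> AccessPoint:
    # Assumption about the iwlist format: WEP shows up only as
    # "Encryption key:on" with no WPA/WPA2 IE, so an encrypted cell without
    # an IE is read as WEP.
    if not cell["key"]:
        security = "OPEN"
    elif cell["wpa2"]:
        security = "WPA2"
    elif cell["wpa"]:
        security = "WPA"
    else:
        security = "WEP"
    return AccessPoint(str(cell["bssid"]), str(cell["ssid"]), security)


def parse_scan(text: str) -> List[AccessPoint]:
    """Turn iwlist-style scan text into one AccessPoint per cell."""
    aps: List[AccessPoint] = []
    cell = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _CELL_RE.match(line)
        if m:
            if cell is not None:
                aps.append(_classify(cell))
            cell = {"bssid": m.group(1), "ssid": "", "key": False, "wpa": False, "wpa2": False}
        elif cell is None:
            continue  # header lines before the first cell
        elif line.startswith("ESSID:"):
            cell["ssid"] = line[len("ESSID:"):].strip('"')  # "" means hidden SSID
        elif line.startswith("Encryption key:"):
            cell["key"] = line.endswith(":on")
        elif line.startswith("IE:"):
            if "WPA2" in line:
                cell["wpa2"] = True
            elif "WPA" in line:
                cell["wpa"] = True
    if cell is not None:
        aps.append(_classify(cell))
    return aps


# Why each weak class matters to a war driver.
WEAK_REASONS = {
    "OPEN": "no encryption: anyone in range can read traffic and join the network",
    "WEP": "WEP keys are recoverable from a few minutes of captured traffic",
    "WPA": "WPA1/TKIP is deprecated; move to WPA2 with AES",
}


def weak_networks(aps: List[AccessPoint]) -> List[Tuple[str, str, str]]:
    """Return (ssid, bssid, reason) for every access point a war driver could exploit."""
    return [
        (ap.ssid or "<hidden>", ap.bssid, WEAK_REASONS[ap.security])
        for ap in aps
        if ap.security in WEAK_REASONS
    ]


if __name__ == "__main__":
    for ssid, bssid, reason in weak_networks(parse_scan(SAMPLE_SCAN)):
        print(f"{ssid:14} {bssid}  {reason}")
```

Note that the hidden-SSID network is still listed: not broadcasting the name is not a security control, because the SSID appears in clear in association frames, and the network's WPA1-only protection is what the report calls out. Running the same classification over a real scan of the office is a cheap way to find the guest network or the warehouse access point that was never moved off WEP.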
43 5.6 Internal Control & Compliance Management
44 Figure 5.10 Increasing role of IT in internal control.
How the role of IT in internal control has changed.
Why would increased internal control improve efficiency & ROI? Errors are minimized. Crime is minimized. Better decisions are made.
45 Table 5.6
Informational slide. Common-sense internal controls.
46 Worldwide Anti-Fraud Regulations
Basel II Accord
Financial Services Authority
U.S. Securities and Exchange Commission
How do these regulations compare with SOX, the Gramm-Leach-Bliley Act, the Federal Information Security Management Act, & the USA Patriot Act?
Students should be tasked with knowing the differences among the various pieces of legislation, discussing them in groups, in class, etc.
47 5.7 Business Continuity & Disaster Recovery Planning
48 Figure 5.11 Business continuity services managed by IBM. (Courtesy of IBM)
Every organization should have a crisis management and disaster recovery plan BEFORE it is needed.
Note: Section 5.8 is not added here because it has been the major point of discussion in previous sections.
49 5.9 Managerial Issues
50 Managerial Issues
Value to business of IT security & internal control?
Legal obligations?
Important to management beginning at the top?
Acceptable use policies & security awareness training?
Digital assets relied upon for competitive advantage?
What does risk management involve?
Impacts of IT security breaches?
Federal & state regulations.
Internal control.
51 Copyright 2010 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in section 117 of the 1976 United States Copyright Act without express permission of the copyright owner is unlawful. Requests for further information should be addressed to the Permission Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages caused by the use of these programs or from the use of the information herein.