Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright 2010 John Wiley & Sons, Inc.

Similar presentations


Presentation on theme: "Copyright 2010 John Wiley & Sons, Inc."— Presentation transcript:

1 Copyright 2010 John Wiley & Sons, Inc.
Turban and Volonino Chapter 5 Securing the Enterprise and Business Continuity Information Technology for Management Improving Performance in the Digital Economy 7th edition John Wiley & Sons, Inc. Slides contributed by Dr. Sandra Reid Chair, Graduate School of Business & Professor, Technology Dallas Baptist University Copyright 2010 John Wiley & Sons, Inc.

2 Copyright 2010 John Wiley & Sons, Inc.
Chapter Outline 5.1 Data and Enterprise Security Incidents 5.2 IS Vulnerabilities and Threats 5.3 Fraud and Computer-Mediated Crimes 5.4 IT Security Management Practices 5.5 Network Security Copyright 2010 John Wiley & Sons, Inc.

3 Chapter Outline (cont’d)
5.6 Internal Control and Compliance Management 5.7 Business Continuity and Disaster Recovery Planning 5.8 Auditing and Risk Management 5.9 Managerial Issues Copyright 2010 John Wiley & Sons, Inc.

4 Copyright 2010 John Wiley & Sons, Inc.
Learning Objectives Recognize the business and financial value of information security. Recognize IS vulnerabilities, threats, attack methods, and cybercrime symptoms. Describe the factors that contribute to risk exposure and methods to mitigate them. Explain key methods of defending information systems, networks, and wireless devices. Describe internal control and fraud and related legislation. Copyright 2010 John Wiley & Sons, Inc.

5 Learning Objectives cont’d
6. Understand business continuity and disaster recovery planning methods. Discuss the role of IT in defending critical infrastructures. Copyright 2010 John Wiley & Sons, Inc.

6 Copyright 2010 John Wiley & Sons, Inc.
Figure IT 7eU provides opportunity to discuss overview of IT’s role in corporate strategy setting and its intricate importance to performance as business solutions and the resulting profitability. Throughout the “semester” student learning will be evolving surrounding this chart making it good to begin by going back to it to integrate learning. Figure IT7eU Copyright 2010 John Wiley & Sons, Inc.

7 Copyright 2010 John Wiley & Sons, Inc.
ChoicePoint Problem – Personal & financial data of 145,000 individuals compromised * Perpetrator sentenced & fined * $55M loss to company in fines, compensation to victims, lawsuits, & legal fees * Public loss of goodwill causes serious revenue losses Copyright 2010 John Wiley & Sons, Inc.

8 Copyright 2010 John Wiley & Sons, Inc.
Figure 5.1 Security breaches can have devastating effects upon stock prices; severely reduce customer confidence; may even cause a company to go out of business. Security breaches of significant magnitude must be reported to the public & to shareholders as was required in this case. Impact of data breach on ChoicePoint’s stock price. Copyright 2010 John Wiley & Sons, Inc.

9 Copyright 2010 John Wiley & Sons, Inc.
ChoicePoint (cont’d) Solution – Implement new procedures to ensure that consumers are protected from illegitimate access to personal data. * Establish & maintain comprehensive information security program. * Obtain audits by independent third-party security professionals. Copyright 2010 John Wiley & Sons, Inc.

10 Copyright 2010 John Wiley & Sons, Inc.
ChoicePoint (cont’d) Results – Business practices reformed. * Security policies gained national attention. * Improved corporate governance. * Increased laws & government involvement. * Need for more improvement. Discuss value/forms of utilizing technology such as firewalls & malware, internal controls, information assurance, & COBIT framework to minimize risk of information security violations. Contrast infosec (information security) resources versus cost. This huge breach cost the company $55M in fines, compensation to potential victims of identity theft, lawsuit settlements, & legal fines. $10M additional settlement in class action lawsuit for a total of $65M. It would seem that proper security systems, policies, etc., would have likely resulted in costs much less. This case caused lots of attention resulting in major changes across the nation in terms of reporting, security requirements, etc. Copyright 2010 John Wiley & Sons, Inc.

11 ChoicePoint Suffers…. Dramatically with Data Breach
ChoicePoint data leak losses exceed $55M ChoicePoint's data breach losses reach $26.4M Relatively big breaches and one huge but not confirmed Great articles for further reading associated with opening case. Integrate some into discussions as time permits. Copyright 2010 John Wiley & Sons, Inc.

12 Copyright 2010 John Wiley & Sons, Inc.
5.1 Data and Enterprise Security Incidents Copyright 2010 John Wiley & Sons, Inc.

13 Copyright 2010 John Wiley & Sons, Inc.
Table 5.1 Information slide. Security terms are important for students understanding overall. Topic will grow. At what price security? Can a company ever be really secure? In what cases would 100% secure be appropriate? Health care possibly. No company can guarantee 100% security. However, in industries such as healthcare, money, organizations are expected to near the 100% secure level. Cost of total security may be cost prohibitive, or if required such as in these 2 examples, make cost passed on to customers so high that some cannot afford coverage, access, etc. Copyright 2010 John Wiley & Sons, Inc.

14 Copyright 2010 John Wiley & Sons, Inc.
Internal Threats $100 Million Data Breach at US Department of Veterans Affairs Veterans Affairs Data Theft TJX says 45.7 million customer records were compromised Bank Group Sues TJX over Data Breach.(Massachusetts Bankers Association, TJX Companies Inc.) Data Breach Reported at Walter Reed Medical Center Compare & contrast short term & long term organizational profitability issues related to data breaches. Short term costs for start up company may be prohibitive; however, to do nothing can have serious long-term effect on organizational stability, health, & growth capabilities. Employees may be disgruntled & take out their anger on the company through security breach activities. Medical record data breaches extend further than simply organizational profitability concern, discuss others such as health care coverage, employment, and professional opportunity concerns. Could massive security breaches occur at any company? Absolutely! Why or why not? Viruses are being developed & perpetrated every few minutes. Without continual focus & awareness, employees may lose sight of the importance of security & let something get by them. There must be clear policies that are enforced at all times. Recurrent training & awareness is key; penalties must warrant crime. Staten Island University Hospital Patients Personal Records Stolen In December University Of California At San Francisco Patients Records Exposed Copyright 2010 John Wiley & Sons, Inc.

15 Internal IT Threats – cont’d
The Top 5 Internal Security Threats The 25 Most Common Mistakes in Security Deconstructing a 20 Billion Message Spam Attack Positive Security: Worth The Work? Hot links to articles that will extend/further explain concepts presented in the text. What are some reason why employees fail to follow internal security policies & procedures? How might they be more motivated? Use incentives. Recognition of employees/business units for following policies, without security violations, secure ideas brought forward, etc. Employees may believe they are too busy for the additional steps that may be required such as passwords, door entry, data authentication procedures, etc. It is important that employees be fully aware of risks & penalties; penalties should be enforced consistently. Insider Threats: Beware the Enemy from Within Change Management: A Required Element of Business Transformation Copyright 2010 John Wiley & Sons, Inc.

16 Copyright 2010 John Wiley & Sons, Inc.
IT Governance Information Governance: The Cost, The Risk, The Value Information Governance: Strategy, Best Practices, Results IT Governance Trends Hot links to videos & articles for further discussion. Identify major challenges to IT leaders. One threat is lack of “C” suite representation by IT executives. Assign students to read an article & then report back to the other students. Copyright 2010 John Wiley & Sons, Inc.

17 Government Regulation
The Sarbanes-Oxley Act Gramm-Leach-Bliley Act Federal Information Security Management Act USA Patriot Act Canada’s Personal Information Protection and Electronic Documents Act Hot links to the major regulation for background information, history of security law initiatives. Why is government intervention & regulation required in virtually every country? Security, reporting of financial performance, health records are all expensive to maintain. If affects profitability & isn’t always considered good business by customers; it is inconvenient, expensive, intrusive, etc. Copyright 2010 John Wiley & Sons, Inc.

18 Copyright 2010 John Wiley & Sons, Inc.
Industry Standards Summary of “Information Security: A CompTIA Analysis of IT Security and the Workforce Hot link to initial standards. Discuss advantages & disadvantages for organizational proactive versus reactive interventions such as described by “industry standards.” Is this really good for business? Yes, it is always more costly when a company is forced to comply; there is untold expense in bad will that may ensue by disregarding what is best for the customer, organization, etc. Copyright 2010 John Wiley & Sons, Inc.

19 Breakdowns Beyond Company Control
E-Payment Provider Hit With Denial-Of-Service BOMA honors Verizon for actions taken on Sept. 11 7 World Trade Center Click links for articles & expanded information at wikipedia.org. How were the tragic events of 9-11 a result of mistakes (human error), malfunctioning systems, and misunderstanding? Why were these events missed by IT security technologies (or were they simply ignored?)? From an airline perspective, the perpetrators were ignored because the profiling systems had been turned off from improper use previously which resulted in payment of huge law suit settlements. In the end, payments were astronomical afterwards. Copyright 2010 John Wiley & Sons, Inc.

20 Copyright 2010 John Wiley & Sons, Inc.
Figure 5.2 Ask if anyone was in NYC at the time of Does everyone remember where they were? What changes have they made as a result? Certainly airport security is a good example of changes as a result of this national tragedy. We no longer just “trust.” Lower Manhattan, the most communications-intensive real estate in the world. (Photo courtesy of Verizon Communications. Used with permission.) Copyright 2010 John Wiley & Sons, Inc.

21 Copyright 2010 John Wiley & Sons, Inc.
Figure 5.3 Verizon’s Central Office (CO) at 140 West St., harpooned by steel girders. (Photo courtesy of Verizon Communications. Used with permission.) One of the largest & most complex telecommunications facilities in the world was harpooned by huge steel girders. 300,000 telephone lines & 3.6 million high-capacity data circuits served by that central office were put out of service. The disaster was not expected, but this event has been the reason for disaster plan development by almost every business in the U.S. Have any students been involved in disaster plan development at their university or organization? Copyright 2010 John Wiley & Sons, Inc.

22 Copyright 2010 John Wiley & Sons, Inc.
Cybercrime Cyber Crime Growing Global Threat The New Face of Cybercrime Cyber Crime Toolkits FBI on fighting cyber crime How has the Internet increased our vulnerability to criminal activities? Has overall criminal activities increased or just assumed a new perspective? Increased, yes. We are trusting people & still do not expect there to be hatred on the other side of the internet, so to speak. Why is cyber crime safer & easier than selling drugs, dealing in black market environments or robbing banks? Because one is invisible. Discuss guarding the children and their vulnerability if we do not tightly control & monitor. Fight against cyber crime intensifies - 27 Apr 08 Copyright 2010 John Wiley & Sons, Inc.

23 Copyright 2010 John Wiley & Sons, Inc.
Figure 5.4 Enterprise wide information security and internal control model. Any security policy requires top management support. It requires recurrent training & awareness sessions. There must be heavy violation penalties. Do you think organizations should publicly make examples of those who violate policies? Yes. Why? Because it lets everyone know that the organization is serious about security. Copyright 2010 John Wiley & Sons, Inc.

24 Copyright 2010 John Wiley & Sons, Inc.
Table 5.2 Informational slide. Risk exposure model for digital assets is comprised of the 5 factors shown in this table. Copyright 2010 John Wiley & Sons, Inc.

25 Copyright 2010 John Wiley & Sons, Inc.
5.2 IS Vulnerabilities and Threats Copyright 2010 John Wiley & Sons, Inc.

26 Unintentional or not – IT Security Threats?
Hunting The Hackers Stolen data on 'crime server' Top 5 Social Engineering Techniques Hacker Speak Click links to articles & videos supplements to text. Discuss ethical dilemmas associated with “white” versus “black” hacking – is there a difference? Do you believe that known hackers should be employed within organizations as security “officers” or gurus of security? No, people should not pay others to legalize hacking. But everyone may have a difference of opinion here. Hackers - A Brief Look Into Their World Copyright 2010 John Wiley & Sons, Inc.

27 Copyright 2010 John Wiley & Sons, Inc.
Methods of Attack A Brief History of Malware and Cybercrime How You Can Fight Cybercrime How Organized Crime Uses Technology to Make Money Top 10 Security Stories Of 2008 Students can be tasked to find safeguards for the future to avoid, or at least slow down, cyber attacks. Discuss if we are safer, as a global world, since 911. Computer virus Copyright 2010 John Wiley & Sons, Inc.

28 Figure 5.5 - How a computer virus can spread.
Is it possible to really be safe from virus attack? No, we are only as safe as what we have learned & done since the last one. We must get at solutions for the reasons behind, the social reasons behind, cyber attack in order to be safe. THE HISTORY OF COMPUTER VIRUSES – for chronology…. Copyright 2010 John Wiley & Sons, Inc.

29 Copyright 2010 John Wiley & Sons, Inc.
5.3 Fraud and Computer-Mediated Crimes Copyright 2010 John Wiley & Sons, Inc.

30 Copyright 2010 John Wiley & Sons, Inc.
Table 5.3 Have a discussion about what has been happening over the last year! There are so very many examples & this is a great place for discussion about the part the technology has played in making these organizational frauds possible. Copyright 2010 John Wiley & Sons, Inc.

31 Copyright 2010 John Wiley & Sons, Inc.
Fraud ANALYZING Organizational Fraud Adelphia founder John Rigas found guilty Ex-Tyco executives get up to 25 years in prison Hot links to articles for deeper explanation. What elements are common to all? Typically, it is done by an insider. It may be perpetrated at the very top, or at least with the knowledge of senior management. Copyright 2010 John Wiley & Sons, Inc.

32 Copyright 2010 John Wiley & Sons, Inc.
Table 5.4 Do you think it possible for someone to innocently perpetrate a fraud? Yes, initially. If so, describe it for discussion by the class. Is it any less a fraud? No. Copyright 2010 John Wiley & Sons, Inc.

33 Copyright 2010 John Wiley & Sons, Inc.
Fraud Trends Top Ten Cyber Security Menaces for 2008 Why is there growing trends in cyber security menaces? What can we do about it? We must get to the causes & get away from focus on the symptoms. Copyright 2010 John Wiley & Sons, Inc.

34 Copyright 2010 John Wiley & Sons, Inc.
5.4 IT Security Management Practices Copyright 2010 John Wiley & Sons, Inc.

35 Copyright 2010 John Wiley & Sons, Inc.
Figure 5.6 Major defense controls. Does your company have a defense strategy? Most do, but may be unknown by most employees. A disaster plan? If not, why not? Sometimes it is extremely difficult to implement a defense, disaster plan effectively if the organization is especially complex, at various international locations with different laws & rules, etc. But no less necessary. Copyright 2010 John Wiley & Sons, Inc.

36 Copyright 2010 John Wiley & Sons, Inc.
Table 5.5 Continue discussion of your organization’s disaster plan for effective execution. Examples of administrative controls. Copyright 2010 John Wiley & Sons, Inc.

37 Copyright 2010 John Wiley & Sons, Inc.
Figure 5.7 Intelligent agents. (Source: Courtesy of Sandia National Laboratories.) Authentication is key. Agents are able to adapt based on changes occurring in its environment as shown in this figure. Copyright 2010 John Wiley & Sons, Inc.

38 Copyright 2010 John Wiley & Sons, Inc.
5.5 Network Security Copyright 2010 John Wiley & Sons, Inc.

39 Copyright 2010 John Wiley & Sons, Inc.
Figure 5.8 Network access control is a common form, or security measure. Network security measures involve three layers: perimeter security (access, authentication & authorization). Details of these layers are shown in this figure. Three layers of network security measures. Copyright 2010 John Wiley & Sons, Inc.

40 Network Authentication & Authorization
How Firewalls Work How Phishing Works Protection from Phishers Good articles for discussion & class assignment opportunities. Copyright 2010 John Wiley & Sons, Inc.

41 Copyright 2010 John Wiley & Sons, Inc.
Figure 5.9 Where the defense mechanisms are located. A schematic view of all major defense mechanisms, which protect against attackers of all types is shown in this figure. Copyright 2010 John Wiley & Sons, Inc.

42 Copyright 2010 John Wiley & Sons, Inc.
War Driving War Driving (hacking WiFi) Wardriving Documentary Wireless Hack Data Breach Discuss methods to protect against war drivers. Firewalls may be one possibility. Copyright 2010 John Wiley & Sons, Inc.

43 Copyright 2010 John Wiley & Sons, Inc.
5.6 Internal Control & Compliance Management Copyright 2010 John Wiley & Sons, Inc.

44 Copyright 2010 John Wiley & Sons, Inc.
Figure 5.10 Increasing role of IT in internal control. How role of IT in internal control has changed. Why would increased internal control improve efficiency & ROI? Errors are minimized. Crime is minimized. Better decisions are made. Copyright 2010 John Wiley & Sons, Inc.

45 Copyright 2010 John Wiley & Sons, Inc.
Table 5.6 Informational slide. Common sense internal controls. Copyright 2010 John Wiley & Sons, Inc.

46 WorldWide Anti-Fraud Regulations
Basel II Accord Financial Services Authority U.S. Securities and Exchange Commission How do these regulations compare with SOX, Gramm-Leach-Bliley Act, Federal Information Security Management Act, & USA Patriot Act? Students should be tasked with knowing the differences in the various legislation with discussing in groups, in class, etc. Copyright 2010 John Wiley & Sons, Inc.

47 Copyright 2010 John Wiley & Sons, Inc.
5.7 Business Continuity & Disaster Recovery Planning Copyright 2010 John Wiley & Sons, Inc.

48 Copyright 2010 John Wiley & Sons, Inc.
Figure 5.11 Every organization should have a crisis management, disaster recovery plan BEFORE it is needed. Note: Section 5.8 not added because it has been the major point of discussion in previous sections. Business continuity services managed by IBM. (Courtesy of IBM) Copyright 2010 John Wiley & Sons, Inc.

49 Copyright 2010 John Wiley & Sons, Inc.
5.9 Managerial Issues Copyright 2010 John Wiley & Sons, Inc.

50 Copyright 2010 John Wiley & Sons, Inc.
Managerial Issues Value to business of IT security & internal control? Legal obligations? Important to management beginning at top? Acceptable use policies & security awareness training? Digital assets relied upon for competitive advantage? What does risk management involve? Impacts of IT security breaches? Federal & state regulations. Internal control. Copyright 2010 John Wiley & Sons, Inc.

51 Copyright 2010 John Wiley & Sons, Inc.
All rights reserved. Reproduction or translation of this work beyond that permitted in section 117 of the 1976 United States Copyright Act without express permission of the copyright owner is unlawful. Request for further information should be addressed to the Permission Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages caused by the use of these programs or from the use of the Information herein. Copyright 2010 John Wiley & Sons, Inc.


Download ppt "Copyright 2010 John Wiley & Sons, Inc."

Similar presentations


Ads by Google