
1 Copyright © 2009 Pearson Education, Inc. Publishing as Prentice Hall. Managing Information Technology, 6th Edition. Chapter 16: Information Security

2 Information Security
Background
– Organizations face security threats from both within and outside
– Traditional security measures have addressed external threats
– Understanding the managerial aspects of information security is important because of the changing regulatory environment and the potential risk exposure that some firms face

3 E-Crime
E-Crime: any criminal violation in which a computer or e-media is used in the commission of the crime
Examples of credit card security breaches:
– TJX
– CardSystems Inc.

4 E-Crime
Many types of e-crime (Figure 16.2)
– All incur costs to organizations or individuals

5 E-Crime
Some common ways computers are attacked:
– Virus: a small unit of code embedded in a file or program that, when executed, replicates itself and may cause damage to infected computers
– Worm: a self-replicating virus
– Trojan horse: a security-breaking program that is disguised as a legitimate program
– Logic bomb: a program, or code within a system, that takes action when a certain event occurs
– Denial of service attack: occurs when a large number of messages are sent to a target computer simultaneously with the purpose of disrupting the capability of the target

6 E-Crime
Other techniques used in e-crime:
– Phishing: the solicitation of sensitive personal information from users, commonly in the form of e-mail and instant messages
– Spoofing: the use of a fraudulent Web site that mimics a legitimate one; often used in conjunction with phishing

7 E-Crime
Hacker vs. Cracker
– Hacker: an individual with no malicious intent who attacks computer systems for the purpose of highlighting security vulnerabilities
– Cracker: an individual who attacks computer systems to intentionally steal information or cause harm

8 E-Crime
All managers responsible for security compliance should have an understanding of the basics of security.
Technology Security Basics (Figure 16.4):
– Firewalls and proxy servers
– Encryption and VPNs
– Identity and Access Management (IAM) systems
– Content-filtering tools
– Penetration-testing tools

9 Information Risk Management
Steps in Risk Management
– Determine the organization's information assets and their values
– Decide how long the organization can function without specific information assets
– Develop and implement security procedures (controls) to protect these information assets

10 Information Risk Management
Steps in Risk Management
– Determine the organization's information assets and their values
– Example: one organization determined that corporate information found on employee laptops is an important asset. The organization estimates that a loss of the information on a single laptop may cost $50,000 on average.

11 Information Risk Management
The expected losses due to a vulnerability can be calculated by the following formula:
Annualized Expected Losses (AEL) = Single Loss Expectancy (SLE) × Annual Occurrence Rate (AOR)

12 Information Risk Management
Quantitative example:
– Losing the corporate data from a single laptop has an estimated value of $50,000
– The corporation identified three occurrences in the last two years where a laptop had been lost; this is an Annual Occurrence Rate of 1.5
Annualized Expected Losses (AEL) = Single Loss Expectancy (SLE) × Annual Occurrence Rate (AOR)

13 Information Risk Management
Quantitative example:
– Therefore, the Annualized Expected Losses (AEL) amount to $75,000
Annualized Expected Losses (AEL) = Single Loss Expectancy (SLE) × Annual Occurrence Rate (AOR)
$75,000 = $50,000 × 1.5

14 Information Risk Management
After performing a quantitative risk analysis, the Annualized Expected Losses (AEL) are used to perform a security cost-benefit analysis.
Security Cost-Benefit Analysis: a quantitative analysis IS managers may perform to examine the potential business benefits and the intervention costs involved with mitigating security risks

15 Information Risk Management
Security Cost-Benefit Analysis
– Managers must estimate the costs of the actions performed to secure the information asset
– The Return Benefit from the actions can be estimated by the following formula:
Return Benefit = Annualized Expected Losses (AEL) − Annualized Cost of Actions

16 Information Risk Management
Security Cost-Benefit Analysis
– From the laptop example, the company estimates that adding strong encryption to the corporate data on the laptops will cost $100 per year for each of the 200 laptops in the company
– Overall, a $20,000 annualized cost for this intervention would be realized
Return Benefit = Annualized Expected Losses (AEL) − Annualized Cost of Actions

17 Information Risk Management
Security Cost-Benefit Analysis
– After performing the analysis, we find that this action has an estimated return benefit of $55,000 per year
Return Benefit = Annualized Expected Losses (AEL) − Annualized Cost of Actions
$55,000 = $75,000 − $20,000
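The AEL and Return Benefit calculations from slides 11 to 17, carried through in code as an added example (not from the textbook or its publisher). It reproduces the laptop figures and, going one step beyond the slides, adds an assumed `effectiveness` fraction so a control that only removes part of the expected loss can be compared with one that removes all of it; the asset, control and helper names are illustrative.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """An information asset with its observed loss history."""
    name: str
    sle: float       # Single Loss Expectancy: estimated cost of one loss event
    incidents: int   # loss events observed in the observation window
    years: float     # length of the observation window in years

    @property
    def aor(self) -> float:
        """Annual Occurrence Rate: observed incidents per year."""
        return self.incidents / self.years

    @property
    def ael(self) -> float:
        """Annualized Expected Losses = SLE x AOR."""
        return self.sle * self.aor


@dataclass(frozen=True)
class Control:
    """A candidate security intervention and its recurring cost."""
    name: str
    unit_cost_per_year: float
    units: int
    effectiveness: float = 1.0  # share of AEL removed; 1.0 is the slides' assumption (assumed extension)

    @property
    def annual_cost(self) -> float:
        return self.unit_cost_per_year * self.units


def return_benefit(asset: Asset, control: Control) -> float:
    """Return Benefit = (AEL avoided by the control) - annualized cost of the control."""
    if not 0.0 <= control.effectiveness <= 1.0:
        raise ValueError("effectiveness must be a fraction between 0 and 1")
    return asset.ael * control.effectiveness - control.annual_cost


def rank_controls(asset: Asset, controls: list) -> list:
    """Order candidate controls by return benefit, best first; a negative value loses money."""
    scored = [(c.name, return_benefit(asset, c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Figures from the slides: $50,000 per lost laptop, 3 losses in 2 years, 200 laptops at $100/year each.
LAPTOP_DATA = Asset("corporate data on laptops", sle=50_000, incidents=3, years=2)
ENCRYPTION = Control("strong encryption on laptops", unit_cost_per_year=100, units=200)
```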

18 Compliance with Current Security Laws
Legal and Regulatory Environment
– Impacts information security practices (Figure 16.7)

19 Compliance with Current Security Laws
Sarbanes-Oxley Act of 2002 (SOX)
– Created as a response to the scandals at Enron, Tyco, WorldCom, and others
– Applies to publicly traded US companies
"Sarbanes is the most sweeping legislation to affect publicly traded companies since the reforms during the Great Depression" - Gartner Analyst John Bace

20 Compliance with Current Security Laws
SOX affects IS leaders in two major ways:
– Records retention: the act states that companies must retain electronic communication such as e-mail and instant messaging for a period of at least five years
– IT audit controls: officers must certify that they are responsible for establishing and maintaining internal controls

21 Compliance with Current Security Laws
Section 404 of SOX states that companies must use an internal control framework such as COSO.
COSO: a framework for auditors to use when assessing internal controls, created by the Committee of Sponsoring Organizations (COSO)

22 Compliance with Current Security Laws
Internal Controls
Internal controls are assurance processes. COSO defines internal control as:
"a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
– Effectiveness and efficiency of operations
– Reliability of financial reporting
– Compliance with applicable laws and regulations"

23 Compliance with Current Security Laws
The COSO framework contains five interrelated categories:
– Risk Assessment
– Control Environment
– Control Activities
– Monitoring
– Information and Communication

24 Compliance with Current Security Laws
Gramm-Leach-Bliley Act of 1999 (GLBA)
– Mandates that all organizations maintain a high level of confidentiality of all financial information of their clients or customers
– The act gives federal agencies and states the authority to enforce the following rules:
Financial Privacy Rule
Safeguards Rule

25 Compliance with Current Security Laws
Gramm-Leach-Bliley Act of 1999 (GLBA)
– Financial Privacy Rule
Requires financial institutions to provide customers with privacy notices
Organizations must clearly state their privacy policies when establishing relationships with customers
Organizations cannot disclose nonpublic personal information to a third party
– Safeguards Rule

26 Compliance with Current Security Laws
Gramm-Leach-Bliley Act of 1999 (GLBA)
– Safeguards Rule
Organizations must have a written security plan in place to protect customers' nonpublic confidential information

27 Compliance with Current Security Laws
Health Insurance Portability and Accountability Act (HIPAA)
– HIPAA requires organizations to secure nonpublic confidential medical information
– Noncompliance can lead to serious penalties and fines

28 Compliance with Current Security Laws
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT)
– Commonly called the PATRIOT Act
– Gives the US government greater ability to access information
– Victims of computer hacking can now request law enforcement assistance

29 Developing an Information Security Policy
Information Security Policies
– Required by many regulations (e.g., SOX)
– Required to obtain insurance
Information Security Policy: a written document describing what is, and is not, permissible use of information in the organization and the consequences for violation of the policy

30 Developing an Information Security Policy
Who should develop the security policy?
– Representatives of all affected user groups and stakeholders
– Must have the support of the managers who train on and enforce the policy
– The committee that develops the policy should meet regularly to ensure that the security policy meets the organization's needs and satisfies current regulations

31 Developing an Information Security Policy
What should be in the policy?
– Common topics
Access control policies
External access policies
User and physical policies
– Example policies
The SANS Institute provides templates for many policy types

32 Developing an Information Security Policy
– Policies should be appropriate to the estimated risks of the organization
– They should be quickly modified when new situations arise that affect security
– Organizations should make it easy for employees to access the most recent policy

33 Planning for Business Continuity
– This is more than simple disaster recovery
– When an organization cannot resume operations in a reasonable time frame, it leads to business failure
Business Continuity Planning (BCP): putting specific plans in place that ensure that employees and business processes can continue when faced with any major unanticipated disruption

34 Planning for Business Continuity
McNurlin & Sprague identified the following components of BCP that were often overlooked before the 9/11 terrorist attacks:
– Alternate workspaces for people with working computers and phone lines
– Backup IT sites that are not too close, but not too far away
– Up-to-date evacuation plans that everyone knows and has practiced

35 Planning for Business Continuity
McNurlin & Sprague identified the following components of BCP that were often overlooked before the 9/11 terrorist attacks:
– Backed-up laptops and departmental servers, because a lot of corporate information is housed on these machines rather than in the data center
– Helping people cope with a disaster by having easily accessible phone lists, e-mail lists, and even instant-messenger lists so that people can communicate with loved ones and colleagues

36 Planning for Business Continuity
Creating a BCP begins with a business impact analysis with the following steps:
1. Define the critical business processes and departments
2. Identify interdependencies between them
3. Examine all possible disruptions to these systems
4. Gather quantitative and qualitative information on these threats
5. Provide remedies for restoring systems

37 Planning for Business Continuity
Disruptions are usually ranked based on the following categories (maximum tolerable time to restore):
– Lower-priority: 30 days
– Normal: 7 days
– Important: 72 hours
– Urgent: 24 hours
– Critical: < 12 hours

38 Planning for Business Continuity
Electronic Records Management (ERM)
– Covers the retention of important digital documents
– Grew out of the need to satisfy regulations such as SOX and HIPAA
– May require a centralized approach
– eDiscovery amendments to the rules of civil procedure make ERM even more important

39 Planning for Business Continuity
Electronic Records Management (ERM)
– ERM managers are responsible for the following:
Defining what constitutes an electronic record
Analyzing the current business environment and developing appropriate ERM policies
Classifying specific records based upon their importance, regulatory requirements, and duration
Authenticating records by maintaining accurate logs and procedures to prove that these are the actual records, and that they have not been altered
Managing policy compliance

40 Planning for Business Continuity
Electronic Records Management (ERM)
– Managers must realize that businesses may be digitally liable for actions their employees have taken when communicating electronically
– Electronic corporate information may reside on computers external to the company (e.g., cached e-mail)

41 The Chief Information Security Officer Role
– With increasing pressure to comply with laws and regulations, many companies have added a chief information security officer (CISO) to their IS organization
– The CISO is responsible for monitoring information security risks and developing strategies to mitigate those risks

42 The Chief Information Security Officer Role
As it is impossible to eliminate all risk, the CISO must balance the trade-offs between risks and the costs of eliminating them.
(Figure: trade-off between cost of prevention and risk)
