Information Security Management

Presentation on theme: "Information Security Management"— Presentation transcript:

1 Information Security Management
Chapter 12 Information Security Management

2 Study Questions
- Q1: What are the sources and types of security threats?
- Q2: What are the elements of a security program?
- Q3: How can technical safeguards protect against security threats?
- Q4: How can data safeguards protect against security threats?
- Q5: How can human safeguards protect against security threats?
- Q6: What is necessary for disaster preparedness?
- Q7: How should organizations respond to security incidents?
Copyright © 2010 Pearson Education, Inc. Publishing as Prentice Hall

3 Q1: What Are the Sources and Types of Security Threats?
- Unintentional human errors and mistakes
  - Accidental problems: deletions, copyovers, operating errors
  - Physical accidents: driving a forklift through a computer room wall
- Malicious human activity
  - Intentional destruction of programs, hardware, and data by employees
  - Insider attacks from disgruntled employees
  - Hackers, criminals, terrorists
- Natural events and disasters
  - Fires, floods, hurricanes, earthquakes, avalanches, tornados

4 Unauthorized Data Disclosure
- Human error
  - Posting private information in a public place
  - Placing restricted information on searchable Web sites
  - Inadvertent disclosure during recovery
- Malicious release
  - Pretexting = pretending to be someone else via a phone call
  - Phishing = pretexting using email
  - Spoofing = disguising as a different IP address or a different sender
  - Sniffing / drive-by sniffing = searching for unprotected or WEP wireless networks
  - Network tap = breaking into networks by splicing into cables or using a client on the network

5 Faulty Service
- Usurpation = an unauthorized program or update replaces a legitimate/approved program

6 Denial of Service (DOS)
- Human error
  - Inadvertently shutting down a Web server or gateway router with a computationally intensive application
  - Example: an OLAP application that uses the operational DBMS blocks order-entry transactions
- Malicious denial-of-service attacks
  - Flooding a Web server with millions of requests for Web pages
  - Computer worms

7 Q2: What Are the Elements of a Security Program?
- Senior management responsibility
- Establish a security policy
- Balance the costs and benefits of the security program
- Safeguards
- Incident response

8 Q3: How Can Technical Safeguards Protect Against Security Threats?
- Primary technical safeguards
  - Identification and authentication
  - Encryption (Ch. 6)
  - Firewalls (Ch. 6)
  - Malware protection
  - Design for secure applications

9 Identification and Authentication
- User names and passwords
  - Identification: user name
  - Authentication: password
- Authentication methods
  - What you know (password, PIN)
  - What you have (smart card, ID card, digital certificate)
  - What you are (biometric)
- Single sign-on for multiple systems
  - Authenticate to the network and other servers

10 Malware Protection
- Types of malware
  - Spyware programs
    - Install without the user's knowledge
    - Reside in the background; monitor user actions, keystrokes, etc.
    - Used for marketing analysis
    - Latest viruses, malware threats
  - Adware
    - Similar to spyware but without malicious intent
    - Watches the user's activity, produces pop-up ads, changes windows, modifies search results
    - Can slow computer performance
    - Remove with anti-spyware, anti-adware programs

11 Malware Is a Serious Problem

12 Malware Safeguards
- Install antivirus and anti-spyware programs
- Set anti-malware programs to scan frequently
  - Scan hard drive and email
- Update malware definitions regularly
- Open attachments only from known sources
  - 90% of all viruses spread by attachments
- Install updates promptly and only from legitimate sources
- Browse only reputable Internet neighborhoods
  - It is possible for some malware to install itself when you do nothing but open a Web page or download a picture.

13 Design for Secure Applications
- Be sure that your company designs and builds systems with security as a requirement
- CERT

14 Q4: How Can Data Safeguards Protect Against Security Threats?
- Data administration
  - Organization-wide function
  - Develops data policies
  - Enforces data standards
- Database administration
  - Ensures procedures exist for orderly multiuser processing
  - Controls changes to database structure
  - Protects the database

15 Q5: How Can Human Safeguards Protect Against Security Threats?
- Human safeguards for employees
  - Position definitions
    - Separation of duties and authorities
    - Grant "least possible privileges"
  - Hiring and screening employees
    - Extensive interviews and background checks for new hires and employees being promoted
  - Dissemination and enforcement (security policy)
    - Make employees aware of security policies and procedures
    - Enforcement factors: responsibility, accountability, compliance

16 Q5: How Can Human Safeguards Protect Against Security Threats? (cont'd)
- Termination
  - Standard human resources policies for "friendly" terminations
    - Remove accounts and passwords on the last work day
    - Recover all keys for encrypted data
    - Recover all door keys, pass cards, and ID badges
  - Unfriendly terminations
    - Remove accounts and passwords prior to notifying the employee of termination
    - Security officer cleans out the person's desk or watches
    - Accompany the person off the premises

17 Account Administration
- Account management procedures
  - Creation of new accounts, modification of existing accounts, removal of terminated accounts
  - Users provide timely notification of account change needs
  - Users and business managers inform IT to remove accounts
- Password management
  - User-signed acknowledgment forms
  - Change passwords frequently
- Help-desk policies
  - Authentication of users who have lost a password
  - Passwords should not be emailed
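The termination and account-administration slides above both come down to one check: does every enabled account still belong to a current employee? The reconciliation below is an added example, not from the Pearson slides; the HR roster, directory export and field names (user, status, last_day, enabled, last_login) are constructed.

```python
from datetime import date, timedelta

# Constructed sample data standing in for an HR roster and a directory export.
# Field names (user, status, last_day, enabled, last_login) are assumptions.
HR_ROSTER = [
    {"user": "alice", "status": "active",     "last_day": None},
    {"user": "bob",   "status": "terminated", "last_day": date(2010, 3, 12)},
    {"user": "carol", "status": "terminated", "last_day": date(2010, 4, 2)},
    {"user": "dave",  "status": "active",     "last_day": None},
]
ACCOUNTS = [
    {"user": "alice", "enabled": True,  "last_login": date(2010, 4, 1)},
    {"user": "bob",   "enabled": True,  "last_login": date(2010, 3, 30)},   # removal missed
    {"user": "carol", "enabled": False, "last_login": date(2010, 4, 1)},   # removed on time
    {"user": "dave",  "enabled": True,  "last_login": date(2009, 11, 5)},  # unused for months
    {"user": "svc01", "enabled": True,  "last_login": date(2010, 4, 10)},  # no HR owner
]
REVIEW_DATE = date(2010, 4, 15)

def review_accounts(roster, accounts, today, stale_after_days=90):
    """Reconcile directory accounts against HR status and return the gaps found.

    terminated_still_enabled: account should have been removed on the last work day
    used_after_last_day:      account was logged into after HR's last work day
    orphaned:                 account has no HR record (service or forgotten account)
    stale:                    active employee's account unused for stale_after_days
    """
    hr = {r["user"]: r for r in roster}
    findings = {"terminated_still_enabled": [], "used_after_last_day": [],
                "orphaned": [], "stale": []}
    for acct in accounts:
        rec = hr.get(acct["user"])
        if rec is None:
            # Nobody in HR owns this account; a business manager must claim it or IT removes it.
            findings["orphaned"].append(acct["user"])
        elif rec["status"] == "terminated":
            if acct["enabled"]:
                findings["terminated_still_enabled"].append(acct["user"])
            if rec["last_day"] and acct["last_login"] > rec["last_day"]:
                findings["used_after_last_day"].append(acct["user"])
        elif acct["enabled"] and today - acct["last_login"] > timedelta(days=stale_after_days):
            findings["stale"].append(acct["user"])
    return findings

if __name__ == "__main__":
    for kind, users in review_accounts(HR_ROSTER, ACCOUNTS, REVIEW_DATE).items():
        print(f"{kind}: {users}")
```

Run on a schedule, the "terminated_still_enabled" list is the control that tells you whether the last-work-day removal procedure is actually being followed.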

18 Information Systems Safety Procedures
- Procedure types
  - Normal operations
  - Backup
  - Recovery

19 Q6: What Is Necessary for Disaster Preparedness?
- Substantial loss of infrastructure caused by acts of nature, crime, or terrorism
- Best safeguard is to choose an appropriate location for infrastructure (common sense?)
  - Avoid placing it where it is prone to floods, earthquakes, tornadoes, hurricanes, avalanches, car/truck accidents
  - Place in unobtrusive buildings, basements, back rooms, NOT on the physical perimeter
  - Fire-resistant buildings

20 Q6: What Is Necessary for Disaster Preparedness? (cont’d)
- Create backups for critical resources
- Contract with a "hot site" or "cold site" provider
  - A hot site provides all equipment needed to continue operations there
  - A cold site provides space, but you have to set up and install the equipment
- Periodically train and rehearse cutover of operations

21 Q7: How Should Organizations Respond to Security Incidents?
- Have a plan in place
- Centralize reporting
  - Computer Security Incident Reporting Team (CSIRT)
- Specific responses
  - Speed
  - Preparation pays
  - Don't make problems worse
- Practice!

22 Active Review
- Q1: What are the sources and types of security threats?
- Q2: What are the elements of a security program?
- Q3: How can technical safeguards protect against security threats?
- Q4: How can data safeguards protect against security threats?
- Q5: How can human safeguards protect against security threats?
- Q6: What is necessary for disaster preparedness?
- Q7: How should organizations respond to security incidents?

