7th Module: Security Management

Structure:
1. The Need for Security Management
2. Information Systems Security and Risk Management
3. Security Policy
4. Contingency Planning
5. Computer Systems Audits
6. IT Legislation
7. Applications
The need for security management
Every organisation is concerned about losing sensitive data or suffering damage to its systems, and business espionage is frequent. Organisations therefore need to protect both their systems and the information held on them, which makes security an organisation-wide concern rather than a purely technical one. This concern has driven the development of sophisticated firewalls and of security mechanisms for e-commerce.
There are also legal requirements that organisations must observe: for example, staff illegally downloading music or software onto a company computer can make the company liable. Viruses, worms and trojan horses are a problem for many companies. Moreover, the trust of customers (in particular bank customers) rests on secure systems, so companies are reluctant to admit security breaches when they do happen.
The public has become increasingly aware that some of its confidential information is at risk of misuse. A lot of information about security issues can be found at http://www.cl.cam.ac.uk/Research/Security/
Information Systems Security and Risk Management
Security management aims to identify and manage the risk of damage that a security breach would cause. According to Robson (1997, Chapter 13), a security failure is the loss of elements of an information system, or of their ability to serve the purpose for which they were intended. This definition covers any loss, from natural disasters (fire, flooding, etc.) through deliberate crime and fraud to system errors and accidents.
Protecting IS from such a wide range of risks is complicated and expensive (e.g. multiple backups at separate locations, with the backup data transmitted and stored in encrypted form). It is therefore important that the cost of the measures does not exceed the benefit, which is usually judged by comparing the cost of a control with the expected loss it prevents (likelihood of the incident times its impact), while still spending enough on security when dealing with highly sensitive information (e.g. in the financial sector).
Robson (1997, Chapter 13) gives detailed examples of how information systems security can be tackled from a risk management perspective, where the identification of appropriate security measures proceeds from the systematic identification and investigation of risks. Security management is a continuous process, and because much has happened since 1997, the study guide is out of date. If you want more recent information, I would suggest you refer to the website of the Cambridge Security Group: http://www.cl.cam.ac.uk/Research/Security/
Security Policy
The greatest risk in security management is often not technical but getting people to adhere to the measures. For example, staff are told not to use telnet to reach their email account but to use ssh instead, because telnet sends the password in clear over the network. As long as telnet remains available, there will almost always be people who use it, however often they are told otherwise; the measure only becomes reliable when the insecure option is switched off and compliance is checked rather than assumed.
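The point above, that adherence has to be measured rather than assumed, can be turned into a routine check. The following is an added example written for this page, not code from the original presentation; it reads a constructed, simplified connection log (one record per line: timestamp, source address, destination host, destination port, user name) and reports which users are still logging in over protocols that carry the password in clear. The port-to-protocol tables and the log format are assumptions chosen for the example.

```python
"""Added example: checking whether a 'use ssh, not telnet' policy is actually
followed by looking at a connection log.  Illustrative code for this page, not
code from the original presentation.  The log format (timestamp src dst port
user) is a constructed, simplified one."""
from collections import defaultdict

# Ports on which the login password crosses the network unencrypted
# (assumed mapping for the example).
PLAINTEXT_LOGIN_PORTS = {23: "telnet", 110: "pop3", 143: "imap", 21: "ftp"}
# Their encrypted replacements.
ENCRYPTED_LOGIN_PORTS = {22: "ssh", 995: "pop3s", 993: "imaps"}

# Constructed sample log: six connections plus one malformed line.
SAMPLE_LOG = """\
2003-07-01T08:02:11 10.1.4.17 mailhost 23 alice
2003-07-01T08:03:40 10.1.4.22 mailhost 22 bob
2003-07-01T08:05:02 10.1.4.17 mailhost 23 alice
2003-07-01T08:07:55 10.1.4.31 mailhost 110 carol
2003-07-01T08:09:13 10.1.4.22 mailhost 993 bob
2003-07-01T08:10:30 10.1.4.40 mailhost 22 dave
malformed line that should be skipped
"""


def parse_log(text):
    """Parse the log into dicts; lines that do not have exactly five fields or
    a numeric port are skipped rather than allowed to abort the check."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, user = parts
        try:
            port = int(port)
        except ValueError:
            continue
        records.append({"ts": ts, "src": src, "dst": dst,
                        "port": port, "user": user})
    return records


def policy_violations(records):
    """Return {user: {protocol: count}} for every user who logged in over a
    protocol that carries the password in clear.  Users who only used the
    encrypted services do not appear."""
    counts = defaultdict(lambda: defaultdict(int))
    for r in records:
        proto = PLAINTEXT_LOGIN_PORTS.get(r["port"])
        if proto:
            counts[r["user"]][proto] += 1
    return {user: dict(protos) for user, protos in counts.items()}


def compliance_rate(records):
    """Fraction of login connections that used an encrypted service, or None
    when the log contains no login traffic at all (so a silent log is not
    mistaken for full compliance)."""
    logins = [r for r in records
              if r["port"] in PLAINTEXT_LOGIN_PORTS
              or r["port"] in ENCRYPTED_LOGIN_PORTS]
    if not logins:
        return None
    encrypted = sum(1 for r in logins if r["port"] in ENCRYPTED_LOGIN_PORTS)
    return encrypted / len(logins)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user, protos in sorted(policy_violations(recs).items()):
        print(f"{user}: still using {protos}")
    print(f"encrypted logins: {compliance_rate(recs):.0%}")
```

Run against the sample log this names alice (two telnet logins) and carol (one POP3 login) and reports 50 percent compliance. The number is what makes the policy enforceable: it gives management something to report on, and it tells you when the plaintext services can finally be switched off without locking anyone out.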
Other problems are getting people to choose passwords that cannot be guessed, not to send their passwords or credit card details by email, not to write them down, and to change them regularly (current guidance, e.g. NIST SP 800-63B, no longer recommends routine periodic change and instead requires a change when compromise is suspected). It is also not easy to convince people to back up their data regularly. One way to tackle these problems is to formulate a policy that makes personnel responsible for part of computer security. Suggestions on how to formulate such a policy can be found in Roberts (1990).
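A password rule that lives only in a policy document is one that people work around; a rule enforced at the moment the password is set is one they cannot. As an added illustration for this page (not code from the original presentation), the check below rejects passwords that are short, contain the user name, are a disguised form of a common password, or have too small an estimated guessing space. The minimum length, the bit threshold, the leet-speak substitution table and the tiny common-password list are all assumptions chosen for the example; a real deployment would load a large breached-password list in place of the constructed one.

```python
"""Added example: a password-acceptance check that backs the policy with an
enforced rule.  Illustrative code for this page, not from the original
presentation; thresholds and word list are assumptions for the example."""
import math
import re

MIN_LENGTH = 12   # assumed policy minimum
MIN_BITS = 40     # assumed minimum estimated guessing space

# Constructed sample of a forbidden-password list.
COMMON_PASSWORDS = {"password", "letmein", "welcome", "qwerty",
                    "123456", "iloveyou", "admin", "monkey"}

# Substitutions people use to dodge a word list ('P@ssw0rd' for 'password').
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(pw):
    """Lower-case, strip digits/punctuation tacked on the end, undo leet
    substitutions: 'P@ssw0rd2003!' -> 'password'."""
    core = pw.lower()
    core = re.sub(r"[\d\W_]+$", "", core)
    return core.translate(LEET_MAP)


def estimated_bits(pw):
    """Crude guessing-space estimate: length * log2(alphabet size), where the
    alphabet is the union of the character classes actually present."""
    space = 0
    if re.search(r"[a-z]", pw):
        space += 26
    if re.search(r"[A-Z]", pw):
        space += 26
    if re.search(r"\d", pw):
        space += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        space += 33
    return len(pw) * math.log2(space) if space else 0.0


def check_password(pw, username):
    """Return the list of policy failures; an empty list means accepted."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in pw.lower():
        failures.append("contains the user name")
    core = normalise(pw)
    if core in COMMON_PASSWORDS or any(
            w in core for w in COMMON_PASSWORDS if len(w) >= 6):
        failures.append("based on a common password")
    if estimated_bits(pw) < MIN_BITS:
        failures.append(f"estimated guessing space below {MIN_BITS} bits")
    return failures


if __name__ == "__main__":
    for pw, user in [("P@ssw0rd2003!", "alice"),
                     ("correct horse battery staple", "bob"),
                     ("Alice1", "alice")]:
        print(repr(pw), "->", check_password(pw, user) or "accepted")
```

Note what the normalisation step does: "P@ssw0rd2003!" satisfies every character-class rule and would pass a naive checker, yet it is one of the first guesses an attacker tries, so the check unmasks it before looking at anything else. A long passphrase of plain words passes, which is the behaviour a policy that wants people to stop writing passwords down should encourage.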
The key to implementing a secure system is staff awareness. The policy must be widely publicised, staff must know their own responsibilities, and observance of security procedures has to be part of the management reporting process. Consequently, a security policy must be recognised as one of the most important policies within an organisation.
Contingency Planning
No security measure can be 100 percent effective, and incidents will eventually occur. It is therefore necessary to plan what to do when a security breach takes place, and the scenarios planned for should include the worst case. Contingency Planning = planning to ensure satisfactory performance when services or resources are lost or unavailable.
Practical responsibility for contingency planning is shared between the application owner and the IT manager: the IT manager is responsible for correcting the system failure, whilst the application owner has to keep production going while the system is down. Where the organisation relies on information systems so heavily that a breakdown would be unacceptable, arrangements for uninterrupted service must be made, for example through a backup facility at another site.
It could also be done through a sharing agreement with another organisation or a service provider. Whichever option is chosen, it only counts as a contingency once the recovery has actually been rehearsed; an untested backup is an assumption rather than a plan. Robson (1997, Chapter 13.1) discusses the most important options for data recovery.
Computer Systems Audits
When organisations become reliant on information systems, it is very important that those systems can be shown to perform according to the prescribed specifications and procedures. The demonstration of this performance is called auditing. Duncan (1997): an information system is auditable if it allows an auditor to determine that correct processing takes place on an ongoing basis and that errors are handled correctly.
To produce auditable systems, the development process itself must be checked thoroughly. The attitude of many IT developers towards auditors, however, is that the auditors interfere with their work and meddle in matters they don't understand.
Because information system errors can have disastrous consequences, with liability claims and legal action following bugs in the system, senior management often insists on auditing. It is therefore important that system developers change their attitude towards auditing and work with auditors as a team. Note also that senior management may not be knowledgeable enough to select the best auditors, so it helps if part of the senior management is IT-experienced.
IT Legislation
Software and information systems pose problems for legislators because they are hard to define in physical terms and can be copied from one medium or location to another, or altered, without leaving traces. Since most laws are concerned with physical objects, legislators have had difficulty devising fair and effective legislation, although there has also been a lot of progress in the meantime (e.g. patents for software).
The law is trying new ways of enforcing copyright (e.g. the film and music industries lobby for laws that impose strict legal consequences on copyright violators and software pirates). The US, home to the majority of film, music and software companies, has successfully influenced many countries to tighten their laws on copyright and software piracy (Duncan, 1997).
Robson (1997, Chapter 13) mentions the four main areas of IT law in the UK:
1. Confidentiality and privacy.
2. Copyright and software protection.
3. Contracts.
4. Computer crime.
Applications
If there are security problems in an organisation, advice can be sought from national Computer Emergency Response Teams (CERTs). Other non-profit organisations also advise on security issues, such as the Information Systems Security Association (ISSA), http://www.issa.org/ or the International Information Systems Security Certification Consortium, (ISC)².
(ISC)² has the following website: https://www.isc2.org/cgi-bin/index.cgi
Security has several application areas, e.g.:
- Security protocols (authentication, digital signatures)
- Formal methods (cryptographic protocol proofs)
- Medical information security
- Cryptographic algorithms (e.g. Serpent: Anderson et al. 1998)
- Steganography and digital watermarking (information hiding, e.g. ensuring that music, films etc. carry marks that identify them as originals rather than illegal copies, by adding invisible serial numbers, copyright messages etc.)
- Hardware security (including smartcard security)
- E-commerce
Source: http://www.cl.cam.ac.uk/Research/Security/research.html
References:
Anderson, R., Biham, E. & Knudsen, L. (1998). Serpent and Smartcards. http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/serpent_card.pdf
Duncan, W.M. (1997). Information Systems Management. London: University of London Press.
Roberts, D.W. (1990). Computer Security: Policy, Planning and Practice. Blenheim Online. ISBN 0-86353-180-6, 127 pages.
Robson, W. (1997). Strategic Management and Information Systems. London: Pitman.
The references for students who are interested in further reading can be found on page 22 of the study guide. Moreover, IEEE Computer dedicated its July 2003 issue to Information Protection and Piracy Prevention.