Principles of Information System Security: Text and Cases


1 Principles of Information System Security: Text and Cases
Gurpreet Dhillon. PowerPoint prepared by Youlong Zhuang, University of Missouri-Columbia.

2 Principles of Information System Security: Text and Cases
Chapter Six Security of Formal Systems in Organizations: An Introduction

3 Learning Objectives
- Identify the key aspects of formal information system security
- Explain structures of responsibility
- Understand organizational buy-in
- Explain the importance of security policies
- Identify the issues in good security policy formulation
Copyright 2006 John Wiley & Sons, Inc.

4 Formal IS Security
- Creating organizational structures and processes to ensure security and integrity
- Creating and sustaining proper responsibility structures
- Maintaining the integrity of the roles
- Creating adequate business processes
- Establishing an overarching strategy and policy

5 Ten Deadly Sins of IS Security Management, Table 6.1

6 Four Classes of Formal IS Security
- Security strategy and policy
- Responsibility and authority structures
- Business processes
- Roles and skills

7 Formal IS Security Dimensions
- Responsibility and authority structures
- Organizational buy-in
- Security policy

8 Responsibility and Authority Structures
- Determine the performance of the formal control systems
- Provide a means to understand how responsible agents are identified
- Reveal the underlying patterns of behavior
- Manifest the roles and reporting structures of organizational members

9 Mapping Structures of Responsibility
- Identify the agents who determine what takes place, and what behavior is realized
- Agents are associated with communication acts which serve to change the social world, which in turn constitutes the world of interrelated obligations
- An ontology chart represents the invariants in any domain as patterns of behavior to be realized by agents acting therein

10 A Simple Representation of Structures of Responsibility Figure 6.1

11 Mapping Structures of Responsibility (Cont’d)
- Invariants on the right of the chart can only be realized when those on their left have been realized
- Each invariant pattern is shown as a node in the chart
- The analysis task is to elicit, for each node, the responsible agents and the norms used by the organization
- The chart is a useful platform to study the norms and structure of an organization

12 Mapping Structures of Responsibility (Cont’d)
- Sketches the generic affordances that constrain any agent in this domain
- Implicitly creates a place at each node for the agents who decide:
  - Who has access to a PC
  - Which PCs have access to what data
  - Which PCs are sited in which rooms
- Agents make decisions in line with prevailing norms, which should reflect the practices espoused by the firm; those practices in turn conform to various overarching jurisdictions

13 Using Structures of Responsibility Maps
- Compare the structures of responsibility against the explicit security management structure of an enterprise, i.e. the informal system against the formal one
- The comparison leads to the substantive actions required of members of the firm
- Responsibility can be difficult to attribute if the norms are not strong

14 Using Structures of Responsibility Maps (Cont’d)
- Two security procedures are revealed when a person is given access to a PC that has access to the network:
  - The 'start' and 'finish' of an incumbency
  - The 'start' and 'finish' of access to a PC
- Access to the PC can exist only within the incumbency it depends on, so each procedure needs a responsible agent at both ends
- Understand the underlying repertoires of behavior
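The dependency rule on slides 11 and 14 (a node can be realized only while the nodes to its left are realized, and access to a PC starts and finishes within an incumbency) can be checked mechanically. The following is an added example, not from the textbook or the slides: a small Python model of an ontology chart in which each node records its antecedents, the agent responsible for it and its start/finish, with two checks a practitioner would actually run: nodes for which no responsible agent was ever elicited, and nodes realized outside the lifetime of one of their antecedents (for example PC access that outlives the incumbency it depends on). The node names, agents and integer time points in SAMPLE_CHART are constructed for illustration.

```python
"""Ontological-dependency check over a structures-of-responsibility chart.

Added example, not taken from the textbook. Node names, agents and the
integer time points in SAMPLE_CHART are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Affordance:
    """One node of the chart: a pattern of behaviour realised by an agent.

    antecedents: nodes to the left in the chart; this node can exist only
                 while every one of them exists.
    responsible: agent the organisation holds responsible for deciding
                 when this node starts and finishes (None = not yet elicited).
    start/finish: time points bounding the realisation; finish None = still open.
    """
    name: str
    antecedents: tuple = ()
    responsible: Optional[str] = None
    start: int = 0
    finish: Optional[int] = None


def interval_within(inner: Affordance, outer: Affordance) -> bool:
    """True if inner's [start, finish) lies inside outer's [start, finish).

    An open-ended inner cannot sit inside an outer that has already finished:
    that is exactly the 'access that outlives the incumbency' case.
    """
    if inner.start < outer.start:
        return False
    if outer.finish is None:
        return True
    if inner.finish is None:
        return False
    return inner.finish <= outer.finish


def unassigned_nodes(chart):
    """Nodes for which the analysis has not yet elicited a responsible agent."""
    return [a.name for a in chart if a.responsible is None]


def dependency_violations(chart):
    """(node, antecedent, reason) for every broken left-to-right dependency."""
    nodes = {a.name: a for a in chart}
    problems = []
    for a in chart:
        for ant_name in a.antecedents:
            ant = nodes.get(ant_name)
            if ant is None:
                problems.append((a.name, ant_name, "antecedent missing from chart"))
            elif not interval_within(a, ant):
                problems.append((a.name, ant_name,
                                 "realised outside the lifetime of its antecedent"))
    return problems


# Constructed sample: a person's PC access (finish 60) outlives the
# incumbency it depends on (finish 50), and nobody has been named as
# responsible for deciding which PCs may reach network data.
SAMPLE_CHART = [
    Affordance("organisation", responsible="board"),
    Affordance("person", responsible="HR"),
    Affordance("room", ("organisation",), responsible="facilities"),
    Affordance("PC", ("organisation",), responsible="IT department", start=5),
    Affordance("PC sited in room", ("PC", "room"), responsible="facilities", start=5),
    Affordance("incumbency", ("person", "organisation"), responsible="HR",
               start=10, finish=50),
    Affordance("access to PC", ("incumbency", "PC"), responsible="line manager",
               start=12, finish=60),
    Affordance("PC access to network data", ("PC",), start=5),
]


if __name__ == "__main__":
    for name in unassigned_nodes(SAMPLE_CHART):
        print(f"no responsible agent elicited for: {name}")
    for node, ant, reason in dependency_violations(SAMPLE_CHART):
        print(f"{node} -> {ant}: {reason}")
```

Run against the sample, the checks report one unassigned node (PC access to network data) and one dependency violation (access to PC outliving the incumbency). Feeding the same model with an organisation's real joiner/leaver dates and access grants turns the chart from a discussion aid into a leaver-access audit.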

15 Organizational Buy-in
- Gaining support from an organization's executive leadership is the most challenging task
- Educating employees is also a challenge
- Executive leadership buy-in is needed for two reasons:
  - It assures staff buy-in
  - It ensures funding

16 Organizational Buy-in (Cont’d)
- Support from the IT department is also essential
- Consensus needs to be reached regarding the best practices to protect enterprise information assets
- User support is another important ingredient

17 NIST’s Seven Steps for Effective Security Training
- Identify Program Scope, Goals, and Objectives
  - Addressed to all types of people who interact with IT systems
  - An organization-wide program needs to be supplemented by more system-specific programs
- Identify Training Staff
  - Knowledge and communication skills

18 NIST’s Seven Steps for Effective Security Training (Cont’d)
- Identify Target Audiences
  - Present only the information needed by the particular audience
- Motivate Management and Employees
  - Show how participation will benefit the organization
- Administer the Program
  - Visibility, selection of appropriate training methods, topics, materials, and presentation techniques

19 NIST’s Seven Steps for Effective Security Training (Cont’d)
- Maintain the Program
  - A training program that meets an organization's needs today may become ineffective when the organization starts to use a new application or changes its environment
- Evaluate the Program
  - How much information is retained, to what extent security procedures are being followed, and general attitudes toward security

20 Security Policy
- Numerous security problems have been attributed to the lack of a security policy
- Vulnerabilities related to security policies occur at three levels: policy development, implementation, and reinterpretation
- More details in Chapter Seven

21 Good Security Policy Formulation
- A good policy incorporates the strategic direction of the company at both the micro and macro levels
- Clarification of the strategic agenda sets the stage for developing the security model
- The security policies determine the processes and techniques required to provide the security, but not the technology

22 Good Security Policy Formulation (Cont’d)
- The implementation of security policies entails the development of procedures to implement the techniques defined in the security policies
- Security processes and techniques should be monitored constantly
- A response policy is an integral part of a good security policy
- Establish procedures and practices for educating all stakeholders

23 Layers in Designing Formal IS Security, Figure 6.2

24 Concluding Remarks
Good formal IS security is a function of:
- Organizational considerations related to the structures of responsibility
- Ensuring organizational buy-in
- Establishing security plans and policies and relating them to the organizational vision

25 All rights reserved. Reproduction or translation of this work beyond that permitted in section 117 of the 1976 United States Copyright Act without express permission of the copyright owner is unlawful. Requests for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages caused by the use of these programs or from the use of the information herein.

