Lecture 14: Business Information Systems - ICT Security
Discussion point
- How would you plan the ultimate security of your HOME when you are building a house?
Points of Vulnerability – An analogy
- External threats: burglars, storms, rodents, snakes, crocodiles, mistress
- Internal threats: maid, kids, fire, dirt/clutter, television
- External/internal: electricity, sewer, water, neighbourhood
What to protect
- The whole computing system: hardware, software, network systems, data, network, people
Points of Vulnerability – External
- Manufacturers:
  - Backdoor software: this has been known to be put in active devices, for example; part of the reason why Cisco is deemed a threat in China (http://www.china.org.cn/business/2013-06/21/content_29186348.htm)
  - Quality of product
  - Fit for purpose
- Vendors:
  - Are they in the channel?
  - Are they reliable?
  - What warranty do they give?
Points of Vulnerability – External
- Suppliers of software:
  - Is it genuine?
  - What support do they have? Reaction time: can they be reached and solve issues online?
  - How well established are they?
  - Backdoors (http://www.infoworld.com/article/2606776/hacking/155947-Biggest-baddest-boldest-software-backdoors-of-all-time.html#slide1)
Points of Vulnerability – External
- Repair companies:
  - Are they in the channel?
  - Are they reliable?
  - What warranty do they have?
  - What is their turnaround?
- Partners:
  - Coupled through the intranet
  - Software vulnerabilities
  - Data vulnerabilities
Points of Vulnerability – External
- Burglars:
  - Protection of the server room: access points, controlled access, controlled conditions in the room
  - General physical security
- Hackers:
  - Protection from without at network entry points
  - Protection from within
Points of Vulnerability – Internal
- ICT staff: intentional or accidental
- Users: intentional or accidental
- Solutions:
  - Access levels (only access necessary data)
  - Training
  - Properly defined procedures
Points of Vulnerability – Internal/External
- Internet connection: the greatest point of vulnerability
  - Firewall with access rules
  - External access rules, including for employees
- Exchange of storage devices: lack of virus protection for the external devices (bringing the external to the internal while bypassing the firewall)
- Wireless network
What could go wrong
- Denial of service
- Virus attack: antivirus
- Spam attack: emailing policies, antispam
- Wrong data: rules in the database for integrity checks
What could go wrong
- Denial of service
- Corrupt data, loss of data: manner in which data is stored
- Loss of data: backup, on site and off site
- Exposure of data: by employees; regulatory; by trusted third parties (e.g., your lawyers)
- Slow system: deny use of some services (webmail, social network sites, etc.)
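The "rules in the database for integrity checks" bullet above, worked through as an added example (written for these notes, not taken from the lecture): the constraints in the schema make the database itself reject wrong or corrupt data rather than trusting every application to validate it. The customer/invoice tables and the sample rows are constructed for the example.

```python
import sqlite3

# Constructed example schema: the constraints are the "rules in the database"
# that reject wrong data instead of trusting every application to validate it.
SCHEMA = """
CREATE TABLE customer (
    id    INTEGER PRIMARY KEY,
    email TEXT NOT NULL UNIQUE CHECK (email LIKE '%_@_%.__%')
);
CREATE TABLE invoice (
    id           INTEGER PRIMARY KEY,
    customer_id  INTEGER NOT NULL REFERENCES customer(id),
    amount_cents INTEGER NOT NULL CHECK (amount_cents > 0),
    status       TEXT NOT NULL CHECK (status IN ('open', 'paid', 'void'))
);
"""

def open_db():
    """In-memory database with the integrity rules above enforced."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FK rules unless enabled
    conn.executescript(SCHEMA)
    return conn

def try_insert(conn, sql, params):
    """Return None if the row was accepted, else the constraint violation message."""
    try:
        with conn:  # commit on success, roll back if the database rejects the row
            conn.execute(sql, params)
        return None
    except sqlite3.IntegrityError as exc:
        return str(exc)

def demo():
    """Feed constructed good and bad rows through the rules; map case -> outcome."""
    conn = open_db()
    cust = "INSERT INTO customer (id, email) VALUES (?, ?)"
    inv = "INSERT INTO invoice (customer_id, amount_cents, status) VALUES (?, ?, ?)"
    return {
        "good_customer":   try_insert(conn, cust, (1, "alice@example.com")),
        "malformed_email": try_insert(conn, cust, (2, "not-an-email")),
        "duplicate_email": try_insert(conn, cust, (3, "alice@example.com")),
        "good_invoice":    try_insert(conn, inv, (1, 1500, "open")),
        "negative_amount": try_insert(conn, inv, (1, -500, "open")),
        "unknown_status":  try_insert(conn, inv, (1, 500, "pending")),
        "orphan_invoice":  try_insert(conn, inv, (99, 500, "open")),
    }
```

Only the two well-formed rows are accepted; every other row is refused with a CHECK, UNIQUE or FOREIGN KEY violation, which is exactly the wrong data the slide wants the database rules to stop.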
HR role in ensuring security of bespoke systems
- Physical security: the persons to secure
- Access control linked to the financial system
- Background check on all employed staff
- Training: in-house training of IT staff; in-house training of non-IT staff
- Contracts for IT staff: unlimited liability in terms of execution of their duties; ability to sue if there is intentional malice
- Resource allocation, appropriate tools
- Code of conduct: consequences of breaching ICT-related policies
- Skills retention schemes
Computer crime (list these and discuss them)
- Unauthorized use at work
- Hacking
- Cyber theft
- Software piracy
- Piracy of intellectual property
Posed problems
- Give the security reasons why one should not use mobile/wireless networks for conducting business transactions. How would you mitigate against these risks?
- What security issues should one consider when using popular email systems like Gmail and Yahoo?
- What are the security issues to consider when an organization issues a laptop to its executives? (elaborated on next slide)
What are the security issues to consider when an organization issues a laptop to its executives?
- Stolen with sensitive information: encryption; lock hard drive with password; limit the type of information on the laptop
- Physical damage of laptop, loss of data: data backup
- Should not access the internet via wireless when off work; should access through VPN
- Restrict some of the uses of systems on the laptop
Discussion point
- In an attempt to protect the ICT-related assets we have decided to have a cocktail of policies. List the policies and briefly outline what would be in each policy.
- What are the security issues that have to be considered at the following stages: national, corporate, personal, global?