INFORMATION SYSTEMS SECURITY and CONTROL
What is security?
- The quality or state of being secure: to be free from danger.
- Security is achieved by using several strategies simultaneously, or in combination with one another.
- Security is recognized as essential to protect vital processes and the systems that provide those processes.
- Security is not something you buy; it is something you do.
Vulnerability, Threat and Attack
- A vulnerability is a weakness in a security system. It can be in the design, the implementation, etc., and it can be in hardware or software.
- A threat is a set of circumstances that has the potential to cause loss or harm; in other words, a potential violation of security. Threats can be accidental (natural disasters, human error, …) or malicious (attackers, insider fraud, …).
- An attack is the actual violation of security.
Why Are Systems Vulnerable?
- Hardware problems: breakdowns, configuration errors, damage from improper use or crime
- Software problems: programming errors, installation errors, unauthorized changes
- Disasters: power failures, floods, fires, etc.
- Use of networks and computers outside the firm's control, e.g. with domestic or offshore outsourcing vendors
SYSTEM VULNERABILITY AND ABUSE
Concerns for System Builders and Users
- Disaster: destroys computer hardware, programs, data files, and other equipment
- Security: prevents unauthorized access, alteration, theft, or physical damage
SYSTEM VULNERABILITY AND ABUSE
Concerns for System Builders and Users
- Errors: cause computers to disrupt or destroy the organization's record-keeping and operations
- Bugs: program code defects or errors
- Maintenance: maintenance costs are high due to organizational change, software complexity, and faulty system analysis and design
RISKS & THREATS
- Virus attacks
- Systems and network failure
- Theft, sabotage, misuse
- High user knowledge of IT systems
- Natural calamities and fire
- Lack of documentation
- Lapse in physical security
BUSINESS VALUE OF SECURITY AND CONTROL Inadequate security and control may create serious legal liability. Businesses must protect not only their own information assets but also those of customers, employees, and business partners. Failure to do so can lead to costly litigation for data exposure or theft. A sound security and control framework that protects business information assets can thus produce a high return on investment.
ESTABLISHING A MANAGEMENT FRAMEWORK FOR SECURITY AND CONTROL
General controls: establish the framework for controlling the design, security, and use of computer programs
- Software controls
- Hardware controls
- Computer operations controls
- Data security controls
- Implementation controls
Application controls: unique to each computerized application
- Input controls
- Processing controls
- Output controls
CREATING A CONTROL ENVIRONMENT
Controls: methods, policies, and procedures that
- ensure protection of the organization's assets
- ensure accuracy and reliability of records, and operational adherence to management standards
CREATING A CONTROL ENVIRONMENT
- Mirroring: duplicating all processes and transactions of a server on a backup server to prevent any interruption
- Clustering: linking two computers together so that the second computer can act as a backup to the primary computer, or speed up processing
CREATING A CONTROL ENVIRONMENT
Internet Security Challenges
- Firewalls: hardware and software controlling the flow of incoming and outgoing network traffic; prevent unauthorized users from accessing private networks
- Intrusion Detection System: monitors vulnerable points in the network to detect and deter unauthorized intruders
CREATING A CONTROL ENVIRONMENT
Internet Security Challenges
- Encryption: coding and scrambling of messages to prevent their access without authorization
- Authentication: ability of each party in a transaction to ascertain the identity of the other party
- Message integrity: ability to ascertain that a transmitted message has not been copied or altered
CREATING A CONTROL ENVIRONMENT
Internet Security Challenges
- Digital signature: digital code attached to an electronically transmitted message to uniquely identify its contents and sender
- Digital certificate: attachment to an electronic message to verify the sender and to provide the receiver with a means to encode a reply
- Secure Electronic Transaction (SET): standard for securing credit card transactions over the Internet and other networks
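The following is an added worked example, not part of the original slides, showing how a digital signature ties a message's contents to its sender and provides message integrity. It uses a Lamport one-time signature built from SHA-256 alone (a teaching scheme chosen here for self-containment; the slides name no particular algorithm); the message text is constructed.

```python
import hashlib
import secrets

# Lamport one-time signature: a signature scheme built only from a hash
# function. Teaching example only: each key pair may sign exactly ONE message,
# because signing reveals half of the private key.

HASH_BITS = 256  # SHA-256 digest length; one private-key pair per digest bit


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def generate_keypair():
    """Private key: 256 pairs of random secrets. Public key: their hashes."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32))
               for _ in range(HASH_BITS)]
    public = [(sha256(a), sha256(b)) for a, b in private]
    return private, public


def message_bits(message: bytes):
    """The digest bits of the message select which secret is revealed."""
    digest = int.from_bytes(sha256(message), "big")
    return [(digest >> (HASH_BITS - 1 - i)) & 1 for i in range(HASH_BITS)]


def sign(private, message: bytes):
    """Reveal one secret per digest bit; the list of revealed secrets is the signature."""
    return [pair[bit] for pair, bit in zip(private, message_bits(message))]


def verify(public, message: bytes, signature) -> bool:
    """Hash each revealed secret and compare it with the public-key entry selected
    by the same digest bit. Altering the message changes the digest, which selects
    different entries, so a signature over the original no longer verifies."""
    if len(signature) != HASH_BITS:
        return False
    return all(sha256(sig) == pub[bit]
               for sig, pub, bit in zip(signature, public, message_bits(message)))


def demo() -> tuple:
    """Returns (genuine message verifies, tampered message verifies)."""
    private, public = generate_keypair()
    msg = b"Transfer 100 EUR to account 12345"       # constructed sample message
    tampered = b"Transfer 900 EUR to account 12345"  # one character altered in transit
    sig = sign(private, msg)
    return verify(public, msg, sig), verify(public, tampered, sig)
```

Running `demo()` returns `(True, False)`: the unaltered message verifies against the sender's public key, while the tampered copy fails, which is the integrity and sender-identification property the slide describes.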
MANAGEMENT CHALLENGES
- Implementing an effective security policy
- Applying quality assurance standards in large systems projects
- What are the most important software quality assurance techniques?
- Why are auditing information systems and safeguarding data quality so important?