Understanding the management of IS security GP Dhillon, Ph. D. Associate Professor of IS, VCU


Cases and vignettes

The chip theft case:
- Purchasing manager with access to the data entry and store accounting systems
- Would steal chips and smuggle them out of the factory premises
- Management response was to establish access control and physically search everybody leaving the premises

Other cases discussed:
- Boyd Gaming
- Sunrise Hospital
- Eagle Star Insurance

Other published cases: Kidder Peabody; Daiwa Bank; Barings Bank

A point to note

"Perpetrators usually stick to the easiest and the least expensive methods to breach security" – Donn Parker (various)

Three architectures and beyond

[Diagram: three layered models, each paired with a level and the kind of security that addresses it]
- Model of reality – conceptual level – ?
- Technological model – technology level – technical security
- Implementation model – physical level – physical security
- Beyond these three architectures – ????

P – Planning for IS security
- Corporate plan and existence of a security vision
- Quality of operations
- Security policy as it relates to the operations
- Existence of a security evaluation method

E – Evaluation of IS security
- Security evaluation linked to the nature of the organization (networked, hierarchical, power distance, etc.)
- Security measures contextualized for a particular situation (typically checklist, risk analysis, ...)
- Stakeholder analysis for security

D – Design considerations for IS security
- Interpreting the design ideal
- Correctness in system specification
- Integrity of controls (formal / informal / technical)

I – Implementation aspects of IS security
- 'Informal' considerations before formal ones
- Situation- and issue-centred approach in implementation
- Communication between 'experts' and managers

Applying PEDI to the cases

[Table: rows are the PEDI dimensions (Planning, Evaluation, Design, Implementation); columns are the cases Eagle Star Insurance, Sunrise Hospital, Boyd Gaming and SamsHR. The cell boundaries did not survive extraction; the findings are listed below in their original order.]

- Business processes not designed; questions about integrity of data and responsibility of people
- No stakeholder analysis done, resulting in limited understanding of authority structures and therefore of confidentiality
- Security was not even considered to be an issue
- Correctness of design and consequences of errors ignored or overlooked
- Analysis of communication patterns ignored; over-generalized assumptions of implementation were considered
- Technological fix sought; no one considered the process aspects
- Lack of integrity of organization structures
- Built-in security mechanisms in the software were considered sufficient
- Checklist followed in evaluating controls
- No analysis or design undertaken
- Security was an afterthought at best
- Lack of communication among staff
- Low trust levels since authority structures not defined
- Broken processes; security implications of client/server applications not considered
- Members of the company did not even know if a security policy existed
- Not even conventional security evaluation done (risk analysis, checklists)
- Authority structures ill defined; traditional trust between departments being broken
- Not much; needs assessment was limited. It was thought that client/server was a mature technology, so there was no need to consider process/user issues
- It was more of a technical implementation, and consultants were given the charge
- Access rights determined but no corresponding responsibility structure
- Competence to handle secure personal information questionable
- Inadequate training
- Conflicting purpose of the IT system; lack of understanding of procedures and the related security policy; policy ill defined
- HR systems not considered 'strategic', hence lack of evaluation; security is a major concern elsewhere in the company
- Since it was just software, design issues were not considered to be important
- "People will learn"

IS security in organizations

'Surface structural' IS security issues:
- Confidentiality of data
- Integrity of data
- Availability of data

'Deep structural' IS security issues:
- Responsibility of people
- Integrity of roles
- Trustworthiness of people
- 'Ethicality' of people

IS security in organizations = CIA + RITE

My original argument: To resolve the problem of managing IS security, we need to understand the deep-seated pragmatic aspects of an organization. Solutions to the problem of security can be provided by interpreting the behavioral patterns of the people involved.

What competencies do you need to manage IS security?

Competence categories for IS security
- Organizational
- Personal
- Technological

Organizational competencies – the competency to:
- Create adequate business processes
- Clearly define roles
- Recognize the importance and scope of IS security concerns
- Identify internal threats to IS security
- Develop IS security processes
- Implement IS security policies
- Maintain policy flexibility
- Regulate the flow of information
- Communicate the necessity for IS security procedures
- Facilitate informal communication about IS security
- Monitor adequately

Personal competencies – the competency to:
- Lead and influence others
- Maintain awareness
- Pursue continuing personal development
- Work in teams
- Maintain ethical behaviors and engender loyalty
- Maintain good hiring practices

Technological competencies – the competency to:
- Sustain technical expertise
- Synthesize technical and business knowledge

Summary

Principles:
- CIA – Confidentiality, Integrity, Availability
- RITE – Reliability, Integrity, Trust, Ethicality

Competencies:
- Organizational
- Personal
- Technological