Information Security Management David Kroenke Using MIS 3e Chapter 12.



Copyright © 2011 Pearson Education, Inc. Publishing as Prentice Hall

Chapter Preview
This chapter describes common sources of security threats and explains management's role in addressing those threats. It defines the major elements of an organizational security policy and presents the most common types of technical, data, and human security safeguards. We then discuss how organizations should respond to security incidents and, finally, examine common types of computer crime. The primary focus is on management's responsibility for the organization's security policy and for implementing human security safeguards. We approach the topic from the standpoint of a major organization with professional security staff, in order to learn the tasks that need to be accomplished; both MRV and FlexTime need to adapt the full-scale security program to their smaller requirements and more limited budgets.

Study Questions
Q1 What are the threats to information security?
Q2 What is senior management's security role?
Q3 What technical safeguards are available?
Q4 What data safeguards are available?
Q5 What human safeguards are available?
Q6 How should organizations respond to security incidents?
Q7 What is the extent of computer crime?
Q8 2020?

What Are the Sources of Threats?
Security threats arise from three sources: (1) human error and mistakes, (2) malicious human activity, and (3) natural events and disasters.

Human Errors and Mistakes
Human errors and mistakes are accidental problems caused by employees and nonemployees alike: an employee misunderstands operating procedures and accidentally deletes customer records, or, while backing up a database, inadvertently restores an old copy on top of the current one. The category also includes poorly written application programs and poorly designed procedures, and physical accidents such as driving a forklift through the wall of a computer room.

Malicious Human Activity
Employees and former employees who intentionally destroy data or other system components; hackers who break into systems; virus and worm writers who infect computers; outside criminals who break in to steal for financial gain; and terrorism.

Natural Events and Disasters
Fires, floods, hurricanes, earthquakes, tsunamis, avalanches, and other acts of nature. The category includes both the initial loss of capability and service and the losses stemming from the actions taken to recover from the initial problem.

What Are the Types of Security Problems?

What Are the Components of an Organization's Security Program?
A security program has three components: (1) senior-management involvement, (2) safeguards of various kinds, and (3) incident response. Senior management has two critical security functions. First, it must establish the security policy, which sets the stage for the organization's response to security threats. Second, because no security program is perfect and there is always residual risk, it must manage that risk by balancing the costs and benefits of the security program.

Safeguards


NIST Handbook of Security Elements

What Are the Elements of a Security Policy?
A security policy has three elements:
1. A general statement of the organization's security program. This statement is the foundation for more specific security measures. Management specifies the goals of the program and the assets to be protected, designates a department to manage the program and its documents, and states in general terms how the organization will enforce its security programs and policies.
2. Issue-specific policies, for example on personal use of computers at work and on privacy.
3. System-specific policies, for example: what customer data from the order-entry system may be sold or shared with other organizations? What policies govern the design and operation of systems that process employee data? Addressing such policies is part of the standard systems development process.

How Is Risk Managed?
Risk is the likelihood of an adverse occurrence. Management cannot manage threats directly (it cannot prevent an earthquake), but it can limit the consequences, for example by creating a backup processing facility at a remote location. Companies can reduce risk, but always at a cost; it is management's responsibility to decide how much to spend or, stated differently, how much risk to assume. Uncertainty is the lack of knowledge about the chance of occurrence or the outcome of an event: an earthquake could devastate a corporate data center built on a fault that no one knew about, or an employee could find a way to steal inventory through a hole in the corporate Web site that no expert knew existed.

Factors to Consider in Risk Assessment

Factors to Consider in Risk Assessment
A safeguard is any action, device, procedure, technique, or other measure that reduces a system's vulnerability to a threat. No safeguard is ironclad; there is always a residual risk that it will not protect the asset in all circumstances. A vulnerability is an opening or weakness in the security system; some vulnerabilities exist because there are no safeguards, others because the existing safeguards are ineffective. Consequences are the damages that occur when an asset is compromised. Tangible consequences are those whose financial impact can be measured; intangible consequences, such as the loss of customer goodwill after an outage, cannot be measured precisely.

Final Two Factors in Risk Assessment
Likelihood is the probability that a given asset will be compromised by a given threat, despite the safeguards. Probable loss is the "bottom line" of risk assessment: it is obtained by multiplying the likelihood by the cost of the consequences (probable loss = likelihood × cost of consequences), together with a statement of the intangible consequences that the figure does not capture.

Risk-Management Decisions
Given the probable loss from the risk assessment, senior management must decide what to do. Some assets can be protected by inexpensive, easily implemented safeguards. Some vulnerabilities are expensive to eliminate, and management must determine whether the cost of the safeguard is worth the reduction in probable loss it buys.


List of Primary Technical Safeguards

Single Sign-on for Multiple Systems
Operating systems authenticate you to networks and other servers. You sign on to your local computer and provide authentication data; from that point on, your operating system authenticates you to another network or server, which can in turn authenticate you to yet another, and so forth. Kerberos is a network authentication protocol that does this without ever sending the user's password across the network. It uses a system of encrypted "tickets": after the initial sign-on the client holds a ticket-granting ticket, and it presents that to obtain a service ticket for each network service it wants to use. Windows (Active Directory domains), Linux, Unix, and other operating systems implement Kerberos and so can authenticate user requests across a network that mixes these operating systems. The convenience cuts both ways: one password, or one stolen ticket, unlocks every system that trusts the sign-on, so protect your password and the workstation that holds your tickets.

Wireless Access
Drive-by sniffers can walk or drive around business or residential neighborhoods with a wireless computer and locate dozens, or even hundreds, of wireless networks. Businesses with sophisticated communications equipment use elaborate techniques that require the support of highly trained communications specialists; common protections use VPNs and dedicated authentication servers. The IEEE 802.11 committee's original wireless security standard, Wired Equivalent Privacy (WEP), has serious flaws: its RC4 keystream is selected by only a 24-bit initialization vector, so a busy network reuses keystreams within hours (with randomly chosen IVs a repeat is expected after a few thousand packets), and a WEP key can be recovered from captured traffic in minutes with freely available tools. Wi-Fi Protected Access (WPA) and WPA2 are the improved standards that newer wireless devices use; of these, WPA2 (AES-CCMP) or its successor WPA3 should be required, since WPA's TKIP was a stopgap that is itself deprecated. Search the Web for the latest on wireless network security.
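The slide says only that WEP "has serious flaws". The script below, an added example that is not part of the textbook, shows the one that follows directly from its 24-bit IV: a stream cipher's keystream is a function of (key, IV), so when an IV repeats under the same key the two ciphertexts XOR to the XOR of the plaintexts, and a single known plaintext (such as a fixed protocol header) yields the keystream for every packet with that IV. The keystream generator is a toy (SHA-256 in counter mode) standing in for RC4 so that only the standard library is needed; the key, IV and packet contents are constructed for the demonstration.

```python
"""Why WEP's 24-bit IV is fatal for a stream cipher: keystream depends on
(key, IV), so a repeated IV under one key reuses keystream, and XOR of two
such ciphertexts is XOR of the plaintexts, no key required.
Added example, not textbook code. The keystream generator is a toy (SHA-256
counter mode) standing in for RC4; key and packets are constructed."""
import hashlib
import secrets

IV_BITS = 24                 # WEP's IV size

def keystream(key: bytes, iv: int, length: int) -> bytes:
    """Toy keystream derived from key and IV (stand-in for WEP's RC4(iv || key))."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + iv.to_bytes(3, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, iv: int, plaintext: bytes) -> bytes:
    """Stream encryption: C = P xor keystream(key, iv). The IV travels in the clear."""
    return xor(plaintext, keystream(key, iv, len(plaintext)))

def ciphertext_xor_leaks_plaintext_xor(key: bytes, iv: int, p1: bytes, p2: bytes) -> bool:
    """A passive observer holding two packets that share an IV learns p1 xor p2."""
    return xor(encrypt(key, iv, p1), encrypt(key, iv, p2)) == xor(p1, p2)

def recover_with_known_plaintext(key: bytes, iv: int, known_plain: bytes, secret_plain: bytes) -> bytes:
    """If one packet's plaintext is known (e.g. a fixed header), the keystream
    for that IV falls out and decrypts any other packet that reused the IV.
    Both encrypt() calls stand for packets the observer captured."""
    ks = xor(encrypt(key, iv, known_plain), known_plain)
    return xor(encrypt(key, iv, secret_plain), ks)

def packets_until_iv_repeat(iv_bits: int = IV_BITS) -> int:
    """Simulate a station choosing IVs at random and count packets until the
    first repeat. Birthday bound: about sqrt(pi/2 * 2**iv_bits), roughly
    5,000 packets for 24 bits, i.e. seconds of traffic on a busy network."""
    seen, n = set(), 0
    while True:
        iv = secrets.randbelow(1 << iv_bits)
        n += 1
        if iv in seen:
            return n
        seen.add(iv)

def demo() -> dict:
    key = bytes.fromhex("0102030405")                 # constructed 40-bit WEP key
    iv = 0x00ABCD                                     # the IV two packets happen to share
    header = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"      # LLC/SNAP header: predictable plaintext
    return {
        "xor_leak": ciphertext_xor_leaks_plaintext_xor(
            key, iv, b"transfer $100 to A", b"transfer $900 to B"),
        "recovered": recover_with_known_plaintext(key, iv, header, b"8 bytes!"),
        "packets_to_repeat": packets_until_iv_repeat(),
    }
```

`demo()` returns the recovered secret packet verbatim and a packet count in the low thousands; the same reasoning is why WPA2 and WPA3 use per-packet nonces that cannot repeat for the life of a session key.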

Encryption

Digital Signatures
Most messages, such as e-mail, are sent over the Internet as plaintext: "Please deliver shipment 1000 to our Oakdale facility." A third party could intercept the message, remove the words "our Oakdale facility," substitute its own address, and send the message on to its destination. Digital signatures are a technique for ensuring that a plaintext message is received without alteration and that it came from the claimed sender. The plaintext message is first hashed. Hashing mathematically derives a fixed-length string of bits, the message digest, that characterizes the message; any change to the message produces a different digest. According to one popular standard (SHA-1), message digests are 160 bits long; SHA-1 is no longer considered safe for signatures, and current practice is SHA-256 with a 256-bit digest. A digest by itself does not stop tampering, because the interceptor can simply recompute it for the altered message. The sender therefore signs the digest with a private key that only the sender holds; the receiver recomputes the digest from the message it actually received and uses the sender's public key to check that the signature matches.

Using Digital Signatures

Digital Certificates: How Does the Receiver Obtain the True Party's Public Key?
The receiver needs the sender's genuine public key, and a public key sent as plaintext could be intercepted and replaced with an attacker's key. Trusted, independent third-party companies called certificate authorities (CAs) solve this by issuing digital certificates. A certificate is a document containing a name, such as "Bank of America," and that party's public key, which the CA signs with its own digital signature after verifying that the party controls the name. When your browser connects to Bank of America, either to conduct a secure session using SSL/TLS or to authenticate a digital signature, the bank's server presents its certificate; your browser verifies the CA's signature on it using the CA public keys that ship in the browser's trust store, checks that the certified name matches the site it intended to reach and that the certificate has not expired or been revoked, and only then uses the public key inside. Because the certificate is signed, an interceptor cannot substitute its own public key without invalidating the CA's signature.

Firewalls
A firewall is a computing device that prevents unauthorized network access. It can be a special-purpose appliance, a program on a general-purpose computer, or a function of a router; in every case it should default to denying traffic and permit only what is explicitly required.
Malware Protection
Spyware resides in the background, unknown to the user; it observes the user's actions and keystrokes, monitors computer activity, and reports to the sponsoring organization. Some spyware captures keystrokes to obtain user names, passwords, account numbers, and other sensitive information; some supports marketing analysis by observing what users do, which Web sites they visit, and which products they examine and purchase. Adware does not perform malicious acts or steal data; it watches user activity and produces pop-up ads, and may change the user's default window, modify search results, or switch the user's search engine.

Symptoms of Adware and Spyware

Malware Safeguards
1. Install antivirus and antispyware programs on your computer.
2. Set up your antimalware programs to scan your computer frequently.
3. Update malware definitions.
4. Open attachments only from known sources.
5. Promptly install software updates from legitimate sources.
6. Browse only in reputable Internet neighborhoods.

AOL and the National Cyber Security Alliance Malware Study

Bots, Botnets, and Bot Herders
A bot is a computer program surreptitiously installed on a computer that takes actions unknown to and uncontrolled by the computer's owner or administrator. A botnet is a network of bots created and managed by an individual or organization that infects computers with a bot program. A bot herder is the individual or organization that controls the botnet. Botnets are a serious problem for commerce and national security: it is believed that a unit of the North Korean Army served as the bot herder for a botnet that carried out denial-of-service attacks on Web servers in South Korea and the United States in July 2009.

Design Secure Applications
Ensure that any information system developed for you and your department includes security among its application requirements, so that it is designed in from the start rather than bolted on after deployment.


Some Important Data Safeguards

Some Important Data Safeguards
Protect sensitive data by storing it in encrypted form. When data are encrypted, a trusted party should hold a copy of the encryption key so that the data remain recoverable if the working key is lost; this procedure is called key escrow. The escrowed copy is as sensitive as the data it unlocks and must be protected at least as well, ideally split among several custodians so that no single person can use it alone. Periodically create backup copies of database contents, and test that they restore. The DBMS and all devices that store database data should reside in locked, controlled-access facilities; physical security was the problem MRV had when it lost its data. Organizations that contract with other companies to manage their databases should inspect those companies' premises and interview their personnel to make sure they practice proper data protection.
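The slide requires an escrow copy of the encryption key; the practitioner's worry is that the escrow copy becomes the easiest thing to steal. One standard answer, shown below as an added example that is not from the textbook, is to escrow the key as shares under Shamir's threshold scheme: any three of five custodians can reconstruct it, two cannot, and no custodian ever holds the whole key. The field prime, the 3-of-5 policy and the sample AES-128 key are assumptions chosen for the demonstration.

```python
"""Key escrow without a single all-powerful custodian: the data-encryption
key is split into n shares of which any k reconstruct it (Shamir's threshold
scheme over a prime field). Added example, not textbook code; the field
prime, the 3-of-5 policy and the sample key are assumptions."""
import secrets

P = 2**255 - 19          # prime field; any key value below P can be shared

def _eval_poly(coeffs, x: int) -> int:
    """Horner evaluation of the polynomial over GF(P); coeffs[0] is the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def split_key(key: int, k: int, n: int):
    """Return n shares (x, y). Any k of them recover key; k-1 reveal nothing,
    because a degree k-1 polynomial is not determined by k-1 points."""
    if not (1 <= k <= n < P and 0 <= key < P):
        raise ValueError("bad parameters")
    coeffs = [key] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]

def recover_key(shares) -> int:
    """Lagrange interpolation at x = 0 over GF(P)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P   # pow(..., -1, P): Python 3.8+
    return total

def escrow_demo() -> dict:
    # Constructed AES-128 key, escrowed 3-of-5 among custodians.
    key = int.from_bytes(bytes.fromhex("000102030405060708090a0b0c0d0e0f"), "big")
    shares = split_key(key, k=3, n=5)
    return {
        "three_shares_recover": recover_key(shares[:3]) == key,
        "any_three_recover": recover_key([shares[0], shares[2], shares[4]]) == key,
        "two_shares_recover": recover_key(shares[:2]) == key,  # False except with probability 1/P
    }
```

Each custodian stores one `(x, y)` pair; recovery is a logged, multi-person ceremony rather than one administrator reading a key out of a safe. Shares should be rotated (re-split from the same key with fresh random coefficients) whenever a custodian leaves.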


Human Safeguards for Employees (security considerations for employees)

Human Safeguards for Nonemployee Personnel
Nonemployee personnel include temporary personnel, vendors, partner personnel (employees of business partners), and the public. The contracts that govern their activity should list the security measures appropriate for the sensitive data and IS resources involved: require vendors and partners to perform appropriate screening and security training, specify security responsibilities for the work to be performed, provide computer accounts and passwords with least privilege, and remove those accounts as soon as the work ends.

Best Safeguard to Protect from Threats from Public Users
"Harden" the Web site or other facility against attack. Hardening a site means taking extraordinary measures to reduce the system's vulnerability: hardened sites run minimal, specially configured versions of the operating system, lock down or remove operating-system features, services, and accounts that are not required, and are kept current with security patches.

Protect Ourselves from Us
Safeguards also need to protect users from the company's own internal security problems. A disgruntled employee who maliciously changes prices on a Web site potentially damages both public users and business partners.

Account Administration
Account management, password management, and help-desk policies.

Systems Procedures

Security Monitoring
Important monitoring functions include activity log analysis, security testing, and investigating and learning from security incidents. Firewalls produce logs of their activity, including all dropped packets, infiltration attempts, and unauthorized access attempts originating inside the network. DBMS products log successful and failed logins. Web servers produce voluminous logs of Web activity, and the operating systems on personal computers can log logins and firewall events. These logs are only useful if someone, or some tool, actually reviews them for patterns such as repeated failed logins from one source. Security testing should use both in-house personnel and outside security consultants.
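The slide lists the logs without saying what to look for in them. The script below is an added example, not part of the textbook, of the simplest useful analysis: parse sshd authentication lines, keep a sliding window of failures per source address, and report a source that crosses a threshold, escalating if that source then logs in successfully. The log lines are constructed in the usual syslog/sshd format; the year is an assumption (syslog timestamps omit it), and the threshold and window are illustrative tuning values.

```python
"""Activity-log analysis: detect password guessing in sshd authentication
logs. Added example, not textbook code. The log lines are constructed in the
usual syslog/sshd format; the year is an assumption (syslog timestamps omit
it) and the threshold and window are illustrative tuning values."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: one source guessing root's password and succeeding, one user mistyping once.
SAMPLE_LOG = """\
Mar 10 08:01:02 web1 sshd[2112]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 08:01:04 web1 sshd[2113]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar 10 08:01:05 web1 sshd[2114]: Failed password for invalid user test from 203.0.113.7 port 51024 ssh2
Mar 10 08:01:07 web1 sshd[2115]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 10 08:01:09 web1 sshd[2116]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 10 08:01:11 web1 sshd[2117]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Mar 10 08:15:30 web1 sshd[2200]: Failed password for alice from 198.51.100.4 port 40100 ssh2
Mar 10 08:15:41 web1 sshd[2201]: Accepted password for alice from 198.51.100.4 port 40101 ssh2
Mar 10 08:16:00 web1 sshd[2201]: pam_unix(sshd:session): session opened for user alice by (uid=0)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+")

def parse(log_text: str, year: int = 2024):
    """Return (timestamp, result, user, ip) for each authentication-result line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # session/other lines are not auth results
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect_bruteforce(events, threshold: int = 5, window_seconds: int = 60):
    """Sliding window of failures per source IP. A source reaching `threshold`
    failures inside the window is reported once; a subsequent successful login
    from a source still over threshold is escalated, since that is the case
    that matters most (the guessing worked)."""
    recent = defaultdict(deque)
    flagged, findings = set(), []
    for ts, result, user, ip in sorted(events):
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()                   # drop failures older than the window
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append(("bruteforce", ip, len(q)))
        elif len(q) >= threshold:
            findings.append(("success_after_bruteforce", ip, user))
    return findings
```

`detect_bruteforce(parse(SAMPLE_LOG))` yields two findings for 203.0.113.7 (five failures in seven seconds, then a successful root login) and nothing for alice's single mistyped password. The same windowed-count structure applies to firewall drop logs and DBMS failed-login logs once a parser for their line format is substituted.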


Major Disaster-Preparedness Tasks

Disaster-Recovery Backup Sites
A hot site is a fully equipped facility, usually run by a service provider, that can take over another company's processing with no forewarning. Hot sites are expensive; organizations pay $250,000 or more per month for such services. A cold site provides computers and office space; it is cheaper to lease, but customers must install and manage the systems themselves, and the total cost of a cold site, including all customer labor and other expenses, may not be less than that of a hot site. Whichever is chosen, the switchover should be rehearsed, since an untested recovery plan is the one most likely to fail.

Incident-Response Plan


What Is the Extent of Computer Crime?
Computer Security Institute survey (2009): only 144 of the 522 responding organizations provided cost-of-loss data. Financial fraud had the highest average incident cost, $463,100, and losses due to bots averaged $345,600. Some losses are difficult to quantify: what is the loss from a denial-of-service attack on an organization's Web site? If a company's Web site is unavailable for 24 hours, what potential sales, prospects, or employees have been lost, and what reputation problem has been created?

Percentage of Security Incidents


2020?
The skill level of the cat-and-mouse activity is likely to increase substantially. Increased security in operating systems and other software, improved security procedures, and employee training will make it harder and harder for the lone hacker to find a vulnerability to exploit.

2020?
Rise of professionals, primarily bot herders, who may be organized criminals, terrorists, or elements of governments inflicting a new type of cyber warfare on other nations; we may see cyber warfare among nations. The number of computer security jobs is projected to increase by 27 percent by 2016.

Ethics Guide: Security Privacy
Legal requirements to protect the customer data they collect and store: the Gramm-Leach-Bliley (GLB) Act, passed by Congress in 1999, protects consumer financial data stored by financial institutions. The Privacy Act of 1974 provides protections to individuals regarding records maintained by the U.S. government. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 gives individuals the right to access health data created by doctors and other health-care providers, and also sets rules and limits on who can read and receive your health information. In Australia, the Privacy Principles of the Australian Privacy Act of 1988 cover government, health-care data, and records maintained by businesses with revenues in excess of AU$3 million.

Ethics Guide: Security Privacy
Do Dell, Amazon.com, the airlines, and other e-commerce businesses have a legal requirement to protect their customers' credit card data? Apparently not, at least not under U.S. federal law (the card brands do impose the PCI DSS requirements by contract on merchants that accept their cards). Online retailers nonetheless have an ethical requirement to protect a customer's credit card and other data, and a strong business reason to do so: a substantial loss of credit card data by any large online retailer would have detrimental effects on company sales and brand reputation. No federal law prohibits the U.S. government from buying information products from data accumulators.

Ethics Guide: Security Privacy
What requirements does your university have on the data it maintains about you? State law or university policy may govern those records, and the federal Family Educational Rights and Privacy Act (FERPA) restricts disclosure of education records by institutions that receive federal funding. Most universities consider it their responsibility to provide public access to graduation records, so anyone can determine when you graduated, your degree, and your major. What about your class work, the papers you write, the answers you give on exams, or the e-mails you send to your professor? Outside FERPA's definition of an education record, such material is not protected by federal privacy law, and probably not by state law. If your professor cites your work in research, it is subject to copyright law, not privacy law; what you write is no longer your personal data but belongs to the academic community.

Guide: Security Assurance, Hah!
Employees who never change their password or use some simpleton word like "Sesame" or "MyDogSpot" or something equally absurd; notes with passwords in the top drawer of desks. If you enter a system with a readily available password, is that even breaking in? Or is it more like opening a door with a key you were given? Management should stop talking about security risk assurance and start talking about, and enforcing, real security.

Guide: The Final, Final Word
Stay alert to new technology-based opportunities. Watch for "second wave" opportunities. Enroll in a database class, a systems development class, or a security class, even if you are not an IS major. Look for novel applications of IS technology in the emerging business environment.

Active Review
Q1 What are the threats to information security?
Q2 What is senior management's security role?
Q3 What technical safeguards are available?
Q4 What data safeguards are available?
Q5 What human safeguards are available?
Q6 How should organizations respond to security incidents?
Q7 What is the extent of computer crime?
Q8 2020?

Phishing for Credit Card Accounts

Nonexistent Company, Entirely Fake

Case Study 12: The ChoicePoint Attack
ChoicePoint provides motor vehicle reports, claims histories, and similar data to the automobile insurance industry, general business, and government agencies. It also offers data for volunteer and job-applicant screening and data to assist in locating missing children. ChoicePoint has over 4,000 employees, and its 2007 revenue was $982 million. In 2004, ChoicePoint was the victim of a spoofing attack in which unauthorized individuals posed as legitimate customers and obtained personal data on more than 145,000 individuals. This is an example of a failure of authentication (of customers, at account-creation time), not of a network break-in.

The ChoicePoint Attack
Firewalls and other safeguards were not overcome. Instead, the criminals spoofed legitimate businesses by obtaining valid California business licenses, so they appeared to be legitimate users, and they went undetected for months until unusual processing activity was noticed. ChoicePoint exposed itself to a public relations nightmare, considerable expense, a class-action lawsuit, a Senate investigation, and a 20-percent drop in its share price because it contacted police and cooperated in the attempt to apprehend the criminals.

The ChoicePoint Attack
When ChoicePoint noticed the unusual account activity, had it simply shut down data access for the illegitimate businesses, no one would have known. Of course, the 145,000 people whose identities had been compromised would have unknowingly been exposed to identity theft, but it is unlikely that such thefts could have been traced back to ChoicePoint.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. Printed in the United States of America. Copyright © 2011 Pearson Education, Inc. Publishing as Prentice Hall