Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 12 Managing Information Security and Privacy

Published bySharon Benson Modified over 7 years ago

Similar presentations

Presentation on theme: "Chapter 12 Managing Information Security and Privacy"— Presentation transcript:

1 Chapter 12 Managing Information Security and Privacy
Part 4: Information Systems Management Chapter 12 Managing Information Security and Privacy What are the sources and types of security threats? We start the chapter by discussing the various security threats faced by IT departments. This list help to introduce students to the large area of IS security. What are the elements of a security program? An organization responds to threats through its security program. Some programs are well documented. Others are not. Students learn that they play a part in this security program regardless of where they work in a firm. What types of safeguards are there? The students will learn about technical safeguards, data safeguards and human safeguards that can be applied in a security program. The discussion highlights the importance of human safeguards in any security policy. What is necessary for disaster preparedness? How does an organization continue to function in the wake of a disaster? Students will learn about the importance of planning for disaster, particularly for IT. How should organizations respond to security incidents? Students will learn about the appropriate behaviours for responding to security incidents. This discussion will help students realize the threats that they will face when working with information systems and appropriate actions the student can take to protect themselves and their company. How do you create a strong password? Students will learn some techniques for developing strong passwords that can be remembered easily. This discussion will also highlight the dangers of not using strong passwords. Security Cases: Three cases are provided at the end of the chapter to help students to better understand the security and privacy risks associated with information technology. These cases help to show that the responsibility for security rests on each individual. Copyright © 2014 Pearson Canada Inc.

2 Running Case Akbar’s company was flooded and all his company servers were all under three inches of water He had backed up each of his servers, but all of the backups were in the same room He called a disaster recovery company that specialized in fire and water restorations Akbar was able to restore more than 98% of the data that he had prior to the accident To prevent future occurrence, he decided to invest in a disaster recovery plan for his company

3 Study Questions What is identity theft? What is PIPEDA?
What types of security threats do organizations face? How can technical safeguards protect against security threats? How can data safeguards protect against security threats? How can human safeguards protect against security threats? What is disaster preparedness? How should organizations respond to security incidents? Q1 What is identity theft? Q2 What is PIPEDA? Q3 What types of security threats do organizations face? Q4 How can technical safeguards protect against security threats? Q5 How can data safeguards protect against security threats? Q6 How can human safeguards protect against security threats? Q7 What is disaster preparedness? Q8 How should organizations respond to security incidents? MIS in Use (a): What is my real name? MIS in Use (b): Privacy and the Federal Government Exercise: The Final, Final Word

4 What is identity theft? Understanding and managing security threats to organizations Understanding threats to your own privacy will help make you more sensitive to the importance of security and privacy In identity theft, vital information such as a person’s name, address, date of birth, social insurance number, and mother’s maiden name are acquired to complete impersonation With this information, the identity thief can take over a victim’s financial accounts; open new bank accounts; transfer bank balances; apply for loans, credit cards, and other services Q1 What is identity theft? It is very important to be aware of security issues. Once you are aware of threats to your own security, it is often easier to consider security threats to the organizations you work for. The focus of this chapter is on understanding and managing security threats to organizations, but understanding threats to your own privacy will help make you more sensitive to the importance of security and privacy. Consider all of the things you do in a day and how many of those things revolve around electronic information. If someone else had your personal information, what could they do with it? In identity theft , vital information such as a person’s name, address, date of birth, social insurance number, and mother’s maiden name are often all that is need to facilitate the impersonation. With this information, the identity thief can take over a victim’s financial accounts; open new bank accounts; transfer bank balances; apply for loans, credit cards, and other services; purchase vehicles; take luxury vacations, and so on. Identity theft is one of the fastest-growing crimes in Canada because it is relatively easy to do. This kind of theft involves stealing, misrepresenting, or hijacking the identity of another person or business and provides an effective way to commit other crimes. The Public Safety Canada website ( identhft-eng.aspx ) provides useful information about what identify theft is and who to contact if it happens to you.

5 What is PIPEDA? PIPEDA: Personal Information Protection and Electronic Documents Act The Act is intended to balance an individual’s right to the privacy of his or her personal information, which organizations need to collect, use, or share for business purposes The Privacy Commissioner of Canada oversees this Act PIPEDA governs how data are collected and used Q2 What is PIPEDA? Personal information is defined under this Act as information about an identifiable individual, but does not include the name, title, business address, or telephone number of an employee of an organization. The Act gives individuals the right to know why an organization collects, uses, or discloses their personal information. So organizations are required to identify why they are collecting information and how they will use it. PIPEDA also requires organizations to identify anyone in the organization who is responsible for keeping personal information private and secure and allows other individuals to have access to this information, as necessary, to check its accuracy. We all do business with many companies. Every time we buy or ask for something, we create a transaction. When you interact with organizations, you often leave behind personal information about yourself. Your name, address, debit card number, and other behaviours are information, and they can be of great value to an organization. PIPEDA stands for the Personal Information Protection and Electronic Documents Act . The Act is intended to balance an individual’s right to the privacy of his or her personal information, which organizations need to collect, use, or share for business purposes. To oversee this Act, the Privacy Commissioner of Canada was created as the ombudsman for privacy complaints in Canada. Every business professional needs to be aware of PIPEDA because it governs how data are collected and used. One of the most critical elements in PIPEDA is to establish the principle that individuals have the right to know what type of information an organization collects about them and also how that information is going to be used. PIPEDA suggests that organizations should not be able to use the information collected for any purpose other than what the organization agreed to use it for. For example, if an organization collects information about a customer, they cannot sell or move that information to another company unless they initially tell the customer that the organization may share personal information with others. PIPEDA, therefore, creates some protection of personal privacy.

6 PIPEDA and Organizations
PIPEDA suggests that organizations should not be able to use the information collected for any purpose other than what the organization agreed to use it for PIPEDA suggests that it is the duty of an organization to protect the information they collect PIPEDA does not facilitate individuals suing organizations The commission reviews case and produces a report stating its conclusions Q2 What is PIPEDA? Every business professional needs to be aware of PIPEDA because it governs how data are collected and used. One of the most critical elements in PIPEDA is to establish the principle that individuals have the right to know what type of information an organization collects about them and also how that information is going to be used. PIPEDA suggests that organizations should not be able to use the information collected for any purpose other than what the organization agreed to use it for. For example, if an organization collects information about a customer, they cannot sell or move that information to another company unless they initially tell the customer that the organization may share personal information with others. PIPEDA, therefore, creates some protection of personal privacy. A second responsibility that an organization takes on when it collects personal information is securing the information. PIPEDA suggests that it is the duty of an organization to protect the information they collect. To ensure this, PIPEDA provides an individual with the right to know the person in the organization who is responsible for securing the information. PIPEDA requires that this information be complete, up to date, and accurate.

7 What Types of Security Threats Do Organizations Face?
Three sources of security threats are: Human errors and mistakes Accidental problems Poorly written programs Poorly designed procedures Physical accidents Malicious human activity Intentional destruction of data Destroying system components Hackers Virus and worm writers Criminals Terrorists Q3 What types of security threats do organizations face? It is not just individuals who face threats to their security. Organizations face the same threats, too. There are three sources of security threats : (1) human error and mistakes, (2) malicious human activity, and (3) natural events and disasters. Human errors and mistakes include accidental problems caused by both employees and others outside the organization. An example is an employee who misunderstands operating procedures and accidentally deletes customer records; another example is a physical accident, such as an employee driving a forklift through the wall of a computer room. The second source is malicious human activity . This category includes employees and others who intentionally destroy data or other system components. It also includes hackers who break into a system, virus and worm writers who infect computer systems, and people who send millions of unwanted s (referred to as spam ). Natural events and disasters are the third source of security problems. This category includes fires, floods, hurricanes, earthquakes, tsunamis, avalanches, and other acts of nature. Problems in this category include not only the initial loss of capability and service but also losses stemming from actions to recover from the initial problem. Figure 12-1 summarizes threats by type of problem and source. Five types of security problems are listed: (1) unauthorized data disclosure , (2) incorrect data modification , (3) faulty service , (4) denial of service , and (5) loss of infrastructur e .

8 Sources and Types of Security Threats, continued
Natural events and disasters Fires, floods, hurricanes, earthquakes, tsunamis, avalanches, tornados, and other acts of nature Initial losses of capability and service Plus losses from recovery actions Five types of security problems are: Unauthorized data disclosure Incorrect data modification Faulty service Denial of service Loss of infrastructure Q3 What types of security threats do organizations face?

9 Security Threats Q3 What types of security threats do organizations face? Figure Security Threats

10 Types of Problems PIPEDA Unauthorized data disclosure Human error
Posting private information in public place Placing restricted information on searchable Web sites Inadvertent disclosure Malicious release Pretexting Phishing Spoofing Sniffing Q3 What types of security threats do organizations face?

11 Types of Problems, continued
Incorrect data modification Human errors incorrect entries and information procedural problems systems errors Hacking Faulty Service Incorrect system operation Usurpation Q3 What types of security threats do organizations face?

12 Types of Problems, continued
Denial of service (DOS) Human error Denial-of-service attacks Loss of infrastructure Accidental Theft Terrorism Natural disasters Q3 What types of security threats do organizations face?

13 Elements of a Security Program
Senior management involvement Must establish a security policy Manage risk balancing costs and benefits Safeguards Protections against security threats Incident response Must plan for prior to incidents Q3 What types of security threats do organizations face?

14 Security Safeguards as They Relate to the Five Components
Q3 What types of security threats do organizations face? Figure Security Safeguards as They Relate to the Five Components

15 How can Technical Safeguards protect against Security Threats?
Involves hardware and software components User names and passwords Identification Authentication Smart cards Personal identification number (PIN) Biometric authentication Fingerprints, facial scans, retina scans Single sign-on for multiple systems Q4 How can technical safeguards protect against security threats?

16 Technical Safeguards, continued
Encryption and firewalls Malware Protection Viruses Worms Spyware Adware Malware safeguards Install antivirus and anti-spyware programs Scan hard drive and frequently Update malware definitions Open attachments only from known sources Install software updates promptly Browse only reputable Web sites Q4 How can technical safeguards protect against security threats?

17 Technical Safeguards Q4 How can technical safeguards protect against security threats? Figure Technical Safeguards

18 How can Data Safeguards protect against Security Threats?
protect databases and other organizational data Data administration Organization-wide function develops data policies enforce data standards Database administration Particular database function procedures for multi-user processing change control to structure protection of database Q5 How can data safeguards protect against security threats?

19 Data Safeguards Encryption keys Backup copies Physical security
Key escrow Backup copies Store off-premise Check validity Physical security Lock and control access to facility Maintain entry log Third party contracts Safeguards are written into contracts Right to inspect premises and interview personnel Q5 How can data safeguards protect against security threats?

20 How can Human Safeguards protect against Security Threats?
Involve people and procedure components of information system User access restriction requires authentication and account management Design appropriate security procedures Security considerations for: Employees Non-employee personnel Q6 How can human safeguards protect against security threats?

21 Human Safeguards for Employees
User accounts considerations Define job tasks and responsibility Separate duties and authorities Grant least possible privileges Document security sensitivity Hiring and screening employees Dissemination Employees need to be made aware of policies and procedures Employee security training Q6 How can human safeguards protect against security threats?

22 Human Safeguards for Employees, continued
Enforcement of policies Define responsibilities Hold employees accountable Encourage compliance Management attitude is crucial Create policies and procedures for employee termination Protect against malicious actions in unfriendly terminations Remove user accounts and passwords Q6 How can human safeguards protect against security threats?

23 Security Policy for In-House Staff
Q6 How can human safeguards protect against security threats? Figure 12-6 Security Policy for In-House Staff

24 Human Safeguards for Non-Employee Personnel
Temporary personnel and vendors Screen personnel Training and compliance Contract should include specific security provisions Provide accounts and passwords with the least privileges Public users Harden Web site and facility Hardening: Take extraordinary measures to reduce system’s vulnerability Partners and public that receive benefits from the information system Protect these users from internal company security problems Q6 How can human safeguards protect against security threats?

25 Account Administration
Account management procedures Creation of new user accounts Modification of existing account permissions Removal of unneeded accounts Password management Acknowledgment forms Change passwords frequently Help-desk policies Authentication of users who have lost their password Password should not be ed (just a notification of password change) Q6 How can human safeguards protect against security threats?

26 Account Administration, continued
System procedures: Normal operation Backup Recovery Procedures of each type should exist for each information system Definition and use of standardized procedures reduces the likelihood of computer crime Each procedure type should be defined for both, system users and operations personnel Different duties and responsibilities Varying needs and goals Q6 How can human safeguards protect against security threats?

27 System Procedures Insert Figure 12-8
Q6 How can human safeguards protect against security threats? Figure 12-8 System Procedures

28 Security Monitoring Activity log analyses Security testing
Firewall logs DBMS log-in records Web server logs Security testing In-house and external security professionals Investigation of incidents How did the problem occur? Lessons learned Indication of potential vulnerability and corrective actions Q6 How can human safeguards protect against security threats?

29 MIS in Use (a) What Is My True Name?
Professor logs on to the websites of various textbook publishers to review/order copies of textbooks he was considering for his courses to obtain access to restricted instructor materials (test banks and sample exams) Publisher noticed that address used in recent request for access did not match professors Was someone trying to impersonate professor? What could he do about it?

30 MIS in Use (a) Questions
Why do you think this has occurred? Who has been harmed (if anyone), or is this a “victimless” situation? Are the registration procedures adequate? What changes, if any, would you recommend? What action should be taken by Roark, the university, or the publisher? Does it matter where the request came from (i.e., if it was a student at Roark’s university)? Is this a case of identity theft? Assuming that the individual is identified, what would be an appropriate penalty?

31 MIS in Use (b) Privacy and the Federal Government
Social networking sites, such as Facebook, LinkedIn, and Twitter, are cultural phenomena that have attracted millions of people Users easily communicate with other users Some serious concerns raised about their impact on personal privacy The Office of the Privacy Commissioner of Canada acted on a complaint from the Canadian Internet Policy and Public Interest Clinic (CIPPIC)

32 MIS in Use (b) Questions
How important are agencies such as the Privacy Commissioner? What tools does the Privacy Commissioner have and how can they be used (Hint: Does it matter if the organization in question resides outside of Canada?)? How might Facebook respond to the Privacy Commissioner? How does an organization respond to conflicting privacy issues (e.g., PIPEDA and the U.S. Patriot Act)?

33 What is Disaster Preparedness?
A substantial loss of computing infrastructure caused by acts of nature, crime, or terrorist activity can be disastrous for an organization Best safeguard is appropriate physical location of infrastructure Backup processing centers in geographically removed site Identify mission-critical systems and resources needed to run those systems Prepare remote backup facilities Hot and cold sites Train and rehearse cutover of operations Q7 What is disaster preparedness? A substantial loss of computing infrastructure caused by acts of nature, crime, or terrorist activity can be disastrous for an organization. Of course, the best way to solve a problem to prevent it. The best safeguard against a disaster is appropriate location. If possible, place computing centres, web farms, and other computer facilities in locations not prone to floods, earthquakes, hurricanes, tornados, or avalanches. Even in those locations, place infrastructure in unobtrusive buildings, basements, back rooms, and similar locations well within the physical perimeter of the organization. As well, locate computing infrastructure in fire-resistant buildings designed to house expensive and critical equipment.

34 How should Organizations Respond to Security Incidents?
Organization must have plan Detail reporting and response Centralized reporting of incidents Allows for application of specialized expertise Speed is of the essence Preparation pays off Identify critical employees and contact numbers Training is vital Practise incidence response! Q8 How should organizations respond to security incidents?

35 What do YOU think? The Final, Final Word Congratulations!
You’ve made it through the entire book With this knowledge you are well prepared to be an effective user of information systems Information technology will continue to cause fundamental changes in the business environment So as you finish your business degree, stay alert for new technology-based opportunities If you found this course interesting, take more IS classes If you enjoy this material, become an IS major

36 What do YOU think? How will you further your career with what you’ve learned in this class? Give this question serious thought, and write a memo to yourself to read from time to time as your career progresses.

Download ppt "Chapter 12 Managing Information Security and Privacy"

Similar presentations

Let’s Talk About Cyber Security

Let’s Talk About Cyber Security
1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.

1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.
2 Issues of the information age Computer _______ and mistakes –Preventing computer related waste & mistakes Computer crime –Computer as tool to commit.

2 Issues of the information age Computer _______ and mistakes –Preventing computer related waste & mistakes Computer crime –Computer as tool to commit.
Information Security Management Chapter 12. 12-2 “We Have to Design It for Privacy and Security. ” Tension between Maggie and Ajit regarding terminology.

Information Security Management Chapter “We Have to Design It for Privacy and Security. ” Tension between Maggie and Ajit regarding terminology.
Greg Lamb. Introduction It is clear that we as consumers and entrepreneurs cannot expect complete privacy when discussing business matters. However… There.

Greg Lamb. Introduction It is clear that we as consumers and entrepreneurs cannot expect complete privacy when discussing business matters. However… There.
© Pearson Prentice Hall 2009 12-1 Using MIS 2e Chapter 12 Information Security Management David Kroenke.

© Pearson Prentice Hall Using MIS 2e Chapter 12 Information Security Management David Kroenke.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Information Security Management

Information Security Management
Security, Privacy, and Ethics Online Computer Crimes.

Security, Privacy, and Ethics Online Computer Crimes.
1 Management Information Systems Information Security Management Chapter 12.

1 Management Information Systems Information Security Management Chapter 12.
1 Using Management Information Systems David Kroenke Information Security Management Chapter 11.

1 Using Management Information Systems David Kroenke Information Security Management Chapter 11.
Chapter 12 Information Security Management © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.

Chapter 12 Information Security Management © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Network security policy: best practices

Network security policy: best practices
Chapter 10 Information Systems Controls for System Reliability—Part 3: Processing Integrity and Availability Copyright © 2012 Pearson Education, Inc.

Chapter 10 Information Systems Controls for System Reliability—Part 3: Processing Integrity and Availability Copyright © 2012 Pearson Education, Inc.
E-business Security Dana Vasiloaica Institute of Technology Sligo 22 April 2006.

E-business Security Dana Vasiloaica Institute of Technology Sligo 22 April 2006.
GOLD UNIT 4 - IT SECURITY FOR USERS (2 CREDITS) Cameron Simpson.

GOLD UNIT 4 - IT SECURITY FOR USERS (2 CREDITS) Cameron Simpson.
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.

Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.
General Awareness Training

General Awareness Training
© 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke Slide 1 Chapter 12 Information Security Management.

© 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke Slide 1 Chapter 12 Information Security Management.

Similar presentations

Ads by Google