Control , Audit & Security of Information


1 Control , Audit & Security of Information

2 Why Control of Information?
Digital form → vast accessibility → more vulnerability and abuse.
Business information at risk:
- Individuals: taxes, financial assets, medical records, job performance reviews.
- Corporations: operations, trade secrets, new product development plans, marketing strategies.

3 Why Vulnerability?
Organizations rely on computer-stored evidence:
- portable compact disks (CDs)
- computer hard disk drives
- instant messages
- e-commerce transactions over the Internet

4 Threats to Computerized Systems
- Hardware and software failures
- User errors
- Physical disasters such as fire or power failures
- Theft of data, services or equipment
- Telecommunication disruption

5 Contemporary Security Challenges

6 Information Security Model

7 How to Control?
Policies, organizational procedures and technical measures are used to prevent:
- unauthorized access
- alteration
- theft
- physical damage to information systems

8 Business Information Security
Businesses must protect not only their own information assets but also those of customers, employees, and business partners. Some U.S.-based security acts:
- The Health Insurance Portability and Accountability Act (HIPAA) of 1996, which requires members of the healthcare industry to retain patient information for six years and ensure the confidentiality of those records.
- The Gramm-Leach-Bliley Act, which requires financial institutions to ensure the security and confidentiality of customer data.
- The Sarbanes-Oxley Act, which imposes responsibility on companies and their management to use internal controls to safeguard the accuracy and integrity of financial information.

9 ERM
Electronic records management (ERM) consists of policies, procedures, and tools for managing the retention, destruction, and storage of electronic records. An effective electronic document retention policy ensures that electronic documents and other records are well organized, accessible, and neither retained too long nor discarded too soon.

10 Management Framework for Security & Control
ISO 17799, an international set of standards for security and control, specifies best practices in information systems security and control. A risk assessment determines the value of information assets, points of vulnerability, the likely frequency of a problem, and the potential for damage. Controls should concentrate on the control points with the greatest vulnerability and potential for loss, in order to minimize overall cost and maximize defences.

11 Large Corporate Security Structure
The security organization educates and trains users, keeps management aware of security threats and breakdowns, and maintains the tools chosen to implement security.

12 Corporate Security Policies
- Security policy: consists of statements ranking information risks, identifying acceptable security goals, and identifying the mechanisms for achieving these goals.
- Acceptable use policy (AUP): defines acceptable uses of the firm's information resources and computing equipment, including desktop and laptop computers, wireless devices, telephones, and the Internet.
- Authorization policy: determines differing levels of access to information assets for different levels of users.
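An authorization policy as described above can be written down as security profiles: one profile per user level, listing which records and fields that level may read or update. The following is an added example, not material from the presentation; the user levels, fields and ownership rule are constructed for a hypothetical personnel system, and the check fails closed so that a request touching any field outside the profile is denied as a whole and logged.

```python
# Toy authorization policy for a personnel system. Added example, not from the
# slides; levels, resources, fields and the ownership rule are constructed.

from dataclasses import dataclass

# Security profiles: user level -> {resource: {operation: permitted fields}}.
# "*" stands for every field of the record.
PROFILES = {
    "employee": {
        "personnel_record": {"read": {"name", "department", "job_title"}},
    },
    "payroll_clerk": {
        "personnel_record": {"read": {"name", "department", "salary"},
                             "update": {"salary"}},
    },
    "hr_manager": {
        "personnel_record": {"read": {"*"}, "update": {"*"}},
        "performance_review": {"read": {"*"}, "update": {"*"}},
    },
}


@dataclass(frozen=True)
class User:
    name: str
    level: str
    employee_id: str


def permitted_fields(level, resource, operation):
    """Fields this level may use for the operation; empty set when nothing applies."""
    return PROFILES.get(level, {}).get(resource, {}).get(operation, set())


def authorize(user, resource, operation, fields, owner_id=None):
    """Decide an access request under the policy. Fails closed: unknown levels,
    unknown resources and any field outside the profile deny the whole request."""
    allowed = permitted_fields(user.level, resource, operation)
    if "*" in allowed:
        return True
    # Constructed ownership rule: ordinary employees see only their own record.
    if user.level == "employee" and owner_id != user.employee_id:
        return False
    return set(fields) <= allowed


def audit_decision(user, resource, operation, fields, owner_id=None):
    """Produce one log line per decision; the DENY lines are what an auditor reviews."""
    verdict = "ALLOW" if authorize(user, resource, operation, fields, owner_id) else "DENY"
    return (f"{verdict} user={user.name} level={user.level} "
            f"{operation} {resource} fields={sorted(fields)}")
```

The profile table is the policy; `authorize` is the only place it is consulted, which keeps the check reviewable and makes the audit trail complete.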

13 SECURITY PROFILES FOR A PERSONNEL SYSTEM

14 Techniques to Reduce Downtime
- Fault-tolerant computer systems use hardware or software to detect hardware failures and automatically switch to backup systems.
- High-availability computing environments use backup servers, distribute processing among multiple servers, use high-capacity storage, and rely on disaster recovery planning and business continuity planning to recover quickly from a system crash.
- Recovery-oriented computing designs systems to recover quickly, and implements capabilities and tools that help operators pinpoint the sources of faults in multi-component systems and easily correct their mistakes.
- Business continuity planning focuses on how the company can restore business operations after a disaster strikes.

15 Network Security
Some companies outsource security functions to managed security service providers (MSSPs) that monitor network activity and perform vulnerability testing and intrusion detection.

16 Audit of Information
An MIS audit examines the firm's overall security environment as well as the controls governing individual information systems. MIS security audits review technologies, procedures, documentation, training, and personnel. The audit lists and ranks all control weaknesses and estimates the probability of their occurrence; it then assesses the financial and organizational impact of each threat.
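The ranking step of the audit (and the risk assessment of slide 10) can be made concrete by scoring each weakness as probability of occurrence times financial impact and sorting on that expected annual loss. This is an added example, not part of the presentation; the findings and figures are constructed sample data.

```python
# Ranking an auditor's list of control weaknesses by expected annual loss.
# Added example; not from the slides. The findings and figures are constructed.

from dataclasses import dataclass


@dataclass
class Weakness:
    control: str        # control point where the weakness was found
    description: str
    probability: float  # estimated chance the weakness is exploited in a year (0..1)
    impact: float       # estimated financial loss per occurrence
    org_impact: str     # organizational consequence noted for management

    @property
    def expected_loss(self) -> float:
        """Probability of occurrence times financial impact."""
        return self.probability * self.impact


# Constructed sample findings, as an auditor might list them.
SAMPLE_FINDINGS = [
    Weakness("User accounts", "Terminated employees keep active accounts",
             0.5, 40_000, "unauthorized access to personnel data"),
    Weakness("Backups", "Backup media never tested for restore",
             0.2, 250_000, "loss of transaction history"),
    Weakness("Firewall", "Rule set not reviewed after changes",
             0.3, 120_000, "exposure of internal servers"),
    Weakness("Passwords", "No lockout after repeated failed logins",
             0.6, 15_000, "account compromise"),
]


def rank_weaknesses(findings):
    """Highest expected annual loss first: where control effort pays off most."""
    return sorted(findings, key=lambda w: w.expected_loss, reverse=True)


def loss_by_control(findings):
    """Aggregate expected loss per control point for the summary to management."""
    totals = {}
    for w in findings:
        totals[w.control] = totals.get(w.control, 0.0) + w.expected_loss
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


def report(findings):
    """Render the ranked list as the auditor's report lines."""
    lines = []
    for rank, w in enumerate(rank_weaknesses(findings), start=1):
        lines.append(f"{rank}. [{w.control}] {w.description}: "
                     f"p={w.probability:.2f}, impact={w.impact:,.0f}, "
                     f"expected={w.expected_loss:,.0f} ({w.org_impact})")
    return "\n".join(lines)
```

Note how the ranking differs from a ranking by probability alone: the most likely weakness (no lockout) lands last because its impact is small, while the untested backups, least likely to bite, top the list.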

17 SAMPLE AUDITOR’S LIST OF CONTROL WEAKNESSES

18 Technologies and Tools for Security and Control
- Authentication tools
- Firewalls
- Intrusion detection systems
- Antivirus and encryption software

19 Authentication Tools
Access control consists of all the policies and procedures a company uses to prevent improper access to systems by unauthorized insiders and outsiders.
- Smart card: a device about the size of a credit card that contains a chip formatted with access permissions and other data.
- Biometric authentication: compares a person's unique characteristics, such as fingerprints, face, or retinal image, against a stored profile.

20 Firewall
A firewall is a combination of hardware and software that controls the flow of incoming and outgoing network traffic and prevents unauthorized communication into and out of the network. The firewall identifies names, Internet Protocol (IP) addresses, applications, and other characteristics of incoming traffic, and checks this information against the access rules programmed into the system by the network administrator.

21 Information Filtering
- Packet filtering examines fields in the headers of data packets flowing between the network and the Internet, examining individual packets in isolation.
- Stateful inspection determines whether packets are part of an ongoing dialogue between a sender and a receiver.
- Network Address Translation (NAT) conceals the IP addresses of the organization's internal host computer(s) to protect against sniffer programs outside the firewall.
- Application proxy filtering examines the application content of packets. A proxy server stops data packets originating outside the organization, inspects them, and passes a proxy to the other side of the firewall. If a user outside the company wants to communicate with a user inside the organization, the outside user first "talks" to the proxy application, and the proxy application communicates with the firm's internal computer.
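The difference between the first three filtering methods is easiest to see on concrete packets. The simulation below is an added example, not from the presentation: it applies a stateless rule table to each packet's header fields, then adds connection tracking so that only replies to connections the inside opened are admitted, and finally a NAT table that rewrites internal source addresses. The rules, the 10.0.0.x internal network and the addresses from the RFC 5737 documentation ranges are constructed for illustration.

```python
# Packet filtering vs. stateful inspection vs. NAT, simulated on constructed packets.
# Added example; not from the slides. Addresses come from the RFC 5737 documentation
# ranges and 10.0.0.0/8; ports and rules are made up for illustration.

INTERNAL_NET = "10.0.0."   # constructed internal address prefix
PUBLIC_IP = "192.0.2.1"    # constructed public address of the firewall

# Stateless rules: (direction, protocol, destination port, action), first match wins.
STATELESS_RULES = [
    ("in",  "tcp", 443, "allow"),   # anyone may reach the public web server
    ("in",  "tcp", 22,  "deny"),    # no inbound SSH from the Internet
    ("out", "tcp", 80,  "allow"),   # staff may browse the web
    ("out", "tcp", 443, "allow"),
]


def is_internal(ip):
    return ip.startswith(INTERNAL_NET)


def direction(pkt):
    return "out" if is_internal(pkt["src"]) else "in"


def packet_filter(pkt):
    """Packet filtering: decide from this packet's header fields alone."""
    d = direction(pkt)
    for rule_dir, proto, port, action in STATELESS_RULES:
        if d == rule_dir and pkt["proto"] == proto and pkt["dst_port"] == port:
            return action
    return "deny"   # default deny: anything not explicitly allowed is dropped


class StatefulFirewall:
    """Stateful inspection: remember connections the inside opened and admit only
    the replies that belong to them. A stateless filter would have to open every
    high port to let the same replies in."""

    def __init__(self):
        self.connections = set()   # (proto, inside ip, inside port, outside ip, outside port)

    def filter(self, pkt):
        if direction(pkt) == "out":
            action = packet_filter(pkt)
            if action == "allow":
                self.connections.add((pkt["proto"], pkt["src"], pkt["src_port"],
                                      pkt["dst"], pkt["dst_port"]))
            return action
        # Inbound: is this packet part of an ongoing dialogue the inside started?
        key = (pkt["proto"], pkt["dst"], pkt["dst_port"], pkt["src"], pkt["src_port"])
        if key in self.connections:
            return "allow"
        return packet_filter(pkt)   # otherwise fall back to the static rules


class Nat:
    """Network Address Translation: the outside sees only the firewall's address,
    so internal host addresses are concealed from sniffers beyond the firewall."""

    def __init__(self):
        self.next_port = 40000
        self.table = {}   # public port -> (internal ip, internal port)

    def outbound(self, pkt):
        """Rewrite the source address and port of a packet leaving the network."""
        for pub_port, inside in self.table.items():
            if inside == (pkt["src"], pkt["src_port"]):
                break
        else:
            pub_port = self.next_port
            self.next_port += 1
            self.table[pub_port] = (pkt["src"], pkt["src_port"])
        return {**pkt, "src": PUBLIC_IP, "src_port": pub_port}

    def inbound(self, pkt):
        """Map a reply addressed to the public port back to the internal host,
        or return None when no mapping exists (the packet is dropped)."""
        inside = self.table.get(pkt["dst_port"])
        if inside is None or pkt["dst"] != PUBLIC_IP:
            return None
        return {**pkt, "dst": inside[0], "dst_port": inside[1]}
```

Run against a web request from an inside host, the stateless `packet_filter` denies the server's reply (no rule covers the client's high port), while `StatefulFirewall` admits it because the outbound packet was recorded first; a stray inbound packet to the same port from a different host is still denied.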

22 A CORPORATE FIREWALL

23 Intrusion Detection System
Intrusion detection systems feature full-time monitoring tools placed at the most vulnerable points of corporate networks to detect and deter intruders continually. Scanning software looks for patterns indicative of known methods of computer attacks, such as bad passwords, checks to see if important files have been removed or modified, and sends warnings of vandalism or system administration errors.
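The two kinds of check named above, pattern scanning for repeated bad passwords and verifying that important files have not been removed or modified, are shown together in the added example below. It is not code from the presentation; the log lines, file contents and alert threshold are constructed, and a real deployment would read the live log and the real files instead of the inline samples.

```python
# Two host-level intrusion detection checks. Added example, not from the slides:
# (1) scanning authentication log lines for repeated bad passwords per source, and
# (2) an integrity check reporting important files that were removed or modified.
# Log lines, file contents and the threshold are constructed for illustration.

import hashlib
import re
from collections import defaultdict

# Constructed log lines in a syslog-like layout.
SAMPLE_LOG = """\
Mar 10 08:01:02 host1 sshd[412]: Failed password for root from 198.51.100.7 port 50210 ssh2
Mar 10 08:01:05 host1 sshd[412]: Failed password for root from 198.51.100.7 port 50211 ssh2
Mar 10 08:01:09 host1 sshd[412]: Failed password for admin from 198.51.100.7 port 50212 ssh2
Mar 10 08:01:12 host1 sshd[412]: Failed password for root from 198.51.100.7 port 50213 ssh2
Mar 10 08:02:30 host1 sshd[418]: Accepted password for alice from 10.0.0.23 port 41022 ssh2
Mar 10 08:03:01 host1 sshd[420]: Failed password for alice from 10.0.0.23 port 41030 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>[\d.]+)")


def failed_logins_by_source(log_text):
    """Count failed passwords per source address: the pattern the scanner looks for."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return dict(counts)


def password_guessing_alerts(log_text, threshold=3):
    """One warning per source that reaches the failed-login threshold."""
    return [f"WARNING: {n} failed passwords from {ip}"
            for ip, n in failed_logins_by_source(log_text).items() if n >= threshold]


# Integrity checking: a baseline of digests taken while the system was known good.
def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def build_baseline(files):
    """files: mapping path -> bytes content; returns path -> digest."""
    return {path: digest(content) for path, content in files.items()}


def integrity_check(baseline, current):
    """Compare the current file set against the baseline and report every change."""
    findings = []
    for path, old in baseline.items():
        if path not in current:
            findings.append(f"REMOVED: {path}")
        elif digest(current[path]) != old:
            findings.append(f"MODIFIED: {path}")
    for path in current:
        if path not in baseline:
            findings.append(f"NEW: {path}")
    return sorted(findings)
```

The single failed login from 10.0.0.23 stays below the threshold and produces no warning; the baseline must be stored where an intruder cannot rewrite it, or the integrity check only confirms whatever was last written there.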

24 Antivirus Software & Security Standards
Antivirus software is designed to check computer systems and drives for the presence of computer viruses. However, to remain effective, the antivirus software must be continually updated.
The Wi-Fi Alliance industry trade group's i specification tightens security for wireless LAN products.
WEP stands for Wired Equivalent Privacy. It was the original encryption standard for wireless. As its name implies, this standard was intended to make wireless networks as secure as wired networks.
Wi-Fi Protected Access (WPA) is a software/firmware improvement over WEP. All regular WLAN equipment that worked with WEP can simply be upgraded, and no new equipment needs to be bought. WPA is a trimmed-down version of the i security standard that was developed by the Wi-Fi Alliance to replace WEP.

25 Network Traffic Encryption
Two methods for encrypting network traffic on the Web are:
- Secure Sockets Layer (SSL): SSL and its successor Transport Layer Security (TLS) enable client and server computers to establish a secure connection session and manage encryption and decryption activities.
- Secure Hypertext Transfer Protocol (S-HTTP): another protocol used for encrypting data flowing over the Internet, but limited to individual messages.
Data is encrypted by applying a secret numerical code, called an encryption key, so that the data are transmitted as a scrambled set of characters. To be read, the message must be decrypted (unscrambled) with a matching key.

26 Digital Signatures & Certificates
Digital signatures and digital certificates help with authentication. A digital signature is a digital code attached to an electronically transmitted message that is used to verify the origin and contents of a message. Digital certificates are data files used to establish the identity of users and electronic assets for protection of online transactions. A digital certificate system uses a trusted third party known as a certificate authority (CA) to validate a user's identity. The digital certificate system would enable, for example, a credit card user and a merchant to validate that their digital certificates were issued by an authorized and trusted third party before they exchange data. Public key infrastructure (PKI), the use of public key cryptography working with a certificate authority, is a principal technology for providing secure authentication of identity online.

27 Digital Signature

28 Digital Signature in Detail with Example

29 Digital Signature in Detail with Example
Encryption: Public Key. Decryption: Private Key.

30 Digital Signature in Detail with Example
A message digest cannot be reconverted to the original document.

31 Digital Signature Verification
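The three steps that slides 26 to 31 describe, computing a message digest, applying the signer's private key to it, and verifying with the public key against a fresh digest of the received document, are carried out below in a toy RSA walk-through. This is an added example, not the presentation's own material: the key pair is built from two small constructed primes so the arithmetic is visible, and the SHA-256 digest is reduced modulo that tiny modulus, neither of which a real signature scheme does (real keys are thousands of bits and use a padding scheme).

```python
# Digital signature walk-through: message digest, sign with the private key,
# verify with the public key. Added example, not from the slides. The primes are
# tiny constructed values chosen for readability; this toy is for teaching only.

import hashlib

# Constructed toy key pair. Real keys use randomly chosen primes of 1024+ bits.
P = 104729
Q = 1299709
N = P * Q                   # public modulus
E = 65537                   # public exponent
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)         # private exponent (modular inverse, Python 3.8+)

PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def message_digest(message: bytes) -> int:
    """Step 1: hash the document. The digest is fixed-size and one-way, so the
    document cannot be reconverted from it. Reduced mod N only because this toy
    modulus is far smaller than a SHA-256 value."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return h % N


def sign(message: bytes, private_key) -> int:
    """Step 2: the signer applies the private key to the digest."""
    n, d = private_key
    return pow(message_digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Step 3: the receiver applies the public key to the signature and compares
    the result with a digest computed freshly from the received document. Any
    change to the document changes the digest, so the comparison fails."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(message)


def demo():
    """Sign a constructed message, then verify it intact and after tampering."""
    doc = b"Pay 100 to account 42"
    sig = sign(doc, PRIVATE_KEY)
    intact = verify(doc, sig, PUBLIC_KEY)
    tampered = verify(b"Pay 900 to account 42", sig, PUBLIC_KEY)
    return intact, tampered
```

The verifier never needs the private key, which is what lets a certificate authority publish the public half in a digital certificate while the signer keeps the private half.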

32 DIGITAL CERTIFICATES

