Presentation is loading. Please wait.

Presentation is loading. Please wait.

© Pearson Prentice Hall 2009 12-1 Using MIS 2e Chapter 12 Information Security Management David Kroenke.

Published bySusanna Carpenter Modified over 9 years ago

Similar presentations

Presentation on theme: "© Pearson Prentice Hall 2009 12-1 Using MIS 2e Chapter 12 Information Security Management David Kroenke."— Presentation transcript:

1 © Pearson Prentice Hall 2009 12-1 Using MIS 2e Chapter 12 Information Security Management David Kroenke

2 © Pearson Prentice Hall 2009 12-2 Study Questions Q1 – What are the threats to information security? Q2 – What is senior management’s security role? Q3 – What technical safeguards are available? Q4 – What data safeguards are available? Q5 – What human safeguards are available? Q6 – How should organizations respond to security incidents? Q7 – What is the extent of computer crime?

3 © Pearson Prentice Hall 2009 12-3 Q1 – What are the threats to information security? Q2 – What is senior management’s security role? Q3 – What technical safeguards are available? Q4 – What data safeguards are available? Q5 – What human safeguards are available? Q6 – How should organizations respond to security incidents? Q7 – What is the extent of computer crime?

4 © Pearson Prentice Hall 2009 12-4 Q1 – What are the threats to information security? In order to adequately protect information resources, managers must be aware of the sources of threats to those resources, the types of security problems the threats present, and how to safeguard against both. The three most common sources of threats are:  Human error and mistakes  Malicious human activity  Natural events and disasters.

5 © Pearson Prentice Hall 2009 12-5 Q1 – What are the threats to information security? Human error and mistakes stem from employees and nonemployees.  They may misunderstand operating procedures and inadvertently cause data to be deleted.  Poorly written application programs and poorly designed procedures may allow employees to enter data incorrectly or misuse the system.  Employees may make physical mistakes like unplugging a piece of hardware that causes the system to crash. Malicious human activity results from employees, former employees, and hackers who intentionally destroy data or system components. These actions include:  Breaking into systems with the intent of stealing, altering or destroying data.  Introducing viruses and worms into a system.  Acts of terrorism.

6 © Pearson Prentice Hall 2009 12-6 Q1 – What are the threats to information security? The last source of threats to information security are those caused by natural events and disasters. These threats pose problems stemming not just from the initial loss of capability and service but also problems a company may experience as it recovers from the initial problem. They include:  Fires  Floods  Hurricanes  Earthquakes and  Other acts of nature.

7 © Pearson Prentice Hall 2009 12-7 Q1 – What are the threats to information security? Fig 12-1 Security Problems and Sources This chart shows some of the security problems a company may experience and the possible sources of the problems.

8 © Pearson Prentice Hall 2009 12-8 Q1 – What are the threats to information security? There are three components of a sound organizational security program:  Senior management must establish a security policy and manage risks.  Safeguards of various kinds must be established for all five components of an IS as the figure below demonstrates.  The organization must plan its incident response before any problems occur. Fig 12-2 Security Safeguards as They Relate to the Five Components

9 © Pearson Prentice Hall 2009 12-9 Q1 – What are the threats to information security? Q2 – What is senior management’s security role? Q3 – What technical safeguards are available? Q4 – What data safeguards are available? Q5 – What human safeguards are available? Q6 – How should organizations respond to security incidents? Q7 – What is the extent of computer crime?

10 © Pearson Prentice Hall 2009 12-10 Q2 – What is senior management’s security role? Fig 12-3 Elements of Computer Security The NIST Handbook of Security Elements lists the necessary elements of an effective security program as this figure shows.

11 © Pearson Prentice Hall 2009 12-11 Q2 – What is senior management’s security role? Senior managers should ensure their organization has an effective security policy that includes these elements:  A general statement of the organization’s security program  Issue-specific policies like personal use of email and the Internet  System-specific policies that ensure the company is complying with laws and regulations. Senior managers must also manage risks associated with information systems security.  Risk is the likelihood of an adverse occurrence.  You can reduce risk but always at a cost. The amount of money you spend on security influences the amount of risk you must assume.  Uncertainty is defined as the things we do not know that we do not know.

12 © Pearson Prentice Hall 2009 12-12 Q2 – What is senior management’s security role? Fig 12-4 Risk Assessment Factors When you’re assessing risks to an information system you must first determine:  What the threats are.  How likely they are to occur.  The consequences if they occur. The figure below lists the factors you should include in a risk assessment. Once you’ve assessed the risks to your information system, you must make decisions about how much security you want to pay for. Each decision carries consequences.  Some risk is easy and inexpensive.  Some risk is expensive and difficult.  Managers have a fiduciary responsibility to the organization to adequately manage risk.

13 © Pearson Prentice Hall 2009 12-13 Q1 – What are the threats to information security? Q2 – What is senior management’s security role? Q3 – What technical safeguards are available? Q4 – What data safeguards are available? Q5 – What human safeguards are available? Q6 – How should organizations respond to security incidents? Q7 – What is the extent of computer crime?

14 © Pearson Prentice Hall 2009 12-14 Q3 – What technical safeguards are available? Fig 12-5 Technical Safeguards You can establish five technical safeguards for the hardware and software components of an information system as this figure shows.  Identification and authentication includes passwords (what you know), smart cards (what you have), and biometric authentication (what you are).  Since users must access many different systems, it’s often more secure, and easier, to establish a single sign-on for multiple systems.  Wireless systems pose additional threats. Wired Equivalent Privacy (WEP)-first developed Wi-Fi Protected Access (WPA)-more secure Wi-Fi Protected Access (WPA2)-newest and most secure

15 © Pearson Prentice Hall 2009 12-15 Q3 – What technical safeguards are available? Encryption is the second safeguard you can establish for an IS. The chart below and on the next slide describe each of them. Fig 12-6 Basic Encryption Techniques

16 © Pearson Prentice Hall 2009 12-16 Q3 – What technical safeguards are available? Fig 12-6 Basic Encryption Techniques (continued)

17 © Pearson Prentice Hall 2009 12-17 Q3 – What technical safeguards are available? Fig 12-7 Digital Signatures for Message Authentication This diagram describes how digital signatures are used to authenticate messages and ensure they aren’t altered during transmission. Digital certificates are used in conjunction with digital signatures for added security.  Certificate authorities are independent third-party companies that supply public keys used with the certificates.

18 © Pearson Prentice Hall 2009 12-18 Q3 – What technical safeguards are available? Firewalls, the third technical safeguard, should be installed and used with every computer that’s connected to any network, especially the Internet.  The diagram shows how perimeter and internal firewalls are special devices that help protect a network.  Packet-filtering firewalls are programs on general-purpose computers or on routers that examine each packet entering the network.  Access control lists (ACLs) are used in conjunction with firewalls and determine which packets can enter a network. The ACLs also control which Web sites users can access. Fig 12-8 Use of Multiple Firewalls

19 © Pearson Prentice Hall 2009 12-19 Q3 – What technical safeguards are available? Malware Protection is the fourth technical safeguard. We’ll concentrate on spyware and adware here.  Spyware are programs that may be installed on your computer without your knowledge or permission.  Adware is a benign program that’s also installed without your permission. It resides in your computer’s background and observes your behavior.  If your computer displays any of the symptoms in this figure, you may have one of these types of malware on your computer. Fig 12-9 Spyware & Adware Symptoms

20 © Pearson Prentice Hall 2009 12-20 Q3 – What technical safeguards are available? Here are a few ways you can safeguard your computer against malware:  Install antivirus and antispyware programs.  Scan your computer frequently for malware.  Update malware definitions often or use an automatic update process.  Open email attachments only from known sources and even then be wary.  Promptly install software updates from legitimate sources like Microsoft for your operating system or McAfee for your spyware programs.  Browse only in reputable Internet neighborhoods. Malware is often associated with rogue Web sites.

21 © Pearson Prentice Hall 2009 12-21 Q3 – What technical safeguards are available? Fig 12-10 Malware Survey Results The survey results in this chart show how serious the malware problem is and yet how unaware most people are about the effects. You should understand the malware problem, realize how frequently it occurs, and follow safeguards to protect your computer and system from it. Designing secure applications with as few bugs as possible is the last safeguard.

22 © Pearson Prentice Hall 2009 12-22 Q1 – What are the threats to information security? Q2 – What is senior management’s security role? Q3 – What technical safeguards are available? Q4 – What data safeguards are available? Q5 – What human safeguards are available? Q6 – How should organizations respond to security incidents? Q7 – What is the extent of computer crime?

23 © Pearson Prentice Hall 2009 12-23 Q4 – What data safeguards are available? Fig 12-11 Data Safeguards To protect databases and other data sources, an organization should follow the safeguards listed in this figure. Remember, data and the information from it are one of the most important resources an organization has.

24 © Pearson Prentice Hall 2009 12-24 Q1 – What are the threats to information security? Q2 – What is senior management’s security role? Q3 – What technical safeguards are available? Q4 – What data safeguards are available? Q5 – What human safeguards are available? Q6 – How should organizations respond to security incidents? Q7 – What is the extent of computer crime?

25 © Pearson Prentice Hall 2009 12-25 Q5 – What human safeguards are available? Human safeguards for employees are some of the most important safeguards an organization can deploy. They should be coupled with effective procedures to help protect information systems. This figure shows the safeguards for in-house employees. Fig 12-12 Security Policy for In-house Staff

26 © Pearson Prentice Hall 2009 12-26 Q5 – What human safeguards are available? An organization needs human safeguards for nonemployees whether they are temporary employees, vendors, business partners, or the public. Here are a few suggestions:  Ensure any contracts between the organization and other workers include security policies. Third-party employees should be screened and trained the same as direct employees.  Web sites used by third-party employees and the public should be hardened against misuse or abuse.  Protect outside users from internal security problems. If your system gets infected with a virus, you should not pass it on to others.

27 © Pearson Prentice Hall 2009 12-27 Q5 – What human safeguards are available? Account administration is the third type of human safeguard and has three components—account management, password management, and help-desk policies.  Account management focuses on Establishing new accounts Modifying existing accounts Terminating unnecessary accounts.  Password management requires that users Immediately change newly created passwords Change passwords periodically Sign an account acknowledgment form like the one in this figure. Fig 12-13 Sample Account Acknowledgement Form

28 © Pearson Prentice Hall 2009 12-28 Q5 – What human safeguards are available?  Help-desks have been a source of problems for account administration because of the inherent nature of their work. It is difficult for the help-desk to determine exactly with whom they’re speaking. Users call up for a new password without the help-desk having a method of definitively identifying who is on the other end of the line. There must be policies in place to provide ways of authenticating users like asking questions only the user would know the answers to. Users have a responsibility to help the help-desk by responsibly controlling their passwords.

29 © Pearson Prentice Hall 2009 12-29 Q5 – What human safeguards are available? Effective system procedures can help increase security and reduce the likelihood of computer crime. As this figure shows, procedures should exist for both system users and operations personnel that cover normal, backup, and recovery procedures. Fig 12-14 Systems Procedures Security monitoring is the last human safeguard. It includes:  Activity log analyses  Security testing  Investigating and learning from security incidents.

30 © Pearson Prentice Hall 2009 12-30 Q1 – What are the threats to information security? Q2 – What is senior management’s security role? Q3 – What technical safeguards are available? Q4 – What data safeguards are available? Q5 – What human safeguards are available? Q6 – How should organizations respond to security incidents? Q7 – What is the extent of computer crime?

31 © Pearson Prentice Hall 2009 12-31 Q6 – How should organizations respond to security incidents? No system is fail-proof. Every organization must have an effective plan for dealing with a loss of computing systems. This figure describes disaster preparedness tasks for every organization, large and small. The last item that suggests an organization train and rehearse its disaster preparedness plans is very important. Fig 12-15 Disaster Preparedness Tasks

32 © Pearson Prentice Hall 2009 12-32 Q6 – How should organizations respond to security incidents? Along with disaster preparedness plans, every organization should think about how it will respond to security incidences that may occur, before they actually happen. The figure below lists the major factors that should be included in any incident response. Fig 12-16 Factors in Incident Response

33 © Pearson Prentice Hall 2009 12-33 Q1 – What are the threats to information security? Q2 – What is senior management’s security role? Q3 – What technical safeguards are available? Q4 – What data safeguards are available? Q5 – What human safeguards are available? Q6 – How should organizations respond to security incidents? Q7 – What is the extent of computer crime?

34 © Pearson Prentice Hall 2009 12-34 Q7 – What is the extent of computer crime? The full extent of computer crime is unknown. There is no national census because many organizations are reluctant to report losses for fear of alienating customers, suppliers, and business partners. A 2006 survey estimated that the total loss due to computer crime is at least $52.5 billion. This chart shows the top four sources of computer crime and the total dollar loss. Fig 12-17 Computer Crime, 2006 FBI/CSI Survey

Download ppt "© Pearson Prentice Hall 2009 12-1 Using MIS 2e Chapter 12 Information Security Management David Kroenke."

Similar presentations

Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.

Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.
Let’s Talk About Cyber Security

Let’s Talk About Cyber Security
© Pearson Prentice Hall 2009 12-1 Using MIS 2e Chapter 12 Information Security Management If you don’t do security right, nothing else matters. David Kroenke.

© Pearson Prentice Hall Using MIS 2e Chapter 12 Information Security Management If you don’t do security right, nothing else matters. David Kroenke.
Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.

Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.
Information Security Management Chapter 12. 12-2 “We Have to Design It for Privacy and Security. ” Tension between Maggie and Ajit regarding terminology.

Information Security Management Chapter “We Have to Design It for Privacy and Security. ” Tension between Maggie and Ajit regarding terminology.
Information System protection and Security. Need for Information System Security §With the invent of computers and telecommunication systems, organizations.

Information System protection and Security. Need for Information System Security §With the invent of computers and telecommunication systems, organizations.
Chapter Extension 24 Computer Crime and Forensics © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.

Chapter Extension 24 Computer Crime and Forensics © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.
Information Systems Audit Program. Benefit Audit programs are necessary to perform an effective and efficient audit. Audit programs are essentially checklists.

Information Systems Audit Program. Benefit Audit programs are necessary to perform an effective and efficient audit. Audit programs are essentially checklists.
McGraw-Hill/Irwin ©2009 The McGraw-Hill Companies, All Rights Reserved CHAPTER 4 ETHICS AND INFORMATION SECURITY Business Driven Information Systems 2e.

McGraw-Hill/Irwin ©2009 The McGraw-Hill Companies, All Rights Reserved CHAPTER 4 ETHICS AND INFORMATION SECURITY Business Driven Information Systems 2e.
© 2007 Prentice Hall, Inc.1 Using Management Information Systems David Kroenke Information Security Management.

© 2007 Prentice Hall, Inc.1 Using Management Information Systems David Kroenke Information Security Management.
Information Security Management

Information Security Management
Security, Privacy, and Ethics Online Computer Crimes.

Security, Privacy, and Ethics Online Computer Crimes.
Chapter 12 Information Security Management

Chapter 12 Information Security Management
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
FIT3105 Security and Identity Management Lecture 1.

FIT3105 Security and Identity Management Lecture 1.
1 Management Information Systems Information Security Management Chapter 12.

1 Management Information Systems Information Security Management Chapter 12.

Similar presentations

Ads by Google