Presentation is loading. Please wait.

Presentation is loading. Please wait.

Www.sims.monash.edu.au 1 IMS9043 - INFORMATION TECHNOLOGY IN ORGANISATIONS Week 9 Control, audit and security.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Www.sims.monash.edu.au 1 IMS9043 - INFORMATION TECHNOLOGY IN ORGANISATIONS Week 9 Control, audit and security."— Presentation transcript:

1 www.sims.monash.edu.au 1 IMS9043 - INFORMATION TECHNOLOGY IN ORGANISATIONS Week 9 Control, audit and security

2 www.sims.monash.edu.au 2 Learning Objectives Recognize the difficulties in managing information resources. Recognize information systems ’ vulnerability and the possible damage from malfunctions. Describe the major methods of defending information systems.

3 www.sims.monash.edu.au 3 Learning Objectives (cont.) Describe the security issues of the Web and electronic commerce. Distinguish between security auditing and disaster recovery planning and understand the economics of security.

4 www.sims.monash.edu.au 4 Case: Cyber Crime On Feb. 6, 2000 - the biggest EC sites were hit by cyber crime. Yahoo!, eBay, Amazon.com, E*Trade The attacker(s) used a method called denial of service (DOS). –By hammering a Web site ’ s equipment with too many requests for information, an attacker can effectively clog a system. The total damage worldwide was estimated at $5-10 billion (U.S.). –The alleged attacker, from the Philippines, was not prosecuted because he did not break any law in the Philippines.

5 www.sims.monash.edu.au 5 Lessons Learned from the Case Information resources that include computers, networks, programs, and data are vulnerable to unforeseen attacks. Many countries do not have sufficient laws to deal with computer criminals. Protection of networked systems can be a complex issue.

6 www.sims.monash.edu.au 6 Lessons Learned from the Case Attackers can zero on a single company, or can attack many companies, without discrimination. Attackers use different attack methods. Although variations of the attack methods are known, the defence against them is difficult and/or expensive.

7 www.sims.monash.edu.au 7 Information Resources Management  IRM encompasses all activities related to the planning, organizing, acquiring, maintaining, securing, and controlling of IT resources.  The management of information resources is divided among the information services department (ISD) and the end-users.

8 www.sims.monash.edu.au 8 End-User Computing Establish policies and procedures to control end-user computing so that corporate risks are minimized. Create incentives to encourage certain end-user practices that reduce organizational risks. Offer support. Develop services to aid end- users in their computing activities.

9 www.sims.monash.edu.au 9 Steering Committees The corporate steering committee is a group of managers and staff representing various organizational units. The committee’s major tasks are:  Direction setting  Staffing  Rationing  Communication  Structuring  Evaluating

10 www.sims.monash.edu.au 10 Key Terminology Decryption Encryption Backup Exposure Integrity (of data) Risk Threats (or hazards) Vulnerability

11 www.sims.monash.edu.au 11 Security Threats

12 www.sims.monash.edu.au 12 Cyber Crime Crimes can be performed by outsiders who penetrate a computer system (hackers) or by insiders who are authorized to use the computer system but are misusing their authorization.. Two basic methods of attack are used in deliberate attacks on computer systems: –data tampering –programming fraud, e.g. Viruses

13 www.sims.monash.edu.au 13 Defending Information Systems Hundreds of potential threats exist. Computing resources may be situated in many locations. Many individuals control information assets. Rapid technological changes make some controls obsolete as soon as they are installed. Many computer crimes are undetected for a long period of time. People tend to violate security procedures because they are inconvenient. Defending information systems is not a simple or inexpensive task for the following reasons:

14 www.sims.monash.edu.au 14 Defense Strategies The following are the major objectives of defense strategies:  Prevention & deterrence  Detection  Limitation  Recovery  Correction

15 www.sims.monash.edu.au 15 Types of Controls General Controls –Physical controls –Access controls –Biometric controls –Data security controls –Communications (networks) controls –Administrative controls Application Controls –Input controls – Processing controls –Output controls

16 www.sims.monash.edu.au 16 Security Measures An access control system guards against unauthorized dial-in attempts. –The use of preassigned personal identification number (PIN). Modems. It is quite easy for attackers to penetrate them and for employees to leak secret corporate information to external networks. Encryption is used extensively in EC for protecting payments and privacy. Troubleshooting packages such as cable tester can find almost any fault that can occur with LAN cabling.

17 www.sims.monash.edu.au 17 Security Measures (cont.) Payload security involves encryption or other manipulation of data being sent over networks. Commercial Products. Hundreds of commercial security products exist on the market. Intrusion Detecting. It is worthwhile to place an intrusion detecting device near the entrance point of the Internet to the intranet. A Firewall is commonly used as a barrier between the secure corporate intranet, or other internal networks, and the Internet.

18 www.sims.monash.edu.au 18 IT Auditing In the information system environment, auditing can be viewed as an additional layer of controls or safeguards. –It involves a periodical examination and check of financial and accounting records and procedures. Two types of auditors (and audits): –Internal >An internal auditor is usually a corporate employee who is not a member of the ISD. –External >An external auditor is a corporate outsider.

19 www.sims.monash.edu.au 19 IT Auditing (cont.) Auditors attempt to answer questions such as: 1.Are there sufficient controls in the system? 2.Which areas are not covered by controls? 3.Which controls are not necessary? 4.Are the controls implemented properly? 5.Are the controls effective; do they check the output of the system? 6.Is there a clear separation of duties of employees? 7.Are there procedures to ensure compliance with the controls? 8.Are there procedures to ensure reporting and corrective actions in case of violations of controls?

20 www.sims.monash.edu.au 20 Disaster Recovery Plan  A disaster recovery plan is essential to any security system. –The purpose of a recovery plan is to keep the business running after a disaster occurs. –Recovery planning is part of asset protection. –Planning should focus first on recovery from a total loss of all capabilities. –Proof of capability usually involves some kind of what-if analysis that shows that the recovery plan is current. –All critical applications must be identified and their recovery procedures addressed in the plan.

21 www.sims.monash.edu.au 21 Backup Location In the event of a major disaster, it is often necessary to move a centralized computing facility to a far-away backup location. External hot-site vendors provide access to a fully configured backup data center.

22 www.sims.monash.edu.au 22 Risk Management

23 www.sims.monash.edu.au 23 IT Security in the 21 st Century Increasing the Reliability of Systems. The objective relating to reliability is to use fault tolerance to keep the information systems working, even if some parts fail. Artificial Intelligence in Biometrics. Expert systems, neural computing, voice recognition, and fuzzy logic can be used to enhance the capabilities of several biometric systems.

24 www.sims.monash.edu.au 24 IT Security in the 21 st Century (cont.) Smart Cards. Smart card technology can be used to protect PCs on LANs. Fighting Hackers. Several new products are available for fighting hackers.

25 www.sims.monash.edu.au 25 Control What is controlled? assets physical access operational procedures financial transactions inventory related transactions personnel related transactions management procedures

26 www.sims.monash.edu.au 26 Access controls to the computer centre equipment to the application software to offices to product warehouses control technologies

27 www.sims.monash.edu.au 27 Operational controls rationale for operational (process) controls goals mechanisms a control framework

28 www.sims.monash.edu.au 28 Control objectives operation of a business process achieves the goal set for it correct information is provided to a business process operation of the business process is available only to authorised personnel the business process only occurs in appropriate operational circumstances

29 www.sims.monash.edu.au 29 Privacy — a security issue corporate information customer/client information liability and responsibility

30 www.sims.monash.edu.au 30 References Chapter 16, Frenzel and Frenzel Chapter 8, Gelinas, Sutton & Fedorowicz(2004) "Business Processes & Information Technology“ Turban, Leidner, McLean & Wetherbe Chapter 15

Download ppt "Www.sims.monash.edu.au 1 IMS9043 - INFORMATION TECHNOLOGY IN ORGANISATIONS Week 9 Control, audit and security."

Similar presentations

Computer Fraud Chapter 5.

Computer Fraud Chapter 5.
Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.

Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.
Control and Accounting Information Systems

Control and Accounting Information Systems
9 - 1 Computer-Based Information Systems Control.

9 - 1 Computer-Based Information Systems Control.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
The Islamic University of Gaza

The Islamic University of Gaza
1 Telstra in Confidence Managing Security for our Mobile Technology.

1 Telstra in Confidence Managing Security for our Mobile Technology.
Security Controls – What Works

Security Controls – What Works
Chapter 17 Controls and Security Measures

Chapter 17 Controls and Security Measures
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
1 Average: 85%, Median: 90%…Good Work!. 2 Chapter 15 Managing Information Resources & Security.

1 Average: 85%, Median: 90%…Good Work!. 2 Chapter 15 Managing Information Resources & Security.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Risks, Controls and Security Measures

Risks, Controls and Security Measures
Introduction to Information Technology, 2nd Edition Turban, Rainer & Potter © 2003 John Wiley & Sons, Inc. 15-1 Introduction to Information Technology.

Introduction to Information Technology, 2nd Edition Turban, Rainer & Potter © 2003 John Wiley & Sons, Inc Introduction to Information Technology.
1 Chapter 15 Managing Information Resources & Security.

1 Chapter 15 Managing Information Resources & Security.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Factors to be taken into account when designing ICT Security Policies

Factors to be taken into account when designing ICT Security Policies

Similar presentations

Ads by Google