Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 12 Information Security Management © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Chapter 12 Information Security Management © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke."— Presentation transcript:

1 Chapter 12 Information Security Management © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke

2 12-2 This Could Happen to You Emerson Pharmaceuticals – $800M in sales – 200 person IT department DSI – $50M in sales – 1 person IT department – No in-house software development Why the difference? – Directors and project managers at DSI are knowledgeable in IT – Support users at DSI want only reliable IT infrastructure – DSI has a wired/wireless LAN with two servers What about security?

3 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke 12-3 Study Questions What are the sources and types of security threats? What are the elements of a security program? How can technical safeguards protect against security threats? How can data safeguards protect against security threats? How can human safeguards protect against security threats? What is necessary for disaster preparedness? How should organizations respond to security incidents? How does knowledge from this chapter help you at DSI?

4 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke 12-4 Sources of Security Threats Human errors and mistakes – Accidental problems – Poorly written programs – Poorly designed procedures – Physical accidents Malicious human activity – Intentional destruction of data – Destroying system components – Hackers – Virus and worm writers – Criminals – Terrorists

5 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke 12-5 Sources of Security Threats, continued Natural events and disasters – Fires, floods, hurricanes, earthquakes, tsunamis,avalanches, tornados – Initial losses of capability – Losses from recovery actions

6 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke 12-6 Types of Problems Unauthorized data disclosure – Human error Posting private information in public place Placing restricted information on searchable Web sites Inadvertent disclosure – Malicious release Pretexting Phishing Spoofing Sniffing Breaking into networks

7 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke 12-7 Types of Problems, continued Incorrect data modifications – Human errors Incorrect entries and information Procedural problems – Incorrect data modifications Systems errors – Hacking – Faulty recovery actions Faulty Service – Incorrect systems operations – Usurpation

8 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke 12-8 Types of Problems, continued Denial of service – Human error – Attacks Loss of infrastructure – Accidental – Theft – Terrorism – Natural disasters

9 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke 12-9 MIS in Use: Phishing for Credit Card Accounts Phishing – Operation that spoofs legitimate companies in an attempt to get credit card information, driver’s licenses, and other data – Usually initiated by e-mail request Designed to cause you to click Asks for personal data May install spyware, malware, adware – Defenses Know your purchases and deal directly with vendors Implausibility of e-mail Don’t be misled by legitimate-looking graphics, addresses

10 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke 12-10 Elements of a Security Program Senior management involvement – Must establish a security policy – Manage risk Balancing costs and benefits Safeguards – Protections against security threats Incident response – Must plan for prior to incidents

11 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke 12-11 Technical Safeguards Involves hardware and software components User names and passwords – Identification – Authentication Smart cards – Personal identification number (PIN) Biometric authentication – Fingerprints, facial scans, retina scans Single sign-on

12 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke 12-12 Technical Safeguards, continued Malware – Viruses – Worms – Trojan horses – Spyware programs – Adware Malware safeguards – Antivirus and anti-spyware programs – Scan hard drive and e-mail – Update definitions – Open e-mail attachments only from known sources – Install updates promptly – Browse only reputable Web sites

13 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke 12-13 Security Threat Protection by Data Safeguards Data administration – Organization-wide function Develops data policies Enforce data standards Database administration – Database function Procedures for multi-user processing Change control to structure Protection of database

14 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke 12-14 Data Safeguards Encryption keys – Key escrow Backup copies – Store off-premise – Check validity Physical security – Lock and control access to facility – Maintain entry log Third party contracts – Safeguards are written into contracts – Right to inspect premises and interview personnel

15 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke 12-15 Human Safeguards People and procedure component Access restriction requires authentication and account management User accounts considerations – Define job tasks and responsibility – Separate duties and authorities – Grant least possible privileges – Document security sensitivity Hiring and screening employees

16 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke 12-16 Human Safeguards, continued Employees need to be made aware of policies and procedures – Employee security training Enforcement of policies – Define responsibilities – Hold employees accountable – Encourage compliance – Management attitude is crucial Create policies and procedures for employee termination – Protect against malicious actions in unfriendly terminations – Remove user accounts and passwords

17 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke 12-17 Non-Employee Personnel Temporary personnel and vendors – Screen personnel – Training and compliance – Contract should include specific security provisions – Provide accounts and passwords with the least privileges Public users – Harden Web site and facility – Take extraordinary measures to reduce system’s vulnerability Partners and public that receive benefits from system – Protect these users from internal company security problems

18 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke 12-18 Account Administration Account management procedures – Creation of new accounts, modification of existing accounts, removal of terminated accounts Password management – Acknowledgment forms – Change passwords frequently Help-desk policies – Authentication of users who have lost password – Password should not be e-mailed

19 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke 12-19 Guide: Metasecurity Metadata is data about data Securing the security system – Accounting controls – Storage of file accounts and passwords – Encryption and keys Use temporary keys Encourage reporting of flaws – Using white hats Do you trust them? What do you do with them when they’ve completed their check of system? – Code control

20 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke 12-20 Information Systems Safety Procedures Procedure types – Normal operations – Backup – Recovery Should be standardized for each procedure type Each procedure type should be defined for both system users and operations personnel – Different duties and responsibilities – Varying needs and goals

21 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke 12-21 Security Monitoring Activity log analyses – Firewall logs – DBMS log-in records – Web server logs Security testing – In-house and external security professionals Investigation of incidents – How did the problem occur? Lessons learned – Indication of potential vulnerability and corrective actions

22 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke 12-22 Disaster Preparedness Disaster – Substantial loss of infrastructure caused by acts of nature, crime, or terrorism Best safeguard is location of infrastructure Backup processing centers in geographically removed site Create backups for critical resources – Hot and cold sites – Train and rehearse cutover of operations

23 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke 12-23 Incident Response Organization must have plan – Detail reporting and response – Centralized reporting of incidents Allows for application of specialized expertise Speed is of the essence – Preparation pays off Identify critical employees and contact numbers Training is vital – Practice incidence response

24 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke 12-24 How Does Knowledge from This Chapter Help You at DSI? Use it personally – Limit DSI’s exposure – Limit your own exposure – Create strong passwords Follow appropriate data procedures – Do not store sensitive data on computer – Limit data on laptops – Recognize phishing attacks Send information on disaster preparedness and incidence response to management

25 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke 12-25 Active Review What are the sources and types of security threats? What are the elements of a security program? How can technical safeguards protect against security threats? How can data safeguards protect against security threats? How can human safeguards protect against security threats? What is necessary for disaster preparedness? How should organizations respond to security incidents? How does knowledge from this chapter help you at DSI?

Download ppt "Chapter 12 Information Security Management © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke."

Similar presentations

Information Security Management Chapter 12. 12-2 “We Have to Design It for Privacy and Security.” Copyright © 2014 Pearson Education, Inc. Publishing.

Information Security Management Chapter “We Have to Design It for Privacy and Security.” Copyright © 2014 Pearson Education, Inc. Publishing.
Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.

Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.
1 MIS 2000 Class 22 System Security Update: Winter 2015.

1 MIS 2000 Class 22 System Security Update: Winter 2015.
Crime and Security in the Networked Economy Part 4.

Crime and Security in the Networked Economy Part 4.
Information Security Management Chapter 12. 12-2 “We Have to Design It for Privacy and Security. ” Tension between Maggie and Ajit regarding terminology.

Information Security Management Chapter “We Have to Design It for Privacy and Security. ” Tension between Maggie and Ajit regarding terminology.
Information System protection and Security. Need for Information System Security §With the invent of computers and telecommunication systems, organizations.

Information System protection and Security. Need for Information System Security §With the invent of computers and telecommunication systems, organizations.
Using Your Knowledge – Security Threats

Using Your Knowledge – Security Threats
Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.

Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.
Chapter 4 McGraw-Hill/Irwin Copyright © 2011 by The McGraw-Hill Companies, Inc. All rights reserved. Ethics and Information Security.

Chapter 4 McGraw-Hill/Irwin Copyright © 2011 by The McGraw-Hill Companies, Inc. All rights reserved. Ethics and Information Security.
© Pearson Prentice Hall 2009 12-1 Using MIS 2e Chapter 12 Information Security Management David Kroenke.

© Pearson Prentice Hall Using MIS 2e Chapter 12 Information Security Management David Kroenke.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Information Security Management

Information Security Management
Security, Privacy, and Ethics Online Computer Crimes.

Security, Privacy, and Ethics Online Computer Crimes.
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
1 Management Information Systems Information Security Management Chapter 12.

1 Management Information Systems Information Security Management Chapter 12.
1 Using Management Information Systems David Kroenke Information Security Management Chapter 11.

1 Using Management Information Systems David Kroenke Information Security Management Chapter 11.
Copyright © 2002 Pearson Education, Inc. Slide 5-1 PERTEMUAN 8.

Copyright © 2002 Pearson Education, Inc. Slide 5-1 PERTEMUAN 8.

Similar presentations

Ads by Google