Environment for Information Security: Distributed computing, Decentralization of IS function, ...

Page 1

Environment for Information Security

Distributed computing

Decentralization of IS function

Outsourcing

Page 2

Environment for Information Security

Close relationships with suppliers and customers

Portable computers

Internet connections

Page 3

Role of Information Security

Ensure availability of valid information when users need it to run the business

Protect confidentiality of sensitive corporate information

Protect the privacy of users

Page 4

Role of Information Security

Protect information assets from unauthorized modification

Ensure ability to continue operation in event of a disaster

Page 5

What Needs to be Protected?

Not all information has same value or importance

Classify the sensitivity of both information and applications

Page 6

What Needs to be Protected?

Estimate costs to the business if an application were unavailable for one day, two days, or longer

Estimate damage if competitor gains access or information becomes corrupted

Page 7

Reappraisal Issues

What are the threats and risks?

Who or what is the enemy?

What are the targets?

Who “owns” the targets?

Page 8

Reappraisal Issues

How vulnerable are the targets?

How much loss can the company bear?

Which assets are not worth protecting?

Page 9

Technologies for Security

Expert systems and neural networks

– recognizing patterns of behavior

– configuring human interface to suit individual users and their permitted accesses

Page 10

Technologies for Security

Expert systems and neural networks

– detection of intrusion through sensors

– reconfiguring networks and systems to maintain availability and circumvent failed components

Page 11

Technologies for Security

Smart cards

– contain own software and data

– recognize signatures, voices

– store personal identification information

– may use cryptographic keys

Personal communications numbers

Page 12

Technologies for Security

Voice recognition

Wireless tokens

Prohibited password lists

Third party authentication

Page 13

Threats to Security

Document imaging systems

– reading and storing images of paper documents

– character recognition of texts for abstracting and indexing

– retrieval of stored documents by index entry

Page 14

Threats to Security

Document imaging systems (cont’d.)

– manipulation of stored images

– appending notes to stored images through text, voice

– workflow management tools to program the distribution of documents

Page 15

Threats to Security

Massively parallel mini-supercomputers

– used for signal processing, image recognition, large-scale computation, neural networks

– can be connected to workstations, file servers, local area networks

– good platform for cracking encryption codes

Page 16

Threats to Security

Neural networks

– can “learn” how to penetrate a network or computer system

Wireless local area networks

– use radio frequencies or infrared transmission

– subject to signal interruption or message capture

Page 17

Threats to Security

Wide area network radio communications

– direct connectivity no longer needed to connect to a network

– uses satellite transmission or radio/telephone technology, wireless modems

Page 18

Threats to Security

Videoconferencing

– open telephone lines can be tapped

Embedded systems

– computers embedded in mechanical devices

– potential to endanger customers

– potential to access host computers

Page 19

Threats to Security

Smart cards

– can be lost or damaged

Notebooks and palmtop computers

– subject to loss or theft

– wireless modems

Page 20

Defensive Measures

Frequent backups and storage of backups in secure areas

Highly restricted access to workflow management programs

Page 21

Defensive Measures

Password controls and user profiles

Unannounced audits of high-value documents

Restricted access at the document level

Page 22

What Security Services Are Required?

Policy and procedure development

Employee training, motivation, and awareness

Secure facilities and architectures

Page 23

What Security Services Are Required?

Security for applications

Ongoing operational administration and control

Procedural advisory services

Technical advisory services

Page 24

What Security Services Are Required?

Emergency response support

Compliance monitoring

Public relations

Page 25

Disaster Recovery Needs Assessment

Who should be involved?

– computer and network operations staff

– information security specialist

– systems analysts for mission-critical operations

– end users

– external consultants

Page 26

Disaster Recovery Needs Assessment

Assessing the disaster plan

– what kinds of disasters are anticipated?

– which applications are mission-critical?

– which computer/communications architectures are covered?

– when was the plan last updated?

Page 27

Disaster Recovery Needs Assessment

Assessing the disaster plan

– what is the annual cost for maintaining and operating the recovery strategy?

– what strategies are used?

– how often is the plan tested?

– would failure of mission-critical applications incur liability to other firms?

Page 28

Disaster Recovery Models

“Cold site” backup agreement with another firm specializing in backup services

“Hot site” backup through building or leasing another facility with excess capacity

Distributed processing backup

Replacement