IS 425 Enterprise Information I LECTURE 3 Autumn 2004-2005 2004 Norma Sutcliffe.
IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.
-
date post
21-Dec-2015 -
Category
Documents
-
view
215 -
download
0
Transcript of IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.
![Page 1: IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.](https://reader033.fdocuments.in/reader033/viewer/2022051415/56649d5f5503460f94a3f62e/html5/thumbnails/1.jpg)
IS 425
Enterprise Information LECTURE 3
Winter 2006-2007
![Page 2: IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.](https://reader033.fdocuments.in/reader033/viewer/2022051415/56649d5f5503460f94a3f62e/html5/thumbnails/2.jpg)
IS425 Winter 2004-2005 Session 3 2
Agenda
IT architecture & infrastructure (cont.) Exercise reviewing Week 2 materials Risk Management Analysis Primer Software Development / Architecting Security Disaster Recovery
![Page 3: IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.](https://reader033.fdocuments.in/reader033/viewer/2022051415/56649d5f5503460f94a3f62e/html5/thumbnails/3.jpg)
IS425 Winter 2004-2005 Session 3 3
![Page 4: IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.](https://reader033.fdocuments.in/reader033/viewer/2022051415/56649d5f5503460f94a3f62e/html5/thumbnails/4.jpg)
IS425 Winter 2004-2005 Session 3 4
![Page 5: IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.](https://reader033.fdocuments.in/reader033/viewer/2022051415/56649d5f5503460f94a3f62e/html5/thumbnails/5.jpg)
IS425 Winter 2004-2005 Session 3 5
Hot Topics from Week 2 Web 2.0 Storage consolidation –server
virtualization Staffing for PM positions E-commerce Business intelligence (data
mining) Quality assurance IT information management IT staffing with business
knowledge Growing the business Information & data security,
identity management
Disaster recovery Service oriented architecture Portfolio management IT offshore outsourcing and IT
skills Service oriented architecture Regulatory Compliance Reduce architecture
complexity Information and data security Software as service
![Page 6: IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.](https://reader033.fdocuments.in/reader033/viewer/2022051415/56649d5f5503460f94a3f62e/html5/thumbnails/6.jpg)
IS425 Winter 2004-2005 Session 3 6
ExerciseHow do you reconcile the issue rankings below from 1996 to the
“hot topics” that we discussed last week? What pressures are different and what pressures are the same for
the issues and topics?1. Building a responsive IT infrastructure2. Facilitating and Managing Business Process Redesign3. Developing and managing distributed systems4. Developing and implementing an information architecture5. Planning and managing communication networks6. Improving the effectiveness of software development7. Making effective use of the data resource8. Recruiting and developing IS human resources9. Aligning the IS organization within the enterprise10. Improving IS strategic planning11. Implementing and managing collaborative support systems12. Measuring IS effectiveness and productivity
![Page 7: IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.](https://reader033.fdocuments.in/reader033/viewer/2022051415/56649d5f5503460f94a3f62e/html5/thumbnails/7.jpg)
IS425 Winter 2004-2005 Session 3 7
The Debate
Discussion Forum “Debate Topics”. If you have a topic that you would like to
debate – add a message giving a short description of the topic.
If you see a topic that interests you particularly – reply to the topic message stating you are interested giving your section number and your group’s name.
![Page 8: IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.](https://reader033.fdocuments.in/reader033/viewer/2022051415/56649d5f5503460f94a3f62e/html5/thumbnails/8.jpg)
IS425 Winter 2004-2005 Session 3 8
This Session
Software engineering/architecting is about ensuring that certain thing happen
Security engineering is about ensuring that certain things do NOT happen
![Page 9: IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.](https://reader033.fdocuments.in/reader033/viewer/2022051415/56649d5f5503460f94a3f62e/html5/thumbnails/9.jpg)
IS425 Winter 2004-2005 Session 3 9
Risk Management Analysis Primer
A process for assessing threats and determining which ones to
ignore, reduce, eliminate
level of feasible support for efforts to reduce and eliminate
![Page 10: IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.](https://reader033.fdocuments.in/reader033/viewer/2022051415/56649d5f5503460f94a3f62e/html5/thumbnails/10.jpg)
IS425 Winter 2004-2005 Session 3 10
Risk Management Analysis Primer
Expected Loss or EL = P1 x P2 x L
where:
P1 = Probability of attack
P2 = Probability attack is successful
L = Loss occurring is attack is successful
PC = Prevention costs
If EL < PC then ignore
If EL > PC then investing in PC is reasonable
![Page 11: IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.](https://reader033.fdocuments.in/reader033/viewer/2022051415/56649d5f5503460f94a3f62e/html5/thumbnails/11.jpg)
IS425 Winter 2004-2005 Session 3 11
Risk Analysis Steps
![Page 12: IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.](https://reader033.fdocuments.in/reader033/viewer/2022051415/56649d5f5503460f94a3f62e/html5/thumbnails/12.jpg)
IS425 Winter 2004-2005 Session 3 12
Enterprise Architecture Business (process) architecture
Business strategy Governance Organization Key business processes (BPs)
Information Technology (IT) architecture Software infrastructure supporting BPs
Information (Data) architecture Logical and physical data assets Data management resources
Software/Application architecture Internal physical structure Problem models to aid developing implementation-independent
models
![Page 13: IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.](https://reader033.fdocuments.in/reader033/viewer/2022051415/56649d5f5503460f94a3f62e/html5/thumbnails/13.jpg)
IS425 Winter 2004-2005 Session 3 13
Software Development/Architecting
The design on a system from multiple viewpoints – some common are: Technology stack (physical) view Object (data) view Use (behavioral) view
But need to see attributes such as: Modifiability, Build-ability, Security, Reliability, Performance, Business-oriented qualities.
![Page 14: IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.](https://reader033.fdocuments.in/reader033/viewer/2022051415/56649d5f5503460f94a3f62e/html5/thumbnails/14.jpg)
IS425 Winter 2004-2005 Session 3 14
Software Development/Architecting
The architectural view is a component or subsystem view of the system
Module approach where a module is something that can be replaced by another implementation without causing other elements to change.
Relatively small amounts of information are exchanged between modules.
Modules are loosely coupled Allows concurrent development
![Page 15: IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.](https://reader033.fdocuments.in/reader033/viewer/2022051415/56649d5f5503460f94a3f62e/html5/thumbnails/15.jpg)
IS425 Winter 2004-2005 Session 3 15
Software Development/Architecting
Software Architecture definitions-- 1. the description of the elements that compose the system, their
interactions, the patterns and principles that guide their composition and design, and the constraints on those patterns.
2. The observable properties of a software system (aka the form of the system) including:
1. Static forms2. Dynamic forms
3. Encompasses OO and Analysis methodologies
Software Architecting means process of creating software architectures.
![Page 16: IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.](https://reader033.fdocuments.in/reader033/viewer/2022051415/56649d5f5503460f94a3f62e/html5/thumbnails/16.jpg)
IS425 Winter 2004-2005 Session 3 16
Software Development/Architecting
VIEWS have PHASES which Distinct – once completed Never Overlap Contain ACTIVITIES which
Overlap Repeat Can contain many non-decomposable STEPS Part of problem-specific TASKS
![Page 17: IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.](https://reader033.fdocuments.in/reader033/viewer/2022051415/56649d5f5503460f94a3f62e/html5/thumbnails/17.jpg)
IS425 Winter 2004-2005 Session 3 17
Software Product Life Cycle
Management View
Software Engineering View
EngineeringDesign View
ArchitecturalView
![Page 18: IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.](https://reader033.fdocuments.in/reader033/viewer/2022051415/56649d5f5503460f94a3f62e/html5/thumbnails/18.jpg)
IS425 Winter 2004-2005 Session 3 18
Management View
Phases constitute a development cycle
Inception when need identified Gathering or capturing
requirements aka specification of requirements
Construction when product is implemented (coded), unit tested & system tested
When transitioned to users--
![Page 19: IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.](https://reader033.fdocuments.in/reader033/viewer/2022051415/56649d5f5503460f94a3f62e/html5/thumbnails/19.jpg)
IS425 Winter 2004-2005 Session 3 19
Software Engineering View Multiple chains of activities
running concurrently & overlapping
Inputs to activities are “whats” Outputs are “hows” RAS – understand the actual
problems Design – transforming reqs into
a technically feasible solution I & T – source code D & M – to users
![Page 20: IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.](https://reader033.fdocuments.in/reader033/viewer/2022051415/56649d5f5503460f94a3f62e/html5/thumbnails/20.jpg)
IS425 Winter 2004-2005 Session 3 20
Engineering Design View
Taken from mechanical engineering Phases are sequential but can be
overlapping Information flows from phase to phase PP –problem is defined and req list
created CD –problem analyzed and solution
concepts created/revised ED –main design or draft design DD –physical arrangement, dimensions
and other material properties are specified
![Page 21: IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.](https://reader033.fdocuments.in/reader033/viewer/2022051415/56649d5f5503460f94a3f62e/html5/thumbnails/21.jpg)
IS425 Winter 2004-2005 Session 3 21
Architectural View
Phases are sequential and milestone driven
Product planning and study the entire enterprise context
DA- understand completely needs of acquirers and users
SD- prepares the architectural-level design DD- refining the architectural description
and selecting among alternative designs BP- construct system
![Page 22: IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.](https://reader033.fdocuments.in/reader033/viewer/2022051415/56649d5f5503460f94a3f62e/html5/thumbnails/22.jpg)
IS425 Winter 2004-2005 Session 3 22
Source: Verdon & McGraw: Risk analysis in software design, IEEE Security & Privacy, July 2004
![Page 23: IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.](https://reader033.fdocuments.in/reader033/viewer/2022051415/56649d5f5503460f94a3f62e/html5/thumbnails/23.jpg)
IS425 Winter 2004-2005 Session 3 23
Source: Verdon & McGraw: Risk analysis in software design, IEEE Security & Privacy, July 2004
![Page 24: IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.](https://reader033.fdocuments.in/reader033/viewer/2022051415/56649d5f5503460f94a3f62e/html5/thumbnails/24.jpg)
IS425 Winter 2004-2005 Session 3 24
Pulling It Together
If firms are trying to minimize costs why would they embrace “software architecting”?
Is there a possible relationship between software architecting and the value chain?
Is this type of software architecture prevalent now?
What kind of risk analysis can be done on a software development project?
![Page 25: IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.](https://reader033.fdocuments.in/reader033/viewer/2022051415/56649d5f5503460f94a3f62e/html5/thumbnails/25.jpg)
IS425 Winter 2004-2005 Session 3 25
Security Engineering
Definition == building systems to remain dependable in the face of Malice Error Mischance.
To mitigate, reduce, the effects of threats Unintentional Intentional
![Page 26: IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.](https://reader033.fdocuments.in/reader033/viewer/2022051415/56649d5f5503460f94a3f62e/html5/thumbnails/26.jpg)
IS425 Winter 2004-2005 Session 3 26
Security Threats
![Page 27: IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.](https://reader033.fdocuments.in/reader033/viewer/2022051415/56649d5f5503460f94a3f62e/html5/thumbnails/27.jpg)
IS425 Winter 2004-2005 Session 3 27
General Controls Physical controls
Physical design of data center to limit access and protect from elements
Access controls Restriction of unauthorized user access to a system
Data Security controls Protecting data
From disclosure to unauthorized persons From destruction/modification by unauthorized
Administrative Controls Issuing guidelines / monitoring compliance
Programming Controls Development/Testing standards and procedures
Application Controls Inputs/Processing/Output
![Page 28: IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.](https://reader033.fdocuments.in/reader033/viewer/2022051415/56649d5f5503460f94a3f62e/html5/thumbnails/28.jpg)
IS425 Winter 2004-2005 Session 3 28
Source: Verdon & McGraw: Risk analysis in software design, IEEE Security & Privacy, July 2004
![Page 29: IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.](https://reader033.fdocuments.in/reader033/viewer/2022051415/56649d5f5503460f94a3f62e/html5/thumbnails/29.jpg)
IS425 Winter 2004-2005 Session 3 29
What is the appropriate level?
Source: Chokhani: Trusted products evaluation, CACM, july 92
NCSC Guidelines
![Page 30: IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.](https://reader033.fdocuments.in/reader033/viewer/2022051415/56649d5f5503460f94a3f62e/html5/thumbnails/30.jpg)
IS425 Winter 2004-2005 Session 3 30
Source: Chokhani: Trusted products evaluation, CACM, july 92
![Page 31: IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.](https://reader033.fdocuments.in/reader033/viewer/2022051415/56649d5f5503460f94a3f62e/html5/thumbnails/31.jpg)
IS425 Winter 2004-2005 Session 3 31
Security Engineering Tools
Protocols Passwords Access controls Cryptography Distributed Systems Monitoring Systems
![Page 32: IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.](https://reader033.fdocuments.in/reader033/viewer/2022051415/56649d5f5503460f94a3f62e/html5/thumbnails/32.jpg)
IS425 Winter 2004-2005 Session 3 32
Encryption & Transaction SecuritySecret vs. Public Key Encryption
Secret-Key Encryption (single key) Symmetric encryption,
DES Use a shared secret key
for encryption and decryption
Key distribution & disclosure
fast, for bulk data encryption
Public-Key Encryption (Pair of keys) Asymmetric encryption,
RSA (Rivest, Shamin, Adlemann)
Private/Public keys Need digital certificates
and trusted 3rd parties Slower For less demanding
applications
![Page 33: IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.](https://reader033.fdocuments.in/reader033/viewer/2022051415/56649d5f5503460f94a3f62e/html5/thumbnails/33.jpg)
IS425 Winter 2004-2005 Session 3 33
Network Protection
To protect Internet and E-Commerce Most common security measures are:
Access control (PINs) Encryption Cable testers with protocol analyzers Firewall systems that enforce access control
between two networks
![Page 34: IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.](https://reader033.fdocuments.in/reader033/viewer/2022051415/56649d5f5503460f94a3f62e/html5/thumbnails/34.jpg)
IS425 Winter 2004-2005 Session 3 34
Internet security Consumers entering highly confidential information Number of security attacks increasing Four requirements of a secure transaction
Privacy – information not read by third party Integrity – information not compromised or altered Authentication – sender and receiver prove identities Non-repudiation – legally prove message was sent and
received Availability
Computer systems continually accessible
![Page 35: IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.](https://reader033.fdocuments.in/reader033/viewer/2022051415/56649d5f5503460f94a3f62e/html5/thumbnails/35.jpg)
IS425 Winter 2004-2005 Session 3 35
Disaster Recovery Planning Purpose is to keep business running after a
disaster. Backups –onsite and offsite Offsite computing arrangements made in
advance with hot-site vendors Offsite office arrangement made in advance
with cold-site vendors Critical applications identified and recovery
procedures addressed Written plan kept in several locations
![Page 36: IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.](https://reader033.fdocuments.in/reader033/viewer/2022051415/56649d5f5503460f94a3f62e/html5/thumbnails/36.jpg)
IS425 Winter 2004-2005 Session 3 36
Pulling It Together
What kind of aptitude does a security engineer need?
What skills does a security engineer need? What kind of aptitude does a software
engineer need? What skills does a software architect need? Are they different?
![Page 37: IS 425 Enterprise Information LECTURE 3 Winter 2006-2007.](https://reader033.fdocuments.in/reader033/viewer/2022051415/56649d5f5503460f94a3f62e/html5/thumbnails/37.jpg)
IS425 Winter 2004-2005 Session 3 37
Quiz Next Week
DL students should download the quiz from COL. Complete the form and then submit it on COL.