l9 - Security
Transcript of l9 - Security
8/3/2019 l9 - Security
SECURITY & ETHICAL ISSUES
4/29/2012
ISSUES & CONCERNS
Information systems are all encompassing
They contain enormous amounts of organizational assets (they process all kinds of data)
H-ware & S-ware are valuable assets in themselves
Contain vital information
Contain sensitive personal & private information which should not be viewed by unauthorized personnel
WHAT TO SECURE?
Control the loss of assets
Ensure integrity & reliability of data
Improve efficiency / effectiveness of the data
To ensure all these, the manager must make sure that all risks are identified and appropriate security controls applied
DANGERS
Natural disasters
Thieves
Industrial spies
Disgruntled employees
Computer viruses
Accidents
Poorly trained & naive employees
RISK
Could be total or partial monetary loss due to loss of information
Manager needs to understand & calculate the cost of securing a system against the money lost if it is harmed
Compute the loss that could occur with the probability of the occurrence
Basic question is how the organization will respond to a specific loss (i.e. how valuable is the asset)
Potential loss due to loss of data or an inaccurate system, which produces incorrect reports
COMMON CONTROLS
Physical controls: locks on doors, keyboards etc. Also ways to control natural threats from heat, dust, fire etc.
Electronic controls: heat, motion, humidity sensors, log-on ID, passwords, hand/voice/retina print controls
Software controls: programming code to prevent errors, controls on login beyond working hours, monitoring who logs on and when
Management controls: enforced backups, necessary employee training
Some of these may be simple, implemented by the manager, but others may require specialists
NATURAL DISASTERS
Floods, water damage, earthquakes, tornadoes, hurricanes, wind & storm damage
Disaster prevention
Backup power supplies, special building materials & locations, drainage systems or special construction
Disaster containment
Contingency plans in place, in case something happens
Hot site recovery firms provide a computer facility for others which can be used almost immediately
EMPLOYEE ERRORS
Accidental formatting of hard disk instead of floppy
Incorrect data entry (price, or salary etc.), which might be connected to many files & programs, compounding the error
Logical errors, like rounding off of whole numbers on spreadsheets, resulting in major losses
COMPUTER CRIMES LIKE FRAUD, FORGERY & THEFT CAN HAPPEN FROM WITHIN THE ORGANIZATION OR FROM OUTSIDE
INDUSTRIAL ESPIONAGE
Using scanners or phone taps to get faxes of important documents
Dial-in access can be misused by spies
Laptops or notebooks could be physically stolen to capture the data they contain
HACKING
Unauthorized entry into computer systems
Infecting the system by sending viruses, stealing data, damaging it or vandalizing it
COMPUTER VIRUSES
A virus is a hidden program that inserts itself into your computer system and forces the system to clone it. It can travel over the network to all other computers connected to it.
Some viruses disguise themselves as utility programs
May result in modifying data, erasing files, formatting disks
Infection can come through email, or through any website
Some viruses may lie dormant and start reproducing at a particular time
Best way to counter them is to use more than one anti-virus program, and regularly upgrade them
H-WARE, S-WARE THEFT
Any loss of hardware means loss of the data on the h-ware as well. This could be many times more than the cost of the h-ware that was stolen
Software piracy is rampant in many countries. Also many individuals indulge in it by copying programs from the office for home use, without registering
PRIVACY VIOLATIONS
Privacy is the capacity of individuals or organizations to control information about themselves. Privacy rights imply that the types and amount of data that may be collected about individuals or organizations is limited; that individuals & organizations have the ability to access, examine & correct the data stored about them; and that disclosure, use or dissemination of those data is limited
Privacy also includes e-mail messages
EDI is also an issue, as it contains important financial information
Hard copies should be shredded & disks demagnetized & shredded
Automatic screen blanking to ensure that no one passing by can view the screen of a computer left running
SECURING INFO SYSTEM FACILITIES
Systems on higher floors
Install pumps for water
Backup at another site
Buy insurance
Special construction
Store info off-site
Fire extinguishers, smoke detectors
Surge protectors
Humidifiers
UPS
Orderly shut downs
Dedicated power lines for major computer systems
Waterproof covers
Air filters / conditioners
Window bars & proper locks
Alarm systems, CCTVs
Security guards
Bond employees
Screen job applicants
Develop procedures for disgruntled employees
Use IDs, passwords
COMMUNICATION SYSTEMS
Line conditioning / shielding
Error detection & correction methods
Redundant lines & backup transmission lines
Archived files
Firewalls
Auditing software
Insurance
Log of h-ware & line failures
User ID, passwords
Modem dial-back
Access logs of users & terminals, including invalid access logs
Lockout after hours
Encryption of transmitted passwords
Encrypted data transmission
Restrict access to other file directories & files
Terminals in secure areas
Train comm. employees
Enforce info sys compatibility standards
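One way to implement two of the controls listed above and on the software controls slide (monitoring who logs on and when, lockout after hours, and review of invalid access logs), as an added Python example that is not part of the lecture. The log format, the 08:00-18:00 working-hours window and the failure threshold are assumptions, and the log records are constructed.

```python
from collections import Counter
from datetime import datetime, time

# Assumed working hours and failure threshold (not from the lecture).
WORK_START = time(8, 0)
WORK_END = time(18, 0)
FAIL_THRESHOLD = 3

# Constructed sample access log, one "date time user terminal result" per line.
SAMPLE_LOG = """\
2012-04-29 09:15:02 alice T01 OK
2012-04-29 12:40:11 bob T02 FAIL
2012-04-29 12:40:30 bob T02 FAIL
2012-04-29 12:41:05 bob T02 FAIL
2012-04-29 12:41:40 bob T02 OK
2012-04-29 23:05:17 carol T03 OK
2012-04-30 02:12:00 dave T01 FAIL
2012-04-30 07:59:59 erin T04 OK
"""

def parse_line(line):
    """Split one log record into its fields; 'ok' is True for a successful logon."""
    date, clock, user, terminal, result = line.split()
    when = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    return {"when": when, "user": user, "terminal": terminal, "ok": result == "OK"}

def outside_working_hours(when):
    """True if the timestamp falls outside the assumed working-hours window."""
    return not (WORK_START <= when.time() < WORK_END)

def audit(log_text):
    """Return after-hours logons, invalid-access counts and repeated failures."""
    after_hours = []          # any logon attempt outside working hours
    failures = Counter()      # invalid access attempts per (user, terminal)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if outside_working_hours(rec["when"]):
            after_hours.append((rec["user"], rec["terminal"], rec["when"].isoformat(sep=" ")))
        if not rec["ok"]:
            failures[(rec["user"], rec["terminal"])] += 1
    # Repeated failures on one terminal are what an auditor would review first.
    repeated = {key: n for key, n in failures.items() if n >= FAIL_THRESHOLD}
    return {"after_hours": after_hours, "invalid_access": dict(failures), "repeated_failures": repeated}

if __name__ == "__main__":
    for section, rows in audit(SAMPLE_LOG).items():
        print(section, rows)
```

A successful logon after hours (carol at 23:05) is reported as well as the failed ones, since the after-hours lockout control is about when access happens, not only whether it succeeded.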
SECURING INFORMATION SYSTEMS
Make or buy
Compare costs
Compare functions
Compare installation & implementation
Check maintenance & up-gradation - how and when, and how secure it is
What if vendor goes out of business
What if vendor bought by a competitor
TESTING & EVALUATING S-WARE
Appropriateness: how suitable to the company's requirements
Stability: compatible with all possible platforms
Security features: automatic backups, encryption, decryption, password protection
Access & update security: restrict access & control fraudulent changes in code
Input/output controls: data validation; GIGO - reduces input of inaccurate data or re-entry
Outputs should reach the right person & not unauthorized ones
Process controls: faulty logic or other incorrect formulae
Cured by exception reports, end-of-file checks, sequence checks
ETHICAL / PRIVACY ISSUES
Ethics is the moral quality of a course of action, mostly illegal behavior
Copying copyrighted software
Privacy deals with how personal data is used
Reading others' email
Selling data to others
Using data for purposes other than what it was actually meant for
Thank you
Practice Questions
Q1. List and explain the common threats to computer systems
Q2. Explain how client / server information systems can help managers
Q3. Give some recommendations for managing passwords
Q4. What are viruses and hacking?
Q5. List the common threats and controls for information technology