chapter 5 securing the enterprise and business continuity information technology for management...

Copyright 2010 John Wiley & Sons, Inc.

Chapter 5

Securing the Enterprise and Business Continuity

Information Technology for ManagementImproving Performance in the Digital Economy

7th editionJohn Wiley & Sons, Inc.

Slides contributed by Dr. Sandra ReidChair, Graduate School of Business & Professor, Technology

Dallas Baptist University

Turban and

Volonino

5-1

Copyright 2010 John Wiley & Sons, Inc.

Chapter Outline

• 5.1 Data and Enterprise Security Incidents• 5.2 IS Vulnerabilities and Threats• 5.3 Fraud and Computer-Mediated Crimes• 5.4 IT Security Management Practices• 5.5 Network Security

5-2

Copyright 2010 John Wiley & Sons, Inc.

Chapter Outline (cont’d)

• 5.6 Internal Control and Compliance Management

• 5.7 Business Continuity and Disaster Recovery Planning

• 5.8 Auditing and Risk Management• 5.9 Managerial Issues

5-3

Copyright 2010 John Wiley & Sons, Inc.

Learning Objectives

1. Recognize the business and financial value of information security.

2. Recognize IS vulnerabilities, threats, attack methods, and cybercrime symptoms.

3. Describe the factors that contribute to risk exposure and methods to mitigate them.

4. Explain key methods of defending information systems, networks, and wireless devices.

5. Describe internal control and fraud and related legislation.

5-4

Copyright 2010 John Wiley & Sons, Inc.

Learning Objectives cont’d

6. Understand business continuity and disaster recovery planning methods.

7. Discuss the role of IT in defending critical infrastructures.

5-5

Copyright 2010 John Wiley & Sons, Inc. 5-6

Figure IT7eU

Copyright 2010 John Wiley & Sons, Inc.

ChoicePoint

• Problem – Personal & financial data of 145,000 individuals compromised

* Perpetrator sentenced & fined* $55M loss to company in fines, compensation to victims, lawsuits, & legal fees* Public loss of goodwill causes serious revenue losses

5-7

Copyright 2010 John Wiley & Sons, Inc.

Figure 5.1

5-8

Impact of data breach on ChoicePoint’s stock price.

Copyright 2010 John Wiley & Sons, Inc.

ChoicePoint (cont’d)

• Solution – Implement new procedures to ensure that consumers are protected from illegitimate access to personal data.

* Establish & maintain comprehensive information security program.* Obtain audits by independent third-party security professionals.

5-9

Copyright 2010 John Wiley & Sons, Inc.

ChoicePoint (cont’d)

• Results – Business practices reformed.

* Security policies gained national attention.* Improved corporate governance.* Increased laws & government involvement.* Need for more improvement.

5-10

Copyright 2010 John Wiley & Sons, Inc.

ChoicePoint Suffers….Dramatically with Data Breach

5-11

ChoicePoint data leak losses exceed $55M

ChoicePoint's data breach losses reach $26.4M

Relatively big breaches and one huge but not confirmed

Copyright 2010 John Wiley & Sons, Inc. 5-12

5.1 Data and Enterprise Security Incidents

Copyright 2010 John Wiley & Sons, Inc.

Table 5.1

5-13

Copyright 2010 John Wiley & Sons, Inc.

Internal Threats

5-14

Veterans Affairs Data Theft

TJX says 45.7 million customer records were compromised

Bank Group Sues TJX over Data Breach.(Massachusetts Bankers Association, TJX Companies Inc.)

Data Breach Reported at Walter Reed Medical Center

Staten Island University Hospital Patients Personal Records Stolen In December

University Of California At San Francisco Patients Records Exposed

$100 Million Data Breach at US Department of Veterans Affairs

Copyright 2010 John Wiley & Sons, Inc.

Internal IT Threats – cont’d

5-15

The Top 5 Internal Security Threats The 25 Most Common Mistakes in Email Security

Deconstructing a 20 Billion Message Spam Attack

Positive Security: Worth The Work?

Insider Threats: Beware the Enemy from Within

Change Management: A Required Element of Business Transformation

Copyright 2010 John Wiley & Sons, Inc.

IT Governance

5-16

Information Governance: The Cost, The Risk, The Value

Information Governance: Strategy, Best Practices, Results

IT Governance Trends

Copyright 2010 John Wiley & Sons, Inc.

Government Regulation

5-17

The Sarbanes-Oxley Act

Gramm-Leach-Bliley Act

Federal Information Security Management Act

USA Patriot Act

Canada’s Personal Information Protection and Electronic Documents Act

Copyright 2010 John Wiley & Sons, Inc.

Industry Standards

5-18

Summary of “Information Security: A CompTIA Analysis of IT Security and the Workforce

Copyright 2010 John Wiley & Sons, Inc.

Breakdowns Beyond Company Control

5-19

E-Payment Provider Hit With Denial-Of-Service

BOMA honors Verizon for actions taken on Sept. 11

7 World Trade Center

Copyright 2010 John Wiley & Sons, Inc.

Figure 5.2

5-20

Lower Manhattan, the most communications-intensive real estate in the world. (Photo courtesy of Verizon Communications. Used with permission.)

Copyright 2010 John Wiley & Sons, Inc.

Figure 5.3

5-21

Verizon’s Central Office (CO) at 140 West St., harpooned by steel girders. (Photo courtesy of Verizon Communications. Used with permission.)

Copyright 2010 John Wiley & Sons, Inc.

Cybercrime

5-22

Cyber Crime Growing Global Threat

The New Face of Cybercrime

Cyber Crime Toolkits

FBI on fighting cyber crime

Fight against cyber crime intensifies - 27 Apr 08

Copyright 2010 John Wiley & Sons, Inc.

Figure 5.4

5-23

Enterprise wide information security and internal control model.

Copyright 2010 John Wiley & Sons, Inc.

Table 5.2

5-24

Copyright 2010 John Wiley & Sons, Inc. 5-25

5.2 IS Vulnerabilities and Threats

Copyright 2010 John Wiley & Sons, Inc.

Unintentional or not – IT Security Threats?

5-26

Hunting The Hackers

Stolen data on 'crime server'

Top 5 Social Engineering Techniques

Hacker Speak

Hackers - A Brief Look Into Their World

Copyright 2010 John Wiley & Sons, Inc.

Methods of Attack

5-27

A Brief History of Malware and Cybercrime

How You Can Fight Cybercrime

How Organized Crime Uses Technology to Make Money

Top 10 Security Stories Of 2008

Computer virus

Copyright 2010 John Wiley & Sons, Inc.

Figure 5.5 - How a computer virus can spread.

5-28

THE HISTORY OF COMPUTER VIRUSES – for chronology….

Copyright 2010 John Wiley & Sons, Inc. 5-29

5.3 Fraud and Computer-Mediated Crimes

Copyright 2010 John Wiley & Sons, Inc.

Table 5.3

5-30

Copyright 2010 John Wiley & Sons, Inc.

Fraud

5-31

ANALYZING Organizational Fraud

Adelphia founder John Rigas found guilty

Ex-Tyco executives get up to 25 years in prison

Copyright 2010 John Wiley & Sons, Inc.

Table 5.4

5-32

Copyright 2010 John Wiley & Sons, Inc.

Fraud Trends

5-33

Top Ten Cyber Security Menaces for 2008

Copyright 2010 John Wiley & Sons, Inc. 5-34

5.4 IT Security Management Practices

Copyright 2010 John Wiley & Sons, Inc.

Figure 5.6

5-35

Major defense controls.

Copyright 2010 John Wiley & Sons, Inc.

Table 5.5

5-36

Copyright 2010 John Wiley & Sons, Inc.

Figure 5.7

5-37

Intelligent agents. (Source: Courtesy of Sandia National Laboratories.)

Copyright 2010 John Wiley & Sons, Inc. 5-38

5.5 Network Security

Copyright 2010 John Wiley & Sons, Inc.

Figure 5.8

5-39

Three layers of network security measures.

Copyright 2010 John Wiley & Sons, Inc.

Network Authentication & Authorization

5-40

How Firewalls Work

How Phishing Works

Protection from Phishers

Copyright 2010 John Wiley & Sons, Inc.

Figure 5.9

5-41

Where the defense mechanisms are located.

Copyright 2010 John Wiley & Sons, Inc.

War Driving

5-42

War Driving (hacking WiFi)

Wardriving Documentary

Wireless Hack Data Breach www.IDTheftSecurity.com

Copyright 2010 John Wiley & Sons, Inc. 5-43

5.6 Internal Control & Compliance Management

Copyright 2010 John Wiley & Sons, Inc.

Figure 5.10

5-44

Increasing role of IT in internal control.

Copyright 2010 John Wiley & Sons, Inc.

Table 5.6

5-45

Copyright 2010 John Wiley & Sons, Inc.

WorldWide Anti-Fraud Regulations

5-46

Financial Services Authority

U.S. Securities and Exchange Commission

Basel II Accord

Copyright 2010 John Wiley & Sons, Inc. 5-47

5.7 Business Continuity & Disaster Recovery Planning

Copyright 2010 John Wiley & Sons, Inc.

Figure 5.11

5-48

Business continuity services managed by IBM. (Courtesy of IBM)

Copyright 2010 John Wiley & Sons, Inc. 5-49

5.9 Managerial Issues

Copyright 2010 John Wiley & Sons, Inc.

Managerial Issues

• Value to business of IT security & internal control?• Legal obligations?• Important to management beginning at top?• Acceptable use policies & security awareness training?• Digital assets relied upon for competitive advantage?• What does risk management involve?• Impacts of IT security breaches?• Federal & state regulations.• Internal control.

5-50

Copyright 2010 John Wiley & Sons, Inc.

Copyright 2010 John Wiley & Sons, Inc.

All rights reserved. Reproduction or translation of this work beyond that permitted in section 117 of the 1976 United States Copyright Act without express permission of the copyright owner is unlawful. Request for further information should be addressed to the Permission Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages caused by the use of these programs or from the use of the Information herein.

5-51