chapter 5 securing the enterprise and business continuity information technology for management...
TRANSCRIPT
Copyright 2010 John Wiley & Sons, Inc.
Chapter 5
Securing the Enterprise and Business Continuity
Information Technology for ManagementImproving Performance in the Digital Economy
7th editionJohn Wiley & Sons, Inc.
Slides contributed by Dr. Sandra ReidChair, Graduate School of Business & Professor, Technology
Dallas Baptist University
Turban and
Volonino
5-1
Copyright 2010 John Wiley & Sons, Inc.
Chapter Outline
• 5.1 Data and Enterprise Security Incidents• 5.2 IS Vulnerabilities and Threats• 5.3 Fraud and Computer-Mediated Crimes• 5.4 IT Security Management Practices• 5.5 Network Security
5-2
Copyright 2010 John Wiley & Sons, Inc.
Chapter Outline (cont’d)
• 5.6 Internal Control and Compliance Management
• 5.7 Business Continuity and Disaster Recovery Planning
• 5.8 Auditing and Risk Management• 5.9 Managerial Issues
5-3
Copyright 2010 John Wiley & Sons, Inc.
Learning Objectives
1. Recognize the business and financial value of information security.
2. Recognize IS vulnerabilities, threats, attack methods, and cybercrime symptoms.
3. Describe the factors that contribute to risk exposure and methods to mitigate them.
4. Explain key methods of defending information systems, networks, and wireless devices.
5. Describe internal control and fraud and related legislation.
5-4
Copyright 2010 John Wiley & Sons, Inc.
Learning Objectives cont’d
6. Understand business continuity and disaster recovery planning methods.
7. Discuss the role of IT in defending critical infrastructures.
5-5
Copyright 2010 John Wiley & Sons, Inc. 5-6
Figure IT7eU
Copyright 2010 John Wiley & Sons, Inc.
ChoicePoint
• Problem – Personal & financial data of 145,000 individuals compromised
* Perpetrator sentenced & fined* $55M loss to company in fines, compensation to victims, lawsuits, & legal fees* Public loss of goodwill causes serious revenue losses
5-7
Copyright 2010 John Wiley & Sons, Inc.
Figure 5.1
5-8
Impact of data breach on ChoicePoint’s stock price.
Copyright 2010 John Wiley & Sons, Inc.
ChoicePoint (cont’d)
• Solution – Implement new procedures to ensure that consumers are protected from illegitimate access to personal data.
* Establish & maintain comprehensive information security program.* Obtain audits by independent third-party security professionals.
5-9
Copyright 2010 John Wiley & Sons, Inc.
ChoicePoint (cont’d)
• Results – Business practices reformed.
* Security policies gained national attention.* Improved corporate governance.* Increased laws & government involvement.* Need for more improvement.
5-10
Copyright 2010 John Wiley & Sons, Inc.
ChoicePoint Suffers….Dramatically with Data Breach
5-11
ChoicePoint data leak losses exceed $55M
ChoicePoint's data breach losses reach $26.4M
Relatively big breaches and one huge but not confirmed
Copyright 2010 John Wiley & Sons, Inc. 5-12
5.1 Data and Enterprise Security Incidents
Copyright 2010 John Wiley & Sons, Inc.
Table 5.1
5-13
Copyright 2010 John Wiley & Sons, Inc.
Internal Threats
5-14
Veterans Affairs Data Theft
TJX says 45.7 million customer records were compromised
Bank Group Sues TJX over Data Breach.(Massachusetts Bankers Association, TJX Companies Inc.)
Data Breach Reported at Walter Reed Medical Center
Staten Island University Hospital Patients Personal Records Stolen In December
University Of California At San Francisco Patients Records Exposed
$100 Million Data Breach at US Department of Veterans Affairs
Copyright 2010 John Wiley & Sons, Inc.
Internal IT Threats – cont’d
5-15
The Top 5 Internal Security Threats The 25 Most Common Mistakes in Email Security
Deconstructing a 20 Billion Message Spam Attack
Positive Security: Worth The Work?
Insider Threats: Beware the Enemy from Within
Change Management: A Required Element of Business Transformation
Copyright 2010 John Wiley & Sons, Inc.
IT Governance
5-16
Information Governance: The Cost, The Risk, The Value
Information Governance: Strategy, Best Practices, Results
IT Governance Trends
Copyright 2010 John Wiley & Sons, Inc.
Government Regulation
5-17
The Sarbanes-Oxley Act
Gramm-Leach-Bliley Act
Federal Information Security Management Act
USA Patriot Act
Canada’s Personal Information Protection and Electronic Documents Act
Copyright 2010 John Wiley & Sons, Inc.
Industry Standards
5-18
Summary of “Information Security: A CompTIA Analysis of IT Security and the Workforce
Copyright 2010 John Wiley & Sons, Inc.
Breakdowns Beyond Company Control
5-19
E-Payment Provider Hit With Denial-Of-Service
BOMA honors Verizon for actions taken on Sept. 11
7 World Trade Center
Copyright 2010 John Wiley & Sons, Inc.
Figure 5.2
5-20
Lower Manhattan, the most communications-intensive real estate in the world. (Photo courtesy of Verizon Communications. Used with permission.)
Copyright 2010 John Wiley & Sons, Inc.
Figure 5.3
5-21
Verizon’s Central Office (CO) at 140 West St., harpooned by steel girders. (Photo courtesy of Verizon Communications. Used with permission.)
Copyright 2010 John Wiley & Sons, Inc.
Cybercrime
5-22
Cyber Crime Growing Global Threat
The New Face of Cybercrime
Cyber Crime Toolkits
FBI on fighting cyber crime
Fight against cyber crime intensifies - 27 Apr 08
Copyright 2010 John Wiley & Sons, Inc.
Figure 5.4
5-23
Enterprise wide information security and internal control model.
Copyright 2010 John Wiley & Sons, Inc.
Table 5.2
5-24
Copyright 2010 John Wiley & Sons, Inc. 5-25
5.2 IS Vulnerabilities and Threats
Copyright 2010 John Wiley & Sons, Inc.
Unintentional or not – IT Security Threats?
5-26
Hunting The Hackers
Stolen data on 'crime server'
Top 5 Social Engineering Techniques
Hacker Speak
Hackers - A Brief Look Into Their World
Copyright 2010 John Wiley & Sons, Inc.
Methods of Attack
5-27
A Brief History of Malware and Cybercrime
How You Can Fight Cybercrime
How Organized Crime Uses Technology to Make Money
Top 10 Security Stories Of 2008
Computer virus
Copyright 2010 John Wiley & Sons, Inc.
Figure 5.5 - How a computer virus can spread.
5-28
THE HISTORY OF COMPUTER VIRUSES – for chronology….
Copyright 2010 John Wiley & Sons, Inc. 5-29
5.3 Fraud and Computer-Mediated Crimes
Copyright 2010 John Wiley & Sons, Inc.
Table 5.3
5-30
Copyright 2010 John Wiley & Sons, Inc.
Fraud
5-31
ANALYZING Organizational Fraud
Adelphia founder John Rigas found guilty
Ex-Tyco executives get up to 25 years in prison
Copyright 2010 John Wiley & Sons, Inc.
Table 5.4
5-32
Copyright 2010 John Wiley & Sons, Inc.
Fraud Trends
5-33
Top Ten Cyber Security Menaces for 2008
Copyright 2010 John Wiley & Sons, Inc. 5-34
5.4 IT Security Management Practices
Copyright 2010 John Wiley & Sons, Inc.
Figure 5.6
5-35
Major defense controls.
Copyright 2010 John Wiley & Sons, Inc.
Table 5.5
5-36
Copyright 2010 John Wiley & Sons, Inc.
Figure 5.7
5-37
Intelligent agents. (Source: Courtesy of Sandia National Laboratories.)
Copyright 2010 John Wiley & Sons, Inc. 5-38
5.5 Network Security
Copyright 2010 John Wiley & Sons, Inc.
Figure 5.8
5-39
Three layers of network security measures.
Copyright 2010 John Wiley & Sons, Inc.
Network Authentication & Authorization
5-40
How Firewalls Work
How Phishing Works
Protection from Phishers
Copyright 2010 John Wiley & Sons, Inc.
Figure 5.9
5-41
Where the defense mechanisms are located.
Copyright 2010 John Wiley & Sons, Inc.
War Driving
5-42
War Driving (hacking WiFi)
Wardriving Documentary
Wireless Hack Data Breach www.IDTheftSecurity.com
Copyright 2010 John Wiley & Sons, Inc. 5-43
5.6 Internal Control & Compliance Management
Copyright 2010 John Wiley & Sons, Inc.
Figure 5.10
5-44
Increasing role of IT in internal control.
Copyright 2010 John Wiley & Sons, Inc.
Table 5.6
5-45
Copyright 2010 John Wiley & Sons, Inc.
WorldWide Anti-Fraud Regulations
5-46
Financial Services Authority
U.S. Securities and Exchange Commission
Basel II Accord
Copyright 2010 John Wiley & Sons, Inc. 5-47
5.7 Business Continuity & Disaster Recovery Planning
Copyright 2010 John Wiley & Sons, Inc.
Figure 5.11
5-48
Business continuity services managed by IBM. (Courtesy of IBM)
Copyright 2010 John Wiley & Sons, Inc. 5-49
5.9 Managerial Issues
Copyright 2010 John Wiley & Sons, Inc.
Managerial Issues
• Value to business of IT security & internal control?• Legal obligations?• Important to management beginning at top?• Acceptable use policies & security awareness training?• Digital assets relied upon for competitive advantage?• What does risk management involve?• Impacts of IT security breaches?• Federal & state regulations.• Internal control.
5-50
Copyright 2010 John Wiley & Sons, Inc.
Copyright 2010 John Wiley & Sons, Inc.
All rights reserved. Reproduction or translation of this work beyond that permitted in section 117 of the 1976 United States Copyright Act without express permission of the copyright owner is unlawful. Request for further information should be addressed to the Permission Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages caused by the use of these programs or from the use of the Information herein.
5-51