MALIK TOUQEER

BBA(HONS) THE ISLAMIA UNIVERSITY BAHAWALPUR PAKISTAN

SECURING MANAGEMENT INFORMATION

SYSTEM

Introduction to MIS

An MIS provides managers with information and support for effective decision making, and provides feedback on daily operations.

MIS is a system, which makes available the Right Information to the Right Person at the Right place at the Right Time in the Right Form and at Right Cost.

The quality or state of being secure to be free from danger Security is achieved using several strategies simultaneously or used in

combination with one another Security is recognized as essential to protect vital processes and the

systems that provide those processes Security is not something you buy, it is something you do

What is security?

Vulnerability, Threat and Attack A vulnerability:- is a weakness in security system

Can be in design, implementation, etc. Can be hardware, or software

A threat:- is a set of circumstances that has the potential to cause loss or harm Or it’s a potential violation of security Threat can be:

Accidental (natural disasters, human error, …) Malicious (attackers, insider fraud, …)

An attack:- is the actual violation of security

Why Systems are Vulnerable?

Hardware problems-• Breakdowns, configuration errors, damage from

improper use or crime Software problems-

• Programming errors, installation errors, unauthorized changes)

Disasters-• Power failures, flood, fires, etc.

Use of networks and computers outside of firm’s control -• E.g. with domestic or offshore outsourcing vendors

SO HOW DO WE OVERCOME THESE PROBLEMS???

BUSINESS VALUE OF SECURITY AND CONTROL

• Inadequate security and control may create serious legal liability.• Businesses must protect not only their own information assets but also

those of customers, employees, and business partners. Failure to do so can lead to costly litigation for data exposure or theft.

• A sound security and control framework that protects business information assets can thus produce a high return on investment.

ESTABLISHING A MANAGEMENT FRAMEWORK FOR SECURITY AND CONTROL

General controls:Establish framework for controlling design, security, and use of computer programs

• Software controls

• Hardware controls

• Computer operations controls

• Data security controls

• Implementation controls

ESTABLISHING A MANAGEMENT FRAMEWORK FOR SECURITY AND CONTROL

Application controls:

• Input • Processing• Output

Unique to each computerized application

CREATING A CONTROL ENVIRONMENT

Controls:-

• Methods, policies, and procedures

• Ensures protection of organization’s assets

• Ensures accuracy and reliability of records, and operational adherence to management standards

Worldwide Damage from Digital Attacks

CREATING A CONTROL ENVIRONMENT

Disaster recovery plan: Runs business in event of computer outage

Load balancing: Distributes large number of requests for access among

multiple servers

CREATING A CONTROL ENVIRONMENT

• Mirroring: Duplicating all processes and transactions of server on

backup server to prevent any interruption

• Clustering: Linking two computers together so that a second computer can act

as a backup to the primary computer or speed up processing

CREATING A CONTROL ENVIRONMENT

Internet Security Challenges

Firewalls:-

• Hardware and software controlling flow of incoming and outgoing network traffic

• Prevent unauthorized users from accessing private networks

• Two types: proxies and stateful inspection

Intrusion Detection System:-

• Monitors vulnerable points in network to detect and deter unauthorized intruders

Figure 10-7

A Corporate Firewall

Because they can A large fraction of hacker attacks have been pranks

Financial Gain Espionage Venting anger at a company or organization Terrorism

Why do Hackers Attack?

Access Control - Physical

USER RESPONSIBILITIES

• Follow Security Procedures• Wear Identity Cards• Ask unauthorized visitor his credentials• Attend visitors in Reception and Conference Room only

• Bring visitors in operations area without prior permission

• Bring hazardous and combustible material in secure area

• Practice “Piggybacking”

• Bring and use pen drives, zip drives, ipods, other storage devices unless and otherwise authorized to do so

Password Guidelines

Always use at least 8 character password with combination of alphabets, numbers and special characters (*, %, @, #, $, ^)

Use passwords that can be easily remembered by you Change password regularly as per policy Use password that is significantly different from earlier passwords Use passwords which reveals your personal information or words found

in dictionaryWrite down or Store passwordsShare passwords over phone or EmailUse passwords which do not match above complexity criteria

Dictionary Attack

Hacker tries all words in dictionary to crack password 70% of the people use dictionary words as passwords

Brute Force Attack

Try all permutations of the letters & symbols in the alphabet Hybrid Attack

Words from dictionary and their variations used in attack Shoulder Surfing

Hackers slyly watch over peoples shoulders to steal passwords Dumpster Diving

People dump their trash papers in garbage which may contain information to crack passwords

Password Attacks - Types

Internet Usage

Use internet services for business purposes only

Do not access internet through dial-up connectivity Do not use internet for accessing auction sites Do not use internet for hacking other computer systems Do not use internet to download / upload commercial software /

copyrighted material Technology Department is continuously monitoring Internet

Usage. Any illegal use of internet and other assets shall call for Disciplinary Action.

CREATING A CONTROL ENVIRONMENTAntivirus Software

Antivirus software: -

Software that checks computer systems and drives for the presence of computer viruses and can eliminate the virus from the infected area

• Wi-Fi Protected Access specification

This NEC PC has a biometric fingerprint reader for fast yet secure access to files and networks. New models of PCs are starting to use biometric identification to authenticate users

MANAGEMENT CHALLENGES

Implementing an effective security policy Applying quality assurance standards in large systems projects

What are the most important software quality assurance techniques?

Why are auditing information systems and safeguarding data quality so important?

Solution Guidelines

• Security and control must become a more visible and explicit priority and area of information systems investment.

• Support and commitment from top management is required to show that security is indeed a corporate priority and vital to all aspects of the business.

• Security and control should be the responsibility of everyone in the organization.

. . . LET US BUILD A HUMAN WALL ALONG WITH FIREWALL

Human Wall Is Always Better Than A Firewall