information systems technology ross malaga "part iii - building and managing information...
TRANSCRIPT
Copyright © 2005 Prentice Hall, Inc.
12-1
Information Systems TechnologyRoss Malaga
"Part III - Building and Managing Information Systems
III12
MANAGING SECURITY,DISASTER RECOVERY,
AND DATA RETENTION
Copyright © 2005 Prentice Hall, Inc.
12-2
LEARNING GOALS
• Discuss the major threats to information systems.• Describe the major components of an information systems
security plan.• Explain the disaster planning and recovery process.• Describe the concepts of data retention and record
information management.
12-3Copyright © 2005 Prentice Hall, Inc.
Bead Bar Consultant
• Securing Information Systems• How to safeguard the Bead Bar technology against
natural or man-made disasters and business interruptions– Meredith – Worried about hackers or terrorists– Suzanne – What about studios located in Manhattan if
there should be another terrorist attack?– Leda – Do franchisee systems pose a security problem?– Mitch – How do I secure my laptop computer and the
data that it contains?
12-4Copyright © 2005 Prentice Hall, Inc.
Bead Bar Consultant (continued)
– Julia – Concerned over the accuracy of the data in financial systems
– Miriam – Security of marketing data and systems
– Rachel – Need for improved business continuity plans exposed by the reactions to 9/11 attack
– Jim – Need to update HR policies to include security actions
– Abe – Burden of all planning for security and business continuity
Copyright © 2005 Prentice Hall, Inc.
12-5
The Security Problem
• 2002 Computer Crime and Security Survey– 90% of large companies and government
agencies reported computer security breach– 80% reported sizeable financial loss– Only 40% indicated security attacks came from
outside the company– 85% reported as victim of computer virus
Copyright © 2005 Prentice Hall, Inc.
12-6
IS Security Threats
• Major security threats– Poorly written software or improperly
configured systems– Computer viruses or worms– External breaches– Internal breaches
Copyright © 2005 Prentice Hall, Inc.
12-7
Software & Systems Problems
• Check the CERT Web site for latest vulnerabilities
• Latest CERT statistics• Buffer overflow in Microsoft Windows shell
is one typical software vulnerability• Improper configuration of e-mail or database
servers are typical systems configuration problems
Copyright © 2005 Prentice Hall, Inc.
12-8
Improper Mail Server Configuration
Copyright © 2005 Prentice Hall, Inc.
12-9
Computer Viruses and Worms
• Virus – self-replicating program that loads itself onto a computer without the user’s knowledge
• Worm – a virus that spreads over a computer network, most often the Internet
Copyright © 2005 Prentice Hall, Inc.
12-10
External Security Breaches• Hackers
– People who perpetrate external breaches, or– Clever programmer who breaks into a computer system– Types
• Black hat – keeps security breach secret to exploit• White hat – informs hacked organization of problem
• Crackers – programmer who breaches system to cause damage and steal information
• Script kiddies – person with little or no programming skill who uses publicly available software to breach systems
Copyright © 2005 Prentice Hall, Inc.
12-11
Types of External Security Breaches
• Technical attack– Uses computer program to analyze systems– Looks for known vulnerabilities– Brute force attack tries millions of user names
and passwords – cNet article
• Social engineering– Tricking a person into doing something they
would not ordinarily do
Copyright © 2005 Prentice Hall, Inc.
12-12
Internal Security Breaches
• Most organizations’ security problems originate from within
• Disgruntled and former employees pose major security risks because they were authorized to access system – see IBM network security recommendations
Copyright © 2005 Prentice Hall, Inc.
12-13
Security Planning
• Goal of security plan – manage the risks and lessen the possibility that security breach occurs
• Information security plan– Includes technical methods, policies, and
education– Requires periodic review and revision
Copyright © 2005 Prentice Hall, Inc.
12-14Continued…
Copyright © 2005 Prentice Hall, Inc.
12-15
Copyright © 2005 Prentice Hall, Inc.
12-16
Risk Analysis• Assess what systems get what levels of
security• Two approaches
– Quantitative• Estimate probability of threat and monetary loss
– Qualitative• Determines each system’s importance and the
possible threats and vulnerabilities• Organization then ranks systems
Copyright © 2005 Prentice Hall, Inc.
12-17
Roles and Responsibilitiesof a Security Plan
• Determine who is responsible for the various aspects of security
• Information security
• Physical security
• Chief Security Officer– Charged with maintaining both physical and
information security
Copyright © 2005 Prentice Hall, Inc.
12-18
Systems Configuration
• Details how an organization’s information systems should be put together and connected
• Poorly written software can be a major security vulnerability– Software must be updated frequently
• CERT Advisory Mailing List• Microsoft Windows Update
– Software can be configured to locate updates automatically
Copyright © 2005 Prentice Hall, Inc.
12-19
Antivirus Controls
• Each virus or worm has a unique program structure
• Key aspect of relying on antivirus software is ensuring that antivirus definitions are up-to-date
• Norton Antivirus definitions
• Updating can be scheduled regularly and automatically – Norton LiveUpdate
Copyright © 2005 Prentice Hall, Inc.
12-20
Physical Security
• Physical access control – securing the actual space where computer systems reside
• Physical controls apply to employees as well as outsiders
• Types of physical controls– Procedural– Mechanical– Biometric
Copyright © 2005 Prentice Hall, Inc.
12-21
Copyright © 2005 Prentice Hall, Inc.
12-22
Network Security
• Multiple layers– Passwords– Firewalls– Intrusion detection systems– Policies and procedures
• How often users must change passwords and prohibit the reusing of passwords
• Prescriptions for length and composition of passwords
– Security education
Copyright © 2005 Prentice Hall, Inc.
12-23
Data Access
• Details who should be given access to what data– Access security– Modify security
Copyright © 2005 Prentice Hall, Inc.
12-24
Outsourcing and Business Partners
• Security plan should contain – A description of the minimum security
standards required for outsourcing– The security standards required for business
partners– Depends on the sensitivity of the data being
shared
Copyright © 2005 Prentice Hall, Inc.
12-25
Intrusion Detection
• Monitor corporate systems for patterns of suspicious behavior
• Key component of intrusion detection systems is the formulation of procedures that employees need to follow when an intrusion occurs
Copyright © 2005 Prentice Hall, Inc.
12-26
Acceptable Use Policies
• Policy that states what employees can and cannot do with corporate information systems– General computer use– E-mail– WWW browsing– File sharing
• Presented to employees when hired
Copyright © 2005 Prentice Hall, Inc.
12-27
Disaster Planning and Recovery
• Business continuity planning• Disasters
– Natural• Hurricane • Earthquake• Tornado • Forest fire
– Man-made• Theft • Arson• Terrorism • Construction accident
• Time is of the essence• Importance of people [and backup alternates for
people]
Copyright © 2005 Prentice Hall, Inc.
12-28
Disaster Recovery Plan
• How to reduce risk of disaster
• How to recover when disaster occurs
• Components– Business impact analysis– Disaster mitigation– Data backup and recovery– System recovery– Testing!!
Copyright © 2005 Prentice Hall, Inc.
12-29
Business Impact Analysis
• Assign a level of risk and priority to each component of a company’s information systems– Mission critical– Important– Noncritical
Copyright © 2005 Prentice Hall, Inc.
12-30
Disaster Mitigation
• Techniques that will minimize the affect of disasters– Secondary telephone connections– Uninterruptible power supplies (UPS), possibly
including generators
Copyright © 2005 Prentice Hall, Inc.
12-31
Data Backup and Recovery
• Disaster recovery plan must specify procedures for the backup of business data and for the storage of the backups– A backup of company data files stored in the
room adjacent to the server would not be of much use in case of fire or tornado damage.
– How often to perform backups
• Procedures for recovering data in case of emergency
Copyright © 2005 Prentice Hall, Inc.
12-32
Systems Recovery• Rebuild
– Purchase and install replacement system components– Time intensive and not for critical systems – $
• Cold site– Contracted site with some hardware and network
cabling installed – $$
• Hot site– Ready to run site with support staff on hand – $$$
• Redundancy– Fully redundant system at remote location – $$$$
Copyright © 2005 Prentice Hall, Inc.
12-33
Data Retention andRecords Management
• Sarbanes-Oxley Act of 2002
• Policies and procedures that specify which data are to be kept and for how long
12-34Copyright © 2005 Prentice Hall, Inc.
Bead Bar Consultant
• How Security, Disasters, and Data Retention Issues Affect the Bead Bar?– Meredith and Suzanne – “Security is
everyone’s business.”– Leda – Franchisee identification system– Mitch – Passwords must be complex to
duplicate and the passwords must be used– Julia – Sarbanes-Oxley has increased our data
retention requirements for financial data
12-35Copyright © 2005 Prentice Hall, Inc.
Bead Bar Consultant (continued)
– Miriam – Need to develop policies on who can access confidential information
– Rachel and Jim – Work with Abe to develop comprehensive disaster recovery plan
– Abe – Work with Rachel and Jim on disaster recovery plan including technical, educational, and procedural approaches
Copyright © 2005 Prentice Hall, Inc.
12-36
Learning Goals Summary
In this chapter you have learned: The major threats to information systems The major components of an information systems
security plan The disaster planning and recovery process The concepts of data retention and record
information management