information systems technology ross malaga "part iii - building and managing information...

Copyright © 2005 Prentice Hall, Inc.

12-1

Information Systems TechnologyRoss Malaga

"Part III - Building and Managing Information Systems

III12

MANAGING SECURITY,DISASTER RECOVERY,

AND DATA RETENTION


12-2

LEARNING GOALS

• Discuss the major threats to information systems.• Describe the major components of an information systems

security plan.• Explain the disaster planning and recovery process.• Describe the concepts of data retention and record

information management.

12-3Copyright © 2005 Prentice Hall, Inc.

Bead Bar Consultant

• Securing Information Systems• How to safeguard the Bead Bar technology against

natural or man-made disasters and business interruptions– Meredith – Worried about hackers or terrorists– Suzanne – What about studios located in Manhattan if

there should be another terrorist attack?– Leda – Do franchisee systems pose a security problem?– Mitch – How do I secure my laptop computer and the

data that it contains?


Bead Bar Consultant (continued)

– Julia – Concerned over the accuracy of the data in financial systems

– Miriam – Security of marketing data and systems

– Rachel – Need for improved business continuity plans exposed by the reactions to 9/11 attack

– Jim – Need to update HR policies to include security actions

– Abe – Burden of all planning for security and business continuity


12-5

The Security Problem

• 2002 Computer Crime and Security Survey– 90% of large companies and government

agencies reported computer security breach– 80% reported sizeable financial loss– Only 40% indicated security attacks came from

outside the company– 85% reported as victim of computer virus


12-6

IS Security Threats

• Major security threats– Poorly written software or improperly

configured systems– Computer viruses or worms– External breaches– Internal breaches


12-7

Software & Systems Problems

• Check the CERT Web site for latest vulnerabilities

• Latest CERT statistics• Buffer overflow in Microsoft Windows shell

is one typical software vulnerability• Improper configuration of e-mail or database

servers are typical systems configuration problems

http://www.cert.org/


12-8

Improper Mail Server Configuration


12-9

Computer Viruses and Worms

• Virus – self-replicating program that loads itself onto a computer without the user’s knowledge

• Worm – a virus that spreads over a computer network, most often the Internet


12-10

External Security Breaches• Hackers

– People who perpetrate external breaches, or– Clever programmer who breaks into a computer system– Types

• Black hat – keeps security breach secret to exploit• White hat – informs hacked organization of problem

• Crackers – programmer who breaches system to cause damage and steal information

• Script kiddies – person with little or no programming skill who uses publicly available software to breach systems


12-11

Types of External Security Breaches

• Technical attack– Uses computer program to analyze systems– Looks for known vulnerabilities– Brute force attack tries millions of user names

and passwords – cNet article

• Social engineering– Tricking a person into doing something they

would not ordinarily do


12-12

Internal Security Breaches

• Most organizations’ security problems originate from within

• Disgruntled and former employees pose major security risks because they were authorized to access system – see IBM network security recommendations


12-13

Security Planning

• Goal of security plan – manage the risks and lessen the possibility that security breach occurs

• Information security plan– Includes technical methods, policies, and

education– Requires periodic review and revision


12-14Continued…


12-15


12-16

Risk Analysis• Assess what systems get what levels of

security• Two approaches

– Quantitative• Estimate probability of threat and monetary loss

– Qualitative• Determines each system’s importance and the

possible threats and vulnerabilities• Organization then ranks systems


12-17

Roles and Responsibilitiesof a Security Plan

• Determine who is responsible for the various aspects of security

• Information security

• Physical security

• Chief Security Officer– Charged with maintaining both physical and

information security


12-18

Systems Configuration

• Details how an organization’s information systems should be put together and connected

• Poorly written software can be a major security vulnerability– Software must be updated frequently

• CERT Advisory Mailing List• Microsoft Windows Update

– Software can be configured to locate updates automatically


12-19

Antivirus Controls

• Each virus or worm has a unique program structure

• Key aspect of relying on antivirus software is ensuring that antivirus definitions are up-to-date

• Norton Antivirus definitions

• Updating can be scheduled regularly and automatically – Norton LiveUpdate


12-20

Physical Security

• Physical access control – securing the actual space where computer systems reside

• Physical controls apply to employees as well as outsiders

• Types of physical controls– Procedural– Mechanical– Biometric


12-21


12-22

Network Security

• Multiple layers– Passwords– Firewalls– Intrusion detection systems– Policies and procedures

• How often users must change passwords and prohibit the reusing of passwords

• Prescriptions for length and composition of passwords

– Security education


12-23

Data Access

• Details who should be given access to what data– Access security– Modify security


12-24

Outsourcing and Business Partners

• Security plan should contain – A description of the minimum security

standards required for outsourcing– The security standards required for business

partners– Depends on the sensitivity of the data being

shared


12-25

Intrusion Detection

• Monitor corporate systems for patterns of suspicious behavior

• Key component of intrusion detection systems is the formulation of procedures that employees need to follow when an intrusion occurs


12-26

Acceptable Use Policies

• Policy that states what employees can and cannot do with corporate information systems– General computer use– E-mail– WWW browsing– File sharing

• Presented to employees when hired


12-27

Disaster Planning and Recovery

• Business continuity planning• Disasters

– Natural• Hurricane • Earthquake• Tornado • Forest fire

– Man-made• Theft • Arson• Terrorism • Construction accident

• Time is of the essence• Importance of people [and backup alternates for

people]


12-28

Disaster Recovery Plan

• How to reduce risk of disaster

• How to recover when disaster occurs

• Components– Business impact analysis– Disaster mitigation– Data backup and recovery– System recovery– Testing!!


12-29

Business Impact Analysis

• Assign a level of risk and priority to each component of a company’s information systems– Mission critical– Important– Noncritical


12-30

Disaster Mitigation

• Techniques that will minimize the affect of disasters– Secondary telephone connections– Uninterruptible power supplies (UPS), possibly

including generators


12-31

Data Backup and Recovery

• Disaster recovery plan must specify procedures for the backup of business data and for the storage of the backups– A backup of company data files stored in the

room adjacent to the server would not be of much use in case of fire or tornado damage.

– How often to perform backups

• Procedures for recovering data in case of emergency


12-32

Systems Recovery• Rebuild

– Purchase and install replacement system components– Time intensive and not for critical systems – $

• Cold site– Contracted site with some hardware and network

cabling installed – $$

• Hot site– Ready to run site with support staff on hand – $$$

• Redundancy– Fully redundant system at remote location – $$$$


12-33

Data Retention andRecords Management

• Sarbanes-Oxley Act of 2002

• Policies and procedures that specify which data are to be kept and for how long


Bead Bar Consultant

• How Security, Disasters, and Data Retention Issues Affect the Bead Bar?– Meredith and Suzanne – “Security is

everyone’s business.”– Leda – Franchisee identification system– Mitch – Passwords must be complex to

duplicate and the passwords must be used– Julia – Sarbanes-Oxley has increased our data

retention requirements for financial data


Bead Bar Consultant (continued)

– Miriam – Need to develop policies on who can access confidential information

– Rachel and Jim – Work with Abe to develop comprehensive disaster recovery plan

– Abe – Work with Rachel and Jim on disaster recovery plan including technical, educational, and procedural approaches


12-36

Learning Goals Summary

In this chapter you have learned: The major threats to information systems The major components of an information systems

security plan The disaster planning and recovery process The concepts of data retention and record

information management

information systems technology ross malaga "part iii - building and managing information...

Documents

prentice hall

security problem

computer security breach

managing security

security survey

security attacks

franchisee systems

security breach secret