Prepared by Natalie Rose 1 Managing Information Resources, Control and Security Lecture 9

Post on 04-Jan-2016



Managing Information Resources, Control and Security

Lecture 9


Risks to Information Systems

• Risks to Hardware

– Natural disasters

– Blackouts and brownouts

– Vandalism


Risks to Information Systems (Cont.)

• Risks to Applications and Data

– Theft of information

– Social engineering and identity theft

– Data alteration, data destruction, and Web defacement

– Computer viruses, worms, and logic bombs

– Nonmalicious mishaps

Risks to Online Operations

• Denial of service

• Hijacking

• Spoofing


Controls

Controls (Cont.)

• Program Robustness and Data Entry Controls

– Provide a clear and sound interface with the user

– Menus and limits

• Backup

– Periodic duplication of all data

• Access Controls

– Ensure that only authorized people can gain access to systems and files

– Access codes and passwords


Controls (Cont.)

• Atomic Transactions

– Ensure that transaction data are recorded properly in all the pertinent files, so that either every file is updated or none is, preserving integrity

• Audit Trails

– Built into an IS so that transactions can be traced to people, times, and authorization information
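The two controls above, as an added example that is not part of the lecture: a transfer is recorded in every pertinent table (accounts, ledger, audit) inside one database transaction, so a failed step rolls all of them back, and the audit table ties each attempt to a person, a time and whether it was authorized. The schema, account names and the sqlite3 in-memory database are constructed for illustration.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed schema: two "pertinent files" (accounts, ledger) plus the audit trail.
SCHEMA = """
CREATE TABLE accounts (id TEXT PRIMARY KEY, balance INTEGER NOT NULL CHECK (balance >= 0));
CREATE TABLE ledger (id INTEGER PRIMARY KEY, src TEXT, dst TEXT, amount INTEGER);
CREATE TABLE audit (id INTEGER PRIMARY KEY, who TEXT, at TEXT, action TEXT, authorized INTEGER);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 100), ("bob", 20)])
    conn.commit()
    return conn

def transfer(conn, who, src, dst, amount, authorized=True):
    """Atomic transaction: debit, credit, ledger row and audit row all commit
    together, or the whole unit is rolled back. Returns True on success."""
    now = datetime.now(timezone.utc).isoformat()
    action = f"transfer {amount} {src}->{dst}"
    try:
        with conn:  # commits on normal exit, rolls back on any exception
            if not authorized:
                raise PermissionError(f"{who} is not authorized")
            conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
            conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))
            conn.execute("INSERT INTO ledger (src, dst, amount) VALUES (?, ?, ?)", (src, dst, amount))
            conn.execute("INSERT INTO audit (who, at, action, authorized) VALUES (?, ?, ?, 1)",
                         (who, now, action))
        return True
    except (sqlite3.IntegrityError, PermissionError) as exc:
        # The CHECK constraint (overdraw) or an authorization failure undid every
        # write above; the denied attempt is still traced, in its own transaction.
        with conn:
            conn.execute("INSERT INTO audit (who, at, action, authorized) VALUES (?, ?, ?, 0)",
                         (who, now, f"DENIED {action}: {exc}"))
        return False

def balances(conn):
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id"))

def ledger_count(conn):
    return conn.execute("SELECT COUNT(*) FROM ledger").fetchone()[0]

def audit_trail(conn):
    rows = conn.execute("SELECT who, action, authorized FROM audit ORDER BY id")
    return [(who, action, bool(ok)) for who, action, ok in rows]
```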

Security Measures

• Firewalls

– Defense against unauthorized access to systems over the Internet

– Controls communication between a trusted network and the “untrusted” Internet

– Proxy Server: represents another server for all information requests and acts as a buffer

Authentication and Encryption

• Keeps communications secret

• Authentication: the process of ensuring the identity of the person sending the message

• Encryption: coding a message into a form unreadable to an interceptor

Authentication and Encryption (Cont.)

• Encryption Strength

• Distribution Restrictions

• Public-key Encryption

– Symmetric and asymmetric encryption

• Secure Sockets Layer and Secure Hypertext Transfer Protocol

• Pretty Good Privacy

Digital Signatures and Digital Certificates

• Electronic Signatures

• Digital Signatures

• Digital Certificates

The business recovery plan

• Obtain management’s commitment to the plan

• Establish a planning committee

• Perform risk assessment and impact analysis

• Prioritize recovery needs: critical, vital, sensitive, noncritical

The business recovery plan (Cont.)

• Select a recovery plan

• Select vendors

• Develop and implement the plan

• Test the plan

• Continually test and evaluate

Recovery plan providers

• Companies that specialize in either disaster recovery planning or provision of alternate sites

• Small companies can opt for Web-based services


The IS Security Budget

The IS Security Budget (Cont.)

• How much security is enough security?

• Calculating downtime

Ethical and Societal Issues: Terrorism, Carnivore, and Echelon

• Carnivore

– Developed by the FBI

• A device attached to the ISP’s servers to monitor email

• Echelon

– Surveillance system