topic 6 - it_security
MANAGEMENT INFORMATION SYSTEMS
Executive MBA PGSM
INFORMATION SECURITY
Management Information Systems
Information Security
• Background
– Organizations face security threats from both within and outside
– Traditional security measures have mainly addressed external threats
– Understanding the managerial aspects of information security is important because of the changing regulatory environment and the potential risk exposure that some firms face
E-Crime
• Any criminal violation in which a computer or electronic media is used in the commission of the crime
• Examples of credit card security breaches:
– TJX
– CardSystems Inc.
Figure 16.1
E-Crime
• There are many types of e-crime
– All of them incur costs to organizations or individuals
Figure 16.2
E-Crime
• Some common ways computers are attacked:
– Virus: a small unit of code embedded in a file or program that, when executed, replicates itself and may cause damage to infected computers
– Worm: self-replicating malicious code that spreads across a network on its own, without attaching to a host file or waiting for a user to run it
– Trojan horse: a security-breaking program that is disguised as a legitimate program
– Logic bomb: a program, or code within a system, that takes a harmful action when a certain event occurs (for example, a particular date is reached)
– Denial of service attack: occurs when a large number of messages are sent to a target computer simultaneously with the purpose of disrupting the capability of the target
E-Crime
• Other techniques used in e-crime:
– Phishing: soliciting sensitive personal information from users under false pretenses, commonly by email and instant messages
– Spoofing: the use of a fraudulent Web site that mimics a legitimate one; often used in conjunction with phishing
E-Crime
• Hacker vs. Cracker
– Hacker: an individual with no malicious intent who attacks computer systems for the purpose of highlighting security vulnerabilities
– Cracker: an individual who attacks computer systems to intentionally steal information or cause harm
– Note that in everyday usage "hacker" is now applied to both; the distinction above is the one this course uses
E-Crime
• All managers responsible for security compliance should have an understanding of the basics of security technology
• Security Basics (Figure 16.4):
– Firewalls and proxy servers
– Encryption and VPNs
– Identity and Access Management (IAM) systems
– Content-filtering tools
– Penetration-testing tools
Information Risk Management
• Steps in Risk Management
– Determine the organization's information assets and their values
– Decide how long the organization can function without specific information assets
– Develop and implement security procedures to protect these information assets
Information Risk Management
• Steps in Risk Management
– Determine the organization's information assets and their values
– Example:
• One organization determined that corporate information found on employee laptops is an important asset
• The organization estimates that a loss of the information on a single laptop may cost $50,000 on average
Information Risk Management
• The expected losses due to a vulnerability can be calculated with the following formula:
Annualized Expected Losses (AEL) = Single Loss Expectancy (SLE) × Annual Occurrence Rate (AOR)
– SLE is the estimated cost of a single occurrence of the loss; AOR is the expected number of occurrences per year
Information Risk Management
• Quantitative example:
– Losing the corporate data from a single laptop has an estimated value of $50,000 (the SLE)
– The corporation identified three occurrences in the last two years where a laptop had been lost
• This is an Annual Occurrence Rate (AOR) of 3 / 2 = 1.5
AEL = SLE × AOR
Information Risk Management
• Quantitative example:
– Therefore, the Annualized Expected Losses (AEL) amount to $75,000
AEL = SLE × AOR
$75,000 = $50,000 × 1.5
Information Risk Management
• After performing a quantitative risk analysis, the Annualized Expected Losses (AEL) are used to perform a security cost-benefit analysis
• Security Cost-Benefit Analysis: a quantitative analysis IS managers may perform to examine the potential business benefits and the intervention costs involved in mitigating security risks
Information Risk Management
• Security Cost-Benefit Analysis
– Managers must estimate the costs of the actions performed to secure the information asset
– The Return Benefit from the actions can be estimated by the following formula:
Return Benefit = Annualized Expected Losses (AEL) − Annualized Cost of Actions
– This formula assumes the action eliminates the loss entirely; if the action only reduces the risk, the AEL that remains after the action must also be subtracted
Information Risk Management
• Security Cost-Benefit Analysis
– From the laptop example, the company estimates that adding strong encryption to the corporate data on the laptops will cost $100 per year for each of the 200 laptops in the company
– Overall, a $20,000 annualized cost for this intervention would be realized (200 × $100)
Return Benefit = AEL − Annualized Cost of Actions
Information Risk Management
• Security Cost-Benefit Analysis
– After performing the analysis, we find that this action has an estimated return benefit of $55,000 per year
Return Benefit = AEL − Annualized Cost of Actions
$55,000 = $75,000 − $20,000
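The AEL and cost-benefit calculations above, carried through in code. This is an added example and not part of the original lecture slides: it implements the two formulas from the slides (AEL = SLE × AOR, and Return Benefit = AEL − annualized cost of actions) and generalizes the second to controls that only reduce the risk rather than eliminate it, which is the form a practitioner usually needs. The $50,000 SLE, the three losses in two years and the $100-per-laptop encryption cost come from the slides; the other two candidate controls and their numbers are constructed for illustration.

```python
"""Quantitative information risk management: AEL and security cost-benefit.

Added example, not taken from the lecture slides. Implements

    AEL            = SLE x AOR
    Return Benefit = AEL - annualized cost of the action

and the generalization to a control that only removes part of the loss:

    Return Benefit = AEL_before - AEL_after - annualized cost
"""
from dataclasses import dataclass


def annual_occurrence_rate(occurrences: int, years: float) -> float:
    """AOR: observed incidents spread over the observation window (years)."""
    if years <= 0:
        raise ValueError("observation window must be positive")
    return occurrences / years


def annualized_expected_losses(sle: float, aor: float) -> float:
    """AEL = SLE x AOR (the slides' formula)."""
    return sle * aor


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float      # total annualized cost of the action
    loss_reduction: float   # fraction of the AEL the control removes, 0..1

    def residual_ael(self, ael: float) -> float:
        """AEL that remains once the control is in place."""
        if not 0.0 <= self.loss_reduction <= 1.0:
            raise ValueError("loss_reduction must be between 0 and 1")
        return ael * (1.0 - self.loss_reduction)

    def return_benefit(self, ael: float) -> float:
        """(AEL before) - (AEL after) - annual cost.

        With loss_reduction == 1.0 this collapses to the slides' formula
        Return Benefit = AEL - annualized cost of actions.
        """
        return ael - self.residual_ael(ael) - self.annual_cost


def rank_controls(ael: float, controls: list[Control]) -> list[tuple[str, float]]:
    """Controls sorted by return benefit, best first.

    A negative return benefit means the control costs more per year than the
    loss it prevents; it is still listed so the trade-off stays visible.
    """
    scored = [(c.name, c.return_benefit(ael)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Figures from the slides: $50,000 per lost laptop, three losses in two years.
LAPTOP_SLE = 50_000.0
LAPTOP_AOR = annual_occurrence_rate(occurrences=3, years=2)
LAPTOP_AEL = annualized_expected_losses(LAPTOP_SLE, LAPTOP_AOR)

# Candidate controls. The first one's cost ($100/year x 200 laptops) is from
# the slides; its 100% loss reduction is the slides' implicit assumption.
# The other two are constructed for illustration only.
CANDIDATE_CONTROLS = [
    Control("full-disk encryption", annual_cost=200 * 100.0, loss_reduction=1.0),
    Control("remote wipe only", annual_cost=200 * 40.0, loss_reduction=0.6),
    Control("armed courier for all travel", annual_cost=120_000.0, loss_reduction=0.9),
]

if __name__ == "__main__":
    print(f"AEL for laptop data loss: ${LAPTOP_AEL:,.0f}")
    for name, benefit in rank_controls(LAPTOP_AEL, CANDIDATE_CONTROLS):
        print(f"{name:30s} return benefit ${benefit:>10,.0f}/year")
```

Running it reproduces the slides' $75,000 AEL and $55,000 return benefit for encryption, and shows why the comparison matters: the cheaper remote-wipe control still returns a positive benefit, while the expensive courier option has a negative return benefit even though it removes 90% of the loss.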
Compliance with Current Security Laws
• Legal and Regulatory Environment
– Impacts information security practices
Figure 16.7
Compliance with Current Security Laws
• Sarbanes-Oxley Act of 2002 (SOX)
– Created as a response to the accounting scandals at Enron, Tyco, WorldCom, and others
– Applies to publicly traded US companies
Compliance with Current Security Laws
• Sarbanes-Oxley Act of 2002 (SOX)
"Sarbanes is the most sweeping legislation to affect publicly traded companies since the reforms during the Great Depression"
- Gartner analyst John Bace
Compliance with Current Security Laws
• SOX affects IS leaders in two major ways:
– Records retention
• The act requires that records relevant to audits, including electronic communication such as email and instant messaging, be retained for a period of at least five years
– IT audit controls
• Officers must certify that they are responsible for establishing and maintaining internal controls over financial reporting
Compliance with Current Security Laws
• Section 404 of SOX requires management to assess its internal controls against a recognized internal control framework such as COSO
• COSO: a framework for assessing internal controls, created by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), that auditors and management use when evaluating those controls
Compliance with Current Security Laws
• Internal controls are assurance processes
• COSO definition of internal control: "a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
– Effectiveness and efficiency of operations
– Reliability of financial reporting
– Compliance with applicable laws and regulations"
Compliance with Current Security Laws
• The COSO framework contains five interrelated components:
– Control Environment
– Risk Assessment
– Control Activities
– Information and Communication
– Monitoring
Compliance with Current Security Laws
• Gramm-Leach-Bliley Act of 1999 (GLBA)
– Mandates that financial institutions maintain a high level of confidentiality for the financial information of their clients or customers
– The act gives federal agencies and states the authority to enforce the following rules:
• Financial Privacy Rule
• Safeguards Rule
Compliance with Current Security Laws
• Gramm-Leach-Bliley Act of 1999 (GLBA)
– Financial Privacy Rule
• Requires financial institutions to provide customers with privacy notices
• Organizations must clearly state their privacy policies when establishing relationships with customers
• Organizations may not disclose nonpublic personal information to nonaffiliated third parties without first giving customers notice and an opportunity to opt out
– Safeguards Rule
Compliance with Current Security Laws
• Gramm-Leach-Bliley Act of 1999 (GLBA)
– Safeguards Rule
• Organizations must have a written security plan in place to protect customers' nonpublic confidential information
Compliance with Current Security Laws
• Health Insurance Portability and Accountability Act (HIPAA)
– HIPAA requires organizations to secure nonpublic confidential medical information (protected health information)
– Noncompliance can lead to serious penalties and fines
Compliance with Current Security Laws
• Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act)
– Commonly called the PATRIOT Act
– Gives the US government greater ability to access information
– Victims of computer hacking can now request law enforcement assistance in monitoring intruders on their systems
Compliance with Current Security Laws
• California Information Practices Act (Senate Bill 1386)
– In the past, companies have often been silent when information theft occurred
– This act requires organizations that store nonpublic personal information on California residents to notify affected residents of a breach of that information in the most expedient time possible and without unreasonable delay
– Noncompliance may lead to civil or criminal consequences
Developing an Information Security Policy
• Information Security Policies
– Required by many regulations (e.g., SOX)
– Required to obtain insurance
• Information Security Policy: a written document describing what is, and is not, permissible use of information in the organization, and the consequences for violation of the policy
Developing an Information Security Policy
• Who should develop the security policy?
– Representatives of all affected user groups and stakeholders
– Must have the support of the managers who train on and enforce the policy
– The committee that develops the policy should meet regularly to ensure that the security policy meets the organization's needs and satisfies current regulations
Developing an Information Security Policy
• What should be in the policy?
– Common topics:
• Access control policies
• External access policies
• User and physical security policies
– Example policies:
• The SANS Institute provides templates for many policy types
Developing an Information Security Policy
• The policy should be appropriate to the estimated risks of the organization
• It should be modified quickly when new situations arise that affect security
• Organizations should make it easy for employees to access the most recent version of the policy
Planning for Business Continuity
• This is more than simple disaster recovery
• When an organization cannot resume operations in a reasonable time frame, it leads to business failure
• Business Continuity Planning (BCP): putting specific plans in place that ensure that employees and business processes can continue when faced with any major unanticipated disruption
Planning for Business Continuity
• McNurlin & Sprague identified the following components of BCP that were often overlooked before the 9/11 terrorist attacks:
– Alternate workspaces for people, with working computers and phone lines
– Backup IT sites that are not too close, but not too far away
– Up-to-date evacuation plans that everyone knows and has practiced
Planning for Business Continuity
• McNurlin & Sprague's often-overlooked components of BCP (continued):
– Backed-up laptops and departmental servers, because a lot of corporate information is housed on these machines rather than in the data center
– Helping people cope with a disaster by having easily accessible phone lists, e-mail lists, and even instant-messenger lists so that people can communicate with loved ones and colleagues
Planning for Business Continuity
• Creating a BCP begins with a business impact analysis with the following steps:
1. Define the critical business processes and departments
2. Identify interdependencies between them
3. Examine all possible disruptions to these systems
4. Gather quantitative and qualitative information on these threats
5. Provide remedies for restoring systems
Planning for Business Continuity
• Disruptions are usually ranked in the following categories (maximum time before the affected process must be restored):
– Critical: < 12 hours
– Urgent: 24 hours
– Important: 72 hours
– Normal: 7 days
– Lower-priority: 30 days
Planning for Business Continuity
• Electronic Records Management (ERM)
– Covers the retention of important digital documents
– Grew out of the need to satisfy regulations such as SOX and HIPAA
– May require a centralized approach
– The eDiscovery amendments to the Federal Rules of Civil Procedure make ERM even more important
Planning for Business Continuity
• Electronic Records Management (ERM)
– ERM managers are responsible for the following:
• Defining what constitutes an electronic record
• Analyzing the current business environment and developing appropriate ERM policies
• Classifying specific records based upon their importance, regulatory requirements, and retention duration
• Authenticating records by maintaining accurate logs and procedures to prove that these are the actual records, and that they have not been altered
• Managing policy compliance
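One concrete way to meet the "authenticating records" responsibility above, as an added example that is not part of the original lecture slides: each stored record carries a SHA-256 digest that covers its own content and the digest of the previous record, so that editing, deleting, or reordering any record changes every digest after it and the tampering is detectable on verification. The record identifiers and contents below are constructed sample data, and the function names are the example's own.

```python
"""Authenticating electronic records with a tamper-evident hash chain.

Added example, not taken from the lecture slides. Each Entry stores
    digest = SHA-256(canonical JSON of {id, content, prev})
where prev is the previous entry's digest (a fixed GENESIS value for the
first record). verify_chain() recomputes every digest and checks every link.
"""
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64   # digest "before" the first record


@dataclass(frozen=True)
class Entry:
    record_id: str
    content: str
    prev_digest: str
    digest: str


def _digest(record_id: str, content: str, prev_digest: str) -> str:
    # Canonical JSON (sorted keys, no whitespace) so that field order or
    # formatting differences cannot change the hash of the same record.
    payload = json.dumps(
        {"id": record_id, "content": content, "prev": prev_digest},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


def append_record(chain: list[Entry], record_id: str, content: str) -> Entry:
    """Add a record, linking it to the digest of the last entry in the chain."""
    prev = chain[-1].digest if chain else GENESIS
    entry = Entry(record_id, content, prev, _digest(record_id, content, prev))
    chain.append(entry)
    return entry


def verify_chain(chain: list[Entry]) -> tuple[bool, int]:
    """Return (ok, index): index is the first bad entry, or -1 if all are good.

    Checks that each stored digest matches the entry's content and that each
    entry points at the digest of its predecessor, so in-place edits, deleted
    records in the middle, and reordering are all detected.
    """
    prev = GENESIS
    for i, e in enumerate(chain):
        if e.prev_digest != prev or _digest(e.record_id, e.content, e.prev_digest) != e.digest:
            return False, i
        prev = e.digest
    return True, -1


def build_sample_chain() -> list[Entry]:
    """Constructed sample records (not real data)."""
    chain: list[Entry] = []
    append_record(chain, "INV-0001", "Invoice 0001: 12 units @ $40, approved by J. Doe")
    append_record(chain, "INV-0002", "Invoice 0002: 3 units @ $900, approved by J. Doe")
    append_record(chain, "MEMO-0007", "Memo: Q3 retention review scheduled")
    return chain


def tamper_with(chain: list[Entry], index: int, new_content: str) -> list[Entry]:
    """Simulate someone editing a stored record in place (digest left as is)."""
    tampered = list(chain)
    e = tampered[index]
    tampered[index] = Entry(e.record_id, new_content, e.prev_digest, e.digest)
    return tampered


def drop_record(chain: list[Entry], index: int) -> list[Entry]:
    """Simulate someone deleting a record from the store."""
    return chain[:index] + chain[index + 1:]


if __name__ == "__main__":
    chain = build_sample_chain()
    print("original   :", verify_chain(chain))
    print("edited #1  :", verify_chain(tamper_with(chain, 1, "Invoice 0002: 3 units @ $90")))
    print("deleted #1 :", verify_chain(drop_record(chain, 1)))
```

The chain alone cannot detect that the most recent records were simply cut off the end, since a truncated chain is still internally consistent. In practice the latest digest (or the digest of each day's batch) is recorded separately, for example on write-once media or in a signed and timestamped log, and verification compares against that anchor as well.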
Planning for Business Continuity
• Electronic Records Management (ERM)
– Managers must realize that businesses may be digitally liable for actions their employees have taken when communicating electronically
– Electronic corporate information may reside on computers external to the company (e.g., cached email)
The Chief Information Security Officer Role
• With increasing pressure to comply with laws and regulations, many companies have added a chief information security officer (CISO) to their organization
• The CISO is responsible for monitoring information security risks and developing strategies to mitigate those risks
The Chief Information Security Officer Role
• As it is impossible to eliminate all risk, the CISO must balance the trade-offs between risks and the costs of eliminating them
(Figure: trade-off between cost of prevention and risk)