topic 6 -it_security


Upload: nen-tran-ngoc

Post on 22-Nov-2014



MANAGEMENT INFORMATION SYSTEMS

Executive MBA PGSM


INFORMATION SECURITY

Management Information Systems


Information Security

• Background
  – Organizations face security threats from both within and outside
  – Traditional security measures have addressed external threats
  – Understanding the managerial aspects of information security is important because of the changing regulatory environment and the potential risk exposure that some firms face


E-Crime

• E-Crime: any criminal violation in which a computer or e-media is used in the commission of the crime

E-Crime

• Examples of credit card security breaches
  – TJX
  – CardSystems Inc.

Figure 16.1


E-Crime

• Many types of e-crime
  – All incur costs to organizations or individuals

Figure 16.2

E-Crime

• Some common ways computers are attacked
  – Virus: a small unit of code embedded in a file or program that, when executed, will replicate itself and may cause damage to infected computers
  – Worm: a self-replicating virus
  – Trojan horse: a security-breaking program that is disguised as a legitimate program
  – Logic bomb: a program, or code within a system, that takes action when a certain event occurs
  – Denial of service attack: occurs when a large number of messages are sent to a target computer simultaneously with the purpose of disrupting the capability of the target


E-Crime

• Other techniques used in e-crime:
  – Phishing: involves the solicitation of sensitive personal information from users, commonly in the form of email and instant messages
  – Spoofing: the use of a fraudulent Web site that mimics a legitimate one; often used in conjunction with phishing

E-Crime

• Hacker vs. Cracker
  – Hacker: an individual with no malicious intent who attacks computer systems for the purpose of highlighting security vulnerabilities
  – Cracker: an individual who attacks computer systems to intentionally steal information or cause harm


E-Crime

• All managers responsible for security compliance should have an understanding of the basics of security technology

Security Basics (Figure 16.4)

• Firewall and proxy servers
• Encryption and VPNs
• Identity and Access Management (IAM) systems
• Content-filtering tools
• Penetration-testing tools


Information Risk Management

• Steps in risk management
  – Determine the organization’s information assets and their values
  – Decide how long the organization can function without specific information assets
  – Develop and implement security procedures to protect these information assets


Information Risk Management

• Steps in risk management
  – Determine the organization’s information assets and their values
  – Example:
    • One organization determined that corporate information found on employee laptops is an important asset
    • The organization estimates that a loss of the information on a single laptop may cost $50,000 on average


Information Risk Management

• The expected losses due to a vulnerability can be calculated by the following formula:

  Annualized Expected Losses (AEL) = Single Loss Expectancy (SLE) × Annual Occurrence Rate (AOR)


Information Risk Management

• Quantitative example:
  – Losing the corporate data from a single laptop has an estimated value of $50,000
  – The corporation identified three occurrences in the last two years where a laptop had been lost
    • This is an Annual Occurrence Rate of 1.5

  Annualized Expected Losses (AEL) = Single Loss Expectancy (SLE) × Annual Occurrence Rate (AOR)


Information Risk Management

• Quantitative example:
  – Therefore, the Annualized Expected Losses (AEL) amount to $75,000

  Annualized Expected Losses (AEL) = Single Loss Expectancy (SLE) × Annual Occurrence Rate (AOR)
  $75,000 = $50,000 × 1.5


Information Risk Management

• After performing a quantitative risk analysis, the Annualized Expected Losses (AEL) are used to perform security cost-benefit analysis
• Security Cost-Benefit Analysis: a quantitative analysis IS managers may perform to examine the potential business benefits and the intervention costs involved with mitigating security risks


Information Risk Management

• Security Cost-Benefit Analysis
  – Managers must estimate the costs of the actions performed to secure the information asset
  – The Return Benefit from the actions can be estimated by the following formula:

  Return Benefit = Annualized Expected Losses (AEL) - Annualized Cost of Actions


Information Risk Management

• Security Cost-Benefit Analysis
  – From the laptop example, the company estimates that adding strong encryption to the corporate data on the laptops will cost $100 per year for each of the 200 laptops in the company
  – Overall, a $20,000 annualized cost for this intervention would be realized

  Return Benefit = Annualized Expected Losses (AEL) - Annualized Cost of Actions

Information Risk Management

• Security Cost-Benefit Analysis
  – After performing the analysis, we find that this action has an estimated return benefit of $55,000 per year

  Return Benefit = Annualized Expected Losses (AEL) - Annualized Cost of Actions
  $55,000 = $75,000 - $20,000
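The two slide formulas (AEL = SLE × AOR and Return Benefit = AEL - Annualized Cost of Actions) carried through in code, as an added example that is not part of the original slides: it derives the AOR from an incident count and observation window, as the laptop example does, and ranks several proposed actions by return benefit. The laptop figures are the slides' own; the "customer database" asset and its control are constructed sample values, and the class and function names are this example's own.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    sle: float           # Single Loss Expectancy (dollars per incident)
    occurrences: int     # incidents observed during the window
    window_years: float  # length of the observation window in years

@dataclass
class Control:
    asset: str           # name of the asset the action protects
    description: str
    unit_cost: float     # annual cost per protected unit
    units: int           # number of units covered

def annual_occurrence_rate(asset: Asset) -> float:
    """AOR: observed incidents normalised to one year (3 in 2 years -> 1.5)."""
    if asset.window_years <= 0:
        raise ValueError("observation window must be positive")
    return asset.occurrences / asset.window_years

def annualized_expected_loss(asset: Asset) -> float:
    """AEL = SLE x AOR, the slide formula."""
    return asset.sle * annual_occurrence_rate(asset)

def annualized_cost(control: Control) -> float:
    return control.unit_cost * control.units

def return_benefit(asset: Asset, control: Control) -> float:
    """Return Benefit = AEL - Annualized Cost of Actions. The slide formula
    assumes the action removes the whole AEL; a negative result means the
    action costs more per year than the loss it prevents."""
    return annualized_expected_loss(asset) - annualized_cost(control)

def rank_controls(assets, controls):
    """(description, return benefit) pairs, best first."""
    by_name = {a.name: a for a in assets}
    ranked = [(c.description, return_benefit(by_name[c.asset], c)) for c in controls]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)

# Laptop figures are the slides' own; the database asset and its control are constructed samples showing an action that does not pay off.
ASSETS = [
    Asset("laptop data", sle=50_000, occurrences=3, window_years=2),
    Asset("customer database", sle=80_000, occurrences=2, window_years=4),
]
CONTROLS = [
    Control("laptop data", "encrypt laptop data", unit_cost=100, units=200),
    Control("customer database", "hot-standby site", unit_cost=60_000, units=1),
]
```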


Compliance with Current Security Laws

• Legal and regulatory environment
  – Impacts information security practices

Figure 16.7


Compliance with Current Security Laws

• Sarbanes-Oxley Act of 2002 (SOX)
  – Created as a response to the scandals at Enron, Tyco, WorldCom, and others
  – Applies to publicly traded US companies


Compliance with Current Security Laws

• Sarbanes-Oxley Act of 2002 (SOX)

  "Sarbanes is the most sweeping legislation to affect publicly traded companies since the reforms during the Great Depression"
  - Gartner analyst John Bace


Compliance with Current Security Laws

• SOX affects IS leaders in two major ways:
  – Records retention
    • The act states that companies must retain electronic communication such as email and instant messaging for a period of at least five years
  – IT audit controls
    • Officers must certify that they are responsible for establishing and maintaining internal controls


Compliance with Current Security Laws

• Section 404 of SOX states that companies must use an internal control framework such as COSO
• COSO: a framework for auditors to use when assessing internal controls, created by the Committee of Sponsoring Organizations (COSO)


Compliance with Current Security Laws

• Internal controls are assurance processes
• COSO defines internal controls:
  – COSO definition of Internal Control: “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
    • Effectiveness and efficiency of operations
    • Reliability of financial reporting
    • Compliance with applicable laws and regulations”


Compliance with Current Security Laws

• The COSO framework contains five interrelated categories:
  – Risk Assessment
  – Control Environment
  – Control Activities
  – Monitoring
  – Information and Communication


Compliance with Current Security Laws

• Gramm-Leach-Bliley Act of 1999 (GLBA)
  – Mandates that all organizations maintain a high level of confidentiality of all financial information of their clients or customers
  – The act gives federal agencies and states the authority to enforce the following rules:
    • Financial Privacy Rule
    • Safeguards Rule


Compliance with Current Security Laws

• Gramm-Leach-Bliley Act of 1999 (GLBA)
  – Financial Privacy Rule
    • Requires financial institutions to provide customers with privacy notices
    • Organizations must clearly state their privacy policies when establishing relationships with customers
    • Organizations cannot disclose nonpublic personal information to a third party
  – Safeguards Rule


Compliance with Current Security Laws

• Gramm-Leach-Bliley Act of 1999 (GLBA)
  – Safeguards Rule
    • Organizations must have a written security plan in place to protect customers’ nonpublic confidential information


Compliance with Current Security Laws

• Health Insurance Portability and Accountability Act (HIPAA)
  – HIPAA requires organizations to secure nonpublic confidential medical information
  – Noncompliance can lead to serious penalties and fines


Compliance with Current Security Laws

• Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT)
  – Commonly called the PATRIOT Act
  – Gives the US government greater ability to access information
  – Victims of computer hacking can now request law enforcement assistance


Compliance with Current Security Laws

• California Information Practices Act (Senate Bill 1386)
  – In the past, companies have often been silent when information theft occurred
  – This act requires organizations that store nonpublic information on California residents to report information theft within 96 hours
  – Noncompliance may lead to civil or criminal consequences


Developing an Information Security Policy

• Information Security Policies
  – Required by many regulations (e.g., SOX)
  – Required to obtain insurance
• Information Security Policy: a written document describing what is, and is not, permissible use of information in the organization and the consequences for violation of the policy


Developing an Information Security Policy

• Who should develop the security policy?
  – Representatives of all affected user groups and stakeholders
  – Must have the support of the managers who train on and enforce the policy
  – The committee that develops the policy should meet regularly to ensure that the security policy meets the organization’s needs and satisfies current regulations


Developing an Information Security Policy

• What should be in the policy?
  – Common topics
    • Access control policies
    • External access policies
    • User and physical policies
  – Example policies
    • The SANS Institute provides templates for many policy types


Developing an Information Security Policy

• The policy should be appropriate to the estimated risks of the organization
• It should be quickly modified when new situations arise affecting security
• Organizations should make it easy for employees to access the most recent policy


Planning for Business Continuity

• This is more than simple disaster recovery
• When an organization cannot resume operations in a reasonable time frame, it leads to business failure
• Business Continuity Planning (BCP): putting specific plans in place that ensure that employees and business processes can continue when faced with any major unanticipated disruption


Planning for Business Continuity

• McNurlin & Sprague identified the following components of BCP that were often overlooked before the 9/11 terrorist attacks:
  – Alternate workspaces for people with working computers and phone lines
  – Backup IT sites that are not too close, but not too far away
  – Up-to-date evacuation plans that everyone knows and has practiced


Planning for Business Continuity

• McNurlin & Sprague identified the following components of BCP that were often overlooked before the 9/11 terrorist attacks (continued):
  – Backed-up laptops and departmental servers, because a lot of corporate information is housed on these machines rather than in the data center
  – Helping people cope with a disaster by having easily accessible phone lists, e-mail lists, and even instant-messenger lists so that people can communicate with loved ones and colleagues


Planning for Business Continuity

• Creating a BCP begins with a business impact analysis with the following steps:
  1. Define the critical business processes and departments
  2. Identify interdependencies between them
  3. Examine all possible disruptions to these systems
  4. Gather quantitative and qualitative information on these threats
  5. Provide remedies for restoring systems

Planning for Business Continuity

• Disruptions are usually ranked based on the following categories (maximum tolerable time to restore):
  – Lower-priority: 30 days
  – Normal: 7 days
  – Important: 72 hours
  – Urgent: 24 hours
  – Critical: < 12 hours


Planning for Business Continuity

• Electronic Records Management (ERM)
  – Covers the retention of important digital documents
  – Grew out of the need to satisfy regulations such as SOX and HIPAA
  – May require a centralized approach
  – eDiscovery amendments to the rules for civil procedure make ERM even more important


Planning for Business Continuity

• Electronic Records Management (ERM)
  – ERM managers are responsible for the following:
    • Defining what constitutes an electronic record
    • Analyzing the current business environment and developing appropriate ERM policies
    • Classifying specific records based upon their importance, regulatory requirements, and duration
    • Authenticating records by maintaining accurate logs and procedures to prove that these are the actual records, and that they have not been altered
    • Managing policy compliance


Planning for Business Continuity

• Electronic Records Management (ERM)
  – Managers must realize that businesses may be digitally liable for actions their employees have taken when communicating electronically
  – Electronic corporate information may reside on computers external to the company (e.g. cached email)


The Chief Information Security Officer Role

• With increasing pressure to comply with laws and regulations, many companies have added a chief information security officer (CISO) to their organization
• The CISO is responsible for monitoring information security risks and developing strategies to mitigate that risk


The Chief Information Security Officer Role

• As it is impossible to eliminate all risk, the CISO must balance the trade-offs between risks and the costs of eliminating them

  (Chart: Cost of Prevention versus Risk)