Topic 14 Security and Risk Updated


MIS NOTES

INFORMATION SYSTEM SECURITY

DEFINITION OF INFORMATION SYSTEM SECURITY


• Commonly referred to as data security, it refers to the policies, procedures and technical measures that
are used to prevent unauthorized access, alteration, theft or physical damage to information system
resources.
• Security may also be defined as the protection of data from accidental or deliberate threats that might cause
unauthorized modification, disclosure or destruction of data, as well as the protection of information
systems from degradation.

SECURITY GOALS
To retain a competitive advantage and to meet basic business requirements, organisations must endeavour to
achieve the following security goals:
1. Confidentiality
Protect the value of information and preserve the confidentiality of sensitive data. Information should not be
disclosed without authorization. Information whose release is permitted only to a certain section of the
public should be identified and protected against unauthorised disclosure.
2. Integrity
Ensure the accuracy and reliability of the information stored on the computer systems. Information has
integrity if it reflects, or is consistent with, the real-world situation it describes. Information
should not be altered without authorisation. Hardware designed to perform some functions has lost
integrity if it does not perform those functions correctly. Software has lost integrity if it does not perform
according to its specifications. Communication channels should relay messages in a secure manner so that
integrity is preserved. People should ensure the system functions according to its specifications.
3. Availability
Ensure the continued availability of the information system and all its assets to legitimate users at an
acceptable level or quality of service. Any event that degrades the performance or quality of a
system affects availability.
4. Ensure conformity to laws, regulations and standards.

SECURITY POLICY
Security failures can be costly to business. Losses may be suffered as a result of the failure itself or costs can
be incurred when recovering from the incident, followed by more costs to secure systems and prevent further
failure. A well-defined set of security policies and procedures can prevent losses and save money.
The information systems security policy is the responsibility of the top management of an organisation, who
delegate its implementation to the appropriate level of management while retaining oversight.
The policy contributes to the protection of information assets.
Its objective is to protect the information capital against all types of risks, accidental or intentional. An
existing and enforced security policy should ensure systems conformity with laws and regulations, integrity
of data, confidentiality and availability.

Key components of such a policy include the following


1. Management support and commitment – management should approve and support formal security
awareness and training.
2. Access philosophy – access to computerised information should be based on a documented ‘need-to-
know, need-to-do’ basis.
3. Compliance with relevant legislation and regulations
4. Access authorisation – the data owner or manager responsible for the accurate use and reporting of the
information should provide written authorisation for users to gain access to computerized information.
5. Reviews of access authorisation – like any other control, access controls should be evaluated regularly
to ensure they are still effective.
6. Security awareness – all employees, including management, need to be made aware on a regular basis
of the importance of security. A number of different mechanisms are available for raising security
awareness including:
a) Distribution of a written security policy.
b) Training on a regular basis of new employees, users and support staff.
c) Non-disclosure statements signed by employees.
d) Use of different media in promulgating security e.g. company newsletter, web page, videos, etc.
e) Visible enforcement of security rules.
f) Simulate security incidents for improving security procedures.
g) Reward employees who report suspicious events.

THREATS TO DATA SECURITY


When large amounts of data are stored in electronic form, they are exposed to more kinds of threats than
when they exist in manual form.
A vulnerability is a weakness within the system that can potentially lead to loss or harm. A system whose
programs contain exploitable flaws, or a site exposed to natural disasters, is vulnerable.
A threat is a possible danger that might exploit a vulnerability to breach security and thus cause
harm. Threats may lead to complete data loss, data corruption or inability to access data. Threats can
originate from technical, organizational and environmental factors, compounded by poor management
decisions.

Common threats include


Hardware failure
It may be either partial or complete. When computer hardware fails, data may be lost or corrupted; for
example, when the microprocessor or memory fails the system will not boot and data will not be accessible,
and when a hard drive fails the data on it is lost unless a current backup exists.
Software failure
When computer software (system or application software) fails, database users will not be able to access the
data stored in the database.
Electrical problems
Electrical problems such as spikes, surges, sags, brownouts and blackouts result in excess or insufficient
power. Excess power may damage computer equipment and hence destroy the data stored on its storage
devices. Insufficient power means the computer system will not boot, so data will not be accessible.
Computer viruses
A computer program designed to replicate itself by copying itself into other programs stored on a
computer.
Symptoms of viruses
1. “Swollen” files, i.e. the size of a file increases because the virus appends itself to the file
2. Programs take too long to load into memory
3. Files are unexpectedly marked as read only
4. An attempt by a user to print or save a file is not executed or permitted
User errors
When computer users accidentally or intentionally delete files or alter the contents of files, they are
compromising the security of an organization’s data.
Natural disasters
Fire, electrical storms, floods etc. are natural disasters that may destroy computer resources.

DATA SECURITY CONTROLS


Controls are a combination of manual and automated measures that safeguard information systems and
ensure that they perform according to management standards.
They consist of all the methods, policies and organizational procedures that ensure the safety of organizational
assets, the accuracy and reliability of its accounting records and operational adherence to management standards.
Controls are countermeasures to threats and are required to minimize errors, disasters, interruptions of
service, and computer crime.

Types of data security controls


They are classified into two groups namely general controls and application controls.

GENERAL CONTROLS
They apply to all computerized applications and consist of a combination of hardware, software and manual
procedures that creates an overall control environment.

Types of general controls


Administrative controls
These are formalized standards, rules, procedures and control disciplines which are aimed at ensuring that
the organizations resources are properly used. They ensure that job functions are designed to minimize risk
of errors or fraudulent manipulation of organizations data
They include
• Policies – a policy can be seen as a mechanism for controlling security
• Administrative procedures – may be put in place by an organization to ensure that users only do that
which they have been authorized to do
• Legal provisions – serve as security controls and discourage some forms of physical threat
• Ensuring that performance standards are clearly defined and frequently revised
• Definition of procedures for recovering the systems in case of failure

Software controls
They are aimed at minimizing software failure. They are controls that monitor use of software to prevent
unauthorized access to system software, application software and data.
They include
• Definition of passwords and data access permissions
• Installation of antivirus programs

Hardware controls
They ensure that computer hardware is physically secure and check for equipment malfunctions.
They include
• Locking of system units in cabinets to prevent theft of computer parts
• Using surge protectors or uninterruptible power supply units (UPS) to protect the hardware from
electrical problems.

Implementation controls
These are controls that monitor the system development process at various stages to ensure that the process is
properly controlled and managed. They are commonly referred to as system development controls
They include:
• Ensuring that users are involved in the development and implementation of systems.
• Ensuring that systems are properly tested before they are delivered to the users.
• Training of users to minimize user errors.
• Use of quality assurance techniques to ensure that the output is of the required quality.

APPLICATION CONTROLS
IT application or program controls are fully automated (i.e. performed automatically by the systems) controls
designed to ensure the complete and accurate processing of data, from input through output. They are
controls over the input, processing, and output functions.

Types of application controls


Input Controls
They are specific controls which relate to data input.
They verify the data for accuracy and completeness before it is entered into a computer system.
They include
• Ensuring that data capture devices are properly configured.
• Ensuring that the staff who key data are properly trained.
• Designing input screens to facilitate easy data entry.

Processing Controls
They establish that the data to be processed is accurate, complete and has value before it is processed.
They include data validation and data editing controls.
Data validation identifies data errors, incomplete or missing data and inconsistencies among related data
items. Validation controls ensure that the data to be processed has value, i.e. will enable the organization to
achieve its objectives.
Types of validation checks are:
Range or limit checks
These checks ensure that the data to be processed is within pre-defined limits or a pre-defined range.
File existence checks
Check that a file with a specified name exists. This check is essential for programs that use file handling.
Format checks
They ensure that the data to be processed is in the appropriate format, which may be text, number, date/time,
currency etc.
Consistency checks
Check fields to ensure that the data in related fields corresponds, e.g. if Title = "Mr.", then Gender = "M".
Sequence check
Control numbers must follow sequentially; any control number out of sequence or duplicated is rejected or
noted on an exception report for follow-up purposes. For example, invoices are numbered sequentially. The
day’s invoices begin with 12001 and end with 15045. If any invoice number larger than 15045 is encountered
during processing, that invoice is rejected as having an invalid invoice number.
Duplicate check
New transactions are matched to those previously input to ensure that they have not already been entered. For
example, a vendor invoice number is compared with previously recorded invoices to ensure that the current
invoice is not a duplicate and, therefore, the vendor will not be paid twice.
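As an added worked example (not part of the original notes), the following Python runs the range, file existence, format, consistency, sequence and duplicate checks described above over a constructed batch of vendor invoices. The record layout, the amount limit, the title/gender rule and the sample records are assumptions made for illustration; the 12001 to 15045 numbering is the page's own example.

```python
"""Processing-stage validation checks over a constructed batch of vendor invoices.
Added example: the records, limits and business rules below are assumptions."""
import os
import re
from datetime import date

ISO_DATE = re.compile(r"\d{4}-\d{2}-\d{2}")
# Assumed rule for the consistency check (the page's own "Mr." implies "M" example).
TITLE_GENDER = {"Mr.": "M", "Mrs.": "F", "Ms.": "F"}

# Constructed sample batch; comments state the defect each record was built to carry.
SAMPLE_INVOICES = [
    {"number": 12001, "vendor": "ACME", "amount": 250.00, "date": "2018-05-03", "title": "Mr.", "gender": "M"},    # clean
    {"number": 12002, "vendor": "ACME", "amount": 75000.00, "date": "2018-05-03", "title": "Ms.", "gender": "F"},  # amount over limit
    {"number": 12004, "vendor": "BETA", "amount": 40.50, "date": "03/05/2018", "title": "Mr.", "gender": "M"},     # gap in sequence, bad date format
    {"number": 12002, "vendor": "ACME", "amount": 10.00, "date": "2018-05-04", "title": "Mr.", "gender": "F"},     # duplicate number, title/gender mismatch
    {"number": 15046, "vendor": "BETA", "amount": 5.00, "date": "2018-05-04", "title": "Dr.", "gender": "F"},      # number outside the day's range
]


def file_existence_check(path):
    """File existence check: a job that reads a file must confirm it is there first."""
    return os.path.isfile(path)


def parse_iso_date(text):
    """Format check helper: accept only YYYY-MM-DD that is also a real calendar date."""
    if not ISO_DATE.fullmatch(text):
        return None
    try:
        return date.fromisoformat(text)
    except ValueError:
        return None


def validate_batch(invoices, first_number, last_number, max_amount, previously_recorded=()):
    """Return one (invoice number, [(check, message), ...]) per record, in input order.
    Records with an empty list pass; the rest belong on the exception report."""
    seen = set(previously_recorded)   # duplicate check: everything already entered
    expected = first_number           # sequence check: next control number due
    report = []
    for inv in invoices:
        n = inv["number"]
        errors = []
        # Range or limit checks: control number and amount within pre-defined limits.
        if not first_number <= n <= last_number:
            errors.append(("range", f"invoice {n} outside {first_number}-{last_number}"))
        if not 0 < inv["amount"] <= max_amount:
            errors.append(("range", f"amount {inv['amount']:.2f} outside 0-{max_amount:.2f}"))
        # Format check: the date field must be a valid YYYY-MM-DD.
        if parse_iso_date(inv["date"]) is None:
            errors.append(("format", f"date {inv['date']!r} is not YYYY-MM-DD"))
        # Consistency check: Title = "Mr." implies Gender = "M", and so on.
        implied = TITLE_GENDER.get(inv["title"])
        if implied is not None and implied != inv["gender"]:
            errors.append(("consistency", f"title {inv['title']} implies gender {implied}, got {inv['gender']}"))
        # Sequence check: each control number must follow the previous one.
        if n != expected:
            errors.append(("sequence", f"expected {expected}, got {n}"))
        # Duplicate check: match against everything previously input.
        if n in seen:
            errors.append(("duplicate", f"invoice {n} already entered"))
        seen.add(n)
        expected = max(expected, n + 1)
        report.append((n, errors))
    return report


if __name__ == "__main__":
    for number, errors in validate_batch(SAMPLE_INVOICES, 12001, 15045, 50000.00):
        print(number, "OK" if not errors else "EXCEPTION")
        for check, message in errors:
            print("   ", check + ":", message)
```

Each record collects every failed check rather than stopping at the first, which is what an exception report needs: the clerk following up on invoice 12002 should see that it is both a duplicate and inconsistent, not discover the second defect after fixing the first.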

Output controls
They ensure that the results of processing are accurate, complete and properly distributed.
They include:
1. There should be guidelines on how, where and when to destroy output.
2. The output should be clearly labeled with descriptive headings and processing dates.
3. There should be a distribution list to ensure that only those specified will receive the output.
4. Those who attempt to access softcopy output should be required to enter a password.
COMPUTER CRIME AND ABUSE
Computer Crime
This is the commission of illegal acts through the use of a computer system. It may destroy or corrupt
data.
Crime may be either online or offline. Online crime (cyber-crime or fraud) is carried out over the internet, an
intranet or an extranet, while offline crime involves physical access to data and other resources.
Types of computer crime
Hacking
It involves accessing an organization or individual’s data without permission. Hacking may be online or
offline.
Malicious Software
Cyber criminals use internet based software to transmit computer viruses which destroy or corrupt data.
Sniffing
It is a form of online fraud that involves configuring software to intercept data that is passing from a user to
the computer that is hosting a website.
Spoofing
Spoofers fraudulently misrepresent themselves as other organizations by setting up false websites from
where they can collect information about unsuspecting visitors to the website.

Computer Abuse
This is the commission of acts which are not illegal but are unethical, using a computer system.
The two most common types of computer abuse are:
Spamming
This is the sending of unsolicited mass e-mail to people who have not requested the messages.
Jamming
This is the use of software routines to tie up the computer that is hosting the website so that legitimate users
or visitors do not have access to the site.

Techniques to prevent online fraud/crime


Firewalls
They are used to protect sections of a website or an entire network from unauthorized access. A
firewall examines the traffic entering and leaving the network against a set of rules and allows only what
the rules permit to reach network resources.
Intrusion detection systems
They are programs or software tools configured to watch the most vulnerable points of networks exposed to
the public. They are aimed at detecting and deterring intruders.
They monitor the system and report any hacking attempt by raising alerts or warning messages.
Data encryption
This is the encoding of messages before they are transmitted. With public-key encryption the sender
encrypts the message using the intended receiver’s public key; when the receiver gets the message, he/she
decrypts it using the matching private key, which only the receiver holds.
Authentication and authorization
Authentication is the process of verifying that users are who they claim to be, typically by checking the
credentials they supply. Authorization is the separate decision of what an authenticated user is permitted
to do; only when both checks pass does the server grant the user access to the resource.
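The two-step decision described here, together with the ‘need-to-know, need-to-do’ access philosophy and the written access authorisation from the security policy section above, as an added Python example (not code from the original notes). The user names, passwords, PBKDF2 iteration count and the access list are constructed for illustration; the access list stands in for the data owner's written authorisation.

```python
"""Authentication, then authorization, as two separate checks.
Added example: users, passwords, the work factor and the access list are constructed."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; assumed value, tune to the server


def hash_password(password, salt=None):
    """Store a salted PBKDF2-HMAC-SHA256 hash, never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def authenticate(users, username, password):
    """Authentication: do the supplied credentials match the stored record?
    The comparison is constant-time so timing does not reveal how much matched."""
    record = users.get(username)
    if record is None:
        # Do the same work for an unknown user so its absence is not faster than a bad password.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def authorize(acl, username, resource, action):
    """Authorization on a need-to-know, need-to-do basis: permit only what the
    data owner has written down for this user and resource. Anything else is denied."""
    return action in acl.get(username, {}).get(resource, frozenset())


def access(users, acl, username, password, resource, action):
    """The server's decision: who are you, then what may you do."""
    if not authenticate(users, username, password):
        return "denied: authentication failed"
    if not authorize(acl, username, resource, action):
        return "denied: not authorized"
    return "granted"


# Constructed user directory (salt, hash) and access list.
USERS = {
    "clerk": hash_password("correct horse"),
    "auditor": hash_password("battery staple"),
}
ACL = {
    "clerk": {"payroll": frozenset({"read", "write"})},
    "auditor": {"payroll": frozenset({"read"}), "audit_log": frozenset({"read"})},
}

if __name__ == "__main__":
    print(access(USERS, ACL, "clerk", "correct horse", "payroll", "write"))    # granted
    print(access(USERS, ACL, "auditor", "battery staple", "payroll", "write")) # denied: not authorized
    print(access(USERS, ACL, "clerk", "wrong password", "payroll", "read"))    # denied: authentication failed
```

The auditor authenticates successfully and is still refused write access to payroll: a correct password proves identity, not entitlement. The access list is consulted per resource and per action with a default of deny, which is what the ‘need-to-know, need-to-do’ philosophy amounts to in code.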
Digital signatures
They are electronic codes that are attached to documents being transmitted so that the receiver can determine
the origin of the documents and verify whether they have been tampered with or not.
RISK MANAGEMENT
• Risk is the possibility that a threat will exploit a vulnerability and cause loss or harm; it combines the
likelihood of the event and the impact it would have on data security.
• Risk management is the technique for identifying, assessing and prioritizing the operational risks facing
an organization. It focuses on evaluating the impact of each risk and looking for ways of reducing it.

Principles of risk management


1. It should be systematic and structured
2. It should address all the uncertainties
3. It should be flexible or responsive to change
4. It should focus on creating value in the organization
5. It should be capable of continual improvement and enhancement
6. It should be tailored to meet specific objectives

RISK ASSESSMENT
• Risk assessment is the second process in the risk management methodology. Organizations use risk
assessment to determine the extent of the potential threat and the risk associated with an IT system
throughout its SDLC.
• The output of this process helps to identify appropriate controls for reducing or eliminating risk during
the risk mitigation process.

RISK MITIGATION
• Risk mitigation, the third process of risk management, involves prioritizing, evaluating, and
implementing the appropriate risk-reducing controls recommended from the risk assessment process.

Risk mitigation options (strategies)


Risk mitigation is a systematic methodology used by senior management to reduce mission risk. Risk
mitigation can be achieved through any of the following risk mitigation options or strategies:
Risk Assumption.
To accept the potential risk and continue operating the IT system or to implement controls to lower the risk
to an acceptable level
Risk Avoidance.
To avoid the risk by eliminating the risk cause and/or consequence (e.g., forgo certain functions of the
system or shut down the system when risks are identified)
Risk Limitation.
To limit the risk by implementing controls that minimize the adverse impact of a threat’s exercising a
vulnerability (e.g., use of supporting, preventive, detective controls)
Risk Transference.
To transfer the risk by using other options to compensate for the loss such as purchasing insurance.
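The assessment and mitigation steps above, carried through on a small constructed risk register as an added Python example (not from the original notes). The 1 to 5 likelihood and impact scales, the rating of likelihood times impact, the tolerance threshold and every entry in the register are assumptions chosen so that each of the four mitigation options is selected once; real programmes use whatever scales their methodology prescribes.

```python
"""Risk assessment (rate each threat/vulnerability pair) and risk mitigation
(rank them and pick an option). Added example; scales, threshold and register are assumed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    threat: str
    vulnerability: str
    likelihood: int                          # 1 (rare) .. 5 (almost certain)
    impact: int                              # 1 (negligible) .. 5 (catastrophic)
    control: str = ""                        # candidate control proposed by the assessment
    controlled_likelihood: Optional[int] = None
    controlled_impact: Optional[int] = None
    insurable: bool = False                  # can the remaining loss be transferred?


def score(likelihood, impact):
    """Assumed rating scheme: likelihood x impact on the 1..5 scales (1..25)."""
    return likelihood * impact


def inherent(risk):
    """Rating before any new control is applied."""
    return score(risk.likelihood, risk.impact)


def residual(risk):
    """Rating after the candidate control; equals the inherent rating if there is none."""
    if not risk.control:
        return inherent(risk)
    lk = risk.controlled_likelihood if risk.controlled_likelihood is not None else risk.likelihood
    im = risk.controlled_impact if risk.controlled_impact is not None else risk.impact
    return score(lk, im)


def recommend(risk, tolerance):
    """Map a rated risk to one of the four mitigation options."""
    if inherent(risk) <= tolerance:
        return "assumption"        # accept and keep operating
    if risk.control and residual(risk) <= tolerance:
        return "limitation"        # the control brings it within tolerance
    if risk.insurable:
        return "transference"      # residual loss covered by insurance
    return "avoidance"             # nothing else works: forgo or shut down


def prioritise(register, tolerance):
    """Rank by inherent rating, highest first, with the residual and the option."""
    ranked = sorted(register, key=inherent, reverse=True)
    return [(r.threat, inherent(r), residual(r), recommend(r, tolerance)) for r in ranked]


# Constructed register for a small IT system.
REGISTER = [
    Risk("Unpatched legacy remote-admin service", "vendor no longer issues fixes", 4, 4),
    Risk("Hard drive failure", "no off-site backup", 3, 5,
         control="nightly backup to off-site storage", controlled_likelihood=3, controlled_impact=2),
    Risk("Power outage", "no UPS", 4, 3,
         control="UPS plus surge protection", controlled_likelihood=1, controlled_impact=3),
    Risk("Fire in server room", "single site, no suppression", 2, 5,
         control="fire suppression", controlled_likelihood=2, controlled_impact=4, insurable=True),
    Risk("Flood", "site on high ground", 1, 5),
]
TOLERANCE = 6  # assumed: ratings at or below this are acceptable to management

if __name__ == "__main__":
    for threat, before, after, option in prioritise(REGISTER, TOLERANCE):
        print(f"{before:2} -> {after:2}  {option:12} {threat}")
```

The ranking is what mitigation starts from: the legacy service is top of the list and, with no control available and no way to insure it, the only option is to retire it. Fire suppression lowers the fire risk but not to within tolerance, so insurance carries the remainder on top of the control. Note that the flood entry is accepted on the strength of a low likelihood score; the assessment must be repeated when the situation that justified that score changes.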

NETWORK SECURITY
Communication networks (Wide Area or Local Area Networks) generally include devices connected to the
network, and programmes and files supporting the network operations. Control is accomplished through a
network control terminal and specialised communications software.
The following are controls over the communication network
1. Network control functions should be performed by technically qualified operators.
2. Network control functions should be separated and duties rotated on a regular basis where possible.
3. Network control software must restrict operator access from performing certain functions such as ability
to amend or delete operator activity logs.
4. Network control software should maintain an audit trail of all operator activities.
5. Audit trails should be reviewed periodically by operations management to detect any unauthorised
network operation activities.
6. Network operation standards and protocols should be documented and made available to the operators
and should be reviewed periodically to ensure compliance.
7. Network access by system engineers should be closely monitored and reviewed to detect unauthorised
access to the network.
8. Analysis should be performed to ensure workload balance, fast response time and system efficiency.
9. A terminal identification file should be maintained by the communication software to check the
authentication of a terminal when it tries to send or receive messages.
10. Data encryption should be used where appropriate to protect messages from disclosure during
transmission.

BUSINESS CONTINUITY PLANNING (BCP)


• BCP may be part of an organizational learning effort that helps reduce operational risk. A backup plan
that lets any business event continue uninterrupted is part of the business continuity plan. BCP is aimed at
improving the business processes of an organization in order to achieve its mission and ensure continuity.
• As companies increasingly rely on digital networks for their revenue and operations, they need to take
additional steps to ensure that their systems and applications are always available. Many factors can
disrupt the performance of a Web site, including denial of service attacks, network failure, heavy Internet
traffic, and exhausted server resources.
• Computer failures, interruptions, and downtime translate into disgruntled customers, millions of dollars
in lost sales, and the inability to perform critical internal transactions. Downtime refers to periods of time
in which a system is not operational.
• Fault-tolerant computer systems contain redundant hardware, software, and power supply components
that create an environment that provides continuous, uninterrupted service. Fault-tolerant computers
contain extra memory chips, processors, and disk storage devices to back up a system and keep it running
to prevent failure. They use special software routines or self-checking logic built into their circuitry to
detect hardware failures and automatically switch to a backup device. Parts from these computers can be
removed and repaired without disruption to the computer system.
• Fault tolerance should be distinguished from high-availability computing. Both fault tolerance and
high-availability computing are designed to maximize application and system availability. Both use
backup hardware resources. However, high-availability computing helps firms recover quickly from a
crash, whereas fault tolerance promises continuous availability and the elimination of recovery time
altogether. High-availability computing environments are a minimum requirement for firms with heavy
electronic commerce processing or for firms that depend on digital networks for their internal operations.
• High-availability computing requires an assortment of tools and technologies to ensure maximum
performance of computer systems and networks, including redundant servers, mirroring, load balancing,
clustering, high-capacity storage, and good disaster recovery and business continuity plans. The firm’s
computing platform must be extremely robust with scalable processing power, storage, and bandwidth.
Load balancing distributes large numbers of access requests across multiple servers. The requests are
directed to the most available server so that no single device is overwhelmed. If one server starts to get
swamped, requests are forwarded to another server with more capacity.
Mirroring uses a backup server that duplicates all the processes and transactions of the primary server. If
the primary server fails, the backup server can immediately take its place without any interruption in
service. However, server mirroring is very expensive because each server must be mirrored by an
identical server whose only purpose is to be available in the event of a failure.

BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING


Disaster recovery planning devises plans for the restoration of computing and communications services
after they have been disrupted by an event such as an earthquake, flood, or terrorist attack. Disaster recovery
plans focus primarily on the technical issues involved in keeping systems up and running, such as which files
to back up and the maintenance of backup computer systems or disaster recovery services.
Business continuity planning focuses on how the company can restore business operations after a disaster
strikes. The business continuity plan identifies critical business processes and determines action plans for
handling mission-critical functions if systems go down.
Business managers and information technology specialists need to work together on both types of plans to
determine which systems and business processes are most critical to the company. They must conduct a
business impact analysis to identify the firm’s most critical systems and the impact a systems outage would
have on the business.
Management must determine the maximum amount of time the business can survive with its systems down
and which parts of the business must be restored first.

INTERNET THREATS
The very nature of the Internet makes it vulnerable to attack. It was originally designed to allow for the freest
possible exchange of information, data and files. However, today the freedom carries a price. Hackers and
virus-writers try to attack the Internet and computers connected to the Internet and those who want to invade
other’s privacy attempt to crack into databases of sensitive information or snoop on information as it travels
across Internet routes.
It is, therefore, important in this situation to understand the risks and security factors that are needed to
ensure proper controls are in place when a company connects to the Internet.

Internet threats include


1. Disclosure
It is relatively simple for someone to eavesdrop on a ‘conversation’ taking place over the Internet.
Messages and data traversing the Internet can be seen by other machines including e-mail files,
passwords and in some cases key-strokes as they are being entered in real time.
2. Masquerade
A common attack is a user pretending to be someone else to gain additional privileges or access to
otherwise forbidden data or systems. This can involve a machine being reprogrammed to masquerade as
another machine (such as changing its Internet Protocol – IP address). This is referred to as spoofing.
3. Unauthorised access
Many Internet software packages contain vulnerabilities that render systems subject to attack.
Additionally, many of these systems are large and difficult to configure, resulting in a large percentage of
unauthorized access incidents.
4. Loss of integrity
Just as it is relatively simple to eavesdrop on a conversation, it is also relatively easy to intercept the
conversation and change some of its contents, or to repeat (replay) a message. This could have disastrous
effects if, for example, the message was an instruction to a bank to pay money.
5. Denial of service
Denial of service attacks occur when a computer connected to the Internet is inundated (flooded) with
data and/or requests that must be serviced. The machine becomes so tied up with dealing with these
messages that it becomes useless for any other purpose.
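The loss-of-integrity threat above (an intercepted instruction altered in transit, or an old one replayed) and the tamper-detection role the notes assign to digital signatures, as an added Python example that is not part of the original notes. The shared key, the message layout and the sample payment instruction are constructed. An HMAC is a symmetric check: both ends hold the same key, so it proves the message was not altered and came from a key holder, but not which one. A digital signature gives the same tamper evidence with a key pair; the standard library has no asymmetric primitives, so the symmetric form is shown here.

```python
"""Integrity tag plus sequence number on an instruction crossing an untrusted network.
Added example: the key, message format and sample instruction are constructed."""
import hashlib
import hmac
import json

SHARED_KEY = b"key-agreed-out-of-band"  # constructed; in practice random and per session


def seal(key, seq, payload):
    """Sender: bind a sequence number to the payload and tag the whole message."""
    body = json.dumps({"seq": seq, "payload": payload}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


class Receiver:
    """Receiver remembers the highest sequence number it has accepted."""

    def __init__(self, key):
        self.key = key
        self.last_seq = 0

    def accept(self, body, tag):
        # 1. Integrity: recompute the tag; any changed byte yields a different tag.
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return ("rejected", "tag mismatch: message altered or forged")
        msg = json.loads(body)
        # 2. Freshness: a repeated or older message is refused even though its tag is valid.
        if msg["seq"] <= self.last_seq:
            return ("rejected", f"replay: seq {msg['seq']} already seen")
        self.last_seq = msg["seq"]
        return ("accepted", msg["payload"])


def run_demo():
    """A genuine instruction, an in-transit edit, a replay, then the next valid one."""
    bank = Receiver(SHARED_KEY)
    body, tag = seal(SHARED_KEY, 1, {"to": "Alice", "amount": 100})
    outcomes = [bank.accept(body, tag)]                        # genuine: accepted
    altered = body.replace(b'"amount": 100', b'"amount": 1000')  # attacker edits the amount
    outcomes.append(bank.accept(altered, tag))                 # old tag no longer matches: rejected
    outcomes.append(bank.accept(body, tag))                    # original sent again: rejected as replay
    body2, tag2 = seal(SHARED_KEY, 2, {"to": "Bob", "amount": 50})
    outcomes.append(bank.accept(body2, tag2))                  # next in sequence: accepted
    return outcomes


if __name__ == "__main__":
    for status, detail in run_demo():
        print(status, detail)
```

The tag alone does not stop the replay: the third message is byte-for-byte the first one and carries a valid tag, so the receiver must also track what it has already acted on. Both checks are needed, and the tag is computed over the sequence number as well as the payload so an attacker cannot renumber a captured message to get it past the second check.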
KASNEB PAST PAPER QUESTIONS
May 2018 Q2a(ii), Q4a&b, Q5c&d, Q6d, Q7e
Dec 2017 Q1d, Q3a, Q5b, Q6d(iii), Q7a
May 2017 Q3b, Q6d, Q7c
Nov 2016 Q1b, Q3b, Q6c, Q7a
May 2016 Q1b, Q3b, Q6b
Nov 2015 Q4a, Q6b
Sep 2015 Q3c, Q4c, Q6a
May 2015 Q1b
Dec 2014 Q3c, Q5b
May 2014 Q3a
