Unit1 PDF

The document discusses information systems and their components including hardware, software, data, networks, and people. It describes the functions of information systems including input, storage, processing, control and output. It also discusses the importance of information security and maintaining confidentiality, integrity and availability of data.

Uploaded by Sandeep Potnuru

CHAPTER 1

INFORMATION SYSTEMS
INFORMATION SYSTEMS
• An information system (IS) is a set of
interrelated components that collect, process,
store and distribute information to support
decision making and control in an organization.
• The components of an information system (IS)
include hardware, software, networks, databases
and human resources that interact to produce
information.
• A computer information system is a system
composed of people and computers that process
or interpret information.
INFORMATION SYSTEMS
COMPONENTS
• People: required for the operation of all
information systems. These people resources
include end users and IS specialists.
– End users (also called users or clients) are people
who use an information system or the information it
produces. They can be accountants, salespersons,
engineers, clerks, customers, or managers. Most of us
are information system end users.
– IS specialists are people who develop and operate
information systems. They include systems analysts,
programmers, computer operators, and other
managerial, technical, and clerical IS personnel.
• Hardware: The concept of hardware resources
includes all physical devices and materials used in
information processing. Examples of hardware in
computer-based information systems are:
– Computer systems: consist of central processing units
containing microprocessors, and a variety of
interconnected peripheral devices.
– Computer peripherals: devices such as a keyboard or
electronic mouse for input of data and commands, a
video screen or printer for output of information, and
magnetic or optical disks for storage of data resources.
• Software: includes all sets of information processing
instructions. This includes the sets of operating
instructions called programs, which direct and control
computer hardware as well as the sets of information
processing instructions needed by people, called
procedures. Examples of software resources are:
– System Software such as an operating system program,
– Application Software which are programs that direct
processing for a particular use of computers by end users.
– Procedures which are operating instructions for the people
who will use an information system.
• Data: the raw material of information systems.
Data can be:
– Alphanumeric data: composed of numbers and
alphabetical and other characters.
– Text data: consisting of sentences and paragraphs
used in written communications.
– Image data: such as graphic shapes and figures.
– Audio data: the human voice and other sounds.
• Network: Telecommunications networks like the
Internet have become essential to the successful
operations of all types of organizations and their
computer-based information systems. Communications
networks are a fundamental resource component of all
information systems. These include:
– Communication media: Examples include twisted pair
wire, coaxial cable, fiber-optic cable, microwave systems,
and communication satellite systems.
– Network Support: This includes people, hardware,
software, and data resources that directly support the
operation and use of a communications network. Examples
include communications control software such as network
operating systems and Internet packages.
IMPORTANCE OF INFORMATION
SYSTEMS
• Communication – with the help of information technologies, instant
messaging, e-mail, and voice and video calls have become quicker, cheaper
and much more efficient.
• Globalization and cultural gap – by implementing information
systems we can easily share information, knowledge,
communication and relationships across different countries,
languages and cultures.
• Availability – information systems have made it possible for
businesses to be open 24×7 all over the globe.
• Creation of new types of jobs – most jobs nowadays are
information-intensive, i.e. based on handling large amounts of
information. Examples: training, teaching, accountants, lawyers etc.
• Cost effectiveness and productivity – the IS application promotes
more efficient operation of the company and also improves the
supply of information to decision-makers. IS has a positive impact
on productivity.
INTERDEPENDENCE BETWEEN
ORGANIZATIONS AND IS
FUNCTIONS OF INFORMATION
SYSTEMS
• IS consists of data, hardware, software, procedures and
people.
• The major functions are: Input, storage, processing,
control, output.
• IS are developed to support specific business functions.
For example:
– Finance: FMIS (Financial Management Information System)
– Manufacturing: ERP (Enterprise Resource Planning)
– Human resources: HR information systems
– Marketing and sales: CRM (Customer Relationship Management)
Information Security
Information System Security (INFOSEC) refers to the process of
providing protection to computers, networks and the associated
data. As more and more information is stored across wide networks,
it becomes more crucial to protect it from unauthorized parties who
might misuse it. Every organization holds data sets that contain
confidential information about its activities.
The main reasons for securing an information system fall under
three headings:
• Confidentiality: only authorized personnel should be allowed
access to the data and system.
• Integrity: data is not altered by any unauthorized party.
• Availability: information can be accessed and modified by
authorized personnel within a given time frame.
Meaning
• Information systems security does not just deal with computer information, but also with
protecting data and information in all of its forms, such as telephone conversations.
Risk assessments must be performed to determine what information poses the
biggest risk. For example, one system may hold the most important information
and therefore need more security measures to maintain security. Business
continuity planning and disaster recovery planning are other responsibilities of an
information systems security professional, who plans for what could happen if a
major business disruption occurs while still allowing business to continue as usual.
• The term is often used in the context of the U.S. Navy, which defines INFOSEC as:
COMPUSEC + COMSEC + TEMPEST = INFOSEC
where COMPUSEC = computer systems security, COMSEC = communications security,
and TEMPEST = compromising emanations.
INFORMATION SYSTEMS SECURITY
AND THREATS
• Information systems play a crucial role, so they must be
kept safe and secure.
• Data contained in an IS must not be accessible to
unauthorized people.
• Threats:
– use of the Internet opens the door to external intrusion
– data stored on a computer's hard disk without precautions
can be read, copied or modified once the computer is connected to the Internet
– misuse of information systems by employees may cause
loss of productivity, loss of revenue, legal liabilities etc.
INFORMATION SYSTEMS SECURITY
• Trademark, copyright, patent, trade secrets
• Software licensing issues
• Data privacy under legal framework
• InfoSec and control frameworks such as Control
Objectives for Information and Related
Technologies (COBIT)
• International Organization for Standardization (ISO)
• Evidence of digital forensic practices and ethics
• Computer fraud and abuse acts: boundaries for illegal
access to computers
• Electronic surveillance and cybercrime
BUILDING BLOCKS OF INFORMATION SECURITY
INFORMATION SECURITY
• Information is an asset to all individuals and
businesses.
• Information Security refers to the protection of
these assets in order to achieve C-I-A, as shown in the
following diagram:
BASIC PRINCIPLES OF INFORMATION
SECURITY
• CIA: 3 Pillars of Information security
• Confidentiality
– means that your information can be seen only
by you and those you allow to see it.
– For example, your bank protects the confidentiality
of your information by requiring you to enter a
PIN that only you know at the ATM to see your
balance.
• Integrity
– involves making sure that your information cannot
be changed or removed without your
authorization.
– the information is as you expect it to be, and you'll
know if something has changed.
– For example, many banks protect the integrity of your
information by letting you set up an alert when
money is withdrawn from your account, regardless
of who made the withdrawal. These alerts are sent
to your phone or e-mail immediately, so you'll
know right away if there's a problem.
• Availability
– Ensures that you can get to your information
when you need it.
– For example, banks make your information available
to you in many ways, such as online banking,
ATM balance inquiries, and your monthly
statement.
IMPORTANT TERMS
• Electronic security
– refers to any electronic equipment that can perform
security operations like surveillance, access control, alarms
or intrusion control. Examples:
• CCTV Surveillance Security System
• Fire Detection/Alarming System
• Access Control/Attendance System
• Non-repudiation
– Method by which the sender of data is provided with proof of
delivery and the recipient is assured of the sender's identity.
– Neither sender nor recipient can deny having processed the
data.
– Connected with the concept of electronic signature.
• Electronic signature
– Operates on a message to assure source authenticity,
message integrity and source non-repudiation.
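An added example (not from the original slides) of the three electronic-signature properties just listed, using Go's standard-library Ed25519: the recipient verifies source authenticity and integrity with the sender's public key alone, and because only the holder of the private key can produce a signature that verifies, the sender cannot later deny having signed. The message text, the Tamper helper and the key names are constructed for this demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedMessage carries a message together with the signature its sender
// produced over it. The sender's public key is distributed separately.
type SignedMessage struct {
	Payload   []byte
	Signature []byte
}

// Sign produces the electronic signature of payload with the sender's private
// key. Only the holder of this key can produce a signature that verifies
// under the matching public key, which is what gives source non-repudiation.
func Sign(priv ed25519.PrivateKey, payload []byte) SignedMessage {
	return SignedMessage{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// Verify checks source authenticity and integrity using only the public key:
// it returns true only if the signature was made over exactly this payload by
// the matching private key. Any change to the payload, or a signature made
// with some other key, makes it return false.
func Verify(pub ed25519.PublicKey, m SignedMessage) bool {
	return ed25519.Verify(pub, m.Payload, m.Signature)
}

// Tamper models an in-transit modification: the payload is altered but the
// original signature is kept, which is all someone without the key can do.
func Tamper(m SignedMessage, from, to string) SignedMessage {
	return SignedMessage{
		Payload:   bytes.Replace(m.Payload, []byte(from), []byte(to), 1),
		Signature: m.Signature,
	}
}

// Demo runs three cases and reports whether each verifies: the genuine
// message, a tampered copy, and the genuine message checked against a
// different party's public key.
func Demo() (genuine, tampered, wrongKey bool) {
	senderPub, senderPriv, _ := ed25519.GenerateKey(rand.Reader)
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)

	msg := Sign(senderPriv, []byte("transfer 100 to account 42")) // constructed sample
	genuine = Verify(senderPub, msg)
	tampered = Verify(senderPub, Tamper(msg, "100", "900"))
	wrongKey = Verify(otherPub, msg)
	return
}

func main() {
	g, t, w := Demo()
	fmt.Println("genuine:", g, "tampered:", t, "other party's key:", w)
}
```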
• Encryption
– Modification of data for security purposes prior to its
transmission so that it is not comprehensible without the
decoding method.
• Cipher
– The modified data obtained after encryption.
• Cryptanalysis
– Being able to break the cipher so that the encrypted message
can be read.
• Cryptography
– Cryptography is associated with the process of converting
ordinary plain text into unintelligible text and vice-versa.
– It is a method of storing and transmitting data in a
particular form so that only those for whom it is intended
can read and process it.
• Denial of service (DoS) attack
– A Denial-of-Service (DoS) attack is an attack meant to shut down a
machine or network, making it inaccessible to its intended users. DoS
attacks accomplish this by flooding the target with traffic, or sending it
information that triggers a crash. In both instances, the DoS attack
deprives legitimate users (i.e. employees, members, or account holders)
of the service or resource they expected.
• Spoofing
– Spoofing is a type of scam where an intruder attempts to gain
unauthorized access to a user's system or information by pretending to be
the user. The main purpose is to trick the user into releasing sensitive
information in order to gain access to one's bank account or computer
system, or to steal personal information such as passwords.
• Steganography
– The art of hiding the existence of a message.
– Ensures confidentiality and integrity of data.
– Example: in a digital image, the least significant bit of each word can be
used to carry a message without causing any significant change in the
image.
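An added example (not from the original slides) of the least-significant-bit technique described above: it hides a message in the LSB of each 8-bit sample of a constructed grayscale cover, recovers it, and checks that no sample moved by more than 1. The 4-byte length prefix and the function names are this example's own design.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// Embed hides msg in the least significant bit of successive 8-bit samples of
// cover (for example grayscale pixel values). A 4-byte big-endian length
// prefix goes first so Extract knows how many bytes to recover. Each sample
// changes by at most 1, so a viewer sees no visible difference.
func Embed(cover, msg []byte) ([]byte, error) {
	payload := append(make([]byte, 4), msg...)
	binary.BigEndian.PutUint32(payload[:4], uint32(len(msg)))
	if len(payload)*8 > len(cover) {
		return nil, errors.New("cover too small for message")
	}
	stego := append([]byte(nil), cover...)
	for i, b := range payload {
		for bit := 0; bit < 8; bit++ {
			// clear the sample's LSB, then set it to the next message bit (MSB first)
			stego[i*8+bit] = (stego[i*8+bit] &^ 1) | ((b >> (7 - bit)) & 1)
		}
	}
	return stego, nil
}

// lsbByte reassembles the i-th hidden byte from eight sample LSBs (MSB first).
func lsbByte(stego []byte, i int) byte {
	var b byte
	for bit := 0; bit < 8; bit++ {
		b = b<<1 | stego[i*8+bit]&1
	}
	return b
}

// Extract reads the length prefix and then the message back out of the LSBs,
// refusing a prefix that claims more bytes than the cover can hold.
func Extract(stego []byte) ([]byte, error) {
	if len(stego) < 32 {
		return nil, errors.New("stego data too short for length prefix")
	}
	hdr := make([]byte, 4)
	for i := range hdr {
		hdr[i] = lsbByte(stego, i)
	}
	n := int(binary.BigEndian.Uint32(hdr))
	if (4+n)*8 > len(stego) {
		return nil, errors.New("length prefix exceeds cover size")
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = lsbByte(stego, 4+i)
	}
	return out, nil
}

// MaxDelta reports the largest per-sample change between cover and stego.
func MaxDelta(a, b []byte) int {
	d := 0
	for i := range a {
		x := int(a[i]) - int(b[i])
		if x < 0 {
			x = -x
		}
		if x > d {
			d = x
		}
	}
	return d
}
```

The cover used in the test is a constructed 16×16 grayscale ramp; any byte slice of samples, such as the raw pixel data of a bitmap, works the same way.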
• Identification
– Means by which users claim their identity to a
system
– Used for access control
– Necessary for authentication and authorization
• Authentication
– the process or action of verifying the identity of
a user or process
• Accountability
– A system’s ability to determine the actions and
behavior of a single individual within a system
and to identify that particular individual
• Authorization
– Access rights granted to a user, program or
process
• Privacy
– The level of confidentiality and privacy
protection that a user is given in a system
WHY DO WE NEED INFORMATION
CLASSIFICATION?
• Not all information has the same level of
importance or the same level of criticality.
• Prevent unauthorized disclosure and resultant
failure of confidentiality.
• Helps organization to apply security policies
and security procedures.
INFORMATION CLASSIFICATION
• Unclassified
• Sensitive but unclassified
• Confidential: some damage to the country's national security
• Secret: serious damage to the country's national security
• Top secret
CRITERIA FOR INFORMATION
CLASSIFICATION
• Value
• Age
• Useful life
• Personal association
Risk
A measure of the extent to which an entity is
threatened by a potential circumstance or
event, and typically a function of
• The adverse impacts that would arise if the
circumstance or event occurs
• The likelihood of occurrence.
It arises from the loss of confidentiality,
integrity, or availability of information or
information systems.
Risk Management
Risk management is a process to identify and then
manage threats which could severely impact or bring
down the organization.
• It is the process of identifying vulnerabilities and
threats to the information resources used by an
organization in achieving business objectives, and
deciding what countermeasures, if any, to take in
reducing risk to an acceptable level, based on the value
of the information resource to the organization. (CISA -
Cybersecurity and Infrastructure Security Agency, 2006)
• Successful risk management needs the involvement of
all levels of employers of an organization.
Vulnerability vs Threat vs Risk
Risk Management
There are two main areas of focus for risk management,
each with its own set of objectives.
Internal Factors
• To reassure management that the business is aware of,
and in control of, current and future business risks.
• To help improve the business’s operating performance
and shareholder value.
• To improve efficiency by reducing risk exposure
inherent in the business processes.
• To support the achievement of strategic goals.
• To safeguard business assets and reputation.
Risk Management
External Factors
• To ensure compliance with regulatory
requirements.
• To deliver competitive advantage.
• To reassure stakeholders and interest groups
that the business is actively managing risk.
Steps involved in Risk Management
Risk management involves the following steps:
• Reviewing the operations of the organization.
• Identifying potential threats to the
organization.
• Assessing the likelihood of their occurrence.
• Adopting appropriate actions to address the
most likely threats.
Risk Management
• Nowadays the perception of risk management has changed
dramatically. With the recent increase in rules and
regulations, employee-related lawsuits and reliance on key
resources, risk management is becoming a management
practice that is every bit as important as financial or
facilities management.
• Information security, availability and confidentiality only
address some of the components of an organization’s
information security. Therefore, we are moving beyond the
concept of just information security.
• Note: To successfully manage their risk in the future,
organizations need to develop an enterprise-wide risk
management framework.
• ....................... is a process to identify and then
manage threats which could severely impact or bring
down the organization.
• Successful risk management needs the involvement of
all levels of ....................... of an organization.
• To successfully manage their risk in the future,
organizations need to develop an ....................... risk
management framework.
• The two main areas of focus for risk management, each
with its own set of objectives, are internal and
....................... .
Risk Analysis
• Organizations should regularly undertake
comprehensive, focused assessment of
potential risks to the organization.
• The risk assessment process may vary from one
organization to another, but the outline of the
assessment work flow is as below:
Some important terms
Safeguard: a safeguard is the "control" or
"countermeasure" put in place to reduce the
risk associated with a specific threat or a group
of threats.
Asset: anything that the organization considers
a key component of its business process,
e.g. hardware, software, data, documents, etc.
Risk=threat
Risk assessment work flow
Establish the Risk Assessment Team
• The risk assessment team will be responsible for the collection, analysis, and reporting of the assessment results to management.
• It is important that all aspects of the activity work flow be represented on the team, including human resources, administrative processes, automated systems, and physical security.
Set the Scope of the Project
• The assessment team should identify at the outset the objective of the assessment project, department, or functional area to be assessed, the responsibilities of the members of the team, the personnel to be interviewed, the standards to be used, documentation to be reviewed and operations to be observed.
Identify Assets covered by the current Assessment
• Assets may include, but are not limited to, personnel, hardware, software, data (including classification of sensitivity and criticality), facilities and the controls that safeguard those assets.
• It is key to identify all assets associated with the assessment project determined in the scope.
Categorize Potential Losses
• Identify the losses that could result from any type of damage to an asset.
• Losses may result from physical damage, denial of service, modification, unauthorized access or disclosure.
• Losses may be intangible, such as the loss of the organization's credibility.
Identify Threats and Vulnerabilities
• A threat is an event, process, activity, or action that exploits a vulnerability to attack an asset. These could include power failure, biological contamination or hazardous chemical spills, acts of nature, hardware/software failure, data destruction or loss of integrity, sabotage, theft or vandalism.
• A vulnerability is a weakness which a threat will exploit to attack the assets.
• Vulnerabilities can be identified by addressing the following in your data collection process: physical security, environment, system security, communications security, personnel security, plans, policies, procedures, management, support, etc.
Identify Existing Controls
• Controls are safeguards that reduce the probability that a threat will exploit a vulnerability to successfully attack an asset.
• Identify those safeguards that are currently implemented, and determine their effectiveness in the context of the current analysis.
Analyse the Data
• In this phase, all the collected information will be used to determine the actual risks to the assets under consideration.
• One technique for analyzing the data is to prepare a list of assets showing the corresponding threats, type of loss and vulnerability.
• Analysis of this data should include an assessment of the possible frequency of the potential loss.
Determine Cost-effective Safeguards
• Include in this assessment the implementation cost of the safeguard, the annual cost to operate the safeguard, and the life cycle of the safeguard.
• The type of report to make depends on the audience to whom it is submitted.
• Typically, a simple report that is easy to read, and supported by detailed analysis, is more easily understood by individuals who may not be familiar with your organization.
• The report should include findings: a list of assets, threats, and vulnerabilities; a risk determination; recommended safeguards; and a cost-benefit analysis.
Approaches and Considerations of risk
analysis
• Qualitative risk analysis
• Quantitative risk analysis
• Qualitative risk analysis is based on a person's perception or
judgment, while quantitative risk analysis is based on verified and
specific data.
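An added worked example (not from the original slides) of the "analyse the data" and "determine cost-effective safeguards" steps of the work flow above, done quantitatively: one row of the asset/threat/vulnerability/loss table is given a loss per event and an assessed yearly frequency, and each candidate safeguard is scored from the implementation cost, annual operating cost and life cycle the work flow asks for. All names and figures are constructed for illustration; the frequency-reduction field is this example's own simplification of a safeguard's effectiveness.

```go
package main

import (
	"fmt"
	"sort"
)

// RiskItem is one row of the analysis table: asset, threat, vulnerability,
// type of loss, loss of a single occurrence and assessed occurrences per year.
type RiskItem struct {
	Asset, Threat, Vulnerability, LossType string
	LossPerEvent                           float64
	EventsPerYear                          float64
}

// ExpectedAnnualLoss is the quantitative measure of the risk: what one
// occurrence costs times how often it is expected each year.
func (r RiskItem) ExpectedAnnualLoss() float64 {
	return r.LossPerEvent * r.EventsPerYear
}

// Safeguard is a candidate control with the three cost figures the work flow
// asks for, plus the analyst's estimate of how much of the threat's
// frequency it removes (0 = none, 1 = all).
type Safeguard struct {
	Name                string
	ImplementationCost  float64 // one-off
	AnnualOperatingCost float64
	LifeCycleYears      float64
	FrequencyReduction  float64
}

// AnnualCost spreads the one-off cost over the life cycle and adds the
// yearly operating cost.
func (s Safeguard) AnnualCost() float64 {
	return s.ImplementationCost/s.LifeCycleYears + s.AnnualOperatingCost
}

// NetAnnualBenefit is the expected annual loss the safeguard removes minus
// what the safeguard costs per year; a negative value means it is not
// cost-effective for this risk.
func NetAnnualBenefit(r RiskItem, s Safeguard) float64 {
	return r.ExpectedAnnualLoss()*s.FrequencyReduction - s.AnnualCost()
}

// Ranked orders the candidates from best to worst net annual benefit. Risk
// acceptance is modelled as a zero-cost, zero-effect option for comparison.
func Ranked(r RiskItem, opts []Safeguard) []Safeguard {
	out := append([]Safeguard(nil), opts...)
	sort.SliceStable(out, func(i, j int) bool {
		return NetAnnualBenefit(r, out[i]) > NetAnnualBenefit(r, out[j])
	})
	return out
}

func main() {
	// constructed sample row and candidates; all figures are illustrative
	r := RiskItem{"customer database", "ransomware", "unpatched file server",
		"data destruction / loss of integrity", 200000, 0.2}
	opts := []Safeguard{
		{"offline backups", 30000, 5000, 5, 0.8},
		{"endpoint protection on every host", 60000, 40000, 3, 0.6},
		{"accept the risk", 0, 0, 1, 0},
	}
	fmt.Printf("expected annual loss: %.0f\n", r.ExpectedAnnualLoss())
	for _, s := range Ranked(r, opts) {
		fmt.Printf("%-35s net benefit per year %.0f\n", s.Name, NetAnnualBenefit(r, s))
	}
}
```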
Some important keywords
Control: Any kind of counter measure that becomes fairly automated and meets the
expectations of upper management is called a control.
Risk: Any kind of analysis that ties-in specific threats to specific assets with an eye
toward determining the costs and/or benefits of protecting that asset is called risk, or
risk assessment.
Risk Acceptance: It is simply accepting the identified risk without taking any
measures to prevent loss or the probability of the risk happening.
Risk Avoidance: It is a business strategy in which certain classes of activities or
business processes are not undertaken because the risks are too high to justify the return
on investment.
Risk Control: It is the entire process of policies, procedures and systems an institution
needs to manage prudently all the risks.
Risk Management: It is a process to identify and then manage threats which could
severely impact or bring down the organization.
Risk Reduction: It reduces the potential loss associated with that risk.
Risk Transfer: It involves transferring the weight or the consequence of a risk on to some other party.
Vulnerability: Any kind of asset that is not working optimally and is mission-critical
or essential to the organization, such as data that are not backed-up, is called a
vulnerability.
Summary
• Risk is virtually anything that threatens or limits the ability of an organization to achieve its
mission.
• Risk management is a process to identify and then manage threats which could severely
impact or bring down the organization.
• Successful risk management needs the involvement of all levels of employers of an
organization.
• To successfully manage their risk in the future, organizations need to develop an
enterprise-wide risk management framework.
• Organizations should regularly undertake comprehensive, focused assessment of potential
risks to the organization. This focused assessment should occur at least twice a year by a
team of staff members representing all the major functions of the organization.
• The purpose of a risk assessment is to help management create appropriate strategies and
controls for stewardship of information assets.
• Risk acceptance is also known by the name of risk retention. It is simply accepting the
identified risk without taking any measures to prevent loss or the probability of the risk
happening.
• Risk avoidance is a business strategy in which certain classes of activities or business
processes are not undertaken because the risks are too high to justify the return on
investment.
• Risk reduction reduces the potential loss associated with that risk.
