Chapter 8
SECURING INFORMATION SYSTEM

Jovita Angela
Learning Objectives

01 Why are information systems vulnerable to destruction, error, and abuse?
02 What is the business value of security and control?
03 What are the components of an organizational framework for security and control?
04 What are the most important tools and technologies for safeguarding information resources?
SYSTEM VULNERABILITY AND ABUSE (1)
You need to make security and control a top priority to operate a business.

WHY ARE SYSTEMS VULNERABLE?
When data are stored in electronic form, the potential for unauthorized access, abuse, or fraud is not limited to a single location but can occur at any access point in the network.

Security
The policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems.

Controls
Methods, policies, and organizational procedures that ensure the safety of the organization’s assets; the accuracy and reliability of its records; and operational adherence to management standards.
SYSTEM VULNERABILITY AND ABUSE (2)

Internet Vulnerabilities
01 Network open to anyone.
02 Attachments with malicious software.
03 Use of fixed Internet addresses with cable or DSL modems creates fixed targets for hackers.
04 Interception.
05 Transmitting trade secrets.
06 Size of Internet means abuses can have wide impact.

Wireless security challenges
01 Radio frequency bands easy to scan.
02 Users often fail to implement WEP or stronger systems.
03 SSIDs (service set identifiers) identify access points.
04 Uses shared password for both users and access point.
05 Broadcast multiple times.
06 War driving.
07 Unencrypted VOIP.
MALICIOUS SOFTWARE: VIRUSES, WORMS, TROJAN HORSES, AND SPYWARE
Malicious software: malware and a variety of threats.

A computer virus
A rogue software program that attaches itself to other software programs or data files in order to be executed, usually without user knowledge or permission.

Worms
Independent computer programs that copy themselves from one computer to other computers over a network.

Trojan horse
A software program that appears to be benign but then does something other than expected. It is often a way for viruses to be introduced into a computer system.

Spyware
Small programs that install themselves surreptitiously on computers to monitor user Web surfing activity and serve up advertising.
HACKERS AND COMPUTER CRIME
A hacker: An individual who intends to gain unauthorized access to a computer system.
Computer crime: Any violation of criminal law that involves a knowledge of computer technology for its perpetration, investigation, or prosecution.

Cybervandalism
The intentional disruption, defacement, or even destruction of a Web site or corporate information system.

Spoofing
Redirecting a Web link to an address different from the intended one, with the site masquerading as the intended destination.

Identity theft
A crime in which an imposter obtains key pieces of personal information, such as social security identification numbers, driver’s license numbers, or credit card numbers, to impersonate someone else.

Phishing
Setting up fake Web sites or sending e-mail or text messages that look like those of legitimate businesses to ask users for confidential personal data.

A sniffer
An eavesdropping program that monitors information traveling over a network.

Denial-of-service (DoS) attack
Hackers flood a network server or web server with thousands of false communications or requests for services to crash the network.

Evil twins
Wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet, such as those in airport lounges, hotels, or coffee shops.

Click fraud
An individual or computer program fraudulently clicks on an online ad without any intention of learning more about the advertiser or making a purchase.
INTERNAL CRIME AND SOFTWARE VULNERABILITY

Internal Crime
Employees have access to privileged information, and in the presence of sloppy internal security procedures, they are often able to roam throughout an organization’s systems without leaving a trace.

Social Engineering
Malicious intruders seeking system access sometimes trick employees into revealing their passwords by pretending to be legitimate members of the company in need of information.

Software Vulnerability
Software errors pose a constant threat to information systems, causing untold losses in productivity.
A major problem with software is the presence of hidden bugs or program code defects.
To correct software flaws once they are identified, the software vendor creates small pieces of software called patches to repair the flaws without disturbing the proper operation of the software.
BUSINESS VALUE OF SECURITY AND CONTROL

Companies have confidential information to protect: individuals’ taxes, financial assets, medical records, job performance reviews, trade secrets, new product development plans, and marketing strategies.
Businesses must protect not only their own information assets but also those of customers, employees, and business partners. Failure to do so may open the firm to costly litigation for data exposure or theft.

Legal And Regulatory Requirements For Electronic Records Management
Firms face new legal obligations for the retention and storage of electronic records as well as for privacy protection.

HIPAA
Medical security and privacy rules and procedures.

Gramm-Leach-Bliley Act
Requires financial institutions to ensure the security and confidentiality of customer data.

Sarbanes-Oxley Act
Imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and released externally.

Electronic Evidence And Computer Forensics

Computer forensics
Scientific collection, examination, authentication, preservation, and analysis of data from computer storage media for use as evidence in a court of law.
Establishing A Framework for Security and Control (1)
You’ll need to know where your company is at risk and what controls you must have in place to protect your information systems, and also develop a security policy and plans for keeping your business running if your information systems aren’t operational.

INFORMATION SYSTEMS CONTROLS

General controls
Govern the design, security, and use of computer programs and the security of data files in general throughout the organization’s information technology infrastructure.

Application controls
Specific controls unique to each computerized application: (1) input controls, (2) processing controls, and (3) output controls.

RISK ASSESSMENT
A risk assessment determines the level of risk to the firm if a specific activity or process is not properly controlled.
Business managers should try to determine the value of information assets, points of vulnerability, the likely frequency of a problem, and the potential for damage.

SECURITY POLICY
Statements ranking information risks, identifying acceptable security goals, and identifying the mechanisms for achieving these goals.

An Acceptable Use Policy (AUP)
Acceptable uses of the firm’s information resources and computing equipment, including desktop and laptop computers, wireless devices, telephones, and the Internet.

Identity Management
Business processes and software tools for identifying the valid users of a system and controlling their access to system resources.
Establishing A Framework for Security and Control (2)

Disaster Recovery Planning and Business Continuity Planning
You need to plan for events, such as power outages, floods, earthquakes, or terrorist attacks, that will prevent your information systems and your business from operating.

Disaster Recovery Planning
Devises plans for the restoration of computing and communications services after they have been disrupted.

Business continuity planning
How the company can restore business operations after a disaster strikes.

The Role Of Auditing
Organizations must conduct comprehensive and systematic audits to know that information systems security and controls are effective.

MIS audit
Examines the firm’s overall security environment as well as controls governing individual information systems.
Security audits review technologies, procedures, documentation, training, and personnel.
The audit lists and ranks all control weaknesses and estimates the probability of their occurrence.
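The risk assessment (asset value, point of vulnerability, likely frequency, potential for damage) and the audit step that ranks control weaknesses by their estimated probability are the same calculation seen from two sides. The following is an added example, not part of the original slides: it scores constructed sample weaknesses by expected annual loss, ranks them, and checks whether a proposed control costs less than the loss it removes. The figures and weakness names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Weakness:
    """One point of vulnerability found during the assessment or audit."""
    name: str
    asset_value: float   # value of the information asset at risk (currency units)
    exposure: float      # potential for damage: fraction of the asset lost per incident, 0..1
    annual_rate: float   # likely frequency: expected incidents per year (the audit's probability)

    def single_loss(self) -> float:
        """Loss expected from one incident (asset value x exposure)."""
        return self.asset_value * self.exposure

    def annual_loss(self) -> float:
        """Expected loss per year: single loss x annual rate of occurrence."""
        return self.single_loss() * self.annual_rate


def rank_weaknesses(weaknesses):
    """Order weaknesses so the audit report lists the most costly first."""
    return sorted(weaknesses, key=lambda w: w.annual_loss(), reverse=True)


def control_is_worthwhile(w, control_cost, exposure_after, rate_after):
    """A control pays for itself when the annual loss it removes exceeds its annual cost."""
    residual = w.asset_value * exposure_after * rate_after
    return (w.annual_loss() - residual) > control_cost


# Constructed sample inventory (hypothetical values, not from any real assessment).
SAMPLE = [
    Weakness("Customer database: unpatched web application", 1_000_000, 0.5, 0.25),
    Weakness("Laptop theft with unencrypted disk", 200_000, 1.0, 0.5),
    Weakness("Phishing of employee credentials", 500_000, 0.2, 2.0),
    Weakness("Web site defacement", 50_000, 1.0, 1.0),
]

if __name__ == "__main__":
    for w in rank_weaknesses(SAMPLE):
        print(f"{w.annual_loss():>10,.0f}  {w.name}")
    laptop = SAMPLE[1]
    # Disk encryption: the hardware is still lost, but little of the asset value is exposed.
    print("encrypt laptops:", control_is_worthwhile(laptop, 20_000, 0.125, 0.5))
```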
Technologies and Tools for Protecting Information Resources
Businesses have an array of technologies for protecting their information resources. These include tools for managing user identities, preventing unauthorized access to systems and data, ensuring system availability, and ensuring software quality.

Identity Management
The process of keeping track of all these users and their system privileges, assigning each user a unique digital identity for accessing each system.

Authentication
The ability to know that a person is who he or she claims to be, using a password, a token, a smart card, or biometric authentication.

A Firewall
Combination of hardware and software that controls the flow of incoming and outgoing network traffic. Firewalls prevent unauthorized users from accessing private networks.

Intrusion Detection Systems
Feature full-time monitoring tools placed at the most vulnerable points or “hot spots” of corporate networks to detect and deter intruders continually.

Antivirus software
Designed to check computer systems and drives for the presence of computer viruses.

Encryption
The process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and the intended receiver.

Public Key Encryption
A series of public and private keys that lock data when they are transmitted and unlock the data when they are received.
ENSURING SYSTEM AVAILABILITY
As companies increasingly rely on digital networks for revenue and operations, they need to take additional steps to ensure that their systems and applications are always available.

Fault-Tolerant Computer Systems
Redundant hardware, software, and power supply components that create an environment that provides continuous, uninterrupted service. They try to minimize downtime.

Downtime
Periods of time in which a system is not operational.

Controlling Network Traffic
Bandwidth-consuming applications such as file-sharing programs, Internet phone service, and online video are able to clog and slow down corporate networks, degrading performance.

Deep Packet Inspection (DPI)
Examines data files and sorts out low-priority online material while assigning higher priority to business-critical files.

Security Outsourcing
A company can outsource many security functions to provide a secure high-availability computing environment.

Managed Security Service Providers (MSSPs)
Monitor network activity and perform vulnerability testing and intrusion detection.
SECURITY ISSUES FOR CLOUD COMPUTING AND THE MOBILE DIGITAL PLATFORM
Although cloud computing and the emerging mobile digital platform have the potential to deliver powerful benefits, they pose new challenges to system security and reliability.

Security in the Cloud
01 Cloud users need to confirm that regardless of where their data are stored or transferred, they are protected at a level that meets their corporate requirements.
02 They should stipulate that the cloud provider store and process data in specific jurisdictions according to the privacy rules of those jurisdictions.
03 Cloud clients should find how the cloud provider segregates their corporate data from those of other companies and ask for proof that encryption mechanisms are sound.
04 Ask whether cloud providers will submit to external audits and security certifications.

Securing Mobile Platforms
01 Companies should make sure that their corporate security policy includes mobile devices, with additional details on how mobile devices should be supported, protected, and used.
02 Firms should develop guidelines stipulating approved mobile platforms and software applications as well as the required software and procedures for remote access of corporate systems.