Managing Digital Firms: Information Security: Unit 4

This document discusses several topics related to managing digital firms, including: 1) Information security controls that help protect data availability, confidentiality and integrity by reducing risks like breaches and unauthorized changes. 2) Quality assurance which ensures software and services meet customer needs through a defined process of planning, doing, checking and acting. 3) Ethical and social dimensions as well as intellectual property rights which are important considerations for IT services and products.

Uploaded by Janavi Kalekar
Managing Digital Firms: Information Security
Unit 4

Managing Digital Firms
• Management Issues:
• Information Security and Control
• Quality Assurance
• Ethical and Social Dimensions
• IPR related to IT Services / IT Products
Information security controls
• Information security controls are measures taken to reduce information security risks such as information systems breaches, data theft, and unauthorized changes to digital information or systems. These security controls are intended to help protect the availability, confidentiality, and integrity of data and networks, and are typically implemented after an information security risk assessment.
Security of an Information System
• Information system security refers to the way the system is defended against unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

• There are two major aspects of information system security:

• Security of the information technology used: securing the system from malicious cyber-attacks that try to break into the system, access critical private information or gain control of the internal systems.

• Security of data: ensuring the integrity of data when critical issues arise such as natural disasters, computer/server malfunction, physical theft etc. Generally an off-site backup of data is kept for such problems.
Types of information security controls
• Types of information security controls include security policies, procedures, plans, devices and software intended to strengthen cybersecurity. There are three categories of information security controls:

• Preventive security controls, designed to prevent cyber security incidents
• Detective security controls, aimed at detecting a cyber security breach attempt ("event") or successful breach ("incident") while it is in progress, and alerting cyber security personnel
• Corrective security controls, used after a cyber security incident to help minimize data loss and damage to the system or network, and restore critical business systems and processes as quickly as possible ("resilience")
Guaranteeing effective information security has the following key aspects:
• Preventing unauthorized individuals or systems from accessing the information.

• Maintaining and assuring the accuracy and consistency of data over its entire life-cycle.

• Ensuring that the computing systems, the security controls used to protect them and the communication channels used to access them function correctly at all times, thus keeping information available in all situations.

• Ensuring that the data, transactions, communications or documents are genuine.

• Ensuring the integrity of a transaction by validating that both parties involved are genuine, by incorporating authentication features such as "digital signatures".

• Ensuring that once a transaction takes place, none of the parties can deny it, either having received a transaction or having sent a transaction. This is called 'non-repudiation'.

• Safeguarding data and communications stored and shared in network systems.


Information Security and Control
• Technology is not the key issue in information systems security and control. The technology provides a foundation, but in the absence of intelligent management policies, even the best technology can be easily defeated. For instance, experts believe that over 90 percent of successful cyberattacks could have been prevented by technology available at the time. Inadequate human attention made these attacks so prevalent.

• Protection of information resources requires a sound security policy and set of controls. ISO 17799, an international set of standards for security and control, provides helpful guidelines. It specifies best practices in information systems security and control, including security policy, business continuity planning, physical security, access control, compliance, and creating a security function within the organization.
Types of Information Systems Controls
Protection of information resources requires a well-designed set of controls. Computer systems are controlled by a combination of general controls and application controls. General controls govern the design, security, and use of computer programs and the security of data files in general throughout the organization's information technology infrastructure. On the whole, general controls apply to all computerized applications and consist of a combination of hardware, software, and manual procedures that create an overall control environment. Application controls are specific controls unique to each computerized application, such as payroll or order processing. They consist of controls applied from the business functional area of a particular system and from programmed procedures.
Security controls come in the form of:
• Access controls, including restrictions on physical access such as security guards at building entrances, locks, and perimeter fences
• Procedural controls such as security awareness education, security framework compliance training, and incident response plans and procedures
• Technical controls such as multi-factor user authentication at login and logical access controls, antivirus software, firewalls
• Compliance controls such as privacy laws and cyber security frameworks and standards.
Quality Assurance

• What is Quality?
• Quality is extremely hard to define, and is often stated simply as "fit for use or purpose". It is all about meeting the needs and expectations of customers with respect to functionality, design, reliability, durability and price of the product.
• What is Assurance?
• Assurance is a positive declaration about a product or service, which gives confidence. It is the certainty that a product or service will work well. It provides a guarantee that the product will work without any problems as per the expectations or requirements.
Quality Assurance in Software Testing

• Quality Assurance in Software Testing is defined as a procedure to ensure the quality of software products or services provided to the customers by an organization. Quality assurance focuses on improving the software development process and making it efficient and effective as per the quality standards defined for software products. Quality Assurance is popularly known as QA Testing.
How to do Quality Assurance: Complete Process

• Quality Assurance methodology has a defined cycle called the PDCA cycle or Deming cycle. The phases of this cycle are:

• Plan
• Do
• Check
• Act
Difference between Quality Control and Quality Assurance?
Role of Software Quality Assurance
• Quality assurance managers play a crucial role in business by ensuring that products meet certain thresholds of acceptability. They plan, direct or coordinate quality assurance programs and formulate quality control policies. They also work to improve an organization's efficiency and profitability by reducing waste.
Quality Assurance Tools (Software Quality Assurance Tools)
• Cause-and-effect diagram
• Check sheet
• Control chart
• Histogram
• Pareto chart
• Scatter diagram
• Stratification (alternately, flow chart or run chart)
Quality Assurance Management System
• A quality management system (QMS) is a formalized system that documents processes, procedures, and responsibilities for achieving quality policies and objectives. A QMS helps coordinate and direct an organization's activities to meet customer and regulatory requirements and improve its effectiveness and efficiency on a continuous basis.

• Quality management systems serve many purposes, including:

– Improving processes
– Reducing waste
– Lowering costs
– Facilitating and identifying training opportunities
– Engaging staff
– Setting organization-wide direction
QMS
• A Quality Assurance System is any systematic process of determining whether a product or service meets specified requirements.

• Quality assurance standards are a set of standards that have been chosen and implemented by businesses all around the world to show commitment to delivering quality products and services to customers. Specifically, quality assurance (or QA) standards are about meeting customer and other requirements.
Ethical & Social Dimensions
IPR related to IT Services / IT Products