L6 - Information Systems Security

The document discusses information systems security. It identifies the CIA security triad of confidentiality, integrity, and availability. It also outlines several common information security tools like authentication, access control, encryption, passwords, backups, firewalls, and virtual private networks. Finally, it provides recommendations for personal digital security including using strong passwords, antivirus software, and backing up data.

Uploaded by

hieubot1111

KHOA CÔNG NGHỆ THÔNG TIN (Faculty of Information Technology)

Course: INTRODUCTION TO MANAGEMENT INFORMATION SYSTEMS

Lecture 6: Information Systems Security

Department of Information System

2023-2024
Learning Objectives

Upon successful completion of this lecture, you will be able to:

• Identify the information security triad
• Identify and understand the high-level concepts surrounding information security tools
• Secure yourself digitally

Introduction

• Computers and digital devices are becoming integral to conducting business
• This also makes them a target of attack
• Devices need to be secured
• The networks that computers and devices use should also be secured

Information Security Triad - CIA Triad

[Figure: a triangle whose three sides are labelled Confidentiality, Integrity, and Availability]

• Confidentiality – restrict access to authorized individuals
• Integrity – data has not been altered in an unauthorized manner
• Availability – information can be accessed and modified by authorized individuals in an appropriate timeframe

Tools for Information Security

• Authentication
• Access Control
• Encryption
• Passwords
• Backup
• Firewalls
• Virtual Private Networks (VPN)
• Physical Security
• Security Policies
Authentication

• The person accessing the information is who they say they are
• Factors of identification:
  • Something you know – user ID and password
    • The user ID identifies you while the password authenticates you
    • Easy to compromise if the password is weak
  • Something you have – key or card
    • Can be lost or stolen
  • Something you are – physical characteristics (e.g., biometrics)
    • Much harder to compromise
• A combination of at least 2 factors is recommended

Access Control

• Once authenticated – only provide access to the information necessary to perform their job duties, to read, modify, add, and/or delete information, by:
  • Access control list (ACL) created for each resource (information)
    • List of users that can read, write, delete or add information
    • Difficult to maintain all the lists
  • Role-based access control (RBAC)
    • Rather than individual lists, users are assigned to roles
    • Roles define what they can access
    • Simplifies administration
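The ACL and RBAC models above, side by side, as an added example that is not part of the lecture: the same permission question is answered both ways, and the onboarding helpers show why RBAC is easier to administer. Users, roles, resources and permissions are constructed sample data.

```python
# Added example (not from the lecture): the same "can this user do this?" question
# answered with per-resource access control lists and with role-based access control.
# Users, roles, resources and permissions are constructed sample data.

# ACL model: every resource carries its own list of users and allowed operations.
ACLS = {
    "payroll.xlsx": {"alice": {"read", "write"}, "bob": {"read"}},
    "hr_policy.pdf": {"alice": {"read"}, "bob": {"read"}, "carol": {"read"}},
}

def acl_can(acls, user, resource, op):
    """Allow only if the resource's ACL lists this user with this operation (default deny)."""
    return op in acls.get(resource, {}).get(user, set())

# RBAC model: permissions attach to roles; users are assigned roles, not resource entries.
ROLE_PERMISSIONS = {
    "hr_manager": {("payroll.xlsx", "read"), ("payroll.xlsx", "write"),
                   ("hr_policy.pdf", "read")},
    "employee": {("hr_policy.pdf", "read")},
}
USER_ROLES = {"alice": {"hr_manager"}, "bob": {"employee"}, "carol": {"employee"}}

def rbac_can(role_perms, user_roles, user, resource, op):
    """Allow if any role held by the user grants (resource, op); unknown users get nothing."""
    return any((resource, op) in role_perms.get(role, set())
               for role in user_roles.get(user, set()))

def acl_edits_to_grant_role(role_perms, role):
    """Number of separate resource ACLs an administrator must edit to hand out one
    role's permissions by hand; this is the maintenance burden RBAC removes."""
    return len({resource for resource, _ in role_perms[role]})

def grant_role(user_roles, user, role):
    """RBAC onboarding: one change to the user's role set, no resource ACL is touched.
    Returns a new mapping so the original assignments are left unchanged."""
    updated = {u: set(r) for u, r in user_roles.items()}
    updated.setdefault(user, set()).add(role)
    return updated
```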

Encryption

• An algorithm (program) encodes or scrambles information during transmission or storage
• Decoded/unscrambled only by the individuals authorized to read it
• How is this done?
  • Both parties agree on the encryption method (there are many) using keys
  • Symmetric key – sender and receiver hold the same key; sharing that key can be risky
  • Public key – uses a public and a private key, where the public key is used to send an encrypted message and the private key is used by the receiver to decode the message

Passwords

• Single-factor authentication (user ID/password) is the easiest to break
• Password policies ensure that this risk is minimized by requiring:
  • A certain length, to make it harder to guess
  • Certain characters – such as upper and lower case, one number, and a special character
  • Changing passwords regularly and not allowing a password to be reused
  • That employees do not share their password
  • Notifying the security department if they feel their password has been compromised
  • Yearly confirmation from employees that they understand their responsibilities
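The length, character-class, reuse and rotation rules listed above as an enforceable check, added here as an example that is not part of the lecture. The thresholds (12 characters, 90-day rotation) are assumed values, and the history is kept as plain SHA-256 digests only to keep the example self-contained; a real system stores passwords with a salted, slow hash such as bcrypt or Argon2.

```python
import hashlib
import string
from datetime import date, timedelta

# Added example (not from the lecture): a checker for the password policy rules listed
# on the slide. MIN_LENGTH and MAX_AGE_DAYS are assumed values, not the lecture's.
# The history uses SHA-256 digests for illustration only; a real system would use a
# salted, slow password hash (bcrypt, scrypt, Argon2).
MIN_LENGTH = 12
MAX_AGE_DAYS = 90
SPECIALS = set(string.punctuation)

def digest(password):
    """Digest used to remember previously used passwords without storing them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def policy_violations(candidate, previous_digests=()):
    """Return the policy rules the candidate breaks; an empty list means it is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in SPECIALS for c in candidate):
        problems.append("no special character")
    if digest(candidate) in previous_digests:
        problems.append("previously used")
    return problems

def rotation_due(last_changed_iso, today_iso):
    """True when the password is older than the rotation period (dates as ISO strings)."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)
```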

Backup

• Important information should be backed up and stored in a separate location
• Very useful if the primary computer systems become unavailable
• A good backup plan requires:
  • Understanding of the organizational information resources
  • Regular backups of all data
  • Offsite storage of backups
  • Testing of data restoration
• Complementary practices:
  • UPS systems
  • Backup processing sites
Firewalls

• Can be a piece of hardware and/or software
• Inspects packets of information and stops those that don't conform to a strict set of rules
  • Inbound and outbound
• Hardware firewalls are connected to the network
• Software firewalls run on the operating system and intercept packets as they arrive at a computer
• Multiple firewalls can be implemented to allow segments of the network to be partially secured to conduct business
• Intrusion Detection Systems (IDS) watch for specific types of activities to alert security personnel of a potential network attack
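The rule-based inbound/outbound filtering and the IDS alerting described above, as an added example that is not part of the lecture: a first-match packet filter that denies anything no rule allows, and a minimal detector that alerts when one source keeps hitting denied inbound ports. The rules, addresses and packets are constructed sample data, not a real configuration.

```python
import ipaddress
from collections import Counter

# Added example (not from the lecture): a first-match packet filter with a default-deny
# outcome, plus a minimal IDS-style alert. Rules, addresses and packets are constructed
# sample data (203.0.113.0/24 is a documentation range), not a real configuration.
RULES = [
    # (direction, protocol, destination port, source network, action); first match wins
    ("inbound",  "tcp", 443, "0.0.0.0/0",  "allow"),   # public HTTPS service
    ("inbound",  "tcp", 22,  "10.0.0.0/8", "allow"),   # SSH only from the internal network
    ("outbound", "tcp", 443, "0.0.0.0/0",  "allow"),   # staff web browsing
    ("outbound", "udp", 53,  "0.0.0.0/0",  "allow"),   # DNS lookups
]

def evaluate(packet, rules=RULES):
    """Return 'allow' or 'deny' for a packet dict; packets matching no rule are denied."""
    src = ipaddress.ip_address(packet["src"])
    for direction, proto, port, net, action in rules:
        if (direction == packet["direction"] and proto == packet["proto"]
                and port == packet["dst_port"] and src in ipaddress.ip_network(net)):
            return action
    return "deny"

def ids_alerts(packets, threshold=3, rules=RULES):
    """Sources whose denied inbound packets reach the threshold: a crude probe indicator
    that a security team would want to be alerted on."""
    denied = Counter(p["src"] for p in packets
                     if p["direction"] == "inbound" and evaluate(p, rules) == "deny")
    return sorted(src for src, count in denied.items() if count >= threshold)

# Constructed sample traffic: one external host touches HTTPS, then three closed ports.
SAMPLE = [
    {"direction": "inbound",  "proto": "tcp", "dst_port": 443,  "src": "203.0.113.5"},
    {"direction": "inbound",  "proto": "tcp", "dst_port": 22,   "src": "203.0.113.5"},
    {"direction": "inbound",  "proto": "tcp", "dst_port": 22,   "src": "10.1.2.3"},
    {"direction": "inbound",  "proto": "tcp", "dst_port": 3389, "src": "203.0.113.5"},
    {"direction": "inbound",  "proto": "tcp", "dst_port": 445,  "src": "203.0.113.5"},
    {"direction": "outbound", "proto": "udp", "dst_port": 53,   "src": "10.1.2.3"},
]
```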
Virtual Private Networks (VPN)

• Some systems can be made private using an internal network to limit access to them
  • Can't be accessed remotely and are more secure
  • Require specific connections, such as being onsite
• A VPN allows users to remotely access these systems over a public network like the Internet
  • Bypasses the firewall
  • Encrypts the communication or the data exchanged

Physical Security

• Protection of the actual equipment
  • Hardware
  • Networking components
• Organizations need to identify assets that need to be physically secured:
  • Locked doors
  • Physical intrusion detection – e.g., using security cameras
  • Secured equipment
  • Environmental monitoring – temperature, humidity, and airflow for computer equipment
  • Employee training

Security Policies

• Starting point in developing an overall security plan
• Formal, brief, and high-level statement issued by senior management
• Guidelines for employee use of the information resources
• Embraces general beliefs, goals, objectives, and acceptable procedures
• Includes company recourse if employees violate the policy
• Security policies focus on confidentiality, integrity, and availability
• Includes applicable government or industry regulations
• Bring Your Own Device (BYOD) policies for mobile devices
  • Use when accessing/storing company information
  • Intellectual property implications
• Difficult to balance the need for security and users' needs

Personal Information Security

• Simple steps that individuals can take to be more secure:
  • Keep your software up to date
  • Install antivirus software
  • Use public networks carefully
  • Back up your data
  • Secure your accounts with two-factor authentication
  • Make your passwords long, unique, and strong
  • Be suspicious of strange links and attachments

Summary

• Identified the information security triad
• Identified and understood the high-level concepts surrounding information security tools
• Instructed how to secure personal information in a digital environment

Questions – Lecture 6

1. Briefly define each of the three members of the information security triad.
2. What does the term authentication mean?
3. What is role-based access control?
4. What is the purpose of encryption?
5. What are the components of a good backup plan?
6. What is a firewall?
7. How can you secure your information in daily Internet usage?
