SlideShare a Scribd company logo

Chapter 10, part 1

M
misecho

Technological safeguards, physical access restrictions, firewalls, encryption, virus monitoring and prevention, audit-control software, and secure data centers are commonly used methods to safeguard information systems. Organizations should also implement human safeguards like ethics, laws, computer forensics, and effective management. Developing a comprehensive information security plan that includes risk analysis, policies and procedures, disaster planning, and responding to security breaches is important for organizations to protect their information systems.

TechnologyBusiness
1 of 20
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
TECHNOLOGICAL SAFEGUARDS •There are six commonly used methods in which technology is employed to safeguard information systems
PHYSICAL ACCESS RESTRICTIONS • Organizations can prevent unauthorized access to information systems by keeping stored information safe and allowing access only to those employees who need it to do their jobs. • The most common form of authentication is the use of passwords, which are effective only if chosen carefully and changed frequently. • Access is usually limited by making it dependent on one of the following: – Something You Have: Keys, picture identification cards, smart cards – Something You Know: passwords, PINs, answers to secret questions – Something You Are: fingerprints, voice patterns, biometrics
PHYSICAL ACCESS RESTRICTIONS • Biometrics is a form of authentication used to govern access to systems, data, and/or facilities. With biometrics, employees may be identified by fingerprints, retinal patterns, or other bodily characteristics. • A virtual private network (VPN) is a network connection that is constructed dynamically within an existing network—often called a secure tunnel—in order to connect users or nodes. • The practice of creating an encrypted “tunnel” to send secure (private) data over the (public) Internet is known as tunneling.
FIREWALLS
ENCRYPTION • When you do not have access to a secure channel for sending information over a wired or wireless network, encryption is the best bet for keeping snoopers out. • Encryption is the process of encoding messages before they enter the network or airwaves, then decoding them at the receiving end of the transfer so that the intended recipients can read or hear them. The process works because if you scramble messages before you send them, eavesdroppers who might intercept them cannot decipher them without the decoding key. • Implementing encryption on a large scale, such as on a busy Web site, requires a third party,
VIRUS MONITORING AND PREVENTION • Purchase and install antivirus software, then update frequently to be sure you are protected against new viruses. • Do not use flash drives, disks, or shareware from unknown or suspect sources and be equally careful when downloading material from the Internet, making sure that the source is reputable. • Delete without opening any e-mail message received from an unknown source. Be especially wary of opening attachments. • Do not blindly open e-mail attachments, even if they come from a known source. Many viruses are spread without the sender’s knowledge, so it is better to check with the sender before opening a potentially unsafe attachment. • If your computer system contracts a virus, report the infection to your school or company’s IT department so that appropriate measures can be taken.
AUDIT-CONTROL SOFTWARE • Audit-control software is used to keep track of computer activity so that auditors can spot suspicious activity and take action. Any user leaves electronic footprints that auditors can trace. Audit- control software helps creating an audit trail, a record showing who has used a computer system and how it was used.
SECURE DATA CENTERS
SECURE DATA CENTERS: SECURING THE FACILITIES INFRASTRUCTURE • Backup Sites – duplication. A cold backup site is nothing more than an empty warehouse with all necessary connections for power and communication but nothing else. In the case of a disaster, a company has to first set up all necessary equipment, ranging from office furniture to Web servers. A hot backup site is a fully equipped backup facility, having everything from office chairs to a one-to-one replication of the most current data. Further, hot backup sites also have a redundant backup of the data so that the business processes are interrupted as little as possible. To achieve this redundancy, all data are mirrored on separate servers. • Redundant Data Centers – separation. Often, companies choose to replicate their data centers in multiple locations. Events such as a hurricane can damage systems that are located across town from each other. Thus, even if the primary infrastructure is located in-house, it pays to have a backup located in a different geographic area to minimize the risk of a disaster happening to both systems.
HUMAN SAFEGUARDS • In addition to the technological safeguards, there are various human safeguards that can help to safeguard information systems, specifically ethics, laws, and effective management. • Educating potential users at an early age as to what constitutes appropriate behavior can help, but unethical users will undoubtedly always remain a problem for those wanting to maintain IS security. • Additionally, there are numerous federal and state laws against unauthorized use of networks and computer systems. Unfortunately, individuals who want unauthorized access to networks and computer systems usually find a way to exploit them; often, after the fact, laws are enacted to prohibit that activity in the future.
COMPUTER FORENSICS • As computer crime has gone mainstream, law enforcement has had to become much more sophisticated in their computer crime investigations. Computer forensics is the use of formal investigative techniques to evaluate digital information for judicial review. • Organizations and governments are increasingly utilizing honeypots to proactively gather intelligence to improve their defenses or to catch cybercriminals. • A honeypot is a computer, data, or network site that is designed to be enticing to hackers so as to detect, deflect, or counteract illegal activity. • Additionally, beyond human and technological safeguards, the quality of information security in any organization depends on effective management. Managers must continuously check for security problems, recognize that holes in security exist, and take appropriate action.
DEVELOPING AN IS SECURITY • Risk Analysis. PLAN – Determine the value of electronic information – Assess threats to confidentiality, integrity, and availability of information – Determine which computer operations are most vulnerable to security breaches – Assess current security policies – Recommend changes to existing practices and/or policies that will improve computer security –
DEVELOPING AN IS SECURITY PLAN • Policies and Procedures. Once risks are assessed, a plan should be formulated that details what action will be taken if security is breached. – Information Policy. Outlines how sensitive information will be handled, stored, trans- mitted, and destroyed. – Security Policy. Explains technical controls on all organizational computer systems, such as access limitations, audit-control software, and firewalls. – Use Policy. Outlines the organization’s policy regarding appropriate use of in-house computer systems. – Backup Policy. Explains requirements for backing up information. – Account Management Policy. Lists procedures for adding new users to systems and removing users who have left the organization. – Incident Handling Procedures. Lists procedures to follow when handling a security breach. – Disaster Recovery Plan. Lists all the steps an organization will take to restore computer operations in case of a natural or deliberate disaster.
DISASTER PLANNING
DESIGNING THE RECOVERY PLAN • When planning for disaster, two objectives should be considered by an organization: recovery time and recovery point objectives. – Recovery time objectives specify the maximum time allowed to recover from a catastrophic event. Having completely redundant systems minimizes the recovery time and are best suited for mission-critical applications, such as e-commerce transaction servers. For other applications, such as data mining, while important, the recovery time can be longer without disrupting primary business processes. – Recovery point objectives specify how current the backup data should be. Imagine that your computer’s hard drive crashes while you are working on a term paper. Luckily, you recently backed up your data. Would you prefer the last backup to be a few days old, or would you rather have the last backup include your most recent changes to the term paper? Having completely redundant systems that mirror the data helps to minimize (or even avoid) data loss in the event of a catastrophic failure.
RESPONDING TO A SECURITY BREACH • Organizations that have developed a comprehensive IS security plan have the ability to rapidly respond to any type of security breach to their IS resources or to a natural disaster. • In addition to restoring lost data using backups, common responses to a security breach include performing a new risk audit and implementing a combination of additional (more secure) safeguards. • Additionally, when intruders are discovered, organizations can contact local law enforcement agencies and the FBI for assistance in locating and prosecuting them. Several online organizations issue bulletins to alert organizations and individuals to possible software vulnerabilities or attacks based on reports from organizations when security breaches occur.
THE STATE OF SYSTEMS SECURITY MANAGEMENT • Financial fraud attacks result in the greatest financial losses for organizations; other significant costs were due to viruses, data theft, unauthorized access, and denial-of-service attacks. • Relatively few organizations (about 29 percent) report computer intrusions to law enforcement because of various fears, such as how negative publicity would hurt stock values or how competitors might gain an advantage over news of a security incident. • Most organizations do not outsource security activities. • Nearly all organizations conduct routine and ongoing security audits. • The majority of organizations believed security training of employees is important, but most respondents said their organization did not spend enough on security training.
INFORMATION SYSTEMS CONTROLS, AUDITING, AND THE SARBANES- OXLEY ACT • Preventive controls • Detective controls • Corrective controls
IS AUDITING • Analyzing the IS controls should be an ongoing process for organizations. However, often it can be beneficial for organizations to periodically have an external entity review the controls so as to uncover any potential problems. • An information systems audit, often performed by external auditors, can help organizations assess the state of their IS controls to determine necessary changes and to help ensure the information systems’ availability, confidentiality, and integrity. • The response to the strengths and weaknesses identified in the IS audit is often determined by the potential risks an organization faces. Testing all controls under all possible conditions is very inefficient and often infeasible. Thus, auditors frequently rely on computer-assisted auditing tools, or specific software that tests applications and data using test data or simulations. • In addition to using specific auditing tools, auditors use audit sampling procedures to assess the controls, enabling the audit to be conducted in the most cost-effective manner. Once the audit has been performed and sufficient evidence has been gathered, reports are issued to the organization.
THE SARBANES-OXLEY ACT • Another major factor that has contributed to a high demand for IS auditors is the need to comply with government regulations, most notably the Sarbanes-Oxley Act of 2002 (S-OX). • Formed as a reaction to large-scale accounting scandals that led to the downfall of corporations such as WorldCom and Enron, S-OX addresses primarily the accounting side of organizations. According to S-OX, companies have to demonstrate that there are controls in place to prevent misuse or fraud, controls to detect any potential problems, and effective measures to correct any problems. • The IS architecture plays a key role in S-OX compliance, given that many controls are IS based, providing capabilities to detect information exceptions and to provide a management trail for tracing exceptions. However, S-OX itself barely addresses IS controls specifically; rather, it addresses general processes and practices, leaving companies wondering how to comply with the guidelines put forth in the act. • Failure to present such documents in the case of litigious activity can lead to severe fines being imposed on companies and their executives, and courts usually will not accept the argument that a message could not be located.

More Related Content

KEY
Mis
misecho
 
PPTX
2.5 safety and security of data in ict systems 13 12-11
mrmwood
 
PPTX
MIS: Information Security Management
Jonathan Coleman
 
PPTX
SECURITY AND CONTROL
shinydey
 
PPTX
12 security policies
Saqib Raza
 
PDF
Security Awareness Training
Daniel P Wallace
 
PPTX
Insider threats - Lessons from Snowden (ISF UK Chapter)
Huntsman Security
 
PPT
Computer Security Policy D
guest34b014
 
Mis
misecho
 
2.5 safety and security of data in ict systems 13 12-11
mrmwood
 
MIS: Information Security Management
Jonathan Coleman
 
SECURITY AND CONTROL
shinydey
 
12 security policies
Saqib Raza
 
Security Awareness Training
Daniel P Wallace
 
Insider threats - Lessons from Snowden (ISF UK Chapter)
Huntsman Security
 
Computer Security Policy D
guest34b014
 

What's hot (20)

PPTX
17 info sec_ma_imt_27_2_2012
RECIPA
 
DOC
Computer Security Policy
everestsky66
 
PPTX
Incident response process
Bhupeshkumar Nanhe
 
PPT
Information security
razendar79
 
PPTX
How to Build a Successful Incident Response Program
Resilient Systems
 
PPTX
IT Security and Management - Semi Finals by Mark John Lado
Mark John Lado, MIT
 
DOCX
SEC440: Incident Response Plan
Thomas Christopher Ty
 
PPTX
Secuntialesse
Anne Starr
 
PPT
Lesson 2
MLG College of Learning, Inc
 
PPT
Information security.pptx
Veer Rengu korku Govt. College Khaknar
 
PPTX
Healthcare Cyber Security Webinar
HealthCareManagement
 
PPT
Security analysis
Yulisa Rosliana S.Kom
 
PPTX
GRRCON 2013: Imparting security awareness to all levels of users
Joel Cardella
 
PPTX
Computing safety
titoferrus
 
PPT
The Datacenter Security Continuum
Martin Hingley
 
PDF
A Cybersecurity Planning Guide for CFOs
gppcpa
 
PPSX
Cyber Security Awareness Month 2017- Nugget2
Chinatu Uzuegbu
 
PPTX
Insider threat kill chain
Tarun Gupta,CRISC CISSP CISM CISA BCCE
 
PPTX
Security Awareness and Training
Priyank Hada
 
PPTX
Cyber Security and Healthcare
Jonathon Coulter
 
17 info sec_ma_imt_27_2_2012
RECIPA
 
Computer Security Policy
everestsky66
 
Incident response process
Bhupeshkumar Nanhe
 
Information security
razendar79
 
How to Build a Successful Incident Response Program
Resilient Systems
 
IT Security and Management - Semi Finals by Mark John Lado
Mark John Lado, MIT
 
SEC440: Incident Response Plan
Thomas Christopher Ty
 
Secuntialesse
Anne Starr
 
Lesson 2
MLG College of Learning, Inc
 
Information security.pptx
Veer Rengu korku Govt. College Khaknar
 
Healthcare Cyber Security Webinar
HealthCareManagement
 
Security analysis
Yulisa Rosliana S.Kom
 
GRRCON 2013: Imparting security awareness to all levels of users
Joel Cardella
 
Computing safety
titoferrus
 
The Datacenter Security Continuum
Martin Hingley
 
A Cybersecurity Planning Guide for CFOs
gppcpa
 
Cyber Security Awareness Month 2017- Nugget2
Chinatu Uzuegbu
 
Insider threat kill chain
Tarun Gupta,CRISC CISSP CISM CISA BCCE
 
Security Awareness and Training
Priyank Hada
 
Cyber Security and Healthcare
Jonathon Coulter
 
Ad

Viewers also liked (7)

KEY
Chapter 10, part 2
misecho
 
KEY
Chapter 10, part 3
misecho
 
KEY
Maeve mis presentation
misecho
 
KEY
Chapter 10, part 3
misecho
 
KEY
Echo p.410 422 ch 10, irina
misecho
 
KEY
Mis
misecho
 
PPTX
Mis 2101 Questions
brandonpostlethwait
 
Chapter 10, part 2
misecho
 
Chapter 10, part 3
misecho
 
Maeve mis presentation
misecho
 
Chapter 10, part 3
misecho
 
Echo p.410 422 ch 10, irina
misecho
 
Mis
misecho
 
Mis 2101 Questions
brandonpostlethwait
 
Ad

Similar to Chapter 10, part 1 (20)

PPTX
security and system mainatance
Kudzi Chikwatu
 
PPTX
Ch15 power point
bodo-con
 
PPTX
Chapter 13
bodo-con
 
PPTX
Presentation 10.pptx
mishogelashvili28
 
PPTX
sec.This includes policy settings that prevent unauthorized people
JuliusECatipon
 
PPTX
Management Information Systems ( Security and Control.pptx
NamugenyiBetty
 
PDF
Lecture 01 Information Security BS computer Science
maqib8373
 
PPTX
Computer security concepts
Prachi Gulihar
 
PDF
FBI Memo on How to Protect Yourself from Ransomware
David Sweigert
 
PDF
Unit v
bharatnaruka90
 
PPTX
LESSON_3_Maintain_Computer_Equipment_and_Systems.pptx
mahaliacaraan
 
PDF
In computer security, a vulnerability is a weakness which allows an .pdf
anandanand521251
 
PPT
Cyber security awareness training by cyber security infotech(csi)
Cyber Security Infotech
 
PPTX
Data Security Management - Data Analytics
rashiesoft
 
PPT
Security & control in management information system
Online
 
PPT
Network security, change control, outsourcing
Nicholas Davis
 
PPTX
Lecture 3 security threats in data analysis.pptx
chesenybrian2022
 
PPT
cyber forensics - TYPES OF CYBER FORENSICS.ppt
mcjaya2024
 
PPTX
Computer security
Shashi Chandra
 
PPTX
security in is.pptx
selvapriyabiher
 
security and system mainatance
Kudzi Chikwatu
 
Ch15 power point
bodo-con
 
Chapter 13
bodo-con
 
Presentation 10.pptx
mishogelashvili28
 
sec.This includes policy settings that prevent unauthorized people
JuliusECatipon
 
Management Information Systems ( Security and Control.pptx
NamugenyiBetty
 
Lecture 01 Information Security BS computer Science
maqib8373
 
Computer security concepts
Prachi Gulihar
 
FBI Memo on How to Protect Yourself from Ransomware
David Sweigert
 
Unit v
bharatnaruka90
 
LESSON_3_Maintain_Computer_Equipment_and_Systems.pptx
mahaliacaraan
 
In computer security, a vulnerability is a weakness which allows an .pdf
anandanand521251
 
Cyber security awareness training by cyber security infotech(csi)
Cyber Security Infotech
 
Data Security Management - Data Analytics
rashiesoft
 
Security & control in management information system
Online
 
Network security, change control, outsourcing
Nicholas Davis
 
Lecture 3 security threats in data analysis.pptx
chesenybrian2022
 
cyber forensics - TYPES OF CYBER FORENSICS.ppt
mcjaya2024
 
Computer security
Shashi Chandra
 
security in is.pptx
selvapriyabiher
 

Recently uploaded (20)

PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
[발표본] 너의 과제는 클라우드에 있어_KTDS_김동현_20250524.pdf
ssuserf8b8bd1
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PDF
KodekX | Application Modernization Development
KodekX
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Cloud computing and distributed systems.
kkkkkhan
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
[발표본] 너의 과제는 클라우드에 있어_KTDS_김동현_20250524.pdf
ssuserf8b8bd1
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
KodekX | Application Modernization Development
KodekX
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 

Chapter 10, part 1

  • 1. TECHNOLOGICAL SAFEGUARDS •There are six commonly used methods in which technology is employed to safeguard information systems
  • 2. PHYSICAL ACCESS RESTRICTIONS • Organizations can prevent unauthorized access to information systems by keeping stored information safe and allowing access only to those employees who need it to do their jobs. • The most common form of authentication is the use of passwords, which are effective only if chosen carefully and changed frequently. • Access is usually limited by making it dependent on one of the following: – Something You Have: Keys, picture identification cards, smart cards – Something You Know: passwords, PINs, answers to secret questions – Something You Are: fingerprints, voice patterns, biometrics
  • 3. PHYSICAL ACCESS RESTRICTIONS • Biometrics is a form of authentication used to govern access to systems, data, and/or facilities. With biometrics, employees may be identified by fingerprints, retinal patterns, or other bodily characteristics. • A virtual private network (VPN) is a network connection that is constructed dynamically within an existing network—often called a secure tunnel—in order to connect users or nodes. • The practice of creating an encrypted “tunnel” to send secure (private) data over the (public) Internet is known as tunneling.
  • 5. ENCRYPTION • When you do not have access to a secure channel for sending information over a wired or wireless network, encryption is the best bet for keeping snoopers out. • Encryption is the process of encoding messages before they enter the network or airwaves, then decoding them at the receiving end of the transfer so that the intended recipients can read or hear them. The process works because if you scramble messages before you send them, eavesdroppers who might intercept them cannot decipher them without the decoding key. • Implementing encryption on a large scale, such as on a busy Web site, requires a third party,
  • 6. VIRUS MONITORING AND PREVENTION • Purchase and install antivirus software, then update frequently to be sure you are protected against new viruses. • Do not use flash drives, disks, or shareware from unknown or suspect sources and be equally careful when downloading material from the Internet, making sure that the source is reputable. • Delete without opening any e-mail message received from an unknown source. Be especially wary of opening attachments. • Do not blindly open e-mail attachments, even if they come from a known source. Many viruses are spread without the sender’s knowledge, so it is better to check with the sender before opening a potentially unsafe attachment. • If your computer system contracts a virus, report the infection to your school or company’s IT department so that appropriate measures can be taken.
  • 7. AUDIT-CONTROL SOFTWARE • Audit-control software is used to keep track of computer activity so that auditors can spot suspicious activity and take action. Any user leaves electronic footprints that auditors can trace. Audit- control software helps creating an audit trail, a record showing who has used a computer system and how it was used.
  • 9. SECURE DATA CENTERS: SECURING THE FACILITIES INFRASTRUCTURE • Backup Sites – duplication. A cold backup site is nothing more than an empty warehouse with all necessary connections for power and communication but nothing else. In the case of a disaster, a company has to first set up all necessary equipment, ranging from office furniture to Web servers. A hot backup site is a fully equipped backup facility, having everything from office chairs to a one-to-one replication of the most current data. Further, hot backup sites also have a redundant backup of the data so that the business processes are interrupted as little as possible. To achieve this redundancy, all data are mirrored on separate servers. • Redundant Data Centers – separation. Often, companies choose to replicate their data centers in multiple locations. Events such as a hurricane can damage systems that are located across town from each other. Thus, even if the primary infrastructure is located in-house, it pays to have a backup located in a different geographic area to minimize the risk of a disaster happening to both systems.
  • 10. HUMAN SAFEGUARDS • In addition to the technological safeguards, there are various human safeguards that can help to safeguard information systems, specifically ethics, laws, and effective management. • Educating potential users at an early age as to what constitutes appropriate behavior can help, but unethical users will undoubtedly always remain a problem for those wanting to maintain IS security. • Additionally, there are numerous federal and state laws against unauthorized use of networks and computer systems. Unfortunately, individuals who want unauthorized access to networks and computer systems usually find a way to exploit them; often, after the fact, laws are enacted to prohibit that activity in the future.
  • 11. COMPUTER FORENSICS • As computer crime has gone mainstream, law enforcement has had to become much more sophisticated in their computer crime investigations. Computer forensics is the use of formal investigative techniques to evaluate digital information for judicial review. • Organizations and governments are increasingly utilizing honeypots to proactively gather intelligence to improve their defenses or to catch cybercriminals. • A honeypot is a computer, data, or network site that is designed to be enticing to hackers so as to detect, deflect, or counteract illegal activity. • Additionally, beyond human and technological safeguards, the quality of information security in any organization depends on effective management. Managers must continuously check for security problems, recognize that holes in security exist, and take appropriate action.
  • 12. DEVELOPING AN IS SECURITY • Risk Analysis. PLAN – Determine the value of electronic information – Assess threats to confidentiality, integrity, and availability of information – Determine which computer operations are most vulnerable to security breaches – Assess current security policies – Recommend changes to existing practices and/or policies that will improve computer security –
  • 13. DEVELOPING AN IS SECURITY PLAN • Policies and Procedures. Once risks are assessed, a plan should be formulated that details what action will be taken if security is breached. – Information Policy. Outlines how sensitive information will be handled, stored, trans- mitted, and destroyed. – Security Policy. Explains technical controls on all organizational computer systems, such as access limitations, audit-control software, and firewalls. – Use Policy. Outlines the organization’s policy regarding appropriate use of in-house computer systems. – Backup Policy. Explains requirements for backing up information. – Account Management Policy. Lists procedures for adding new users to systems and removing users who have left the organization. – Incident Handling Procedures. Lists procedures to follow when handling a security breach. – Disaster Recovery Plan. Lists all the steps an organization will take to restore computer operations in case of a natural or deliberate disaster.
  • 15. DESIGNING THE RECOVERY PLAN • When planning for disaster, two objectives should be considered by an organization: recovery time and recovery point objectives. – Recovery time objectives specify the maximum time allowed to recover from a catastrophic event. Having completely redundant systems minimizes the recovery time and are best suited for mission-critical applications, such as e-commerce transaction servers. For other applications, such as data mining, while important, the recovery time can be longer without disrupting primary business processes. – Recovery point objectives specify how current the backup data should be. Imagine that your computer’s hard drive crashes while you are working on a term paper. Luckily, you recently backed up your data. Would you prefer the last backup to be a few days old, or would you rather have the last backup include your most recent changes to the term paper? Having completely redundant systems that mirror the data helps to minimize (or even avoid) data loss in the event of a catastrophic failure.
  • 16. RESPONDING TO A SECURITY BREACH • Organizations that have developed a comprehensive IS security plan have the ability to rapidly respond to any type of security breach to their IS resources or to a natural disaster. • In addition to restoring lost data using backups, common responses to a security breach include performing a new risk audit and implementing a combination of additional (more secure) safeguards. • Additionally, when intruders are discovered, organizations can contact local law enforcement agencies and the FBI for assistance in locating and prosecuting them. Several online organizations issue bulletins to alert organizations and individuals to possible software vulnerabilities or attacks based on reports from organizations when security breaches occur.
  • 17. THE STATE OF SYSTEMS SECURITY MANAGEMENT • Financial fraud attacks result in the greatest financial losses for organizations; other significant costs were due to viruses, data theft, unauthorized access, and denial-of-service attacks. • Relatively few organizations (about 29 percent) report computer intrusions to law enforcement because of various fears, such as how negative publicity would hurt stock values or how competitors might gain an advantage over news of a security incident. • Most organizations do not outsource security activities. • Nearly all organizations conduct routine and ongoing security audits. • The majority of organizations believed security training of employees is important, but most respondents said their organization did not spend enough on security training.
  • 18. INFORMATION SYSTEMS CONTROLS, AUDITING, AND THE SARBANES- OXLEY ACT • Preventive controls • Detective controls • Corrective controls
  • 19. IS AUDITING • Analyzing the IS controls should be an ongoing process for organizations. However, often it can be beneficial for organizations to periodically have an external entity review the controls so as to uncover any potential problems. • An information systems audit, often performed by external auditors, can help organizations assess the state of their IS controls to determine necessary changes and to help ensure the information systems’ availability, confidentiality, and integrity. • The response to the strengths and weaknesses identified in the IS audit is often determined by the potential risks an organization faces. Testing all controls under all possible conditions is very inefficient and often infeasible. Thus, auditors frequently rely on computer-assisted auditing tools, or specific software that tests applications and data using test data or simulations. • In addition to using specific auditing tools, auditors use audit sampling procedures to assess the controls, enabling the audit to be conducted in the most cost-effective manner. Once the audit has been performed and sufficient evidence has been gathered, reports are issued to the organization.
  • 20. THE SARBANES-OXLEY ACT • Another major factor that has contributed to a high demand for IS auditors is the need to comply with government regulations, most notably the Sarbanes-Oxley Act of 2002 (S-OX). • Formed as a reaction to large-scale accounting scandals that led to the downfall of corporations such as WorldCom and Enron, S-OX addresses primarily the accounting side of organizations. According to S-OX, companies have to demonstrate that there are controls in place to prevent misuse or fraud, controls to detect any potential problems, and effective measures to correct any problems. • The IS architecture plays a key role in S-OX compliance, given that many controls are IS based, providing capabilities to detect information exceptions and to provide a management trail for tracing exceptions. However, S-OX itself barely addresses IS controls specifically; rather, it addresses general processes and practices, leaving companies wondering how to comply with the guidelines put forth in the act. • Failure to present such documents in the case of litigious activity can lead to severe fines being imposed on companies and their executives, and courts usually will not accept the argument that a message could not be located.

Editor's Notes