Mishkin_PPT_ch23
- Format: ppt
- Size: 459.00 KB
- Pages: 19
Management Information Systems, Chapter 10: Security and Control (©2013 by Qian Aibing)

10.1 OBJECTIVES
- Explain why information systems need special protection from destruction, error, and abuse
- Assess the business value of security and control
- Evaluate elements of an organizational and managerial framework for security and control

10.2 OBJECTIVES (Continued)
- Evaluate the most important tools and technologies for safeguarding information resources
- Identify the challenges posed by information systems security and control and management solutions

10.3 Wesfarmers Limited Case
- Challenge: provide network and infrastructure security to a financial services firm in a Web-enabled, high-threat environment
- Solutions: outsource to a well-known security firm the task of providing 24 x 7 network and infrastructure monitoring and reporting

10.4 Wesfarmers Limited Case (Continued)
- Real-time security monitoring 24 x 7, best practices, online security portal, data mining of network transactions
- Illustrates the role of system and network security in providing customers with service and managing corporate risk in online environments

10.5 SYSTEM VULNERABILITY AND ABUSE: Why Systems Are Vulnerable
- Figure 10-1: Contemporary Security Challenges and Vulnerabilities

10.6 SYSTEM VULNERABILITY AND ABUSE: Why Systems Are Vulnerable (Continued)
Internet vulnerabilities:
- Use of fixed Internet addresses through use of cable modems or DSL
- Lack of encryption with most Voice over IP (VoIP)
- Widespread use of e-mail and instant messaging (IM)

10.7 SYSTEM VULNERABILITY AND ABUSE: Wireless Security Challenges
- Radio frequency bands are easy to scan
- The service set identifiers (SSID) identifying the access points are broadcast multiple times

10.8 SYSTEM VULNERABILITY AND ABUSE: Wi-Fi Security Challenges
- Figure 10-2

10.9 SYSTEM VULNERABILITY AND ABUSE: Malicious Software: Viruses, Worms, Trojan Horses, and Spyware; Hackers and Cybervandalism
Malicious software:
- Computer viruses, worms, trojan horses
- Spyware
Hackers and cybervandalism:
- Spoofing and sniffers
- Denial of Service (DoS) attacks
- Identity theft
- Cyberterrorism and cyberwarfare
- Vulnerabilities from internal threats (employees); software flaws

10.10 SYSTEM VULNERABILITY AND ABUSE: Worldwide Damage from Digital Attacks
- Figure 10-3

10.11 BUSINESS VALUE OF SECURITY AND CONTROL
- Inadequate security and control may create serious legal liability.
- Businesses must protect not only their own information assets but also those of customers, employees, and business partners. Failure to do so can lead to costly litigation for data exposure or theft.
- A sound security and control framework that protects business information assets can thus produce a high return on investment.

10.12 BUSINESS VALUE OF SECURITY AND CONTROL: Security Incidents Continue to Rise
- Figure 10-4. Source: CERT Coordination Center, accessed July 6, 2004.

10.13 BUSINESS VALUE OF SECURITY AND CONTROL: Legal and Regulatory Requirements for Electronic Records Management
- Electronic Records Management (ERM): policies, procedures, and tools for managing the retention, destruction, and storage of electronic records

10.14 BUSINESS VALUE OF SECURITY AND CONTROL: Data Security and Control Laws
- The Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley Act
- Sarbanes-Oxley Act of 2002

10.15 BUSINESS VALUE OF SECURITY AND CONTROL: Electronic Evidence and Computer Forensics
- Electronic evidence: computer data stored on disks and drives, e-mail, instant messages, and e-commerce transactions
- Computer forensics: scientific collection, examination, authentication, preservation, and analysis of computer data for use as evidence in a court of law

10.16 ESTABLISHING A MANAGEMENT FRAMEWORK FOR SECURITY AND CONTROL: Types of Information Systems Controls
General controls:
- Software and hardware
- Computer operations
- Data security
- Systems implementation process

10.17 ESTABLISHING A MANAGEMENT FRAMEWORK FOR SECURITY AND CONTROL: Types of Information Systems Controls (Continued)
Application controls:
- Input
- Processing
- Output

10.18 ESTABLISHING A MANAGEMENT FRAMEWORK FOR SECURITY AND CONTROL: Risk Assessment
- Determines the level of risk to the firm if a specific activity or process is not properly controlled

10.19 ESTABLISHING A MANAGEMENT FRAMEWORK FOR SECURITY AND CONTROL: Security Policy
- Security policy: policy ranking information risks, identifying acceptable security goals, and identifying the mechanisms for achieving these goals
- Acceptable Use Policy (AUP)
- Authorization policies

10.20 ESTABLISHING A MANAGEMENT FRAMEWORK FOR SECURITY AND CONTROL: Security Profiles for a Personnel System
- Figure 10-5

10.21 ESTABLISHING A MANAGEMENT FRAMEWORK FOR SECURITY AND CONTROL: Ensuring Business Continuity
- Downtime: period of time in which a system is not operational
- Fault-tolerant computer systems: redundant hardware, software, and power supply components to provide continuous, uninterrupted service
- High-availability computing: designing to maximize application and system availability

10.22 ESTABLISHING A MANAGEMENT FRAMEWORK FOR SECURITY AND CONTROL: Ensuring Business Continuity (Continued)
- Load balancing: distributes access requests across multiple servers
- Mirroring: backup server that duplicates processes on the primary server
- Recovery-oriented computing: designing computing systems to recover more rapidly from mishaps

10.23 ESTABLISHING A MANAGEMENT FRAMEWORK FOR SECURITY AND CONTROL: Ensuring Business Continuity (Continued)
- Disaster recovery planning: plans for restoration of computing and communications disrupted by an event such as an earthquake, flood, or terrorist attack
- Business continuity planning: plans for handling mission-critical functions if systems go down

10.24 ESTABLISHING A MANAGEMENT FRAMEWORK FOR SECURITY AND CONTROL: Auditing
- MIS audit: identifies all of the controls that govern individual information systems and assesses their effectiveness
- Security audits: review technologies, procedures, documentation, training, and personnel

10.25 ESTABLISHING A MANAGEMENT FRAMEWORK FOR SECURITY AND CONTROL: Sample Auditor's List of Control Weaknesses
- Figure 10-6

10.26 TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL: Access Control
- Access control: consists of all the policies and procedures a company uses to prevent improper access to systems by unauthorized insiders and outsiders
Authentication:
- Passwords
- Tokens, smart cards
- Biometric authentication

10.27 TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL: Firewalls, Intrusion Detection Systems, and Antivirus Software
- Firewalls: hardware and software controlling the flow of incoming and outgoing network traffic
- Intrusion detection systems: full-time monitoring tools placed at the most vulnerable points of corporate networks to detect and deter intruders

10.28 TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL: Firewalls, Intrusion Detection Systems, and Antivirus Software (Continued)
- Antivirus software: software that checks computer systems and drives for the presence of computer viruses and can eliminate the virus from the infected area
- Wi-Fi Protected Access specification

10.29 TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL: A Corporate Firewall
- Figure 10-7

10.30 TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL: Encryption and Public Key Infrastructure
- Public key encryption: uses two different keys, one private and one public. The keys are mathematically related so that data encrypted with one key can be decrypted using only the other key
- Message integrity: the ability to be certain that the message being sent arrives at the proper destination without being copied or changed

10.31 TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL: Encryption and Public Key Infrastructure (Continued)
- Digital signature: a digital code attached to an electronically transmitted message that is used to verify the origin and contents of a message
- Digital certificates: data files used to establish the identity of users and electronic assets for protection of online transactions
- Public Key Infrastructure (PKI): use of public key cryptography working with a certificate authority

10.32 TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL: Encryption and Public Key Infrastructure (Continued)
- Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS): protocols for secure information transfer over the Internet; enable client and server computer encryption and decryption activities as they communicate during a secure Web session.
- Secure Hypertext Transfer Protocol (S-HTTP): used for encrypting data flowing over the Internet; limited to Web documents, whereas SSL and TLS encrypt all data being passed between client and server.

10.33 TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL: Public Key Encryption
- Figure 10-8

10.34 TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL: Digital Certificates
- Figure 10-9
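The Access Control slide (10.26) lists passwords as the first authentication mechanism. The following is an added example, not code from the slides or from the textbook, showing how a system can verify passwords without ever storing them in clear: each user gets a random salt, the password is stretched with PBKDF2-HMAC-SHA256 (an assumption of this example; the iteration count is a constructed tuning value), and comparison is constant-time. Unknown user names are processed with the same amount of work as known ones so that response time does not reveal which accounts exist.

```python
"""Password verification for an access-control system (added educational example).

Assumptions of this example, not from the slides: PBKDF2-HMAC-SHA256 with a
16-byte random salt per user and a fixed iteration count. Only the Python
standard library is used.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

ITERATIONS = 100_000  # constructed cost parameter; raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Dict[str, object]:
    """Derive a stored credential record from a password.

    The salt is random per user, so two users with the same password get
    different digests and a precomputed table is useless.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify_password(password: str, record: Dict[str, object]) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(str(record["salt"])),
        int(record["iterations"]),  # type: ignore[arg-type]
    )
    # hmac.compare_digest does not short-circuit on the first differing byte.
    return hmac.compare_digest(candidate, bytes.fromhex(str(record["digest"])))


class CredentialStore:
    """Minimal in-memory user table; a real system would persist the records."""

    def __init__(self) -> None:
        self._records: Dict[str, Dict[str, object]] = {}
        # A throwaway record used to burn the same CPU time for unknown users.
        self._decoy = hash_password(os.urandom(16).hex())

    def register(self, username: str, password: str) -> None:
        self._records[username] = hash_password(password)

    def authenticate(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            # Do the full check against the decoy, then reject regardless of the result.
            verify_password(password, self._decoy)
            return False
        return verify_password(password, record)

    def stored_digest(self, username: str) -> str:
        """Expose the stored digest (for the demonstration that salts differ)."""
        return str(self._records[username]["digest"])


def demonstrate() -> Dict[str, bool]:
    """Constructed walk-through: two users, one shared password, good and bad logins."""
    store = CredentialStore()
    store.register("alice", "correct horse battery staple")
    store.register("bob", "correct horse battery staple")
    return {
        "right_password_accepted": store.authenticate("alice", "correct horse battery staple"),
        "wrong_password_rejected": not store.authenticate("alice", "correct horse battery"),
        "unknown_user_rejected": not store.authenticate("carol", "correct horse battery staple"),
        "same_password_different_digests": store.stored_digest("alice") != store.stored_digest("bob"),
    }


if __name__ == "__main__":
    print(demonstrate())
```

The record keeps its own iteration count so that the cost can be raised later for new or re-hashed passwords without invalidating older records.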
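Slides 10.30 and 10.31 define public key encryption (two mathematically related keys, each undoing the other), message integrity, and digital signatures. The following is an added example, not code from the slides or the textbook: textbook RSA with constructed, deliberately tiny primes (61 and 53) and no padding, so it is an illustration of the mechanics only and not usable cryptography. It shows encryption with the public key and decryption with the private key, the same relationship in the other direction, and a hash-based signature that verifies the genuine message but rejects a modified message or a signature made with another key pair.

```python
"""Toy RSA to illustrate the chapter's definitions (added educational example).

Constructed parameters: the primes are two digits long and there is no padding
or proper hash encoding, so nothing here is secure. Only the standard library
is used.
"""
import hashlib
from math import gcd

# Constructed toy key parameters (assumption of this example, not from the slides).
TOY_P, TOY_Q, TOY_E = 61, 53, 17


def generate_keypair(p=TOY_P, q=TOY_Q, e=TOY_E):
    """Return ((e, n), (d, n)): the public key and its mathematically related private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse: e * d == 1 (mod phi); Python 3.8+
    return (e, n), (d, n)


def apply_key(value: int, key) -> int:
    """Modular exponentiation. The same operation encrypts, decrypts, signs and
    verifies; which one it is depends on which key of the pair is supplied."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("block must be smaller than the modulus")
    return pow(value, exponent, n)


def encrypt(message: bytes, key):
    """Encrypt one byte per block (toy: no padding, so equal bytes give equal blocks)."""
    return [apply_key(b, key) for b in message]


def decrypt(blocks, key) -> bytes:
    """Undo encrypt() with the other key of the pair."""
    return bytes(apply_key(c, key) for c in blocks)


def _digest_mod_n(message: bytes, n: int) -> int:
    # Hash the message, then reduce it to a single block so the toy modulus can hold it.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Digital signature: the hash of the message transformed with the private key."""
    return apply_key(_digest_mod_n(message, private_key[1]), private_key)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Recover the signed hash with the public key and compare it with a fresh
    hash of the message that actually arrived (origin and integrity check)."""
    return apply_key(signature, public_key) == _digest_mod_n(message, public_key[1])


def demonstrate():
    """Constructed walk-through of the properties named on the slides."""
    public_key, private_key = generate_keypair()
    message = b"Transfer 100 to account 42"  # constructed sample message

    # Confidentiality: anyone can encrypt with the public key; only the private key decrypts.
    round_trip = decrypt(encrypt(message, public_key), private_key) == message

    # The relationship works in either direction (private first, then public).
    either_direction = all(
        apply_key(apply_key(b, private_key), public_key) == b for b in b"ok"
    )

    # Origin and integrity: the genuine message verifies ...
    signature = sign(message, private_key)
    genuine = verify(message, signature, public_key)

    # ... while a modified message or a signature from another key pair is rejected.
    tampered = verify(b"Transfer 900 to account 42", signature, public_key)
    _, other_private = generate_keypair(p=53, q=59)  # second constructed toy key pair
    forged = verify(message, sign(message, other_private), public_key)

    return {
        "round_trip": round_trip,
        "either_direction": either_direction,
        "genuine_verified": genuine,
        "tampered_rejected": not tampered,
        "forged_rejected": not forged,
    }


if __name__ == "__main__":
    print(demonstrate())
```

What the certificate authority of slide 10.31 adds on top of this is a signed statement binding the public key to an identity; without it, verify() only proves that some holder of the matching private key signed the message, not who that holder is.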
10.35 MANAGEMENT OPPORTUNITIES, CHALLENGES AND SOLUTIONS: Management Opportunities
- Creation of secure, reliable Web sites and systems that can support e-commerce and e-business strategies

10.36 MANAGEMENT OPPORTUNITIES, CHALLENGES AND SOLUTIONS: Management Challenges
- Designing systems that are neither overcontrolled nor undercontrolled
- Implementing an effective security policy

10.37 MANAGEMENT OPPORTUNITIES, CHALLENGES AND SOLUTIONS: Solution Guidelines
- Security and control must become a more visible and explicit priority and area of information systems investment.
- Support and commitment from top management is required to show that security is indeed a corporate priority and vital to all aspects of the business.
- Security and control should be the responsibility of everyone in the organization.