
Information Technology in Management

Reporter: Dorothy Joy A. Tambis

Controls and Security Measures


Goals of Information Security

To reduce the risk of systems and organizations ceasing operations


To maintain information confidentiality
To ensure the integrity and reliability of data resources
To ensure the availability of data resources
To ensure compliance with national security laws and privacy policies and laws

To plan measures to support these goals, organizations first must be aware of the possible risks to their information
resources, including hardware, applications, data and networks.

In October 1990, a major earthquake hit the San Francisco area. A company's headquarters wanted to obtain information
concerning the status of its operations, but the company's information was not computerized. There was a paper file
containing all the desired information, but no one knew who had it or where it could be found. After 5 hours the
file was found.

Risks to Information Security


Risks to Hardware
- involve physical damage to computers, peripheral equipment and communications media
Natural disasters - the easiest way to protect against loss of data is to automatically duplicate all data
periodically and store the duplicate copy at a site many miles away from the office; communication
media are among the vulnerable parts; the way to protect them is to use thick protective sheaths
Blackouts and brownouts - use a UPS (uninterruptible power supply) or a generator
Vandalism - destroying computer systems; for example, bitter customers may damage an ATM, or dissatisfied
employees may destroy computer equipment; the best measure against vandalism is to allow access only to
those who have a real need for the system
Risks to Applications and Data
- the culprit in the destruction of hardware is natural disaster; the culprit with software is almost always human
Theft of information - businesses kept secret information in a safe, and a thief had to physically break the lock;
today, code is used; before the computer age, a large amount of data meant a large amount of paper, awkward
to steal and hide; today files can be stored on a small magnetic disk, from which information can easily be
stolen. Example: a person copied the formulas for the flavoring products of a successful food line and sent a
copy to a former manager who was a competitor; he asked somebody to print it because he didn't know how to;
the service person noticed that a different company name appeared in the printout and notified the victim.
The managers had been wondering how the competitor kept introducing similar products so soon after their new
products came on the market.
Data alteration and data destruction - often an act of mischief; cause financial damage, and computer pranks
can put people's lives at risk; the most significant type of crime, with destruction or alteration of
software ranking second; since many companies started posting web pages on the Internet, many of them
have experienced unpleasant surprises; to prevent this, organizations use special hardware and software
Computer viruses - a biological virus is a microorganism that attacks the living cells of a host; it
penetrates the cells, multiplies and then causes the cells to burst, thereby destroying them; it is transmitted
from one living creature to another; a computer virus is a few lines of programming code inserted into a
legitimate program that is later copied and activated by an unwary (careless) user; because computers are
connected and we share files, viruses can spread easily. A virus destroys applications and data files; it may
disrupt data communication and detract from the efficiency of transmitting and receiving legitimate
messages and files; the worst viruses are those that attack the OS, because the virus can then damage every file
Logic bomb - programmed to cause damage at a specific future time; it is dormant until a certain
event takes place, or until the internal computer clock indicates the prespecified time or event that triggers
the virus to cause damage. Do you open an e-mail you do not know?
Melissa - a fast-spreading macro virus that is distributed as an e-mail attachment that, when
opened, disables a number of safeguards in Word 97 or Word 2000 and, if the user has the
Microsoft Outlook e-mail program, causes the virus to be resent to the first 50 people in each of
the user's address books. The purpose of the virus was not to destroy files but to slow down the
communications within organizational computer networks; it affected 100 000 computers in more than 300
companies within 3 days of its launch; the person behind it was David L. Smith - 4 cases; $480 000 in fines
and 40 years in prison; this is one sample of a type of virus; there are plenty of viruses, so the way to
protect is to use antivirus software; if a new virus is designed to operate in a way not yet known, the
software cannot detect it. Viruses like Melissa are often called Trojan horses
Unauthorized remote control programs - allow someone else to take control of your PC from a remote
point; users forget to implement the optional passwords; such a program is not a virus and does not harm
anything, but it makes a system vulnerable because it allows anybody to take full control of your PC
Nonmalicious mishaps (disasters) - unintentional damage to software occurs because of poor training, lack
of adherence to backup procedures, or human error; poor training may result in inappropriate use of an
application so that it ruins data.

Controls
- Constraints and other measures imposed on a user or a system that can be used to secure systems against the
risks

Common controls

Program robustness and data entry controls - a robust program can perform what it is intended to do and can
resist inappropriate usage, e.g. incorrect data entry; a highly robust program includes code that promptly
produces a clear message if a user either errs (makes a mistake) or tries to circumvent a process, e.g. a
telephone number or e-mail address that is not in the proper format
Controls are also a means of translating business policies into system features, e.g. an error appears if the
debtor has an existing rent
An effective way to control system use in a transaction-processing system is to place limits on the
numerical values that can be either entered into quantitative fields or output through processing, i.e. set
an upper limit
Backup - automatic duplication of data is the easiest way to protect against loss of data caused by natural
disasters, computer viruses and human errors; use redundant arrays of inexpensive disks (RAID); however,
due to great developments in telecommunications, corporations prefer to back up data at a remote site
through communications lines
Access controls - address one of the most serious threats to security
- measures taken to ensure that only those who are authorized have access to a
computer or network or to certain applications or data
The most common way to control access is an access code and password (change it frequently, force users to
change it, do not reuse passwords used in the past); physical access controls include biometrics such as
fingerprints, retinal pictures and voiceprints
Atomic transactions - ensure that only a full entry occurs in all the appropriate files, e.g. a sale
transaction (invoice, shipping, accounts receivable, commission); a control not only against malfunction
but also against fraud
Audit trail - a series of documented facts that help detect who recorded which transactions, at what
time, and under whose approval; wherever there is a transaction, an employee's information is needed; helps
uncover undesirable acts; an important tool of the electronic data processing (EDP) auditor, whose job is to
find erroneous cases and investigate them
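
The upper-limit, atomic transaction and audit trail controls above can be combined in one posting routine. The following Python sketch is an added example, not part of the original report; the table names, the MAX_SALE limit and the employee names are assumptions made for illustration.

```python
import sqlite3

MAX_SALE = 10_000  # assumed upper limit on the amount field (data entry control)
FILES = ("invoice", "shipping", "accounts_receivable", "commission")

def open_books():
    """In-memory database holding the four sale files plus an audit trail."""
    db = sqlite3.connect(":memory:")
    for name in FILES:
        db.execute(f"CREATE TABLE {name} (sale_id INTEGER PRIMARY KEY, amount REAL)")
    db.execute("CREATE TABLE audit_trail (sale_id INTEGER, recorded_by TEXT NOT NULL,"
               " approved_by TEXT NOT NULL, at TEXT DEFAULT CURRENT_TIMESTAMP)")
    return db

def post_sale(db, sale_id, amount, recorded_by, approved_by):
    """Write the sale to every file and the audit trail, or to none of them."""
    # Data entry control: refuse out-of-range values with a clear message.
    if not 0 < amount <= MAX_SALE:
        raise ValueError(f"amount must be above 0 and at most {MAX_SALE}")
    try:
        with db:  # one transaction: commit on success, roll back on any error
            for name in FILES:
                db.execute(f"INSERT INTO {name} VALUES (?, ?)", (sale_id, amount))
            db.execute("INSERT INTO audit_trail (sale_id, recorded_by, approved_by)"
                       " VALUES (?, ?, ?)", (sale_id, recorded_by, approved_by))
        return True
    except sqlite3.Error:
        return False  # partial entries were rolled back

def row_counts(db):
    """Number of rows in each file, to show that entries are all-or-nothing."""
    return {name: db.execute(f"SELECT COUNT(*) FROM {name}").fetchone()[0]
            for name in FILES + ("audit_trail",)}

if __name__ == "__main__":
    books = open_books()
    print(post_sale(books, 1, 250.0, "clerk_a", "manager_b"))   # complete entry
    # Constructed fault: a stray commission row makes the fourth insert of sale 2 fail.
    books.execute("INSERT INTO commission VALUES (2, 5.0)")
    books.commit()
    print(post_sale(books, 2, 99.0, "clerk_a", "manager_b"))    # rolled back
    print(row_counts(books))
```

The failed sale leaves no row in the invoice, shipping or accounts receivable files, and a sale submitted without the recording employee's name is rejected by the audit trail's NOT NULL constraint.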
Integrating Security into Development
Experience shows that it is much less expensive to incorporate measures into a system during development than to
impose them on an existing system

Security Standards
Systems developers use established standards when evaluating a system's degree of security
Orange Book - originally written for military ISs, now used by the IT industry as a guide
4 security levels:
1. Decision A: Verify Protection
2. Decision B: Mandatory Protection
3. Decision C: Discretionary Protection
4. Decision D: Minimal Protection or No Protection
Subclasses are numbered, with 1 indicating the lowest; the Orange Book does not address networking
issues (ISO/IEC standard)

ISO Standard - provides a common set of requirements for the security functions of IT products and
systems and for assurance measures applied to them during a security evaluation; the evaluation
results may help consumers determine whether the product is secure enough for the intended application;
experience shows that once a set of standards is established, it becomes a reference for many in the
industry and they start to incorporate the standards in their products
Separation of Duties
One of the most important measures to prevent abuse of ISs and criminal inside jobs is the separation of duties;
it allows checks and balances and minimizes the possibility of criminal behavior
Separation of Duties in Systems Development
Trapdoors are built into software by the original programmers to allow the programmers or their
collaborators access to particular applications or databases. Test for and fix the weak points before the
system is introduced for use
Security Responsibilities

SYSTEM BUILDER
- Create a menu system that can be used to control access by providing different menus depending
upon authorization.
- Include program modules that allow users to create access codes and passwords.

SYSTEM OWNER
- Establish access codes.
- Establish passwords.
- Establish access procedures.

Separation of Duties while Using the System - desirable when it involves financial and accounting
activities that may be subject to fraud or theft; in financial institutions the electronic transfer of funds
cannot be executed unless 2 employees join their passwords to trigger the transaction; an extremely
powerful control on a system's security
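
The two-employee rule for fund transfers can be enforced in software as shown below. This Python sketch is an added example, not part of the original report; the TransferDesk class, the employee names and the passwords are hypothetical.

```python
import hashlib
import hmac
import os

def _stretch(password, salt):
    """Derive a password hash; plaintext passwords are never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class TransferDesk:
    """Hypothetical funds-transfer front end that enforces two-person approval."""

    def __init__(self):
        self._officers = {}  # employee name -> (salt, password hash)

    def enroll(self, name, password):
        salt = os.urandom(16)
        self._officers[name] = (salt, _stretch(password, salt))

    def _authenticated(self, name, password):
        if name not in self._officers:
            return False
        salt, stored = self._officers[name]
        # Constant-time comparison of the stored and the freshly derived hash.
        return hmac.compare_digest(stored, _stretch(password, salt))

    def transfer(self, amount, approvals):
        """approvals is a list of (employee, password) pairs entered at the terminal."""
        # A set collapses repeated entries, so one employee approving twice counts once.
        approvers = {name for name, pw in approvals if self._authenticated(name, pw)}
        if len(approvers) < 2:
            return False, "refused: two different authorized employees must approve"
        return True, f"transfer of {amount} executed, approved by {sorted(approvers)}"
```

The case worth noting is the same employee entering a valid password twice: it authenticates both times but still counts as one approver, so the transfer is refused.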
Network Controls
- use of networked systems is increasing, and because of this fewer computers are standalone machines; networked
systems have their own security needs; once a user enters a network, security measures using access codes and
passwords are similar to those of any computer system; however, some additional precautions against
unauthorized use on networks can be implemented, like the following:
Callback - some organizations open their systems for employees to work from home, which is more prone to
security breaches; a popular measure against unauthorized remote access is called callback
When a modem dials into a system, a special application asks for the telephone number from which the
call has been made; if the number is authorized, the system disconnects and dials that number. If the
number does not match a number on its list of authorized numbers, the system does not allow access.
Encryption - when communicating sensitive information via a public network, parties must authenticate each
other and keep the message secret.
- coding a message into a form unreadable to an interceptor
Authentication - the process of ensuring that the person who sends a message to or receives a
message from you is indeed that person.
Encryption programs are used to scramble information transmitted over networks so that an
interceptor will receive unintelligible data. The original message is called plaintext; the coded message is
called ciphertext. Encryption is done by using a mathematical algorithm, which is the formula, and a key.
The key is the combination of bits that must be used to figure out the formula.
Symmetric - when both the sender and the recipient use the same key
The recipient must have the key before the encrypted message text is received
Asymmetric - comprising two keys: one is public and the other is private; also called
public-key encryption
The public key is distributed widely and may be known to everyone; a private key is
secret and known only to the recipient of the message; when the sender wants to send a
message to the recipient, he uses the recipient's public key to encrypt the message; the recipient then
uses his own private key to decrypt it
Encryption strength - refers to how much time it would take to figure out the key and decrypt
a ciphertext; the strength greatly depends on the number of bits making up the key

Length of Key    Time to Break the Key
40 bits          2 seconds
56 bits          35 hours
64 bits          1 year
80 bits          70 000 years
112 bits         10^14 (one thousand trillion) years
112 bits         10^19 (ten thousand quadrillion) years

Distribution Restriction - the U.S. Department of Commerce defines strong encryption technology as
munitions and as such limits its distribution to U.S. citizens and residents

Because of the restrictions, some companies have moved their development and sales
departments to other countries

SSL and other public-key encryption standards let companies and individuals use digital
certificates

Digital certificate - the equivalent of a physical ID card; it contains a public key and a digital signature;
certificate authorities have arrangements with financial corporations
Digital signature - a digital code that uniquely identifies the sender of a message
The recipient of an encrypted message uses the certificate authority's public key to decode the digital
certificate attached to the message, verifies it as issued by the certificate authority and then obtains the
sender's public key and identification information held within the certificate. With this information, the
recipient can send an encrypted reply.
On the web, encryption and authentication take place automatically and are transparent to users.
There is an indication in the browser's window if the communication is secure: a closed padlock; by double
clicking it you can see the certificate issuer's name, the date it was issued and the expiry date
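
The certificate check described above (verify with the certificate authority's public key, take the sender's public key from the certificate, encrypt a reply to it) can be traced in code. This Python sketch is an added example, not part of the original report; it uses textbook RSA with constructed toy keys and no padding, and the names CA, "alice" and the helper functions are assumptions.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_key(p, q):
    """Textbook RSA key from two primes: returns (public modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    """SHA-256 of the data, reduced so it fits below the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest(data, n), d, n)

def signature_ok(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

# Constructed toy keys built from Mersenne primes; far too weak for real use.
CA_N, CA_D = make_key(2**61 - 1, 2**89 - 1)
ALICE_N, ALICE_D = make_key(2**107 - 1, 2**127 - 1)

def issue_certificate(name, subject_n):
    """The CA binds a name to a public key by signing both with its private key."""
    body = f"{name}|{subject_n}".encode()
    return {"name": name, "public_key": subject_n, "ca_signature": sign(body, CA_N, CA_D)}

def encrypted_reply(cert, text):
    """Recipient's side: check the certificate with the CA's public key, then encrypt
    a short reply to the public key inside it. Returns None if the check fails."""
    body = f"{cert['name']}|{cert['public_key']}".encode()
    if not signature_ok(body, cert["ca_signature"], CA_N):
        return None
    # The reply must be shorter than the modulus (about 29 bytes for this toy key).
    return pow(int.from_bytes(text.encode(), "big"), E, cert["public_key"])

def decrypt(ciphertext, n, d):
    """Certificate holder's side: recover the reply with the private key."""
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode()
```

A certificate whose public key has been swapped after issuance no longer matches the CA's signature, so `encrypted_reply` returns None instead of encrypting to the substituted key.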
Firewalls - the best defense against unauthorized access to systems over the Internet; a firewall is software
whose purpose is to block access to computing resources; a safer way to prevent unauthorized access to
an IS via a web site is to use a completely separate server for the resources meant to be accessible to net
surfers, but this approach is inconvenient when dealing with dynamic, time-dependent information;
firewalls are also used to keep unauthorized software away, such as computer viruses and other rogue software

The Downside of Security


Security controls slow down data communication, and they require discipline that is not always easy to maintain.
SSO - the solution to avoid using a different password for every system is single sign-on; software must be
installed that interacts with all the organization's systems, and the systems must be linked through a network
Encryption slows down communication because the software must encrypt and decrypt every message.
Firewalls have the same slowing effect; screening of every download takes time, which affects anyone trying to
access information.

Recovery Measures
Security measures may reduce undesirable mishaps, but nobody can control all disasters. To be prepared for disasters
when they occur, orgs must have recovery measures. Orgs that depend on ISs for their daily business often use
redundancy, running two computers parallel, to protect against loss of data and business.

Fault tolerant - if one computer is down, the work will continue on the other computer

To prepare for mishaps, organizations use a program called a disaster recovery plan, which details what should be
done and by whom

Business recovery plan or business resumption plan - considers factors beyond just computers and ISs

The Business Recovery Plan

1. obtain management's commitment to the plan - once management is committed, it should appoint a business recovery
coordinator who will develop the plan and execute it if a disaster occurs
2. establish a planning committee - comprising representatives from all business units
3. perform risk assessment and impact analysis - assesses which operations would be hurt by disasters and how
long the org could continue to operate the damage resources
4. prioritize recovery needs - the disaster recovery coordinator ranks each IS application according to its effect on
an organization's ability to achieve its mission
a. critical: applications that cannot be replaced with manual systems under any circumstances
b. Vital: applications that can be replaced with manual systems for brief period
c. sensitive: applications that can be replaced with acceptable manual systems for an extended period of
time, though at great cost
d. noncritical: applications that can be interrupted for an extended period of time at little or no cost to the
organization
5. select a recovery plan - alternatives are evaluated considering the advantages and disadvantages in terms of risk
reduction, cost, and the speed at which employees can adjust to the alternative
6. select vendors - if it is determined that an external vendor can respond to the disaster better than in-house staff
and provide a better alternate system, then the most cost-effective vendor is selected, considering
factors like telecommunications, experience and capacity to support current applications
7. develop and implement the plan - includes organizational and vendor responsibilities and the sequence of events
that will take place
8. test the plan - includes a walk-through with each business unit, simulations as if a real disaster had occurred, if no
damage it is being deliberate and implement the plan
9. continually test and evaluate - the plan must be tested periodically
The plan should include the key personnel and their responsibilities; it must be examined periodically and updated if
necessary; the plan must be changed to reflect the new environment, and the changes must be thoroughly tested;
a copy of the plan should be kept off-site, because if a disaster occurs

The Economic Aspect of Security Measures


- organizations spend less than 1% of their budgets on computer security; the largest portion of IT security budgets
is spent on firewalls

The cost of damage is the aggregate of all the potential damages multiplied by their respective probabilities, as follows:
$$\text{Cost of potential damage} = \sum_{i=1}^{n} \left(\text{cost-of-disruption}_i \times \text{probability-of-disruption}_i\right)$$
