
CONTENTS

TOPIC                                                              PRESENTED BY (ROLL NO.)
Need of Security and Control of Information Systems                14
Business Value of System Security                                  21
Type of Security Threats                                           41
Organizational and Managerial Framework for Security and Control   35
Tools for Security and Control                                     34

INFORMATION SYSTEM

An information system is a set of interrelated technologies used to collect, process, store and distribute information in support of management decision making.

SECURING INFORMATION SYSTEM

With increasing dependence on information systems, organizations face the challenge of ensuring the security of their data and information systems against security threats in order to gain the maximum advantage from them.

SECURING INFORMATION SYSTEM

The term system security threats refers to the acts or incidents that can and will affect the integrity of business systems, which in turn will affect the reliability and privacy of business data. Most organizations are dependent on computer systems to function, and thus must deal with systems security threats.

SECURING INFORMATION SYSTEM

According to a report, in mid-2012 coordinated attacks on 60 banks around the world netted an estimated $80 million for the hackers. Research shows that the value of corporate and government information lost in 2008 alone topped $1 trillion.

SECURING INFORMATION SYSTEM

To secure the information system, organizations need to adopt the required security and control measures.

SECURING INFORMATION SYSTEM

Security refers to the policies, procedures and technical measures used to prevent unauthorized access, alteration, theft or physical damage to information systems.
Controls are the methods, policies and organizational procedures that ensure the safety of the organization's assets and records and the proper operation of the organization.

Need of Security and control of information systems


PRESENTED BY:
ABDUL GHAYAS ROLL NO. 14

Internet Vulnerabilities and Security Issues


The Internet and public networks are more vulnerable to threats because they are virtually open to anyone.
Fixed Internet addresses, used with cable modems or DSL, can easily be identified and used by outsiders to damage the system and steal information.
The lack of encryption in most Voice over IP (VoIP) traffic means that voice communication can be intercepted by any attacker on the path.

Internet Vulnerabilities and Security Issues


Widespread use of e-mail and instant messaging (IM) means huge traffic volumes and a lot of unwanted messages on the network.
Malware and viruses can be spread easily over the Internet in the form of e-mail attachments and downloaded files.

10.10

2006 by Prentice Hall

Wireless Security Challenges:


Radio frequency bands are easy to scan, which makes wireless networks easy for outsiders to attack.
The service set identifiers (SSIDs) that identify access points are broadcast repeatedly and can easily be picked up by attackers and used as a starting point for stealing information.

Business Value of System Security


PRESENTED BY:
IDREES ILYAS ROLL NO. 41

BUSINESS VALUE OF SECURITY AND CONTROL

Inadequate security and control of information may create serious legal liability. Businesses must protect not only their own information assets but also those of customers, employees and business partners. Failure to do so can lead to costly consequences from data exposure or theft. A business that develops a sound security and control framework protecting its information assets can thus produce a high return on investment.

BUSINESS VALUE OF SECURITY AND CONTROL

Legal and Regulatory Requirements for Electronic Records Management

Electronic Records Management (ERM): the policies, procedures and tools for managing the retention, destruction and storage of electronic records.

BUSINESS VALUE OF SECURITY AND CONTROL

Data Security and Control Laws in the United States:

The Health Insurance Portability and Accountability Act (HIPAA)
Gramm-Leach-Bliley Act
Sarbanes-Oxley Act of 2002

BUSINESS VALUE OF SECURITY AND CONTROL

Organizations need to maintain and organize electronic evidence and be prepared for computer forensics.

Electronic Evidence: computer data stored on disks and drives, e-mail, instant messages and e-commerce transactions.
Computer Forensics: the scientific collection, examination, authentication, preservation and analysis of computer data for use as evidence in a court of law.

Type of Security Threats


PRESENTED BY:
SHAMAS HABIB QURESHI ROLL NO. 21

THREATS POSED TO INFORMATION SYSTEMS

Malicious Software: Viruses, Worms, Trojan Horses and Spyware

Computer viruses: a software program that attaches itself to other software programs and spreads from one computer to another through file sharing and e-mail attachments; it executes without the user's knowledge or permission and damages the functioning of the system.
Worms: independent computer programs that copy themselves from one computer to another and destroy data and programs.
Trojan horses: software that does not itself replicate but opens the way for viruses or other malicious software to attack.

THREATS POSED TO INFORMATION SYSTEMS


Spyware: software that installs itself on a computer, monitors the user's web surfing activity and serves up advertising.
Spoofing: redirecting a web link to an address different from the intended one, directing users to fake websites that can be used to extract personal and confidential information.
Sniffers: programs that monitor the flow of information over a network and allow attackers to steal information from anywhere on the network.
Denial of Service (DoS) attacks: attackers flood the network or web servers with thousands of false requests in order to slow down or crash the network.

THREATS POSED TO INFORMATION SYSTEMS

Identity theft: a crime in which an impostor obtains important personal information, such as a personal identification number, driver's license number or credit card number, in order to impersonate someone else.

Phishing: setting up fake websites or sending e-mails that look like those of legitimate businesses in order to ask users for confidential information that can be used for financial fraud.
The rise in cybercrime and cyberwarfare poses a serious threat to information systems.

THREATS POSED TO INFORMATION SYSTEMS

Internal threats from employees: employees have access to confidential information, so negligence on their part is a serious threat. Users' lack of knowledge and inability to protect their passwords means outsiders can breach security.

Software flaws: defects in software programs can easily be exploited to obtain valuable information.

SYSTEM VULNERABILITY AND ABUSE

[Figure 10-3: Worldwide Damage from Digital Attacks]

Organizational and Managerial Framework for Security and Control

PRESENTED BY: SHAMAS HABIB QURESHI ROLL NO. 21

ESTABLISHING A MANAGEMENT FRAMEWORK FOR SECURITY AND CONTROL

From the management perspective it is required that:

Security and control become a more visible and explicit priority and area of information systems investment.
Support and commitment from top management show that security is indeed a corporate priority and vital to all aspects of the business.
Security and control be the responsibility of everyone in the organization.

ESTABLISHING A MANAGEMENT FRAMEWORK FOR SECURITY AND CONTROL

Controls are the methods, policies and organizational procedures that ensure the safety of the organization's assets and records and the proper operation of the organization.

Controls for securing information systems:
General Controls
Application Controls

ESTABLISHING A MANAGEMENT FRAMEWORK FOR SECURITY AND CONTROL

General Controls
The controls applied to all computer applications. They include the design, security and use of computer systems and tools to protect information throughout the information technology infrastructure.

General Controls

Software Controls: monitor the use of computer software and prevent unauthorized access to software.
Hardware Controls: ensure that the hardware and equipment are physically secure.
Computer Operation Controls: ensure that computer and processing operations are carried out consistently and as planned.
Data Security Controls: ensure that valuable business data are not subjected to unauthorized access or destruction.
Implementation Controls: audit that the system development process is properly controlled and managed.
Administrative Controls: formulate standards, rules and procedures to ensure that general and application controls are properly executed and enforced.

ESTABLISHING A MANAGEMENT FRAMEWORK FOR SECURITY AND CONTROL

Application controls: specific controls unique to each computerized application that ensure only authorized data are processed by that application.

Input controls: check data for accuracy and completeness when they are entered into the system.
Processing controls: ensure that processing runs smoothly and that data remain complete during updating.
Output controls: ensure that results are complete, accurate and properly distributed.

ESTABLISHING A MANAGEMENT FRAMEWORK FOR SECURITY AND CONTROL

Develop a security policy

A security policy consists of statements ranking information risks, identifying acceptable security goals and identifying the mechanisms for achieving those goals.

Components of Security Policy

Risk Assessment: determine which information assets are at risk and the level of risk associated with each information asset.

Acceptable security goals: define the acceptable use of information resources and equipment and the authorization level for employees.
Disaster recovery planning: plans for restoring computing and communications disrupted by an event such as an earthquake, flood or terrorist attack.
Business continuity planning: plans for handling mission-critical functions if systems go down.

Implementation of policies: use technologies and tools to secure the information systems and achieve the security goals; control and manage the security tools.

ESTABLISHING A MANAGEMENT FRAMEWORK FOR SECURITY AND CONTROL

Auditing:

MIS audit: Identifies all of the controls that govern individual information systems and assesses their effectiveness
Security audits: Review technologies, procedures, documentation, training, and personnel

TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL

Access Control

Access control: consists of all the policies and procedures a company uses to prevent improper access to systems by unauthorized insiders and outsiders.
Authentication:
Passwords
Tokens, smart cards
Biometric authentication

TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL


Firewalls, Intrusion Detection Systems and Antivirus Software

Firewalls: hardware and software controlling the flow of incoming and outgoing network traffic.
Intrusion detection systems: full-time monitoring tools placed at the most vulnerable points of corporate networks to detect and deter intruders.

TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL


Antivirus software: software that checks computer systems and drives for the presence of computer viruses and can eliminate the virus from the infected area.
Wi-Fi Protected Access specification

TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL


Encryption and Public Key Infrastructure

Public key encryption: uses two different keys, one private and one public. The keys are mathematically related so that data encrypted with one key can be decrypted only with the other key.
Message integrity: the ability to be certain that the message being sent arrives at the proper destination without being copied or changed.

TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL


Encryption and Public Key Infrastructure (Continued)

Digital signature: a digital code attached to an electronically transmitted message that is used to verify the origin and contents of the message.
Digital certificates: data files used to establish the identity of users and electronic assets for the protection of online transactions.
Public Key Infrastructure (PKI): the use of public key cryptography working with a certificate authority.
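The sign-with-the-private-key, verify-with-the-public-key relationship behind digital signatures and message integrity, as an added Python example that is not part of the original slides. It uses a constructed toy RSA key pair with tiny primes (real deployments use 2048-bit keys and a padding scheme such as RSA-PSS) and SHA-256 from the standard library.

```python
import hashlib

# Constructed toy RSA key pair (illustration only; far too small for real use).
P, Q = 61, 53
N = P * Q                 # public modulus, 3233
PHI = (P - 1) * (Q - 1)   # 3120
E = 17                    # public exponent
D = pow(E, -1, PHI)       # private exponent: inverse of E mod PHI (= 2753)

PUBLIC_KEY = (E, N)
PRIVATE_KEY = (D, N)


def sign(message: bytes, private_key) -> list:
    """Hash the message contents, then apply the private key to each digest
    byte. Only the matching public key can reverse this, which is what ties
    the signature to the origin (the private-key holder)."""
    d, n = private_key
    digest = hashlib.sha256(message).digest()
    # Each byte (< 256) is below the toy modulus, so it is signed separately;
    # with a real key size the whole digest fits in one block.
    return [pow(b, d, n) for b in digest]


def verify(message: bytes, signature: list, public_key) -> bool:
    """Recover the digest with the public key and compare it with a fresh
    hash of the received message. Any change to the message or to the
    signature makes the comparison fail (integrity and origin check)."""
    e, n = public_key
    recovered = [pow(s, e, n) for s in signature]
    return recovered == list(hashlib.sha256(message).digest())


def demo():
    """Returns (genuine ok, tampered message rejected, tampered signature rejected)."""
    msg = b"Transfer 100 to account A"
    sig = sign(msg, PRIVATE_KEY)
    genuine = verify(msg, sig, PUBLIC_KEY)
    # Message altered in transit: the hash no longer matches.
    altered_msg = verify(b"Transfer 900 to account A", sig, PUBLIC_KEY)
    # Signature altered in transit: RSA is a permutation of the residues,
    # so a different signature element recovers a different digest byte.
    bad_sig = [(sig[0] + 1) % N] + sig[1:]
    altered_sig = verify(msg, bad_sig, PUBLIC_KEY)
    return genuine, altered_msg, altered_sig


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```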

TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL

Encryption and Public Key Infrastructure (Continued)

Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS): protocols for secure information transfer over the Internet; they enable client and server computers to encrypt and decrypt data as they communicate during a secure Web session.
Secure Hypertext Transfer Protocol (S-HTTP): used for encrypting data flowing over the Internet; limited to Web documents, whereas SSL and TLS encrypt all data passed between client and server.
