Organizational and managerial framework for security and control
Tools for security and control
INFORMATION SYSTEM
An information system is a set of interrelated technologies used to collect, process, store and distribute information to support management decision making.
With increasing dependence on information systems, organizations face the challenge of securing their data and information systems against security threats in order to get the maximum advantage from them.
The term system security threats refers to the acts or incidents that can and will affect the integrity of business systems, which in turn will affect the reliability and privacy of business data. Most organizations are dependent on computer systems to function, and thus must deal with systems security threats.
According to one report, coordinated attacks on 60 banks around the world in mid-2012 netted an estimated $80 million for the hackers. Research shows that the value of corporate and government information lost in 2008 alone topped $1 trillion.
To secure the information system, organizations need to adopt the required security and control measures.
SECURING INFORMATION SYSTEMS
Security refers to the policies, procedures and technical measures used to prevent unauthorized access, alteration, theft or physical damage to information systems. Controls are the methods, policies and organizational procedures that ensure the safety of the organization's assets, records and operations.
Inadequate security and control of information may create serious legal liability. Businesses must protect not only their own information assets but also those of customers, employees, and business partners. Failure to do so can lead to costly consequences for data exposure or theft. A business must therefore develop a sound security and control framework; protecting business information assets can thus produce a high return on investment.
Legal and Regulatory Requirements for Electronic Records Management
Electronic Records Management (ERM): policies, procedures and tools for managing the retention, destruction, and storage of electronic records
Data Security and Control Laws in the United States:
The Health Insurance Portability and Accountability Act (HIPAA)
Gramm-Leach-Bliley Act
Sarbanes-Oxley Act of 2002
Organizations also need to maintain and organize electronic evidence and computer forensics.
Electronic Evidence: computer data stored on disks and drives, e-mail, instant messages, and e-commerce transactions
Computer Forensics: Scientific collection, examination, authentication, preservation, and
THREATS POSED TO INFORMATION SYSTEMS
Malicious Software: Viruses, Worms, Trojan Horses, and Spyware
Computer viruses: a software program that attaches itself to other software programs and spreads from one computer to another through file sharing and email attachments, without the user's knowledge or permission; when it executes it damages the functioning of the system
Worms: independent computer programs that copy themselves from one computer to another and destroy data and programs
Trojan horses: software that does not itself replicate but makes way for viruses or other malicious software to attack
Identity theft: a crime in which an imposter obtains important personal information, such as a personal identification number, driver's license number or credit card numbers, in order to impersonate someone else
Phishing: involves setting up fake websites or sending e-mails that look like they come from legitimate businesses in order to ask users for confidential information that can be used for financial fraud
The rise in cybercrime and cyberwarfare is posing a serious threat to information systems.
Internal threats from employees: employees have access to confidential information, so negligence on their part is a serious threat. Users' lack of knowledge and inability to protect their passwords mean that outsiders can breach security.
Software flaws: defects in software programs can easily be exploited to obtain valuable information.
Figure 10-3
Support and commitment from top management is required to show that security is indeed a corporate priority and vital to all aspects of the business.
Security and control should be the responsibility of everyone in the organization.
Controls for Securing Information Systems
Controls are the methods, policies and organizational procedures that ensure the safety of the organization's assets, records and operations.
General Controls
Application Controls
General Controls
The controls applied to all computer applications. They include the design, security and use of computer systems and tools to protect information throughout the information technology infrastructure.
General Controls
Software Controls: monitor the use of computer software and prevent unauthorized access to software
Hardware Controls: ensure that the hardware and equipment are physically secure
Computer Operations Controls: ensure that the computer and processing operations are done consistently and as planned
Data Security Controls: ensure that valuable business data are not subjected to unauthorized access or destruction
Implementation Controls: audit that the system process is properly controlled and managed
Administrative Controls: formulate standards, rules and procedures to ensure that general and application controls are properly executed and enforced
2006 by Prentice Hall
Application Controls: specific controls unique to each computerized application that ensure only authorized data are processed by that application
Input controls: check data for accuracy and completeness when they are entered into the system
Processing controls: ensure that processing runs smoothly and data are complete during updating
Output controls: ensure the results are complete, accurate and properly distributed
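The three application-control stages above, worked through on a constructed batch of payment records. This is an added illustration, not code from the original slides; the record layout, field names and the batch header totals are assumptions made for the example.

```python
"""Input, processing and output controls on one batch of records (constructed example)."""
from decimal import Decimal, InvalidOperation

REQUIRED = ("id", "account", "amount")  # assumed record layout

def input_control(raw_records):
    """Input control: edit checks at entry; returns (accepted, rejected with reasons)."""
    accepted, rejected = [], []
    for rec in raw_records:
        problems = [f"missing {f}" for f in REQUIRED if not rec.get(f)]
        amount = rec.get("amount")
        if amount:
            try:
                if Decimal(amount) <= 0:
                    problems.append("amount not positive")
            except InvalidOperation:
                problems.append("amount not numeric")
        (rejected.append((rec, problems)) if problems else accepted.append(rec))
    return accepted, rejected

def processing_control(records, declared_count, declared_total):
    """Processing control: run control totals must match the totals declared in the batch header."""
    count = len(records)
    total = sum((Decimal(r["amount"]) for r in records), Decimal("0"))
    return count == declared_count and total == Decimal(declared_total), count, total

def output_control(records, processed_total):
    """Output control: build the report and reconcile its total with what was processed."""
    lines = [f"{r['id']},{r['account']},{r['amount']}" for r in records]
    report_total = sum((Decimal(line.rsplit(",", 1)[1]) for line in lines), Decimal("0"))
    return lines, report_total == processed_total

def run_batch(raw_records, declared_count, declared_total):
    """Run the three stages in order and report the outcome of each."""
    accepted, rejected = input_control(raw_records)
    balanced, count, total = processing_control(accepted, declared_count, declared_total)
    lines, reconciled = output_control(accepted, total)
    return {"accepted": count, "rejected": [p for _, p in rejected], "balanced": balanced,
            "total": str(total), "report": lines, "reconciled": reconciled}

# Constructed batch: the header (assumed) claims 3 valid records totalling 450.00
BATCH = [
    {"id": "1", "account": "A-100", "amount": "100.00"},
    {"id": "2", "account": "A-200", "amount": "abc"},   # fails input control: not numeric
    {"id": "3", "account": "", "amount": "150.00"},     # fails input control: no account
    {"id": "4", "account": "A-400", "amount": "200.00"},
]
HEADER = (3, "450.00")

if __name__ == "__main__":
    print(run_batch(BATCH, *HEADER))  # balanced is False: the rejected 150.00 record is missing
```

The processing control flags the batch as out of balance because a record the header counted was rejected at input, which is exactly the kind of discrepancy control totals exist to surface before output is distributed.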
Implementation of policies
Define acceptable use of information resources and equipment, and authorization levels for employees
Disaster recovery planning: plans for restoring computing and communications disrupted by an event such as an earthquake, flood, or terrorist attack
Business continuity planning: plans for handling mission-critical functions if systems go down
Use technologies and tools to secure the information systems and achieve the security goals; control and manage the security tools.
Auditing:
MIS audit: Identifies all of the controls that govern individual information systems and assesses their effectiveness
Security audits: Review technologies, procedures, documentation, training, and personnel
Access control: Consists of all the policies and procedures a company uses to prevent improper access to systems by unauthorized insiders and outsiders
Authentication: passwords; tokens and smart cards; biometric authentication
systems and drives for the presence of computer viruses and can eliminate the virus from the infected area
Wi-Fi Protected Access specification
Public key encryption: Uses two different keys, one private and one public. The keys are mathematically related so that data encrypted with one key can be decrypted using only the other key
Message integrity: The ability to be certain that the message being sent arrives at the proper destination without being copied or changed
TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL
Encryption and Public Key Infrastructure (Continued)
Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS): protocols for secure information transfer over the Internet; enable client and server computer encryption and decryption activities as they communicate during a secure Web session. Secure Hypertext Transfer Protocol (S-HTTP): used for encrypting data flowing over the Internet; limited to Web documents, whereas SSL and TLS encrypt all data being passed between client and server.