Managing Information Resources and Security

Nov 8, 2013

Chapter 15

Information Technology For Management, 4th Edition
Turban, McLean, Wetherbe
Lecture Slides by A. Lekacos, Stony Brook University
John Wiley & Sons, Inc.

Managing Information Resources and Security

Chapter Objectives

- Recognize the difficulties in managing information resources.
- Understand the role of the IS department and its relationships with end users.
- Discuss the role of the chief information officer.
- Recognize information systems’ vulnerability, attack methods, and the possible damage from malfunctions.
- Describe the major methods of defending information systems.
- Describe the security issues of the Web and electronic commerce.
- Describe business continuity and disaster recovery planning.
- Understand the economics of security and risk management.

The IS Department

IT resources are very diversified; they include personnel assets, technology assets, and IT relationship assets. The management of information resources is divided between the information services department (ISD) and the end users. The division of responsibility depends on many factors.

- The reporting relationship of the ISD is important in that it reflects the focus of the department. If the ISD reports to the accounting or finance areas, there is often a tendency to emphasize accounting or finance applications at the expense of those in the marketing, production, and logistics areas.
- The name of the ISD is also important:
  - Data Processing (DP) Department
  - Management Information Systems (MIS) Department
  - Information Systems Department (ISD)
- Another important characteristic is the status of the ISD.

The End-User Relationship

Since the ISD is a service organization that manages the IT infrastructure needed to carry on end-user IT applications, it is extremely important to have a good relationship with the end users. The development of end-user computing and outsourcing was motivated in part by the poor service that end users felt they received. However, this is not an easy task, since the ISD is basically a technical organization that may not understand the business and the users, while the users may not understand information technologies.

To improve collaboration, the ISD and end users may employ three common arrangements:
- the steering committee
- service-level agreements
- the information center.

ISD’s Mission

To carry out its mission in the digital economy, the ISD needs to adapt.


The CIO (Chief Information Officer)

Managing the ISD is similar to managing any other organizational unit. The unique aspect of the ISD is that it operates as a service department in a rapidly changing environment, thus making the department’s projections and planning difficult.

The changing role of the ISD highlights the fact that the CIO is becoming an important member of the firm's top management team:
- Realization of the need for IT-related disaster planning and the importance of IT to the firm’s activities.
- Aligning IT with the business strategy
- Implementing state-of-the-art solutions
- Providing information access
- Being a business visionary who drives business strategy
- Coordinating resources

IS Vulnerability

Information resources (physical resources, data, software, procedures, and other information resources) are scattered throughout the firm. Information is transmitted to and from the firm’s components. Therefore vulnerabilities exist at many points and at any time.

System Vulnerability

- A universal vulnerability is a state in a computing system which either: allows an attacker to execute commands as another user; allows an attacker to access data that is contrary to the access restrictions for that data; allows an attacker to pose as another entity; or allows an attacker to conduct a denial of service.
- An exposure is a state in a computing system (or set of systems) which is not a universal vulnerability, but either: allows an attacker to conduct information gathering activities; allows an attacker to hide activities; includes a capability that behaves as expected, but can be easily compromised; is a primary point of entry that an attacker may attempt to use to gain access to the system or data; and is considered a problem according to some reasonable security policy.

System Vulnerability (continued)

The vulnerability of information systems is increasing as we move to a world of networked and especially wireless computing. Theoretically, there are hundreds of points in a corporate information system that can be subject to some threats.

These threats can be classified as:
- Unintentional
  - Human errors
  - Environmental hazards
  - Computer system failures
- Intentional
  - Theft of data
  - Inappropriate use of data
  - Theft of mainframe computer time
  - Theft of equipment and/or programs

System Vulnerability (continued)

- Intentional (continued)
  - Deliberate manipulation in handling
    - Entering data
    - Processing data
    - Transferring data
    - Programming data
  - Labor strikes
  - Riots
  - Sabotage
  - Malicious damage to computer resources
  - Destruction from viruses and similar attacks
  - Miscellaneous computer abuses
  - Internet fraud
  - Terrorists’ attack

Programming Attack

One method: a programming attack is implemented through the modification of a computer program.

Viruses

The most common attack method is the virus, a program that attaches itself to (“infects”) other computer programs, without the owner of the program being aware of the infection. It spreads, causing damage to that program and possibly to others. When a virus is attached to a legitimate software program, the legitimate software is acting as a Trojan horse, a program that contains a hidden function.

Protecting Information Resources

Information security problems are increasing rapidly, causing damage to many organizations. Protection is expensive and complex. Therefore, companies must not only use controls to prevent and detect security problems, they must do so in an organized manner. An approach similar to TQM (total quality management) would have the following characteristics:
- Aligned. The program must be aligned with organizational goals.
- Enterprisewide. Everyone in the organization must be included.
- Continuous. The program must be operational all the time.
- Proactive. Use innovative, preventive, and protective measures.
- Validated. The program must be tested to ensure it works.
- Formal. It must include authority, responsibility & accountability.

Corporate Security Plan - Protecting

Difficulties - Protecting


Defense Strategy - Protecting

Knowing about potential threats to IS is necessary, but understanding ways to defend against these threats is equally critical. Because of its importance to the entire enterprise, organizing an appropriate defense system is one of the major activities of the CIO. It is accomplished by inserting controls (defense mechanisms) and developing awareness.

The major objectives of a defense strategy are:
1. Prevention and deterrence.
2. Detection.
3. Limitation of damage.
4. Recovery.
5. Correction.
6. Awareness and compliance.

Defense Strategy - Controls

Any defense strategy involves the use of several controls. These controls are divided into two categories: general controls, which protect the system regardless of the specific application, and application controls, which safeguard specific applications.

Defense Strategy - Internet Security

Over the Internet, messages are sent from one computer to another. This makes the network difficult to protect, since there are many points to tap into the network.

Web Attack Threats

Defense Strategy - Internet Security

Security Layers

The major objective of border security is access control. Then comes authentication, or proof of identity, and finally authorization, which determines the actions or activities a user is allowed to perform.
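The three layers above can be seen as a pipeline that every request passes through in order: border access control first, then authentication, then authorization. The following Python program is an added example written for this page, not code from the textbook or the slides; the network allow-list, the user table, the role and permission tables and the sample requests are all constructed for illustration.

```python
"""Added example (not from the slides): border security, authentication and
authorization applied in order to each request.  All tables are constructed."""
import hashlib
import hmac
import ipaddress

# Layer 1: border security.  Constructed allow-list of source networks that
# are permitted to reach the application at all.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.1.0/24")]


def _digest(salt: str, password: str) -> str:
    """Salted SHA-256 digest; the store never holds a plaintext password."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Layer 2: authentication.  Constructed user table: name -> (salt, digest).
USERS = {
    "alice": ("salt-a1", _digest("salt-a1", "correct horse")),
    "bob":   ("salt-b2", _digest("salt-b2", "battery staple")),
}

# Layer 3: authorization.  Constructed role assignment and permission table.
ROLES = {"alice": "admin", "bob": "analyst"}
PERMISSIONS = {
    "admin":   {"read_report", "edit_report", "delete_report"},
    "analyst": {"read_report"},
}


def border_check(source_ip: str) -> bool:
    """Access control at the border: is the request source on the allow-list?"""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def authenticate(user: str, password: str) -> bool:
    """Proof of identity: constant-time comparison of the salted digest."""
    record = USERS.get(user)
    if record is None:
        # Do a comparison anyway so unknown and known user names take about
        # the same time; the result is discarded.
        hmac.compare_digest(_digest("dummy", password), _digest("dummy", ""))
        return False
    salt, expected = record
    return hmac.compare_digest(_digest(salt, password), expected)


def authorize(user: str, action: str) -> bool:
    """What an identified user may do, looked up through their role."""
    return action in PERMISSIONS.get(ROLES.get(user, ""), set())


def handle(source_ip: str, user: str, password: str, action: str) -> str:
    """Apply the layers in order.  The first failing layer rejects the request
    and names itself, so a log shows where in the stack it was stopped."""
    if not border_check(source_ip):
        return "denied: border"
    if not authenticate(user, password):
        return "denied: authentication"
    if not authorize(user, action):
        return "denied: authorization"
    return f"ok: {user} may {action}"


if __name__ == "__main__":
    # Constructed sample requests: one stopped at each layer, one allowed.
    for req in [("203.0.113.5", "alice", "correct horse", "read_report"),
                ("10.1.2.3", "alice", "wrong password", "read_report"),
                ("10.1.2.3", "bob", "battery staple", "delete_report"),
                ("192.168.1.20", "bob", "battery staple", "read_report")]:
        print(handle(*req))
```

The order matters: a request from outside the allowed networks is refused before any credential is examined, and a correctly authenticated user is still refused an action their role does not grant. Returning the name of the layer that rejected the request gives the detection side something concrete to count.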

Business Continuity

An important element in any security system is the business continuity plan, also known as the disaster recovery plan. Such a plan outlines the process by which businesses should recover from a major disaster.
- The purpose of a business continuity plan is to keep the business running after a disaster occurs.
- Recovery planning is part of asset protection.
- Planning should focus on recovery from a total loss of all capabilities.
- Proof of capability usually involves some kind of what-if analysis that shows that the recovery plan is current.
- All critical applications must be identified and their recovery procedures addressed.
- The plan should be written so that it will be effective in case of disaster.

Business Continuity (continued)

- The plan should be kept in a safe place; copies should be given to all key managers, or it should be available on the intranet; and the plan should be audited periodically.

One of the most logical ways to deal with loss of data is to back it up. A business continuity plan should include backup arrangements where all copies of important files are kept offsite.
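A backup only counts as recovery capability once a restore has been proven, which is the "proof of capability" the previous slide calls for. The Python program below is an added example for this page, not code from the textbook: it writes a backup archive with a manifest of file hashes, restores the archive into a scratch directory, and reports every file that is missing or altered. The directory layout, file contents and the `critical-app` name are constructed for illustration.

```python
"""Added example (not from the slides): back up a directory with a hash
manifest, then prove the backup restores completely.  All data constructed."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Streamed SHA-256 of one file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, archive: Path) -> dict:
    """Archive every file under `source`; return and store a manifest of
    relative path -> SHA-256 so a restore can be checked file by file."""
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_of(p)
                tar.add(str(p), arcname=rel)
    manifest_path = archive.parent / (archive.name + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_test(archive: Path, manifest: dict) -> list:
    """Restore into a throw-away directory and compare against the manifest.
    Returns the problems found; an empty list means the backup is usable."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(str(archive), "r:gz") as tar:
            # Use the 'data' extraction filter where this Python offers it, so
            # a crafted archive cannot write outside the restore directory.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(path=str(dest), **kwargs)
        for rel, expected in manifest.items():
            restored = dest / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_of(restored) != expected:
                problems.append(f"content mismatch: {rel}")
    return problems


def demo() -> list:
    """Build a constructed data set, back it up, and run the restore test twice:
    once against the real manifest and once against a manifest that names a
    file the archive never received, to show what a failed test reports."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "critical-app"
        (src / "db").mkdir(parents=True)
        (src / "db" / "orders.csv").write_text("id,total\n1,99.50\n")
        (src / "config.ini").write_text("[app]\nmode=prod\n")
        archive = Path(work) / "critical-app.tar.gz"
        manifest = make_backup(src, archive)
        good = restore_test(archive, manifest)
        broken = dict(manifest, **{"db/customers.csv": "0" * 64})
        bad = restore_test(archive, broken)
        return [good, bad]


if __name__ == "__main__":
    for result in demo():
        print("restore test:", "PASS" if not result else result)
```

In practice the manifest is kept with the offsite copy and the restore test is run on a schedule against that copy, not against the original disk, so that the test exercises the same path a real recovery would take.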

Auditing

Implementing controls in an organization can be very complicated and difficult to enforce. Are controls installed as intended? Are they effective? Did any breach of security occur? These and other questions need to be answered by independent and unbiased observers. Such observers perform an auditing task.

There are two types of auditors:
- An internal auditor is usually a corporate employee who is not a member of the ISD.
- An external auditor is a corporate outsider. This type of auditor reviews the findings of the internal audit.

There are two types of audits:
- The operational audit determines whether the ISD is working properly.
- The compliance audit determines whether controls have been implemented properly and are adequate.

Risk Management

It is usually not economical to prepare protection against every possible threat. Therefore, an IT security program must provide a process for assessing threats and deciding which ones to prepare for and which ones to ignore.
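One way to make the "prepare for or ignore" decision repeatable is to put a number on each threat. The Python program below is an added example for this page, not a method the textbook presents: it assumes the standard annualized loss expectancy model (ALE = single loss expectancy × annual rate of occurrence), funds the controls whose avoided loss exceeds their cost, best net benefit first, within a budget, and accepts the rest. The threat list, the figures and the budget are constructed for illustration.

```python
"""Added example (not from the slides): ranking threats by expected annual
loss and deciding which controls to fund.  Uses the ALE = SLE x ARO model,
assumed here; all threats and numbers are constructed."""
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    single_loss: float        # cost of one occurrence (SLE), currency units
    annual_rate: float        # expected occurrences per year (ARO)
    control_cost: float       # yearly cost of the proposed control
    control_reduction: float  # fraction of the ALE the control removes, 0..1

    def ale(self) -> float:
        """Annualized loss expectancy if nothing is done."""
        return self.single_loss * self.annual_rate

    def net_benefit(self) -> float:
        """Loss avoided per year minus the control's cost; negative means the
        control costs more than the risk it treats."""
        return self.ale() * self.control_reduction - self.control_cost


def assess(threats: list, budget: float) -> dict:
    """Decide which threats to prepare for (control funded) and which to
    accept for now.  Controls are taken in order of net benefit and only
    while they pay for themselves and fit in the budget."""
    ranked = sorted(threats, key=lambda t: t.net_benefit(), reverse=True)
    prepare, accept, spent = [], [], 0.0
    for t in ranked:
        if t.net_benefit() > 0 and spent + t.control_cost <= budget:
            prepare.append(t.name)
            spent += t.control_cost
        else:
            accept.append(t.name)
    return {"prepare": prepare, "accept": accept, "spent": spent}


# Constructed sample threat register.
SAMPLE = [
    Threat("ransomware on file server", 250_000, 0.2, 15_000, 0.8),
    Threat("laptop theft", 5_000, 4.0, 6_000, 0.9),
    Threat("data-center flood", 2_000_000, 0.01, 40_000, 0.95),
    Threat("phishing-led account takeover", 40_000, 1.5, 12_000, 0.7),
    Threat("web defacement", 8_000, 0.5, 9_000, 1.0),
]


if __name__ == "__main__":
    for t in sorted(SAMPLE, key=lambda t: t.net_benefit(), reverse=True):
        print(f"{t.name:32s} ALE={t.ale():>10,.0f} net benefit={t.net_benefit():>10,.0f}")
    print(assess(SAMPLE, budget=30_000))
```

With the constructed figures, the flood is the largest single loss but has the lowest net benefit, because its control is expensive relative to how rarely it is expected; the model says to accept that risk at this budget, which is exactly the kind of explicit "ignore" decision the slide asks the security program to make rather than leave implicit.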

IT Security Trends

- Increasing the reliability of systems
- Self-healing computers
- Intelligent systems for early intrusion detection
- Intelligent systems in auditing and fraud detection
- Artificial intelligence in biometrics
- Expert systems for diagnosis, prognosis, and disaster planning
- Smart cards

MANAGERIAL ISSUES

- To whom should the IS department report? This issue is related to the degree of IS decentralization and to the role of the CIO. Having the IS department reporting to a functional area may introduce biases in providing IT priorities to that functional area, which may not be justifiable. Having the IS report to the CEO is very desirable.

- Who needs a CIO? This is a critical question that is related to the role of the CIO as a senior executive in the organization. Giving a title without authority can damage the ISD and its operation. Asking the IS director to assume a CIO’s responsibility, but not giving the authority and title, can be just as damaging. Any organization that is heavily dependent on IT should have a CIO.

- End users are friends, not enemies, of the IS department. The relationship between end users and the ISD can be very delicate. In the past, many ISDs were known to be insensitive to end-user needs. This created a strong desire for end-user independence, which can be both expensive and ineffective. Successful companies develop a climate of cooperation and friendship between the two parties.

- Ethical issues. The reporting relationship of the ISD can result in some unethical behavior. For example, if the ISD reports to the finance department, the finance department will have access to information about individuals or other departments that could be misused.

MANAGERIAL ISSUES (continued)

- Responsibilities for security should be assigned in all areas. The more organizations use the Internet, extranets, and intranets, the greater are the security issues. It is important to make sure that employees know who is responsible and accountable for what information and that they understand the need for security control. The vast majority of information resources is in the hands of end users. Therefore, functional managers must understand and practice IT security management and other proper asset management tasks.

- Security awareness programs are important for any organization, especially if it is heavily dependent on IT. Such programs should be corporate-wide and supported by senior executives. In addition, monitoring security measures and ensuring compliance with administrative controls are essential to the success of any security plan. For many people, following administrative controls means additional work, which they prefer not to do.

- Auditing information systems should be institutionalized into the organizational culture. Organizations should audit IS because it can save considerable amounts of money. Conversely, over-auditing is not cost-effective.

MANAGERIAL ISSUES (continued)

- Multinational corporations. Organizing the ISD in a multinational corporation is a complex issue. Some organizations prefer a complete decentralization, having an ISD in each country or even several ISDs in one country. Others keep a minimum of centralized staff. Some companies prefer a highly centralized structure. Legal issues, government constraints, and the size of the IS staff are some factors that determine the degree of decentralization.

Copyright © 2003 John Wiley & Sons, Inc.

All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful.

Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc.

The purchaser may make back-up copies for his/her own use only and not for distribution or resale.

The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.