Using MIS 2e Chapter 12 Information Security Management

Category: Security. Uploaded 22 Feb. 2014. 78 views.

© Pearson Prentice Hall 2009

Using MIS 2e
Chapter 12: Information Security Management
David Kroenke

12
-
2

Study Questions

Q1 What are the threats to information security?
Q2 What is senior management’s security role?
Q3 What technical safeguards are available?
Q4 What data safeguards are available?
Q5 What human safeguards are available?
Q6 How should organizations respond to security incidents?
Q7 What is the extent of computer crime?


Q1 What are the threats to information security?

In order to adequately protect information resources, managers must be aware of the sources of threats to those resources, the types of security problems the threats present, and how to safeguard against both. The three most common sources of threats are:

- Human error and mistakes
- Malicious human activity
- Natural events and disasters

Q1 What are the threats to information security?

Human error and mistakes stem from employees and nonemployees.

- They may misunderstand operating procedures and inadvertently cause data to be deleted.
- Poorly written application programs and poorly designed procedures may allow employees to enter data incorrectly or misuse the system.
- Employees may make physical mistakes, like unplugging a piece of hardware, that cause the system to crash.

Malicious human activity results from employees, former employees, and hackers who intentionally destroy data or system components. These actions include:

- Breaking into systems with the intent of stealing, altering or destroying data.
- Introducing viruses and worms into a system.
- Acts of terrorism.

Q1 What are the threats to information security?

The last source of threats to information security is natural events and disasters. These threats pose problems stemming not just from the initial loss of capability and service but also from the problems a company may experience as it recovers from the initial event. They include:

- Fires
- Floods
- Hurricanes
- Earthquakes
- Other acts of nature


Q1 What are the threats to information security?

Fig 12-1 Security Problems and Sources

This chart shows some of the security problems a company may experience and the possible sources of the problems.

Q1 What are the threats to information security?

There are three components of a sound organizational security program:

- Senior management must establish a security policy and manage risks.
- Safeguards of various kinds must be established for all five components of an IS, as the figure below demonstrates.
- The organization must plan its incident response before any problems occur.

Fig 12-2 Security Safeguards as They Relate to the Five Components


Q2 What is senior management’s security role?

Fig 12-3 Elements of Computer Security

The NIST Handbook of Security Elements lists the necessary elements of an effective security program, as this figure shows.

Q2 What is senior management’s security role?

Senior managers should ensure their organization has an effective security policy that includes these elements:

- A general statement of the organization’s security program
- Issue-specific policies, like personal use of email and the Internet
- System-specific policies that ensure the company is complying with laws and regulations

Senior managers must also manage risks associated with information systems security.

- Risk is the likelihood of an adverse occurrence.
- You can reduce risk, but always at a cost. The amount of money you spend on security influences the amount of risk you must assume.
- Uncertainty is defined as the things we do not know that we do not know.


Q2 What is senior management’s security role?

When you’re assessing risks to an information system you must first determine:

- What the threats are.
- How likely they are to occur.
- The consequences if they occur.

The figure below lists the factors you should include in a risk assessment.

Fig 12-4 Risk Assessment Factors

Once you’ve assessed the risks to your information system, you must make decisions about how much security you want to pay for. Each decision carries consequences.

- Some risks are easy and inexpensive to reduce.
- Others are expensive and difficult to reduce.

Managers have a fiduciary responsibility to the organization to adequately manage risk.




Q3 What technical safeguards are available?

Fig 12-5 Technical Safeguards

You can establish five technical safeguards for the hardware and software components of an information system, as this figure shows.

Identification and authentication includes passwords (what you know), smart cards (what you have), and biometric authentication (what you are).

Since users must access many different systems, it’s often more secure, and easier, to establish a single sign-on for multiple systems.

Wireless systems pose additional threats.

- Wired Equivalent Privacy (WEP): first developed
- Wi-Fi Protected Access (WPA): more secure
- Wi-Fi Protected Access 2 (WPA2): newest and most secure

Q3 What technical safeguards are available?

Encryption is the second safeguard you can establish for an IS. The chart below and on the next slide describe the basic encryption techniques.

Fig 12-6 Basic Encryption Techniques

Fig 12-6 Basic Encryption Techniques (continued)

Q3 What technical safeguards are available?

Fig 12-7 Digital Signatures for Message Authentication

This diagram describes how digital signatures are used to authenticate messages and ensure they aren’t altered during transmission.

Digital certificates are used in conjunction with digital signatures for added security.

Certificate authorities are independent third-party companies that supply public keys used with the certificates.
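The hash-then-sign and verify steps that Fig 12-7 describes, as an added Go example that is not from the textbook. It uses Go's standard-library Ed25519 and SHA-256; the key pair and the purchase-order message are constructed for the example, and the altered message stands in for a change made in transit.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer holds the sender's key pair. The private key never leaves the sender;
// the public key is what a digital certificate would bind to the sender's name.
type Signer struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh Ed25519 key pair (constructed for this example).
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Pub: pub, priv: priv}, nil
}

// Sign hashes the message and signs the digest with the private key (hash-then-sign).
func (s *Signer) Sign(msg []byte) []byte {
	digest := sha256.Sum256(msg)
	return ed25519.Sign(s.priv, digest[:])
}

// Verify recomputes the digest on the receiving side and checks the signature
// with the sender's public key. Any change to msg or sig makes it return false.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ed25519.Verify(pub, digest[:], sig)
}

func main() {
	s, err := NewSigner()
	if err != nil {
		panic(err)
	}
	msg := []byte("Approve purchase order 1042 for $500") // constructed sample
	sig := s.Sign(msg)
	fmt.Println("original message verifies:", Verify(s.Pub, msg, sig))
	altered := []byte("Approve purchase order 1042 for $5000") // changed in transit
	fmt.Println("altered message verifies: ", Verify(s.Pub, altered, sig))
}
```

The receiver needs only the sender's public key; that is the value a certificate authority vouches for when it issues the certificate.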


Q3 What technical safeguards are available?

Firewalls, the third technical safeguard, should be installed and used with every computer that’s connected to any network, especially the Internet.

The diagram shows how perimeter and internal firewalls are special devices that help protect a network.

Packet-filtering firewalls are programs on general-purpose computers or on routers that examine each packet entering the network.

Access control lists (ACLs) are used in conjunction with firewalls and determine which packets can enter a network. The ACLs also control which Web sites users can access.

Fig 12-8 Use of Multiple Firewalls
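An added example, not from the textbook, of the packet-filtering and ACL behaviour described above: a small first-match-wins ACL evaluator in Go with the implicit deny that packet filters apply to anything no rule covers. The rule set, the 203.0.113.0/24 partner network and the sample packets are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
)

// Packet holds the header fields this filter inspects (constructed example).
type Packet struct {
	Src     net.IP
	DstPort int
}

// Rule is one ACL entry: source network, destination port (0 = any), permit/deny.
type Rule struct {
	SrcNet  *net.IPNet
	DstPort int
	Permit  bool
}

// Evaluate returns the first matching rule's decision; no match means deny.
func Evaluate(acl []Rule, p Packet) bool {
	for _, r := range acl {
		if r.SrcNet.Contains(p.Src) && (r.DstPort == 0 || r.DstPort == p.DstPort) {
			return r.Permit
		}
	}
	return false // implicit deny at the end of every ACL
}

func cidr(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// PerimeterACL is a constructed example: the partner network 203.0.113.0/24 may
// reach port 443 only; the last rule makes the deny-everything-else explicit.
var PerimeterACL = []Rule{
	{cidr("203.0.113.0/24"), 443, true},
	{cidr("0.0.0.0/0"), 0, false},
}

func main() {
	for _, p := range []Packet{{net.ParseIP("203.0.113.7"), 443}, {net.ParseIP("203.0.113.7"), 22}} {
		fmt.Printf("%v port %d permitted: %v\n", p.Src, p.DstPort, Evaluate(PerimeterACL, p))
	}
}
```

Rule order matters: a permit placed after a broader deny never fires, which is the most common ACL misconfiguration to check for.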

Q3 What technical safeguards are available?

Malware protection is the fourth technical safeguard. We’ll concentrate on spyware and adware here.

- Spyware is a program that may be installed on your computer without your knowledge or permission.
- Adware is a benign program that’s also installed without your permission. It resides in your computer’s background and observes your behavior.

If your computer displays any of the symptoms in this figure, you may have one of these types of malware on your computer.

Fig 12-9 Spyware & Adware Symptoms

Q3 What technical safeguards are available?

Here are a few ways you can safeguard your computer against malware:

- Install antivirus and antispyware programs.
- Scan your computer frequently for malware.
- Update malware definitions often, or use an automatic update process.
- Open email attachments only from known sources, and even then be wary.
- Promptly install software updates from legitimate sources, like Microsoft for your operating system or McAfee for your spyware programs.
- Browse only in reputable Internet neighborhoods. Malware is often associated with rogue Web sites.

Q3 What technical safeguards are available?

Fig 12-10 Malware Survey Results

The survey results in this chart show how serious the malware problem is and yet how unaware most people are of its effects. You should understand the malware problem, realize how frequently it occurs, and follow safeguards to protect your computer and system from it.

Designing secure applications with as few bugs as possible is the last safeguard.


Q4 What data safeguards are available?

Fig 12-11 Data Safeguards

To protect databases and other data sources, an organization should follow the safeguards listed in this figure.

Remember, data and the information derived from it are one of the most important resources an organization has.


Q5 What human safeguards are available?

Human safeguards for employees are some of the most important safeguards an organization can deploy. They should be coupled with effective procedures to help protect information systems.

This figure shows the safeguards for in-house employees.

Fig 12-12 Security Policy for In-house Staff

Q5 What human safeguards are available?

An organization needs human safeguards for nonemployees, whether they are temporary employees, vendors, business partners, or the public. Here are a few suggestions:

- Ensure any contracts between the organization and other workers include security policies. Third-party employees should be screened and trained the same as direct employees.
- Web sites used by third-party employees and the public should be hardened against misuse or abuse.
- Protect outside users from internal security problems. If your system gets infected with a virus, you should not pass it on to others.

Q5 What human safeguards are available?

Account administration is the third type of human safeguard and has three components: account management, password management, and help-desk policies.

Account management focuses on:

- Establishing new accounts
- Modifying existing accounts
- Terminating unnecessary accounts

Password management requires that users:

- Immediately change newly created passwords
- Change passwords periodically
- Sign an account acknowledgment form like the one in this figure

Fig 12-13 Sample Account Acknowledgement Form

Q5 What human safeguards are available?

Help desks have been a source of problems for account administration because of the inherent nature of their work.

It is difficult for the help desk to determine exactly with whom they’re speaking. Users call up for a new password without the help desk having a method of definitively identifying who is on the other end of the line.

There must be policies in place to provide ways of authenticating users, like asking questions only the user would know the answers to.

Users have a responsibility to help the help desk by responsibly controlling their passwords.

Q5 What human safeguards are available?

Effective system procedures can help increase security and reduce the likelihood of computer crime. As this figure shows, procedures should exist for both system users and operations personnel that cover normal, backup, and recovery procedures.

Fig 12-14 Systems Procedures

Security monitoring is the last human safeguard. It includes:

- Activity log analyses
- Security testing
- Investigating and learning from security incidents


Q6 How should organizations respond to security incidents?

No system is fail-proof. Every organization must have an effective plan for dealing with a loss of computing systems. This figure describes disaster preparedness tasks for every organization, large and small. The last item, which suggests an organization train and rehearse its disaster preparedness plans, is very important.

Fig 12-15 Disaster Preparedness Tasks

Q6 How should organizations respond to security incidents?

Along with disaster preparedness plans, every organization should think about how it will respond to security incidents that may occur, before they actually happen. The figure below lists the major factors that should be included in any incident response.

Fig 12-16 Factors in Incident Response


Q7 What is the extent of computer crime?

The full extent of computer crime is unknown. There is no national census because many organizations are reluctant to report losses for fear of alienating customers, suppliers, and business partners. A 2006 survey estimated that the total loss due to computer crime is at least $52.5 billion.

This chart shows the top four sources of computer crime and the total dollar loss.

Fig 12-17 Computer Crime, 2006 FBI/CSI Survey