Week No. 9-Topic13-Chapter10 - Securing Information Systems-RefBook-Securing IS.pptx
Uploaded by EuphoricWhale
Chapter 10: Securing Information Systems
Having thorough plans and approaches for dealing with IS security attacks and natural disasters is critical for effectively managing IS resources within organizations and your personal life
Copyright © 2016 Pearson Education, Ltd.

Chapter 10 Learning Objectives
Managing Information Systems Security
• Discuss the process of managing IS security and describe various IS controls that can help in ensuring IS security.

What is Information System Security
• Information systems security refers to precautions taken to keep all aspects of information systems (e.g., all hardware, software, network equipment, and data) safe from destruction, manipulation, or unauthorized access or use.

Information System Security
• Everyone who uses an information system (IS) knows that disasters can happen to stored data or to entire systems.
• Some disasters are unintentional, such as accidents caused by power outages, inexperienced computer users, or mistakes, while others are deliberate, caused on purpose by malicious crackers.

Threats to Information System Security
• The primary threats to the security of information systems include the following:
– Natural Disasters: power outages, hurricanes, floods, and so on
– Accidents: inexperienced or careless computer operators (or cats walking across keyboards!)
– Employees and Consultants: people within an organization who have access to electronic data
– Links to Outside Business Contacts: electronic data that can be at risk when it travels between or among business affiliates as part of doing business
– Outsiders: hackers and crackers who penetrate networks and computer systems to snoop or to cause damage.

Threats to IS Security
Securing against these threats must consider these primary goals:
– Availability: Ensuring that real users can access the system
– Integrity: Preventing unauthorized manipulations of data and systems
– Confidentiality: Protecting data from unauthorized access
– Accountability

Information Security Process
• Information systems security involves four main tasks:
1. Assessing risks.
2. Developing a security strategy.
3. Implementing controls and training.
4. Monitoring security.
• This is an ongoing process that requires frequent review and update as threats evolve.
• Organizations should continuously watch for emerging threats, vulnerabilities, and

Information Security Process (Cont.)

Information Security Process: 1- Assessing IS Risks
• Protecting an asset only makes economic sense if the cost of protecting the asset is less than (or equal to) the value of the asset. Thus, organizations perform risk assessments for their systems to ensure that IS security programs make sense economically.
• IS resources risks are handled by businesses using four strategies, either individually or together.

Information Security Process: 1- Assessing IS Risks (Cont.)

Information Security Process: 2- Developing a Security Strategy
• Once risks are assessed, a strategy should be formulated that details what information systems controls (in terms of technology, people, and policies) should be implemented.
• Not all security measures are technical in nature. Managerial activities are important

Information Security Process: 2- Developing a Security Strategy: Policies and Procedures
• Policies and procedures that establish responsibilities include:
– Confidential Information policy: outlines how sensitive information will be handled, stored, transmitted, and destroyed.
– Use policy: outlines the organization’s policy regarding appropriate use of in-house computer systems; may mandate no Internet surfing, use of company computer systems only for employment-related purposes, restricted use of social networking and e-mail, and so on.
– Account management policy: lists procedures for adding new users to systems and removing users who have left the organization.

Information Security Process: 3- Implementing controls and training
• Once a comprehensive strategy has been formulated, organizations can decide
– Which controls to implement
– And train personnel regarding security policies and measures.
• There are two broad safeguards for reducing risk:
– Technological Safeguard
– Human-based Safeguard

3- Implementing Controls and Training: Technological Safeguard: Physical Access Restrictions
• Organizations can protect computers and data resources by requiring some form of identification and authentication to authorize the access of resources by a user.

3- Implementing Controls and Training: Technological Safeguard: Physical Access Restrictions (Cont.)
• Identification is a user’s claim or declaration of being someone. A user’s identity is normally established using public information (e.g. username)
• Authentication is the process of confirming the identity of a user who is attempting to access a restricted system or web site. It is private (e.g. password)
• Based on the combination of identification and authentication, authorization is provided by the system and grants access to particular resources.

3- Implementing Controls and Training: Technological Safeguard: Physical Access Restrictions (Cont.)
• Authorization can be granted dependent on one or more of the following:
• Something you have
– Keys
– Smart cards
• Something you know
– Password
– PIN code
• Something you are
– Biometrics

3- Implementing Controls and Training: Technological Safeguard: Physical Access Restrictions (Cont.)
• Methods for implementing physical access control
– Biometrics
• Identification via fingerprints, retinal patterns in the eye, facial features, or other bodily characteristics
– Access Control Software
• Allowing computer users access only to those files related to their work
• Depending on the access level, the user can be restricted to (read, write, delete, etc.)

3- Implementing Controls and Training: Technological Safeguard: Firewalls
• Firewall: is a part of a computer system designed to detect intrusion and prevent unauthorized access to or from a private network.
• Firewalls can be implemented in hardware, in software, or in a combination of both.
• All data packets entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

3- Implementing Controls and Training: Technological Safeguard: Encryption
Encryption:
• Encryption can be used to protect data that are transmitted over the Internet.
• Converting an original message into a form that can only be understood by the intended receiver.
Encryption key: Variable value that is applied (using an algorithm) to a set of unencrypted text to produce encrypted text or to decrypt encrypted text
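
An added example, not part of the original slides: the identification, authentication and authorization chain from the Physical Access Restrictions slides, combined with per-file access levels (read, write, delete) as access control software would enforce them. The class name, user names, passwords, file name and PBKDF2 iteration count are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value for this sketch)


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a slow, salted hash so the stored secret is not the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class AccessControl:
    def __init__(self):
        self._users = {}   # username -> (salt, password hash)
        self._grants = {}  # (username, resource) -> set of allowed actions

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, hash_password(password, salt))

    def grant(self, username: str, resource: str, *actions: str) -> None:
        self._grants.setdefault((username, resource), set()).update(actions)

    def authenticate(self, username: str, password: str) -> bool:
        # Identification: the username is only a claim until it is verified.
        # Unknown users still cost one hash, so timing does not reveal them.
        salt, stored = self._users.get(username, (b"\x00" * 16, b""))
        candidate = hash_password(password, salt)
        return hmac.compare_digest(candidate, stored)

    def authorize(self, username, password, resource, action) -> bool:
        # Authorization only follows successful authentication, and the
        # default is deny: an action is allowed only if explicitly granted.
        if not self.authenticate(username, password):
            return False
        return action in self._grants.get((username, resource), set())


# Constructed sample data: hypothetical users, passwords and file name.
acl = AccessControl()
acl.add_user("alice", "correct horse battery staple")
acl.add_user("bob", "s3cond-Passphrase")
acl.grant("alice", "payroll.xlsx", "read", "write")
acl.grant("bob", "payroll.xlsx", "read")
```

Here bob can read the file but cannot delete it, and a correct username with a wrong password is refused before any permission is consulted.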

3- Implementing Controls and Training: Human Safeguards: Human Controls
• In addition to the technological controls, various human safeguards can help to protect information systems, specifically ethics, laws, and effective management

3- Implementing Controls and Training: Human Safeguards: Human Controls
• IS ethics relate to standards of appropriate conduct by users. Educating potential users as to what constitutes appropriate behavior can help secure IS.
• There are numerous federal and state laws against unauthorized use of networks and computer systems.
• Effective management that defines appropriate oversight and control over what information and activities can provide strong and robust information

Information Security Process: 4- Monitoring security
• For the software to effectively protect security auditors within the organization must monitor and interpret the results.
• Most monitoring efforts should be focused on high-risk systems.
• Organizations should monitor internal events and external events in order to obtain a full view of threats and vulnerabilities.

END OF CHAPTER CONTENT