Part 4 MIS Security Development and Resources Need to understand IS security important to future managers N eed basic knowledge of development processes to be able to assess the quality ID: 706215
Download Presentation The PPT/PDF document "Information Systems Management" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Information Systems Management
Part 4Slide2
MIS Security, Development, and Resources
Need to understand
IS
security
important to
future managers.
N
eed
basic knowledge of development processes to
be able
to assess the quality
of
work
being done on development
projects. .
N
eed
knowledge
to be
active and
effective
participant in
projects.
N
eed
to know how IS
resources are
managed
to
better
relate to
your IS department.
N
eed know
your
user rights and responsibilities.Slide3
PRIDE
: "
But How Do You Implement That Security
?”
Pay close attention to user and management responsibilities in next three chapters.
Understand responsibilities and activities of IS professionals.
PRIDE
customers concerned about security
measures
.
Security of all of partners’ systems critical issue for inter-organizational
systems
.Slide4
PRIDE: "But How Do You Implement t
hat
Security
?” (cont’d)
Video conference with potential PRIDE promoter and advertiser.
PRIDE originally designed to store medical data.
SDS wants to know if PRIDE systems has acceptable level of security.
Doesn’t want to affiliate with company with major security problem.
Criminals focusing
attacks on inter-organizational systems
.Slide5
Chapter 10
Information Security Management
Jason C. H. Chen, Ph.D.
Professor of MIS
School of Business Administration
Gonzaga University
Spokane, WA 99258
chen@gonzaga.eduSlide6
“But How Do You Implement that Security?”
Video conference with SDS (potential PRIDE promoter and advertiser).
PRIDE originally designed to store medical data.
Does PRIDE systems have acceptable level of security?
Doesn’t want to affiliate with company with major security problem.
Criminals focusing on inter-organizational systems.Slide7
PRIDE Design for SecuritySlide8
Study Questions
Q1:
What is the goal of information systems security?
Q2: How
big is the computer security problem?
Q3:
How should you respond to security threats?
Q4:
How should organizations respond to security threats?
Q5:
How can technical safeguards protect against security threats?
Q6:
How can data safeguards protect against security threats?
Q7:
How can human safeguards protect against security threats?
Q8:
How should organizations respond to security incidents?
Q9: 2026?Slide9
Q1: What Is the Goal of Information Systems Security?
The IS Security Threat/Loss Scenario
_________
i
s a person or organization that seeks to obtain data or other asset illegal, without the owner’s permission and often without the owner’s knowledge
Vulnerability
is an opportunity for threats to gain access to individual or organizational assets
___________
is someone measure that individuals or organizations take to block the threat from obtaining the asset
Target
is the asset that is desired by the threat
Threat
SafeguardSlide10
Figure 10-1 Threat/Loss Scenario
[1]
[2]
[3]
[4]Slide11
Examples of Threat/Loss
Figure 10-2 Examples of Threat/LossSlide12
Which of the following is considered a threat caused by human error
?
A) an employee inadvertently installing an old database on top of the current one
B) an employee intentionally destroying data and system components
C) a virus and worm writer infecting computer systems
D) a hacker breaking into a system to steal for financial
gain
Answer
: _______
ASlide13
What Are the Sources of Threats?
Figure 10-3 Security Problems and Sources
[1]
[2]
[3]
[4]
[5]
See next slides for detailsSlide14
What Types of Security Loss Exists?
(1) Unauthorized Data Disclosure
(2) Incorrect Data Modification
(3) Faulty Service
(4) Denial of Service (DOS)
(5) Loss of InfrastructureSlide15
A ________ pretends to be a legitimate company and sends an email requesting confidential data, such as account numbers, Social Security numbers, account passwords, and so forth
.
A) hacker
B) phisher
C) safeguard
D)
Sniffer
Answer
: ______
BSlide16
________ is a technique for intercepting computer communications through a physical connection to a network or without a physical connection in the case of wireless networks
.
A) Spoofing
B) Phishing
C) Sniffing
D)
Pretexting
Answer
: _______
CSlide17
(1) Unauthorized Data Disclosure
Pretexting
Phishing
Spoofing
IP spoofing
Email
spoofing
Drive-by sniffers
Wardrivers
Hacking
Natural disasters Slide18
(2) Incorrect Data Modification
Procedures incorrectly designed or not
followed
Increasing a customer’s discount or incorrectly modifying employee’s
salary
Placing incorrect data on company Web
site
Improper internal controls on
systems
System
errors
Faulty recovery actions after a
disasterSlide19
(3/4)
Faulty/Denial of Service
Incorrect data modification
Systems working incorrectly
Procedural mistakes
Programming errors
IT installation errors
Usurpation
(4-a) Denial
of service (unintentional)
(4-b) Denial-of-service
attacks
(intentional)Slide20
________ occurs when computer criminals invade a computer system and replace legitimate programs with their own, unauthorized ones that shut down legitimate applications
.
A) Encryption
B) Spoofing
C) Phishing
D)
Usurpation
Answer
: _______
DSlide21
(5) Loss of Infrastructure
Human accidents
Theft and terrorist events
Disgruntled or terminated employee
Natural disasters
Advanced Persistent Threat
(APT)
Sophisticated
, possibly long-running computer
hack
perpetrated by large
,
well-funded
organizationsSlide22
Goal of Information Systems Security
F
ind appropriate trade-off between risk
of
_____ and cost
of
implementing __________
How?
Use
antivirus
software
Deleting
browser
cookies?
Get in front
of
security problem by making
appropriate trade-offs for
your life and your
business
loss
safeguardsSlide23
Removing and disabling ________ that may contain sensitive security data presents an excellent example of the trade-off between improved security and cost
.
A) bookmarks
B) pop-ups
C) cookies
D)
Toolbars
Answer
: _______
CSlide24
Q2: How Big Is the Computer Security Problem?
Computer Crime Costs
per Organizational Respondent
Figure 10-4 Computer Crime Costs per Organizational RespondentSlide25
Average Computer Crime
Cost and
Percent of Attacks by
Type (
5 Most Expensive Types)
Figure 10-5 Average Computer Crime Cost and Percent of Attacks by TypeSlide26
Figure 10-6 Computer Crime Costs
2010 to 2013
Average Computer Crime Cost Attacked by Type (5 Most Expensive Types: 2010-2013 )
2010 to 2013
2010: N/ASlide27
Ponemon Study Findings (2014)
Malicious
insiders
increasingly serious security threat
.
Business
disruption and data loss
primary
costs of
computer crime.
N
egligent
employees, connecting personal devices
to
corporate network
, use
of commercial cloud-based applications pose
significant
security
threats.Security safeguards work
.Ponemon Study 2014Slide28
Q3
: How Should You Respond to Security Threats?
Personal Security Safeguards
Figure 10-7 Personal Security SafeguardsSlide29
Q4: How Should Organizations Respond to Security Threats
? (Safeguards)
Fig
10-8
Security
Safeguards as They Relate to the Five Components
There are
three
components of a sound organizational security program:
Senior management
must establish a security
_______
and
manage risks.
Safeguards
of various kinds must be established for all
five
components of an IS as the figure below demonstrates.
The organization must
plan
its incident response before any problems
occur (
proactive
mode).
policySlide30
Security Policy Should Stipulate
What
sensitive data the organization will
store
How
it will process that
data
Whether
data will be shared with other
organizations
How
employees and others can obtain copies of data stored about
them
How
employees and others can request changes to inaccurate
data
What
employees can do with their own mobile devices at
work
As
a new hire, seek out your employer’s
security policySlide31
What Are the Elements of a Security Policy?
Elements of Security Policy
Managing Risks
Risk — threats & consequences we know about
Uncertainty — things we do not know that we do not know
General statement of organization’s security program
Issue-specific policy
System-specific policySlide32
What Are the Elements of a Security Policy?
Security policy has three elements:
A
general statement
of organization’s security program. This statement becomes the foundation for more specific security measures. Management specifies the goals of security program and assets to be protected. Statement designates a department for managing security program and documents. In general terms, it specifies how the organization will ensure enforcement of security programs and policies.
Issue-specific policy
.
Personal use of computers at work and email privacy.
System-specific policy.
What customer data from order-entry system will be sold or shared with other organizations? Or, what policies govern the design and operation of systems that process employee data? Addressing such policies are part of standard systems development process.Slide33
How Is Risk Managed?
Risk
—
likelihood of an adverse occurrence
Management cannot manage threats directly, but can limit security consequences by creating a backup processing facility at a remote location.
Companies can reduce risks, but always at a cost. It is management’s responsibility to decide how much to spend, or stated differently, how much risk to assume.
Uncertainty
refers to lack of knowledge especially about chance of occurrence or risk of an outcome or event.
An earthquake could devastate a corporate data center built on a fault that no one knew about.
An employee finds a way to steal inventory using a hole in the corporate Web site that no expert knew existed.Slide34
Factors to Consider in Risk Assessment
Fig
10-Extra
Risk Assessment Factors
When you’re assessing risks to an information system you must first determine:
What the threats are.
How likely they are to occur.
The consequences if they occur.
The figure below lists the factors you should include in a risk assessment.
Once you’ve assessed the risks to your information system, you must make decisions about how much security you want to pay for. Each decision carries consequences.
Some risk is easy and inexpensive.
Some risk is expensive and difficult.
Managers have a fiduciary
responsibility to the organization
to adequately manage risk. Slide35
Factors to Consider in Risk Assessment:
Brief Summary
Safeguard
is any action, device, procedure, technique, or other measure that reduces a system’s vulnerability to a threat.
No safeguard is ironclad; there is always a residual risk that it will not protect the assets in all circumstances.
Vulnerability
is an opening or a weakness in security system. Some vulnerabilities exist because there are no safeguards or because existing safeguards are ineffective.
Consequences
are damages that occur when an asset is compromised. Consequences can be tangible or intangible
.
Tangible consequences,
those whose financial impact can be measured.
Intangible consequences,
such as the loss of customer goodwill due to an outage, cannot be measured. Slide36
Factors to Consider in Risk Assessment:
Brief
Summary
(
Final Two Factors in Risk Assessment)
Likelihood
is the probability that a given asset will be compromised by a given threat, despite the safeguards.
Probable loss
is the “bottom line” of risk assessment.
To obtain a measure of probable loss, companies multiply likelihood by cost of the consequences. Probable loss also includes a statement of intangible consequences.Slide37
Which of the following is a critical security function that should be addressed by the senior management of an organization
?
A) sharing the private key with all systems connected to the network
B) creating IS security software programs
C) establishing the security policy
D) avoiding the use of perimeter
firewalls
Answer
: ________
CSlide38
Q5: How Can Technical Safeguards Protect Against Security Threats?
Figure 10-9 Technical Safeguards
Five
technical safeguards
[1]
[2]
[3]
[4]
[5]Slide39
List of Primary Technical Safeguards
You can establish
five
technical safeguards for the hardware and software components of an information system as
the Figure 10-8 shows
.
1. Identification
and authentication
includes
(1) passwords
(what you know),
(2) smart
cards (what you have), and
(3) biometric
authentication (what you are).
(4)
Single sign-on for multiple
systems (
Kerberos)
Since users must access many different systems, it’s often more secure, and easier, to establish it
Authenticates users without sending passwords across network.
“Tickets” enable users to obtain services from multiple networks and servers.
Windows, Linux, Unix employ KerberosSlide40
Identification and
authentication (cont.)
(5) Wireless
systems pose additional threats.
VPNs and special security
servers
Wired
Equivalent Privacy (WEP)-first developed
Wi-Fi Protected Access (WPA)-more secure
Wi-Fi Protected Access (WPA2)-newest and most
secure
Note: 4 &5 are for
System Access Protocols
List of Primary Technical Safeguards
(cont.)Slide41
2. Encryption
Basic Encryption Techniques
Encryption is the
second safeguard
you can establish for an IS. The chart below and on the next slide describe each of them.Slide42
Essence of https (SSL or TLS)
Figure 10-10 The Essence of https (SSL or TLS)Slide43
Define encryption and explain symmetric and asymmetric encryption for computer systems
.
Answer:
Encryption
is the process of transforming clear text into coded, unintelligible text for secure storage or communication. To encrypt a message, a computer program uses the encryption method (say AES) combined with the key (say the word "key") to convert a plaintext message (in this case the word "secret") into an encrypted message.
The
resulting coded message ("
U2FsdGVkX1+y2Uz2XtYcw4E8m4
=") looks like gibberish.
Decoding
(
decrypting
) a message is similar; a key is applied to the coded message to recover the original text.
In
symmetric
encryption, the
same
key is used to encode and to decode the message. With
asymmetric
encryption,
two keys
are used; one key encodes the message, and the other key decodes the message.Slide44
Which of the following statements is true about the Secure Sockets Layer (SSL
)?
A) It uses asymmetric encryption exclusively.
B) It is used to send sensitive data such as credit card numbers.
C) It uses one set of encryption keys for multiple sessions.
D) It is a stronger version of https
.
Answer
: _______
BSlide45
3. Use of Multiple
Firewalls
Firewalls,
the third technical safeguard
, are
computing devices
that
prevent
unauthorized network access.
They
should be installed and used with every computer that’s connected to any network, especially the Internet.
The diagram shows how perimeter and internal firewalls are special devices that help protect a network.
Packet-filtering firewalls are programs on general-purpose computers or on routers that examine each packet entering the network.
Fig10-11
Use of Multiple FirewallsSlide46
4
. Malware
Protection –
Symptoms of Adware and Spyware
Fig
10-11
Spyware & Adware Symptoms
Malware Protection is the
fourth technical safeguard
. We’ll concentrate on spyware and adware here.
_________ are
programs that may be installed on your computer without your knowledge or permission
.
________ is
a benign program that’s also installed without your permission. It resides in your computer’s background and observes your behavior
.
Spyware
Adware
If your computer displays any of the symptoms in this figure, you may have one of these types of malware on your computer.Slide47
4. Malware Protection
Malware Protection (
fourth technical
safeguard)
:
Spyware
-
resides in background, unknown to user; observes user’s actions and keystrokes, monitors computer activity, and reports user’s activities to sponsoring organizations. Some captures keystrokes to obtain user names, passwords, account numbers, and other sensitive information. Some support marketing analyses, observing what users do, Web sites visited, products examined and purchased, and so forth.
Adware
- does not perform malicious acts or steal data. It watches user activity and produces pop-up ads. Adware can change user’s default window or modify search results and switch user’s search engine.
Beacons
– tiny files that gather demographic information (e.g., gender, age income). The information is refreshed in real time and sold to other company.Slide48
4. Malware Types and
Spyware and Adware Symptoms
(cont.)
Viruses
Payload
Trojan horses
Worms
Beacons
If your computer displays any of the symptoms in this figure, you may have one of these types of malware on your computer.
Fig
10-11
Spyware & Adware
SymptomsSlide49
Malware Protection
A
ntivirus
and antispyware
programs
Scan frequently
Update malware
definitions
Open email attachments only from known
sources
Install
software
updates
Browse
only
reputable Internet
neighborhoodsSlide50
________ is a broad category of software that includes viruses, spyware, and adware
.
A) Malware
B) Cookie
C) FirewallD)
Spam
Answer
: ______
ASlide51
________ is similar to spyware in that it is installed without the user's permission and that it resides in the background and observes user behavior
.
A) A cookie
B) Adware
C) A payload
D)
Shareware
Answer
: ______
BSlide52
5. Design for Secure Applications
You should ensure that any information system developed for you and your department includes security as one of the application requirements
.
SQL
injection
attack
U
ser
enters
SQL
statement into a form
instead of a name or
other
data
Accepted
code
becomes
part
of
database
commands issued
Improper
data
disclosure,
data
damage and
loss
possible
Well
designed
applications make injections ineffectiveSlide53
Which of the following statements is true about biometric identification
?
A) It involves the use of a personal identification number (PIN) for authentication.
B) It provides weak authentication.
C) It is a relatively inexpensive mode of authentication.
D) It often faces resistance from users for its invasive nature
.
Answer
: _______
DSlide54
Q6: How Can Data Safeguards Protect Against Security Threats?
Data safeguards
Data administration
Key escrow
Figure 10-12 Data SafeguardsSlide55
Q7
:
How Can
Human
Safeguards Protect
Against Security Threats?
Figure 10-13 Security Policy for In-House StaffSlide56
Q7
:
How Can
Human
Safeguards Protect
Against Security Threats
? (cont' d)
Figure 10-13 Security Policy for In-House StaffSlide57
Q7
:
How Can
Human
Safeguards Protect
Against Security Threats
? (cont' d)
Figure 10-13 Security Policy for In-House StaffSlide58
Which of the following statements is true about the position definitions component of human safeguards
?
A) System administrators should retain user accounts after an employee has been terminated.
B) All employees must be provided with uniform, general training on security regardless of the sensitivity of their positions.
C) Documenting position sensitivity enables security personnel to prioritize their activities based on possible risk.
D) Holding public users of Web sites accountable for security violations is easy and inexpensive
.
Answer
: ________
CSlide59
Account
Administration
Account
Management
S
tandards for new user
accounts
, modification of account
permissions,
removal
of unneeded
accounts
Password Management
U
sers
should change passwords
frequently
Help Desk PoliciesSlide60
Sample Account Acknowledgment Form
Figure 10-14 Sample Account Acknowledgment FormSlide61
Systems Procedures
Figure 10-15 Systems ProceduresSlide62
Q8: How Should Organizations Respond to Security Incidents?
Figure 10-16 Factors in Incident ResponseSlide63
Security Wrap Up
Be aware
of threats to computer security as an individual, business professional and
employee
Know trade-offs of loss risks and cost of
safeguards
Ways to protect your computing devices and
data
Understand technical, data, and human
safeguards
Understand how organizations should respond to security
incidentsSlide64
________ are the primary means of authentication for a user's computer and other networks and servers to which the user may have access
.
A) Private keys
B) User names
C) PasswordsD) Personal identification
numbers
Answer
: ________
CSlide65
Q
9:
2026?
APTs
more
common
.
Concern about balance
of national security and data privacy
.
Security on
devices will be
improved.
Skill
level
of
cat-and-mouse
activity increases substantially.
I
mproved
security at large
organizations.
Strong local “electronic”
sheriffs.Slide66
END of CHAPTER 10