View
234
Download
2
Tags:
Embed Size (px)
Citation preview
Chapter 12
Information Security Management
© 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke
12-2 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke
This Could Happen to You
Emerson Pharmaceuticals– $800M in sales– 200 person IT department
DSI– $50M in sales– 1 person IT department– No in-house software development
Why the difference?– Directors and project managers at DSI are knowledgeable in IT– Support users at DSI want only reliable IT infrastructure– DSI has a wired/wireless LAN with two servers
What about security?
12-3 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke
Study Questions
What are the sources and types of security threats? What are the elements of a security program? How can technical safeguards protect against security
threats? How can data safeguards protect against security threats? How can human safeguards protect against security
threats? What is necessary for disaster preparedness? How should organizations respond to security incidents? How does knowledge from this chapter help you at DSI?
12-4 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke
Sources of Security Threats
Human errors and mistakes– Accidental problems – Poorly written programs– Poorly designed procedures– Physical accidents
Malicious human activity– Intentional destruction of data– Destroying system components– Hackers– Virus and worm writers– Criminals – Terrorists
12-5 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke
Sources of Security Threats, continued
Natural events and disasters– Fires, floods, hurricanes, earthquakes,
tsunamis,avalanches, tornados– Initial losses of capability – Losses from recovery actions
12-6 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke
Types of Problems
Unauthorized data disclosure– Human error
Posting private information in public place Placing restricted information on searchable Web sites Inadvertent disclosure
– Malicious release Pretexting Phishing Spoofing Sniffing Breaking into networks
12-7 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke
Types of Problems, continued
Incorrect data modifications– Human errors
Incorrect entries and information Procedural problems
– Incorrect data modifications Systems errors
– Hacking– Faulty recovery actions
Faulty Service– Incorrect systems operations– Usurpation
12-8 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke
Types of Problems, continued
Denial of service– Human error– Attacks
Loss of infrastructure– Accidental– Theft– Terrorism– Natural disasters
12-9 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke
MIS in Use: Phishing for Credit Card Accounts
Phishing– Operation that spoofs legitimate companies in an attempt to
get credit card information, driver’s licenses, and other data– Usually initiated by e-mail request
Designed to cause you to click Asks for personal data May install spyware, malware, adware
– Defenses Know your purchases and deal directly with vendors Implausibility of e-mail Don’t be misled by legitimate-looking graphics, addresses
12-10 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke
Elements of a Security Program
Senior management involvement– Must establish a security policy– Manage risk
Balancing costs and benefits
Safeguards– Protections against security threats
Incident response– Must plan for prior to incidents
12-11 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke
Technical Safeguards
Involves hardware and software components User names and passwords
– Identification– Authentication
Smart cards– Personal identification number (PIN)
Biometric authentication– Fingerprints, facial scans, retina scans
Single sign-on
12-12 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke
Technical Safeguards, continued
Malware– Viruses– Worms– Trojan horses– Spyware programs– Adware
Malware safeguards– Antivirus and anti-spyware programs– Scan hard drive and e-mail– Update definitions– Open e-mail attachments only from known sources– Install updates promptly– Browse only reputable Web sites
12-13 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke
Security Threat Protection by Data Safeguards
Data administration– Organization-wide function
Develops data policies Enforce data standards
Database administration– Database function
Procedures for multi-user processing Change control to structure Protection of database
12-14 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke
Data Safeguards
Encryption keys– Key escrow
Backup copies– Store off-premise– Check validity
Physical security– Lock and control access to facility– Maintain entry log
Third party contracts– Safeguards are written into contracts – Right to inspect premises and interview personnel
12-15 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke
Human Safeguards
People and procedure component Access restriction requires authentication and
account management User accounts considerations
– Define job tasks and responsibility– Separate duties and authorities– Grant least possible privileges– Document security sensitivity
Hiring and screening employees
12-16 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke
Human Safeguards, continued
Employees need to be made aware of policies and procedures– Employee security training
Enforcement of policies– Define responsibilities– Hold employees accountable– Encourage compliance– Management attitude is crucial
Create policies and procedures for employee termination– Protect against malicious actions in unfriendly terminations– Remove user accounts and passwords
12-17 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke
Non-Employee Personnel
Temporary personnel and vendors– Screen personnel– Training and compliance– Contract should include specific security provisions– Provide accounts and passwords with the least privileges
Public users– Harden Web site and facility– Take extraordinary measures to reduce system’s vulnerability
Partners and public that receive benefits from system– Protect these users from internal company security problems
12-18 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke
Account Administration
Account management procedures– Creation of new accounts, modification of existing accounts,
removal of terminated accounts
Password management– Acknowledgment forms– Change passwords frequently
Help-desk policies – Authentication of users who have lost password– Password should not be e-mailed
12-19 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke
Guide: Metasecurity
Metadata is data about data Securing the security system
– Accounting controls– Storage of file accounts and passwords– Encryption and keys
Use temporary keys Encourage reporting of flaws
– Using white hats Do you trust them? What do you do with them when they’ve completed their check of
system?– Code control
12-20 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke
Information Systems Safety Procedures
Procedure types – Normal operations– Backup– Recovery
Should be standardized for each procedure type Each procedure type should be defined for both
system users and operations personnel– Different duties and responsibilities– Varying needs and goals
12-21 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke
Security Monitoring
Activity log analyses– Firewall logs– DBMS log-in records– Web server logs
Security testing– In-house and external security professionals
Investigation of incidents– How did the problem occur?
Lessons learned– Indication of potential vulnerability and corrective actions
12-22 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke
Disaster Preparedness
Disaster– Substantial loss of infrastructure caused by acts of nature,
crime, or terrorism
Best safeguard is location of infrastructure Backup processing centers in geographically
removed site Create backups for critical resources
– Hot and cold sites– Train and rehearse cutover of operations
12-23 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke
Incident Response
Organization must have plan – Detail reporting and response– Centralized reporting of incidents
Allows for application of specialized expertise
Speed is of the essence– Preparation pays off
Identify critical employees and contact numbers Training is vital
– Practice incidence response
12-24 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke
How Does Knowledge from This Chapter Help You at DSI?
Use it personally– Limit DSI’s exposure– Limit your own exposure– Create strong passwords
Follow appropriate data procedures– Do not store sensitive data on computer– Limit data on laptops– Recognize phishing attacks
Send information on disaster preparedness and incidence response to management
12-25 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke
Active Review
What are the sources and types of security threats? What are the elements of a security program? How can technical safeguards protect against security
threats? How can data safeguards protect against security threats? How can human safeguards protect against security
threats? What is necessary for disaster preparedness? How should organizations respond to security incidents? How does knowledge from this chapter help you at DSI?