Chapter 12 Information Security Management © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke

Chapter 12

Information Security Management

© 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke

12-2 © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke

This Could Happen to You

Emerson Pharmaceuticals– $800M in sales– 200 person IT department

DSI– $50M in sales– 1 person IT department– No in-house software development

Why the difference?– Directors and project managers at DSI are knowledgeable in IT– Support users at DSI want only reliable IT infrastructure– DSI has a wired/wireless LAN with two servers

What about security?


Study Questions

What are the sources and types of security threats? What are the elements of a security program? How can technical safeguards protect against security

threats? How can data safeguards protect against security threats? How can human safeguards protect against security

threats? What is necessary for disaster preparedness? How should organizations respond to security incidents? How does knowledge from this chapter help you at DSI?


Sources of Security Threats

Human errors and mistakes– Accidental problems – Poorly written programs– Poorly designed procedures– Physical accidents

Malicious human activity– Intentional destruction of data– Destroying system components– Hackers– Virus and worm writers– Criminals – Terrorists


Sources of Security Threats, continued

Natural events and disasters– Fires, floods, hurricanes, earthquakes,

tsunamis,avalanches, tornados– Initial losses of capability – Losses from recovery actions


Types of Problems

Unauthorized data disclosure– Human error

Posting private information in public place Placing restricted information on searchable Web sites Inadvertent disclosure

– Malicious release Pretexting Phishing Spoofing Sniffing Breaking into networks


Types of Problems, continued

Incorrect data modifications– Human errors

Incorrect entries and information Procedural problems

– Incorrect data modifications Systems errors

– Hacking– Faulty recovery actions

Faulty Service– Incorrect systems operations– Usurpation


Types of Problems, continued

Denial of service– Human error– Attacks

Loss of infrastructure– Accidental– Theft– Terrorism– Natural disasters


MIS in Use: Phishing for Credit Card Accounts

Phishing– Operation that spoofs legitimate companies in an attempt to

get credit card information, driver’s licenses, and other data– Usually initiated by e-mail request

Designed to cause you to click Asks for personal data May install spyware, malware, adware

– Defenses Know your purchases and deal directly with vendors Implausibility of e-mail Don’t be misled by legitimate-looking graphics, addresses


Elements of a Security Program

Senior management involvement– Must establish a security policy– Manage risk

Balancing costs and benefits

Safeguards– Protections against security threats

Incident response– Must plan for prior to incidents


Technical Safeguards

Involves hardware and software components User names and passwords

– Identification– Authentication

Smart cards– Personal identification number (PIN)

Biometric authentication– Fingerprints, facial scans, retina scans

Single sign-on


Technical Safeguards, continued

Malware– Viruses– Worms– Trojan horses– Spyware programs– Adware

Malware safeguards– Antivirus and anti-spyware programs– Scan hard drive and e-mail– Update definitions– Open e-mail attachments only from known sources– Install updates promptly– Browse only reputable Web sites


Security Threat Protection by Data Safeguards

Data administration– Organization-wide function

Develops data policies Enforce data standards

Database administration– Database function

Procedures for multi-user processing Change control to structure Protection of database


Data Safeguards

Encryption keys– Key escrow

Backup copies– Store off-premise– Check validity

Physical security– Lock and control access to facility– Maintain entry log

Third party contracts– Safeguards are written into contracts – Right to inspect premises and interview personnel


Human Safeguards

People and procedure component Access restriction requires authentication and

account management User accounts considerations

– Define job tasks and responsibility– Separate duties and authorities– Grant least possible privileges– Document security sensitivity

Hiring and screening employees


Human Safeguards, continued

Employees need to be made aware of policies and procedures– Employee security training

Enforcement of policies– Define responsibilities– Hold employees accountable– Encourage compliance– Management attitude is crucial

Create policies and procedures for employee termination– Protect against malicious actions in unfriendly terminations– Remove user accounts and passwords


Non-Employee Personnel

Temporary personnel and vendors– Screen personnel– Training and compliance– Contract should include specific security provisions– Provide accounts and passwords with the least privileges

Public users– Harden Web site and facility– Take extraordinary measures to reduce system’s vulnerability

Partners and public that receive benefits from system– Protect these users from internal company security problems


Account Administration

Account management procedures– Creation of new accounts, modification of existing accounts,

removal of terminated accounts

Password management– Acknowledgment forms– Change passwords frequently

Help-desk policies – Authentication of users who have lost password– Password should not be e-mailed


Guide: Metasecurity

Metadata is data about data Securing the security system

– Accounting controls– Storage of file accounts and passwords– Encryption and keys

Use temporary keys Encourage reporting of flaws

– Using white hats Do you trust them? What do you do with them when they’ve completed their check of

system?– Code control


Information Systems Safety Procedures

Procedure types – Normal operations– Backup– Recovery

Should be standardized for each procedure type Each procedure type should be defined for both

system users and operations personnel– Different duties and responsibilities– Varying needs and goals


Security Monitoring

Activity log analyses– Firewall logs– DBMS log-in records– Web server logs

Security testing– In-house and external security professionals

Investigation of incidents– How did the problem occur?

Lessons learned– Indication of potential vulnerability and corrective actions


Disaster Preparedness

Disaster– Substantial loss of infrastructure caused by acts of nature,

crime, or terrorism

Best safeguard is location of infrastructure Backup processing centers in geographically

removed site Create backups for critical resources

– Hot and cold sites– Train and rehearse cutover of operations


Incident Response

Organization must have plan – Detail reporting and response– Centralized reporting of incidents

Allows for application of specialized expertise

Speed is of the essence– Preparation pays off

Identify critical employees and contact numbers Training is vital

– Practice incidence response


How Does Knowledge from This Chapter Help You at DSI?

Use it personally– Limit DSI’s exposure– Limit your own exposure– Create strong passwords

Follow appropriate data procedures– Do not store sensitive data on computer– Limit data on laptops– Recognize phishing attacks

Send information on disaster preparedness and incidence response to management


Active Review

What are the sources and types of security threats? What are the elements of a security program? How can technical safeguards protect against security

threats? How can data safeguards protect against security threats? How can human safeguards protect against security

threats? What is necessary for disaster preparedness? How should organizations respond to security incidents? How does knowledge from this chapter help you at DSI?

Documents

Chapter 12 Information Security Management © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke