Managing Information Systems: Information Systems Security and Control, Part 1
Dr. Stephania Loizidou Himona, ACSC 345


Objectives

- Demonstrate the differences in vulnerability between traditional systems and Information Systems
- Demonstrate the impact of Information System vulnerability
- Demonstrate why Information Systems are vulnerable

Protecting Information Systems

- Information Systems are now very important within organisations
- Disabling or corrupting these Information Systems can lead to significant loss
  - Financial impact
  - Loss of life / health and safety issues

On-line Auction Site: 8 Hour Downtime

Type of Loss            Value
Direct revenue loss     $341,652
Compensatory loss       $943,521
Depreciation costs      $6,279
Lost future revenues    $1,024,955
Worker downtime loss    $46,097
Contract labour loss    $52,180
Delay-to-market loss    $358,734
Total                   $2,773,418

Source: Technology Spotlight: The Financial Impact of Site Outages. The Industry Standard, 1999

Vulnerability

Why are Information Systems more vulnerable than paper-based systems?

Vulnerability

- Paper-based systems
  - Documents / data stored in filing cabinets
  - Secured by physical access
- Information systems
  - Data stored electronically
  - Logical, rather than physical, access

Vulnerability

Information Systems are therefore open to more vulnerabilities than paper-based systems: once access is logical rather than physical, an attacker no longer needs to be in the building, and a single flaw can expose every record at once.

Security

What examples of threats to Information Systems can you think of?

Malicious Intent

- Hackers
  - Person who gains unauthorised access to a system for profit, criminal purpose or pleasure
  - Trojan horse: program that has a hidden, secondary purpose
  - Denial of service: overwhelm a server with requests so that it can no longer serve legitimate users
- (Partially) countered by security procedures
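The request-flood threat above, and one of the procedures that partially counters it, as an added Python illustration (not code from the lecture). A token bucket gives each client a burst allowance that refills at a fixed rate, so a single source that fires hundreds of requests gets only its allowance through while a normal user is unaffected. The client addresses, limits and traffic pattern are constructed for the demo, and the injectable clock exists only so the run is reproducible. The countermeasure is partial in exactly the sense the slide says: a flood spread across many source addresses still gets through.

```python
"""Token bucket rate limiter: one of the procedures that partially counters
a request flood. Added example, not code from the lecture; the client
addresses, limits and traffic pattern are constructed for the demo."""
import time
from collections import defaultdict


class TokenBucket:
    """Each client starts with `capacity` tokens and earns `rate` tokens per
    second, never exceeding `capacity`. A request spends one token; with no
    token available it is rejected. The clock is injectable so the demo
    below runs deterministically (default: time.monotonic)."""

    def __init__(self, capacity, rate, clock=time.monotonic):
        self.capacity = float(capacity)
        self.rate = float(rate)
        self.clock = clock
        self.tokens = defaultdict(lambda: self.capacity)
        self.last = {}

    def allow(self, client):
        now = self.clock()
        elapsed = now - self.last.get(client, now)
        self.last[client] = now
        # Refill proportionally to elapsed time, capped at the burst size.
        self.tokens[client] = min(self.capacity, self.tokens[client] + elapsed * self.rate)
        if self.tokens[client] >= 1.0:
            self.tokens[client] -= 1.0
            return True
        return False


class FakeClock:
    """Manually advanced clock for reproducible simulation."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate(requests, capacity=10, rate=2.0):
    """requests: iterable of (timestamp_seconds, client). Returns a dict
    client -> (accepted, rejected). Requests are replayed in time order."""
    clock = FakeClock()
    limiter = TokenBucket(capacity, rate, clock=clock)
    counts = defaultdict(lambda: [0, 0])
    for t, client in sorted(requests, key=lambda r: r[0]):
        clock.t = t
        counts[client][0 if limiter.allow(client) else 1] += 1
    return {c: tuple(v) for c, v in counts.items()}


# Constructed traffic: one source fires 50 requests at once, then 50 more
# three seconds later; a normal user makes one request every two seconds.
ATTACKER, USER = "203.0.113.9", "198.51.100.4"
FLOOD = [(0.0, ATTACKER)] * 50 + [(3.0, ATTACKER)] * 50
NORMAL = [(2.0 * i, USER) for i in range(5)]

if __name__ == "__main__":
    # Attacker gets 10 (burst) + 6 (3 s x 2/s refill) through; the rest are rejected.
    print(simulate(FLOOD + NORMAL))
```

In a real deployment the bucket would be keyed on something harder to forge than a source address (an authenticated session, an API key), and the rejected requests would be logged so the flood is visible to operations.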

Malicious Intent

- Viruses
  - Software that is difficult to detect, spreads rapidly, and destroys data, processing and memory
  - Logic bomb: malicious code that lies dormant until a trigger condition is met, typically a date or time
- (Partially) countered by anti-virus software

Malicious Intent?

The vulnerability of Information Systems is not just restricted to external security threats.

Vulnerability

What other types of vulnerability do Information Systems have?

Vulnerability

Threats:
- Hardware failure (disk crash, Pentium bug)
- Software failure (bugs, design flaws)
- Personal actions (accidental, malicious)
- Terminal access penetration (hacking)
- Theft of data, services or equipment (virus)

Vulnerability

Threats:
- Fire (also true of paper-based systems)
- Electrical problems (downtime)
- User errors (wrong data)
- Program changes (upgrades, assumptions)
- Telecommunications (Internet, wireless)

Concerns

- Disaster
  - Hardware, software, data destroyed by fire, flood, power failures, etc.
  - Software and data may not be replaceable
  - Significant (financial) loss
- Backup, fault tolerance
- Disaster recovery planning
  - Standby sites, equipment, personnel

Concerns

- Security
  - Policies, procedures, technical measures
  - Prevent unauthorised access, theft, damage
- Errors
  - Software bugs can cause significant loss
  - Financial: rounding errors?
  - Life: missile systems
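The "Financial: rounding errors?" point, as an added Python illustration (not code from the lecture). Binary floating point cannot represent 0.10 exactly, so a ledger of one hundred ten-cent transactions summed as floats never reaches 10.00 and fails a to-the-cent reconciliation; the decimal module sums exactly and lets the rounding rule be stated rather than inherited from a default. The ledger, the rates and the reconcile check are constructed for the demo.

```python
"""Rounding error in financial arithmetic. Added example, not code from the
lecture; the ledger and rates below are constructed for the demo."""
from decimal import Decimal, ROUND_HALF_UP


def float_total(amounts):
    """Naive accumulation with binary floating point. 0.10 has no exact
    binary representation, so the error compounds with every addition."""
    total = 0.0
    for a in amounts:
        total += float(a)
    return total


def decimal_total(amounts):
    """Exact decimal accumulation: what code that handles money should do."""
    total = Decimal("0.00")
    for a in amounts:
        total += Decimal(a)
    return total


def apply_rate(amount, rate, rounding=ROUND_HALF_UP):
    """Apply a percentage (tax, interest) and round to cents under a stated
    rule. Left implicit, the decimal module's default is ROUND_HALF_EVEN,
    which lands on a different cent for exact halves."""
    return (Decimal(amount) * Decimal(rate)).quantize(Decimal("0.01"), rounding=rounding)


def reconcile(posted_total, expected_total):
    """Control check: the posted total must equal the independently
    computed figure to the cent, with no tolerance."""
    return Decimal(str(posted_total)) == Decimal(str(expected_total))


# Constructed ledger: one hundred transactions of ten cents each.
LEDGER = ["0.10"] * 100

if __name__ == "__main__":
    print(float_total(LEDGER))     # 9.99999999999998
    print(decimal_total(LEDGER))   # 10.00
    print(reconcile(float_total(LEDGER), "10.00"), reconcile(decimal_total(LEDGER), "10.00"))
    print(apply_rate("1.25", "0.5"), apply_rate("1.25", "0.5", rounding="ROUND_HALF_EVEN"))
```

The drift here is two cents short of a hundredth of a cent; at the volume of a payment system it becomes a real discrepancy, and a rounding rule applied inconsistently across two programs produces totals that never agree.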

Data Quality

Data quality problems can arise at any stage:
- Data preparation
- Conversion
- Input
- Form completion
- On-line data entry
- Keypunching
- Scanning
- Validation
- Processing
- File maintenance
- Output
- Transmission
- Distribution
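Several of the stages listed (form completion, keypunching, scanning, validation) are where bad data enters. As an added Python illustration, not code from the lecture, here is an input-stage validator that rejects records before they reach processing and reports every problem it finds, so the entry clerk or upstream system can correct them. The record layout, field rules and sample rows (including an ID keypunched short and a scanned letter O in place of a zero) are constructed for the demo; the fixed reference date is an assumption made so the check is reproducible.

```python
"""Input-stage validation for a constructed customer transaction record.
Added example, not code from the lecture; layout, rules and rows are
assumptions made for the demo."""
import re
from datetime import date
from decimal import Decimal, InvalidOperation

REQUIRED = ("customer_id", "email", "dob", "amount")
ID_RE = re.compile(r"C\d{6}")                    # assumed house format
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")  # coarse shape check only


def validate(record, as_of=date(2024, 1, 1)):
    """Return a list of problems found in one record; empty means clean.
    `as_of` fixes the reference date so the check is reproducible."""
    problems = []
    for field in REQUIRED:
        if not str(record.get(field, "")).strip():
            problems.append(f"{field}: missing")
    if problems:
        return problems  # format checks are meaningless for absent fields

    if not ID_RE.fullmatch(record["customer_id"]):
        problems.append("customer_id: expected 'C' followed by six digits")
    if not EMAIL_RE.fullmatch(record["email"]):
        problems.append("email: malformed")

    try:
        dob = date.fromisoformat(record["dob"])
        if dob > as_of:
            problems.append("dob: in the future")
    except ValueError:
        problems.append("dob: not an ISO date (YYYY-MM-DD)")

    try:
        amount = Decimal(record["amount"])
        if amount <= 0:
            problems.append("amount: must be positive")
        elif amount != amount.quantize(Decimal("0.01")):
            problems.append("amount: more than two decimal places")
    except InvalidOperation:
        problems.append("amount: not a number")
    return problems


def load(rows):
    """Split input rows into accepted records and rejected (row, problems)
    pairs; only accepted rows go forward to processing."""
    accepted, rejected = [], []
    for row in rows:
        problems = validate(row)
        if problems:
            rejected.append((row, problems))
        else:
            accepted.append(row)
    return accepted, rejected


# Constructed input batch with typical entry-stage errors.
ROWS = [
    {"customer_id": "C004512", "email": "a.smith@example.com", "dob": "1980-05-17", "amount": "149.99"},
    {"customer_id": "C4512", "email": "a.smith@example.com", "dob": "1980-05-17", "amount": "149.99"},      # keypunch: digits dropped
    {"customer_id": "C004513", "email": "b.jones@example.com", "dob": "17/05/1980", "amount": "1O0.00"},    # scan: letter O for zero, wrong date format
    {"customer_id": "C004514", "email": "c.lee@example", "dob": "2031-01-01", "amount": "-5.00"},            # form: bad email, future date, sign error
    {"customer_id": "C004515", "email": "d.kim@example.com", "dob": "1975-12-02", "amount": ""},             # on-line entry: field left blank
]

if __name__ == "__main__":
    accepted, rejected = load(ROWS)
    print(len(accepted), "accepted,", len(rejected), "rejected")
    for row, problems in rejected:
        print(row["customer_id"], problems)
```

Validation this early is cheap; the same bad value found at the output or distribution stage has already propagated into totals and reports and has to be unpicked from all of them.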

Software Quality

What types of problems may a software system have?

Software Quality

Software problems:
- Bugs
- Defects (wrong requirements)
- Misinterpretation of requirements
- Incorrect assumptions

Software Quality

- The more complex a system is, the less likely it is to be bug free
- Impractical to test all paths of complex code
  - Difficult to test
  - Too much time required
- Total Quality Management
  - Can only improve quality, not eliminate bugs
  - Uncertain what bugs remain and their impact

Maintenance

- Maintenance of software systems should be built into the design
- Maintenance is the most expensive phase of a system
  - Complexity
  - Associated organisational changes
  - (Regression) testing overheads
- It becomes more expensive to fix bugs as implementation proceeds