Managing Information Systems
Information Systems Security and Control, Part 1
Dr. Stephania Loizidou Himona
ACSC 345
Dr. S. Loizidou - ACSC345
Objectives
Demonstrate the differences in vulnerability between traditional systems and Information Systems
Demonstrate the impact of Information System vulnerability
Demonstrate why Information Systems are vulnerable
Protecting Information Systems
Information Systems are now very important within organisations
Disabling or corrupting these Information Systems can lead to significant loss
– Financial impact
– Loss of life / health and safety issues
On-line Auction Site: 8 Hour Downtime

Type of Loss              Value
Direct revenue loss       $341,652
Compensatory loss         $943,521
Depreciation costs        $6,279
Lost future revenues      $1,024,955
Worker downtime loss      $46,097
Contract labour loss      $52,180
Delay-to-market loss      $358,734
Total                     $2,773,418

Source: Technology Spotlight: The Financial Impact of Site Outages. The Industry Standard, 1999
Vulnerability
Why are Information Systems more vulnerable than paper-based systems?
Vulnerability
Paper-based systems:
– Documents / data stored in filing cabinets
– Secured by physical access: an attacker has to reach the building and the cabinet
Information systems:
– Data stored electronically
– Logical, rather than physical, access: anyone who can reach the system over a network is a potential reader, not only people on the premises
Vulnerability
Information Systems are open to more vulnerabilities than paper-based systems
Security
What examples of threats to Information Systems can you think of?
Malicious Intent
Hackers
– Person who gains unauthorised access to a system for profit, criminal purpose or pleasure
Trojan horse
– Program that has a hidden, secondary purpose
Denial of service
– Overwhelm a server with requests so that it can no longer serve legitimate users
(Partially) countered by security procedures
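One of the "security procedures" that partially counters a request flood is per-client rate limiting. The following is an added example written for this lecture, not code from the course: a token-bucket limiter keyed by source address, replayed over constructed traffic (the addresses are from the RFC 5737 documentation ranges, and the refill rate, burst size and request timings are assumptions chosen for illustration).

```python
"""Per-client token-bucket rate limiting as one procedural counter to a request flood.

Added example for this lecture, not code from the course: the limiter, the
client addresses (RFC 5737 documentation ranges) and the traffic are all
constructed here for illustration.
"""
from collections import defaultdict


class TokenBucket:
    """A bucket that refills at `rate` tokens/second up to `burst` tokens.

    Each request costs one token; a client that sends faster than `rate`
    drains its bucket and is refused until tokens refill.
    """

    def __init__(self, rate: float, burst: int) -> None:
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = None  # timestamp of the previous request, None until first seen

    def allow(self, now: float) -> bool:
        if self.last is None:
            self.last = now
        elapsed = max(0.0, now - self.last)  # guard against a clock going backwards
        self.last = now
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    """One bucket per client key (here the source IP), so a single flooder
    does not consume the budget of everyone else."""

    def __init__(self, rate: float, burst: int) -> None:
        self._buckets = defaultdict(lambda: TokenBucket(rate, burst))

    def allow(self, client: str, now: float) -> bool:
        return self._buckets[client].allow(now)


def simulate(requests, rate: float = 5.0, burst: int = 10) -> dict:
    """Replay (timestamp, client) pairs through the limiter in time order.

    Returns {client: (allowed, refused)} so the effect on each client is visible.
    """
    limiter = RateLimiter(rate, burst)
    stats = defaultdict(lambda: [0, 0])
    for ts, client in sorted(requests):
        if limiter.allow(client, ts):
            stats[client][0] += 1
        else:
            stats[client][1] += 1
    return {client: tuple(counts) for client, counts in stats.items()}


def constructed_traffic():
    """Constructed sample: one client fires 1000 requests within one second,
    another makes five requests spaced 200 ms apart."""
    flood = [(i / 1000.0, "203.0.113.7") for i in range(1000)]
    normal = [(i * 0.2, "198.51.100.4") for i in range(5)]
    return flood + normal


if __name__ == "__main__":
    for client, (ok, refused) in simulate(constructed_traffic()).items():
        print(f"{client:>14}: {ok} allowed, {refused} refused")
```

With a burst of 10 and a refill of 5 tokens per second, the flooding client gets its first 10 requests through and roughly 5 more per second afterwards, while the well-behaved client on its own bucket is never refused. The limiter only reduces the load the flood can impose; it does not stop the flood itself, which is why the slide says "partially" countered.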
Malicious Intent
Viruses
– Software that is difficult to detect, spreads rapidly, destroys data, processing and memory
Logic bomb
– Malicious code that lies dormant until a trigger condition is met; when the trigger is a date or time it is often called a time bomb
(Partially) countered by anti-virus software
Malicious Intent?
The vulnerability of Information Systems is not just restricted to external security threats
Vulnerability
What other types of vulnerability do Information Systems have?
Vulnerability
Threats:
– Hardware failure (disk crash, Pentium FDIV bug)
– Software failure (bugs, design flaws)
– Personnel actions (accidental, malicious)
– Terminal access penetration (hacking)
– Theft of data, services or equipment (including by malware)
Vulnerability
Threats:
– Fire (also true of paper-based systems)
– Electrical problems (downtime)
– User errors (wrong data)
– Program changes (upgrades, assumptions)
– Telecommunications (Internet, wireless)
Concerns
Disaster:
– Hardware, software, data destroyed by fire, flood, power failures, etc.
– Software and data may not be replaceable
– Significant (financial) loss
Backup, fault tolerance
Disaster recovery planning
– Standby sites, equipment, personnel
Concerns
Security
– Policies, procedures, technical measures
– Prevent unauthorised access, theft, damage
Errors
– Software bugs can cause significant loss
– Financial: rounding errors?
– Life: missile systems
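The "rounding errors" bullet refers to a classic source of financial loss: doing currency arithmetic in binary floating point, where amounts such as 0.10 have no exact representation. The following is an added example for this lecture, not code from the course; the fee rate, amounts and posting count are constructed for illustration.

```python
"""Why binary floating point is the wrong tool for money.

Added example for this lecture, not code from the course. The amounts,
fee rate and transaction count are constructed for illustration.
"""
from decimal import Decimal, ROUND_HALF_UP


def fee_float(amount: float, rate: float) -> float:
    """Fee computed the naive way: binary float product, then round to cents."""
    return round(amount * rate, 2)


def fee_decimal(amount: str, rate: str) -> Decimal:
    """Fee computed with exact decimal arithmetic and an explicit rounding rule.

    Inputs are strings so the values never pass through a binary float
    (Decimal(10.70) would already carry the float representation error).
    """
    return (Decimal(amount) * Decimal(rate)).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def ledger_total_float(amount: float, count: int) -> float:
    """Sum `count` identical postings as floats; the representation error accumulates."""
    total = 0.0
    for _ in range(count):
        total += amount
    return total


def ledger_total_decimal(amount: str, count: int) -> Decimal:
    """Same ledger with Decimal: every posting is exact, so the total is too."""
    total = Decimal("0.00")
    for _ in range(count):
        total += Decimal(amount)
    return total


if __name__ == "__main__":
    # 10.70 * 0.25 is exactly 2.675, which should round up to 2.68 (half up).
    # As a float 10.70 is slightly below 10.7, so the product is 2.67499... and rounds down.
    print("fee (float)  :", fee_float(10.70, 0.25))       # 2.67
    print("fee (Decimal):", fee_decimal("10.70", "0.25"))  # 2.68
    # One thousand postings of ten cents: the float total is not 100.00.
    print("ledger (float)  :", repr(ledger_total_float(0.10, 1000)))
    print("ledger (Decimal):", ledger_total_decimal("0.10", 1000))  # 100.00
```

A cent lost per transaction is invisible on any single statement but systematic across millions of them, and the direction of the error depends on the particular values, so it cannot be corrected after the fact without recomputing from exact inputs. Storing money as integer minor units (cents) or as a decimal type with a declared rounding rule avoids the class of bug entirely.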
Data Quality
Data quality problems:
– Data preparation
– Conversion
– Input
– Form completion
– On-line data entry
– Keypunching
– Scanning
– Validation
– Processing
– File maintenance
– Output
– Transmission
– Distribution
Software Quality
What types of problems may a software system have?
Software Quality
Software problems
– Bugs
– Defects (wrong requirements)
– Misinterpretation of requirements
– Incorrect assumptions
Software Quality
The more complex a system is, the less likely it is to be bug free
Impractical to test all paths of complex code
– Difficult to test
– Too much time required
Total Quality Management
– Can only improve quality, not eliminate bugs
– Uncertain what bugs remain and their impact
Maintenance
Maintenance of software systems should be built into the design
Maintenance is the most expensive phase of a system
– Complexity
– Associated organisational changes
– (Regression) testing overheads
More expensive to fix bugs as implementation proceeds