Вы находитесь на странице: 1из 43

Information Systems Security

Chapter 5

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood

51

Learning Objective 1

Describe general approaches to analyzing vulnerabilities and threats in information systems.

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood

52

Overview
The information security system is the subsystem of the organization that controls the special risks associated with computer-based information systems.

The information security system has the basic elements of any information system, such as hardware, databases, procedures, and reports.
2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 53

The Information Security System Life Cycle


Life-cycle Phase Objective

Analyze system vulnerabilities Systems analysis in terms of relevant threats and their associated loss exposure. Systems design Design security measures and contingency plans to control the identified loss exposures.
54

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood

The Information Security System Life Cycle


Life-cycle Phase Systems implementation Objective Implement the security measures as designed. Operate the system and assess its effectiveness and efficiency. Make changes as circumstances require.
55

Systems operation, evaluation, and control

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood

The Information Security System in the Organization


The information security system must be managed by a chief security officer (CSO). This individual should report directly to the board of directors in order to maintain complete independence.

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood

56

Analyzing Vulnerabilities and Threats

Quantitative approach to risk assessment Qualitative approach

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood

57

Analyzing Vulnerabilities and Threats

Cost of an individual loss Likelihood of its occurrence

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood

58

Analyzing Vulnerabilities and Threats

Identifying the relevant costs per loss and the associated likelihoods can be difficult.
Estimating the likelihood of a given failure requires predicting the future, which is very difficult.
2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 59

Analyzing Vulnerabilities and Threats

The systems vulnerabilities and threats are subjectively ranked in order of their contribution to the companys total loss exposure.

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood

5 10

Analyzing Vulnerabilities and Threats

business interruption loss of software loss of data loss of hardware loss of facilities loss of service and personnel
2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 11

Learning Objective 2

Identify active and passive threats to information systems.

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood

5 12

Vulnerabilities and Threats


What is a vulnerability?

A vulnerability is a weakness in a system.


What is a threat? A threat is a potential exploitation of a vulnerability.
2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 13

Vulnerabilities and Threats

Active threats

Passive threats

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood

5 14

Individuals Posing a Threat to the Information System


Groups of individuals that could be involved in an information systems attack: Information systems personnel Users Intruders

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood

5 15

Individuals Posing a Threat to the Information System

computer maintenance persons programmers network operators information systems administrative personnel data control clerks
2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 16

Individuals Posing a Threat to the Information System


Users are composed of heterogeneous groups of people. Their functional area does not lie in data processing.

An intruder is anyone who accesses equipment, electronic data, or files without proper authorization.

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood

5 17

Individuals Posing a Threat to the Information System


A hacker is an intruder who attacks a system for fun and challenge.

What are other types of intruders?


unnoticed intruders wiretappers piggybackers impersonating intruders eavesdroppers
2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 18

Active Threats to Information Systems


Input manipulation Sabotage Misappropriation or theft of information resources

Program alteration
Direct file alteration Data theft

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood

5 19

Active Threats to Information Systems


In most cases of computer fraud, manipulation of input is the method used. Program alteration is perhaps the least common method used to commit computer fraud.

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood

5 20

Active Threats to Information Systems


A direct file alteration occurs when individuals find ways to bypass the normal process for inputting data into computer programs. Data theft is a serious problem in business today. What are some methods of computer sabotage?
2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 21

Active Threats to Information Systems


Logic bomb Trojan horse Virus program

Denial of service attack


Defacing the companys Web site
2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 22

Active Threats to Information Systems


What is a worm?

It is a type of virus that spreads itself over a computer network.

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood

5 23

Active Threats to Information Systems


One type of misappropriation of computer resources exists when employees use company computers resources for their own business.

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood

5 24

Learning Objective 3

Identify key aspects of an information security system.

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood

5 25

The Information System Security System


Security measures focus on preventing and detecting threats. Contingency plans focus on correcting the effects of threats.

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood

5 26

The Control Environment


Management philosophy and operating style Organization structure

Board of directors and its committees

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood

5 27

The Control Environment


Management control activities

Internal audit function


Personnel policies and practices External influences

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood

5 28

Controls for Active Threats

Site-access controls
System-access controls File-access controls
2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 29

Controls for Active Threats

The objective of site-access controls is to physically separate unauthorized individuals from computer resources.

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood

5 30

Controls for Active Threats

TV monitor

Telephone

Locked door

Locked door (opened from inside vault) Locked door (entrance)

LOBBY

Service window Data archive

Intercom to vault

Scanner

Magnet detector

INNER VAULT

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood

5 31

Controls for Active Threats

These controls authenticate users by using such means as user IDs, passwords, IP addresses, and hardware devices. It is often desirable to withhold administrative rights from individual PC users.
2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 32

Controls for Active Threats

The most fundamental file-access control is the establishment of authorization guidelines and procedures for accessing and altering files.

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood

5 33

Controls for Passive Threats

Fault-tolerant systems use redundant components.


If one part of the system fails, a redundant part immediately takes over, and the system continues operating with little or no interruption.

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood

5 34

Controls for Passive Threats

Full backups Incremental backups Differential backups

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood

5 35

Internet Security
Internet-related vulnerabilities may arise from weaknesses in five areas. 1. 2. 3. 4. 5. the operating system or its configuration the Web server or its configuration the private network and its configuration various server programs general security procedures
5 36

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood

Learning Objective 4

Discuss contingency planning and other disaster risk management practices.

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood

5 37

Disaster Risk Management

Disaster risk management is essential to ensure continuity of operations in the event of a catastrophe.

Prevention planning

Contingency planning
5 38

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood

Disaster Risk Management

Natural disaster Deliberate actions Human error

30% 45% 25%

A large percentage of disasters can be mitigated or avoided.


2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 39

Disaster Risk Management


A disaster recovery plan must be implemented at the highest levels in the company. The first step in developing a disaster recovery plan should be obtaining the support of senior management and setting up a planning committee.

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood

5 40

Disaster Risk Management


The design of the plan should include three major components. What are these components? Assess the companys critical needs. List priorities for recovery. Establish recovery strategies and procedures.
2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 41

Disaster Risk Management


A complete set of recovery strategies should take into account the following: emergency response center escalation procedures alternate processing arrangements personnel relocation and replacements plans salvage plan plan for testing and maintaining the system
2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 42

End of Chapter 5

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood

5 43