
Managing Information Technology

6th Edition
CHAPTER 16
INFORMATION SECURITY

Copyright © 2009 Pearson Education, Inc.  Publishing as Prentice Hall 1


Information Security
• Background
– Organizations face security threats from both
within and outside
– Traditional security measures have addressed
external threats
– Understanding the managerial aspects of
information security is important because of the
changing regulatory environment and the
potential risk exposure that some firms face



E-Crime


E-Crime

● Any criminal violation in which a computer or e-media is used in the commission of the crime



E-Crime
• Examples of credit card security breaches
– TJX

– CardSystems Inc.

Figure 16.1



E-Crime
• Many Types of E-Crime
– All incur costs to organizations or individuals
Figure 16.2



E-Crime
• Some common ways computers are attacked
Virus

● A small unit of code embedded in a file or program that when executed will replicate itself and may cause damage to infected computers

Worm

● A self-replicating virus

Trojan horse

● A security-breaking program that is disguised as a legitimate program

Logic bomb

● A program, or code within a system, that takes action when a certain event occurs

Denial of service attack

● Occurs when a large number of messages are sent to a target computer simultaneously with the purpose of disrupting the capability of the target



E-Crime
• Other techniques used in E-Crime:

Phishing


● Involves the solicitation of sensitive personal information from users, commonly in
the form of email and instant messages

Spoofing


● The use of a fraudulent Web site that mimics a legitimate one. Often used in
conjunction with phishing



E-Crime
• Hacker vs. Cracker
Hacker
An individual with no
malicious intent who attacks
computer systems for the
purpose of highlighting
security vulnerabilities

Cracker
An individual who attacks
computer systems to
intentionally steal
information or cause harm



E-Crime
• All managers responsible for security
compliance should have an understanding of
the basics of security technology

Security Basics (Figure 16.4)

● Firewall and Proxy Servers
● Encryption and VPNs
● Identity and Access Management Systems (IAM)
● Content-Filtering Tools
● Penetration-Testing Tools



Information Risk Management
• Steps in Risk Management
– Determine the organization’s information assets
and their values
– Decide how long the organization can function
without specific information assets
– Develop and implement security procedures to
protect these information assets



Information Risk Management
• Steps in Risk Management
– Determine the organization’s information assets and
their values

– Example:
• One organization determined that corporate information
found on employee laptops is an important asset
• The organization estimates that a loss of the information
on a single laptop may cost $50,000 on average



Information Risk Management
• The expected losses due to a vulnerability can
be calculated by the following formula:

Annualized Expected Losses (AEL) = Single Loss Expectancy (SLE) × Annual Occurrence Rate (AOR)
Information Risk Management
• Quantitative example:
– Losing the corporate data from a single laptop has
an estimated value of $50,000
– The corporation identified three occurrences in
the last two years where a laptop had been lost
• This is an Annual Occurrence Rate of 1.5

Annualized Expected Losses (AEL) = Single Loss Expectancy (SLE) × Annual Occurrence Rate (AOR)



Information Risk Management
• Quantitative example:
– Therefore, the Annualized Expected Losses (AEL)
amount to $75,000
Annualized Expected Losses (AEL) = Single Loss Expectancy (SLE) × Annual Occurrence Rate (AOR)

$75,000 = $50,000 × 1.5



Information Risk Management
• After performing a quantitative risk analysis,
the Annualized Expected Losses (AEL) are used
to perform security cost-benefit analysis

Security Cost-Benefit Analysis


● A quantitative analysis IS managers may perform to examine the potential
business benefits and the intervention costs involved with mitigating security risks



Information Risk Management
• Security Cost-Benefit Analysis
– Managers must estimate the costs of the actions
performed to secure the information asset
– The Return Benefit from the actions can be
estimated by the following formula:

Annualized Return Benefit = Annualized Expected Losses (AEL) − Annualized Cost of Actions



Information Risk Management
• Security Cost-Benefit Analysis
– From the laptop example, the company estimates
that adding strong encryption to the corporate
data on the laptops will cost $100 per year for
each of the 200 laptops in the company
– Overall, a $20,000 annualized cost for this
intervention would be realized
Annualized Return Benefit = Annualized Expected Losses (AEL) − Annualized Cost of Actions
Information Risk Management
• Security Cost-Benefit Analysis
– After performing the analysis, we find that this
action has an estimated return benefit of $55,000
per year
Annualized Return Benefit = Annualized Expected Losses (AEL) − Annualized Cost of Actions

$55,000 = $75,000 − $20,000

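The two formulas on the preceding slides (AEL = SLE × AOR, and Return Benefit = AEL − annualized cost of the action) carried through as an added, runnable example. This is not code from the textbook; it reuses the chapter's laptop figures ($50,000 SLE, three losses in two years, $100 per year for 200 laptops) as constructed input. The `mitigation_fraction` parameter is an assumption added here for partial controls; the slides' own arithmetic corresponds to the default of 1.0, where the action is assumed to remove the whole expected loss.

```python
"""Worked example of the chapter's risk formulas:
AEL = SLE x AOR and Return Benefit = AEL - Annualized Cost of Actions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class InformationAsset:
    """An asset whose loss events have been observed over some time window."""
    name: str
    single_loss_expectancy: float  # SLE: estimated cost of one loss event, in dollars
    incidents_observed: int        # loss events seen during the observation window
    window_years: float            # length of the observation window, in years

    def annual_occurrence_rate(self) -> float:
        """AOR: observed incidents normalised to a per-year rate."""
        if self.window_years <= 0:
            raise ValueError("observation window must be positive")
        return self.incidents_observed / self.window_years

    def annualized_expected_losses(self) -> float:
        """AEL = SLE x AOR."""
        return self.single_loss_expectancy * self.annual_occurrence_rate()


@dataclass(frozen=True)
class Control:
    """A proposed security action with a recurring per-unit cost."""
    name: str
    cost_per_unit_per_year: float  # e.g. $100/year of encryption per laptop
    units: int                     # number of protected units, e.g. 200 laptops
    # Fraction of the AEL the control removes. The slides assume 1.0 (the loss is
    # fully avoided); any lower value is an assumption added in this example.
    mitigation_fraction: float = 1.0

    def annualized_cost(self) -> float:
        """Annualized Cost of Actions = per-unit yearly cost x number of units."""
        return self.cost_per_unit_per_year * self.units


def return_benefit(asset: InformationAsset, control: Control) -> float:
    """Return Benefit = (AEL removed by the control) - Annualized Cost of Actions.
    With mitigation_fraction == 1.0 this is exactly the slide's AEL - cost."""
    if not 0.0 <= control.mitigation_fraction <= 1.0:
        raise ValueError("mitigation_fraction must be between 0 and 1")
    avoided_loss = asset.annualized_expected_losses() * control.mitigation_fraction
    return avoided_loss - control.annualized_cost()


def is_worth_doing(asset: InformationAsset, control: Control) -> bool:
    """A control is justified by this analysis when its return benefit is positive."""
    return return_benefit(asset, control) > 0


# Constructed from the chapter's laptop example.
LAPTOP_DATA = InformationAsset("corporate data on laptops", 50_000.0, 3, 2.0)
LAPTOP_ENCRYPTION = Control("strong encryption of laptop data", 100.0, 200)

if __name__ == "__main__":
    print(f"AOR = {LAPTOP_DATA.annual_occurrence_rate():.2f} per year")
    print(f"AEL = ${LAPTOP_DATA.annualized_expected_losses():,.0f}")
    print(f"Annualized cost = ${LAPTOP_ENCRYPTION.annualized_cost():,.0f}")
    print(f"Return benefit = ${return_benefit(LAPTOP_DATA, LAPTOP_ENCRYPTION):,.0f}")
```

Running the script reproduces the slides' $75,000 AEL and $55,000 return benefit. The same functions also show when a control is not justified: a control costing more per year than the loss it prevents yields a negative return benefit, which is the trade-off the chapter later assigns to the CISO.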


Compliance with Current Security Laws
• Legal and Regulatory Environment
– Impacts information security practices
Figure 16.7

Copyright © 2009 Pearson Education, Inc.  Publishing as Prentice Hall 19


Compliance with Current Security Laws

• Sarbanes-Oxley Act of 2002 (SOX)


– Created as a response to the scandals at Enron,
Tyco, WorldCom, and others
– Applies to publicly traded US companies

Copyright © 2009 Pearson Education, Inc.  Publishing as Prentice Hall 20


Compliance with Current Security Laws

• Sarbanes-Oxley Act of 2002 (SOX)

"Sarbanes is the
most sweeping
legislation to affect
publicly traded
companies since the
reforms during the
Great Depression"
- Gartner Analyst
John Bace



Compliance with Current Security Laws

• SOX affects IS leaders in two major ways:


– Records retention
• The act states that companies must retain electronic
communication such as email and instant messaging for
a period of at least five years
– IT audit controls
• Officers must certify that they are responsible for
establishing and maintaining internal controls



Compliance with Current Security Laws

• Section 404 of SOX states that companies
must use an internal control framework such
as COSO

COSO

● COSO is a framework for auditors to use when assessing internal controls that
was created by the Committee of Sponsoring Organizations (COSO)



Compliance with Current Security Laws
• Internal controls are assurance processes
• COSO defines internal controls:

Internal Controls


● COSO Definition of Internal Control: “a process, effected by an entity’s board of directors,
management and other personnel, designed to provide reasonable assurance regarding
the achievement of objectives in the following categories:

● Effectiveness and efficiency of operations

● Reliability of financial reporting

● Compliance with applicable laws and regulations”
Compliance with Current Security Laws

• The COSO framework contains five
interrelated categories:
– Risk Assessment
– Control Environment
– Control Activities
– Monitoring
– Information and Communication



Compliance with Current Security Laws

• Gramm-Leach-Bliley Act of 1999 (GLBA)


– Mandates that all organizations maintain a high
level of confidentiality of all financial information
of their clients or customers
– The act gives federal agencies and states the
authority to enforce the following rules:
• Financial Privacy Rule
• Safeguards Rule



Compliance with Current Security Laws

• Gramm-Leach-Bliley Act of 1999 (GLBA)


– Financial Privacy Rule
• Requires financial institutions to provide customers
with privacy notices
• Organizations must clearly state their privacy policies
when establishing relationships with customers
• Organizations cannot disclose nonpublic personal
information to a third-party
– Safeguards Rule



Compliance with Current Security Laws

• Gramm-Leach-Bliley Act of 1999 (GLBA)


– Safeguards Rule
• Organizations must have a written security plan in place
to protect customers’ nonpublic confidential
information



Compliance with Current Security Laws

• Health Insurance Portability and
Accountability Act (HIPAA)
– HIPAA requires organizations to secure nonpublic
confidential medical information
– Noncompliance can lead to serious penalties and
fines



Compliance with Current Security Laws

• Uniting and Strengthening America by
Providing Appropriate Tools Required to
Intercept and Obstruct Terrorism Act of 2001
(USA PATRIOT)
– Commonly called the PATRIOT Act
– Gives the US government greater ability to access
information
– Victims of computer hacking can now request law
enforcement assistance



Compliance with Current Security Laws

• California Information Practices Act (Senate
Bill 1386)
– In the past, companies have often been silent
when information theft occurred
– This act requires organizations that store
nonpublic information on California residents to
report information theft within 96 hours
– Noncompliance may lead to civil or criminal
consequences



Developing an Information Security Policy

• Information Security Policies


– Required by many regulations (e.g., SOX)
– Required to obtain insurance

Information Security Policy


● A written document describing what is, and is not, permissible use of information
in the organization and the consequences for violation of the policy



Developing an Information Security Policy

• Who should develop the security policy?


– Representatives of all affected user groups and
stakeholders
– Must have support of managers who train and
enforce the policy
– The committee that develops the policy should meet
regularly to ensure that the security policy meets the
organization’s needs and satisfies current
regulations



Developing an Information Security Policy

• What should be in the policy?


– Common Topics
• Access control policies
• External access policies
• User and physical policies
– Example Policies
• The SANS Institute provides templates for many policy types



Developing an Information Security Policy

• The policy should be appropriate to the estimated
risks of the organization
• It should be quickly modified when new
situations arise affecting security
• Organizations should make it easy for
employees to access the most recent policy



Planning for Business Continuity
Business Continuity Planning (BCP)


● Putting specific plans in place that ensure that employees and business processes
can continue when faced with any major unanticipated disruption

• This is more than simple disaster recovery


• When an organization cannot resume
operations in a reasonable time frame, it leads
to business failure
Planning for Business Continuity
• McNurlin & Sprague identified the following
components of BCP that were often
overlooked before the 9/11 terrorist attacks:
– Alternate workspaces for people with working
computers and phone lines
– Backup IT sites that are not too close, but not too
far away
– Up-to-date evacuation plans that everyone knows
and has practiced



Planning for Business Continuity
• McNurlin & Sprague identified the following
components of BCP that were often overlooked
before the 9/11 terrorist attacks:
– Backed-up laptops and departmental servers,
because a lot of corporate information is housed on
these machines rather than in the data center
– Helping people cope with a disaster by having easily
accessible phone lists, e-mail lists, and even instant-
messenger lists so that people can communicate
with loved ones and colleagues
Planning for Business Continuity
• Creating a BCP begins with a business impact
analysis with the following steps:
1. Define the critical business processes and
departments
2. Identify interdependencies between them
3. Examine all possible disruptions to these systems
4. Gather quantitative and qualitative information
on these threats
5. Provide remedies for restoring systems



Planning for Business Continuity
• Disruptions are usually ranked based on the
following categories:

– Normal: 30 days
– Lower-priority: 7 days
– Important: 72 hours
– Urgent: 24 hours
– Critical: < 12 hours



Planning for Business Continuity
• Electronic Records Management (ERM)
– Covers the retention of important digital
documents
– Grew out of the need to satisfy regulations such as
SOX and HIPAA
– May require a centralized approach
– eDiscovery amendments to rules for civil
procedures make ERM even more important



Planning for Business Continuity
• Electronic Records Management (ERM)
– ERM managers are responsible for the following
• Defining what constitutes an electronic record
• Analyzing the current business environment and
developing appropriate ERM policies
• Classifying specific records based upon their importance,
regulatory requirements, and duration
• Authenticating records by maintaining accurate logs and
procedures to prove that these are the actual records, and
that they have not been altered
• Managing policy compliance



Planning for Business Continuity
• Electronic Records Management (ERM)
– Managers must realize that businesses may be
digitally liable for actions their employees have
taken when communicating electronically
– Electronic corporate information may reside on
computers external to the company (e.g. cached
email)



The Chief Information Security Officer Role
• With increasing pressure to comply with laws
and regulations, many companies have added
a chief information security officer (CISO) to
their IS organization
• The CISO is responsible for monitoring information
security risks and developing strategies to
mitigate those risks



The Chief Information Security Officer Role
• As it is impossible to eliminate all risk, the
CISO must balance the trade-offs between
risks and the costs of eliminating them

[Figure: trade-off curve plotting Cost of Prevention against Risk; only the axis labels survive extraction]



All rights reserved. No part of this publication may be reproduced, stored in a
retrieval system, or transmitted, in any form or by any means, electronic,
mechanical, photocopying, recording, or otherwise, without the prior written
permission of the publisher. Printed in the United States of America.

