6th Edition
CHAPTER 16
INFORMATION SECURITY
E-Crime
● Any criminal violation in which a computer or e-media is used in the commission of the crime
– CardSystems Inc.
Figure 16.1
Worm
● A self-replicating virus
Trojan horse
● A security-breaking program that is disguised as a legitimate program
Logic bomb
● A program, or code within a system, that takes action when a certain event occurs
Phishing
● Involves the solicitation of sensitive personal information from users, commonly in the form of email and instant messages
Spoofing
● The use of a fraudulent Web site that mimics a legitimate one. Often used in conjunction with phishing
Cracker
● An individual who attacks computer systems to intentionally steal information or cause harm
● Content-Filtering Tools
● Penetration-Testing Tools
– Example:
• One organization determined that corporate information found on employee laptops is an important asset
• The organization estimates that a loss of the information on a single laptop may cost $50,000 on average
Single Loss Expectancy (SLE) × Annual Occurrence Rate (AOR) = Annualized Expected Losses (AEL)
Copyright © 2009 Pearson Education, Inc. Publishing as Prentice Hall 12
Information Risk Management
• Quantitative example:
– Losing the corporate data from a single laptop has an estimated value of $50,000
– The corporation identified three occurrences in the last two years where a laptop had been lost
• This is an Annual Occurrence Rate of 1.5
• AEL: $75,000 = $50,000 (SLE) × 1.5 (AOR)
● A quantitative analysis IS managers may perform to examine the potential business benefits and the intervention costs involved with mitigating security risks
Figure: Annualized Return Benefit, computed from Annualized Expected Losses (AEL) and the Cost of Actions
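A worked version of the quantitative risk example and the cost-benefit analysis above, added here as an example and not taken from the textbook: it derives AOR and AEL from the laptop figures on this page and scores countermeasures as AEL avoided minus the cost of actions. The `Asset` class, the countermeasure options and their reduction factors and yearly costs are assumptions, not figures from the text.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """Quantitative risk inputs for one asset/threat pair (assumed helper)."""
    name: str
    sle: float           # Single Loss Expectancy: cost of one loss event
    occurrences: int     # loss events observed during the period
    period_years: float  # length of the observation period in years

    @property
    def aor(self) -> float:
        """Annual Occurrence Rate: observed events per year."""
        if self.period_years <= 0:
            raise ValueError("observation period must be positive")
        return self.occurrences / self.period_years

    @property
    def ael(self) -> float:
        """Annualized Expected Losses = SLE x AOR."""
        return self.sle * self.aor


def annualized_return_benefit(asset: Asset, reduction: float, annual_cost: float) -> float:
    """Benefit of a countermeasure that removes a fraction `reduction` of the AEL
    for `annual_cost` per year: losses avoided minus the cost of action
    (reading the figure as a subtraction is an assumption)."""
    if not 0.0 <= reduction <= 1.0:
        raise ValueError("reduction must be a fraction between 0 and 1")
    return asset.ael * reduction - annual_cost


def rank_countermeasures(asset: Asset, options: dict) -> list:
    """options: {name: (reduction, annual_cost)} -> [(name, benefit)], best first."""
    scored = [(name, annualized_return_benefit(asset, r, c)) for name, (r, c) in options.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Figures from the page: $50,000 per lost laptop, three losses in two years
LAPTOPS = Asset("corporate data on employee laptops", sle=50_000, occurrences=3, period_years=2)

# Constructed countermeasure options (hypothetical reduction factors and costs)
OPTIONS = {
    "full-disk encryption": (0.90, 12_000),
    "laptop tracking service": (0.30, 5_000),
    "do nothing": (0.0, 0),
}

if __name__ == "__main__":
    print(f"AOR = {LAPTOPS.aor}, AEL = ${LAPTOPS.ael:,.0f}")
    for name, benefit in rank_countermeasures(LAPTOPS, OPTIONS):
        print(f"{name:25s} annualized return benefit ${benefit:,.0f}")
```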
"Sarbanes is the most sweeping legislation to affect publicly traded companies since the reforms during the Great Depression"
- Gartner Analyst John Bace
COSO
● COSO is a framework for auditors to use when assessing internal controls that was created by the Committee of Sponsoring Organizations (COSO)
Internal Controls
● COSO Definition of Internal Control: “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
  ● Effectiveness and efficiency of operations
  ● Reliability of financial reporting
  ● Compliance with applicable laws and regulations”
Compliance with Current Security Laws
● A written document describing what is, and is not, permissible use of information in the organization and the consequences for violation of the policy
● Putting specific plans in place that ensure that employees and business processes can continue when faced with any major unanticipated disruption
Figure: Cost of Prevention versus Risk