MANAGING INFORMATION SECURITY AND PRIVACY
Zorana Svedic
BUS 237 Information Systems in Business
Agenda
Questions?
Security Threats
Security Safeguards
Disaster Preparedness
BUS 237
Security of Information Systems
Identity Theft
Security Threats to Organizations
1. Human Errors and Mistakes
2. Malicious Human Activity
3. Natural Events and Disasters
Security Problems
Security Problems and Sources
PIPEDA Unauthorized data disclosure
1. Unauthorized Data Disclosure
2. Incorrect Data Modification
3. Faulty Service
4. Denial of Service
5. Loss of Infrastructure
Security Program Elements
Security Safeguards as Related to the Five Components
Technical Safeguards
1.1. Identification and Authentication
1.2. Encryption
1.3. Firewalls
1.4. Malware Protection
Data Safeguards (1)
Data Safeguards (2)
Encryption keys
- Key escrow
Backup copies
- Store off-premise
- Check validity
Physical security
- Lock and control access to facility
- Maintain entry log
Third party contracts
- Safeguards are written into contracts
- Right to inspect premises and interview personnel
Human Safeguards
3.1. Human Safeguards for Employees
Position Definitions
Effective human safeguards begin with definitions of job tasks and responsibilities; user access privileges should match job needs only.
Hiring and Screening
Security considerations (extensive screening, background checks) should be part of the hiring process, especially for sensitive positions.
Dissemination and Enforcement
Employees need to be made aware of, and trained according to, the security policies, procedures, and responsibilities.
Termination
Companies must establish security policies and procedures for the termination of employees, such as informing system administrators prior to employee notification of termination.
Security Policy for In-House Staff
3.2. Human Safeguards for Non-Employees
Public users
- Harden web site and facility
- Hardening: take extraordinary measures to reduce system vulnerability
Partners and public that receive benefits from the information system
- Protect these users from internal company security problems
3.3. Account Administration
3.4. System Procedures (1)
System procedures:
- Normal operation
- Backup
- Recovery
Procedures of each type should exist for each information system.
Definition and use of standardized procedures reduces the likelihood of computer crime.
Each procedure type should be defined for both system users and operations personnel, because they have:
- Different duties and responsibilities
- Varying needs and goals
3.4. System Procedures (2)
3.5. Security Monitoring
Sample Recovery Strategies
Strategy: Description
Work Area Recovery (WAR): Office space with basic equipment, often pre-configured for the company's use, at a recovery facility. Can be shared by other companies. Charged a monthly subscription fee.
Cold site: A room or building used for recovery, but not set up for immediate occupation or use. Suited to a long-term interruption.
Hot site: A recovery location that is always available 24x7. The IT systems and applications at a hot site are either running all the time, or can be activated within two hours.
Relocate: Recovery team members relocate to other locations (the company's branches or vendors) to resume or continue their work. Short-term solution.
Shut Down: Temporarily halting all non-essential activities.
Source: www.calamityprevention.com/downloads/samplesrecovery.pdf
Incident-Response Plan
Final Exam & Course Review
Final Exam
Final Exam Procedures
In the exam room, you will NOT be allowed to have any bags, jackets, or other items near you; all of these will have to be left in the instructor area of the room.
Do not bring any valuable items with you (e.g. laptops, mp3 players, cell phones), as we cannot be responsible for your belongings.
You will NOT be allowed to enter the exam room after 30 min from the start, and you will NOT be able to write the final exam.
Finally, you will NOT be allowed to write the exam if you do not provide a PHOTO ID (SFU student card, driver's license, etc.).
BONUS QUESTION: FUNNY JOKE / DRAWING
Course Review
Industry Structure & Competition
Porter's Value Chain Model
Competitive Advantage
Business Processes
Hardware & Software
Networks
Data
Types of Information Systems
Manufacturing
Human Resources
Accounting and Finance
Decision Making
Rational Decision Making Model
Data vs. Information
Relevant
Data Processing
Information System Acquisition
Buy (COTS)
- Match organizational needs with COTS capabilities
Rent
Outsourcing (same country)
Nearshoring (border country)
System Development Life Cycle (SDLC)
Security Threats & Problems
Faulty service
Denial of service
Loss of infrastructure
Security Program Elements
Security Policy
Risk management
Safeguards
- Technical (hardware and software)
- Data (content)
Practice!
IT/IS Issues
The End
Thank You!