LECTURE 12: MANAGING INFORMATION SECURITY AND PRIVACY
Zorana Svedic BUS 237 Information Systems in Business
Agenda

Questions?

Security Threats

Security Safeguards

Disaster Preparedness

Final Exam & Course Review

BUS 237
Security of Information Systems

Identity Theft

Understanding threats to your own privacy will help make
you more sensitive to the importance of security and privacy
In Identity Theft, vital information such as a person's name,
address, date of birth, social insurance number, and
mother's maiden name are acquired to complete
impersonation
With this information, the identity thief can take over a
victim's financial accounts; open new bank accounts;
transfer bank balances; apply for loans, credit cards, and
other services

Security Threats to Organizations

Three sources of security problems are:

1. Human error and mistakes

2. Malicious human activity

3. Natural events and disasters

1. Human Errors and Mistakes

Human errors and mistakes include accidental
problems caused by both employees and non-employees
An example is an employee who misunderstands
operating procedures and accidentally deletes customer
records
This category also includes poorly written programs and
poorly designed procedures
As well as physical accidents

2. Malicious Human Activity

The second source of security problems is malicious
human activity
This category includes employees and former employees
who intentionally destroy data or other systems
components
It also includes hackers who break into a system and virus
and worm writers who infect computer systems
Malicious human activity also includes outside criminals
who break into a system to steal for financial gain; it also
includes terrorism

3. Natural Events and Disasters

Natural events and disasters are the third source of
security problems
This category includes fires, floods, hurricanes,
earthquakes, tsunamis, avalanches, tornados, and other
acts of nature
Problems in this category include not only the initial loss
of capability and service, but also losses stemming from
actions to recover from the initial problem

Security Problems

Types of security problems include:
1. Unauthorized data disclosure
2. Incorrect data modification
3. Faulty service
4. Denial of service
5. Loss of infrastructure

Security Problems and Sources

PIPEDA Unauthorized data disclosure

PIPEDA: Personal Information Protection and
Electronic Documents Act
Personal information is defined under this Act as
information about an identifiable individual, but does not
include the name, title, business address, or telephone
number of an employee of an organization
The Act gives individuals the right to know why an
organization collects, uses, or discloses their personal
information
PIPEDA governs how data are collected and used

1. Unauthorized Data Disclosure

PIPEDA Unauthorized data disclosure can occur by human error
when someone inadvertently releases data in violation of a policy
Posting private information in a public place
Placing restricted information on searchable Web sites
Pretexting occurs when someone deceives by pretending to be
someone else via telephone
Phishing is a similar technique for obtaining unauthorized data
that uses pretexting via email
Spoofing is another term for someone pretending to be someone
else (IP and email)
Sniffing is a technique for intercepting computer communications

2. Incorrect Data Modification

Incorrect data modification can occur through human
error when employees follow procedures incorrectly or
when procedures have been incorrectly designed

Hacking occurs when a person gains unauthorized
access to a computer system

Faulty recovery action occurs when data is incorrectly
restored after a disaster

3. Faulty Service

Faulty service includes problems that result because of
incorrect system operation
incorrect data modification
systems that work incorrectly

Usurpation occurs when unauthorized programs invade
a computer system and replace legitimate programs
Faulty service can also result from mistakes made during
the recovery from natural disasters

4. Denial of Service

Human error in following procedures or a lack of
procedures can result in denial of service

Denial-of-Service (DoS) attacks can also be launched
maliciously
A malicious hacker can flood a Web server, for example,
with millions of bogus service requests that so occupy
the server that it cannot service legitimate requests
Natural disasters may cause systems to fail, resulting in
denial of service

5. Loss of Infrastructure

Human accidents can cause loss of infrastructure
A construction crew cutting fiber-optic cables, or the floor
buffer crashing into a rack of Web servers, etc.

Criminal events can also cause loss of infrastructure
A disgruntled, terminated employee can walk off with
corporate data servers, routers, or other crucial equipment

But, natural disasters present the largest risk for
infrastructure loss
A fire, flood, earthquake, or similar event can destroy data
centers and all they contain

Security Program Elements

1. Senior management involvement
Must establish the Security Policy
Manage risk by balancing the costs and benefits of the
security program
2. Safeguards of various kinds
Safeguards are protections against security threats
Safeguards involve computer hardware and software,
data, procedures, and people
3. Incident response
A security program consists of the organization's planned
response to security incidents

Security Safeguards as Related to the Five Components

Technical Safeguards

Involves hardware and software components

1.1. Identification and Authentication

Every information system today should require users to sign
in with a user name and password
A smart card is a plastic card similar to a credit card, which
has a microchip loaded with identifying data -- personal
identification number (PIN)
Biometric authentication uses personal physical
characteristics such as fingerprints, facial features, and
retinal scans to authenticate users
Single Sign-on for Multiple Systems authenticates users
without sending their passwords across the computer
network

1.2. Encryption

Senders use a key to encrypt a plaintext message and then
send the encrypted message to a recipient, who then uses a
key to decrypt the message
Symmetric - both parties use the same key
Asymmetric - the parties use two keys, one that is public and one
that is private
SSL/TLS is a protocol that uses both asymmetric and symmetric
encryption
Digital signatures ensure that plaintext messages are received
without alterations
Digital Certificates are digitally signed by Certificate Authorities
(trusted, independent third-party companies) that supply public keys

1.3. Firewalls

A firewall is a computing device that prevents
unauthorized network access
It can be either hardware based (computer/router) or
software based such as Windows Firewall
Organizations normally use multiple firewalls
Firewalls can filter outbound traffic as well

1.4. Malware Protection

Broad definition of malware (malicious software) covers
Viruses, Worms, Trojan Horses, Spyware, and Adware
Malware safeguards
Install antivirus and anti-spyware programs
Scan hard drive and e-mail frequently
Update malware definitions
Open e-mail attachments only from known sources
Install software updates promptly
Browse only reputable Web sites

Data Safeguards (1)

Data safeguards are measures used to protect
databases and other organizational data
Data administration
Organization-wide function
develops data policies
enforces data standards
Database administration
Particular database function
procedures for multi-user processing
change control to structure
protection of database

Data Safeguards (2)

Encryption keys
Key escrow
Backup copies
Store off-premise
Check validity
Physical security
Lock and control access to facility
Maintain entry log
Third party contracts
Safeguards are written into contracts
Right to inspect premises and interview personnel

Human Safeguards

Human safeguards are designed to protect
procedures and people components of the
information systems

1. Safeguards for Employees
2. Safeguards for Non-Employee Personnel
3. Account Administration
4. System Procedures
5. System Monitoring

3.1. Human Safeguards for Employees

Position Definitions
Effective human safeguards begin with definitions of job tasks and
responsibilities -- user access privilege should match job needs only
Hiring and Screening
Security considerations (extensive screening, background checks) should
be part of the hiring process especially for sensitive positions
Dissemination and Enforcement
Employees need to be made aware and trained according to the security
policies, procedures, and responsibilities
Termination
Companies must establish security policies and procedures for the
termination of employees such as informing system administrators prior to
employee notification of termination

Security Policy for In-House Staff

3.2. Human Safeguards for Non-Employees

Temporary personnel and vendors
Screen personnel
Training and compliance
Contract should include specific security provisions
Provide accounts and passwords with the least privileges

Public users
Harden web site and facility
Hardening: Take extraordinary measures to reduce a system's
vulnerability
Partners and public that receive benefits from the
information system
Protect these users from internal company security problems

3.3. Account Administration

Account Management procedures
Creation of new user accounts
Modification of existing account permissions
Removal of unneeded accounts
Password Management
Acknowledgment forms
Change passwords frequently
Help-desk policies
Authentication of users who have lost their password
Password should not be e-mailed (just a notification of password
change)

3.4. System Procedures (1)

System procedures:
Normal operation
Backup
Recovery
Procedures of each type should exist for each
information system
Definition and use of standardized procedures reduces
the likelihood of computer crime
Each procedure type should be defined for both system
users and operations personnel
Different duties and responsibilities
Varying needs and goals

3.4. System Procedures (2)

3.5. Security Monitoring

Activity log analyses
Firewall logs
DBMS log-in records
Web server logs
Security testing
In-house and external security professionals
Investigation of incidents
How did the problem occur?
Lessons learned
Indication of potential vulnerability and corrective actions
New technology changes the security landscape, and new
threats arise
Security, like quality, is an ongoing process!
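
Activity log analysis as listed on this slide, sketched as an added example that is not part of the lecture: it scans web server logs for the request floods described under Denial of Service and DBMS log-in records for runs of failed log-ins. The log lines, the DBMS record layout, the function names and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input (not from the lecture): web server access lines in
# Common Log Format. 198.51.100.7 sends 8 requests within 8 seconds.
WEB_LOG = [
    f'198.51.100.7 - - [01/Jan/2024:19:00:{s:02d} +0000] "GET /search?q={s} HTTP/1.1" 200 310'
    for s in range(8)
] + [
    '203.0.113.9 - - [01/Jan/2024:19:00:03 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:19:00:40 +0000] "GET /about.html HTTP/1.1" 200 420',
    'not a log line',  # malformed input is skipped instead of aborting the analysis
]

# Constructed DBMS log-in records in a hypothetical "time key=value ..." layout.
DB_LOGINS = [
    "2024-01-01T19:05:00Z user=alice src=10.0.0.5 result=OK",
    "2024-01-01T19:06:10Z user=dbadmin src=10.0.0.77 result=FAIL",
    "2024-01-01T19:06:12Z user=dbadmin src=10.0.0.77 result=FAIL",
    "2024-01-01T19:06:15Z user=bob src=10.0.0.8 result=FAIL",
    "2024-01-01T19:06:16Z user=dbadmin src=10.0.0.77 result=FAIL",
    "2024-01-01T19:06:19Z user=dbadmin src=10.0.0.77 result=FAIL",
    "2024-01-01T19:07:00Z user=bob src=10.0.0.8 result=OK",
]

CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) \S+$')

def parse_clf(line):
    """Return (client_ip, timestamp, status), or None for an unparsable line."""
    m = CLF.match(line)
    if not m:
        return None
    ip, ts, status = m.groups()
    try:
        return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), int(status)
    except ValueError:
        return None

def flood_sources(lines, max_requests=5, window=timedelta(seconds=10)):
    """Return {ip: peak count} for clients exceeding max_requests in any window."""
    recent, peaks = defaultdict(deque), {}
    events = sorted(filter(None, map(parse_clf, lines)), key=lambda e: e[1])
    for ip, ts, _status in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # drop requests that fell out of the window
            q.popleft()
        if len(q) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def failed_login_bursts(records, threshold=3):
    """Return {(user, src): streak} for runs of failures not reset by a success."""
    streak, flagged = defaultdict(int), {}
    for rec in records:
        fields = dict(p.split("=", 1) for p in rec.split()[1:] if "=" in p)
        if not {"user", "src", "result"} <= fields.keys():
            continue                   # incomplete record: skip it
        key = (fields["user"], fields["src"])
        if fields["result"] == "OK":
            streak[key] = 0
        else:
            streak[key] += 1
            if streak[key] >= threshold:
                flagged[key] = streak[key]
    return flagged

if __name__ == "__main__":
    print("flood sources:", flood_sources(WEB_LOG))
    print("failed log-in bursts:", failed_login_bursts(DB_LOGINS))
```

Each flagged entry is a starting point for the "Investigation of incidents" step, not a verdict; thresholds need tuning against normal traffic for the system being monitored.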

Disaster Preparedness

Disaster preparedness safeguards include asset location,
identification of mission-critical systems, and the
preparation of remote backup facilities

Best safeguard is appropriate physical location of infrastructure
placing computing centers, web farms, and other computer facilities in
locations not prone to floods, earthquakes, hurricanes, tornados, or
avalanches
preparing backup processing centers in locations geographically removed
from the primary processing site
Preparing a backup facility is very expensive.
However, the costs of establishing and maintaining that facility
are a form of insurance.

Sample Recovery Strategies

Strategy: Description
Work Area Recovery (WAR): Office space with basic equipment, often pre-configured for company's use, at a recovery facility. Can be shared by other companies. Charged monthly subscription fee.
Cold site: A room or building used for recovery, but not set up for immediate occupation or use. Long-term interruption.
Hot site: A recovery location that is always available 24x7. The IT systems and applications at a hot site are either running all the time, or can be activated within two hours.
Relocate: Recovery team members relocate to other locations (company's branches or vendors) to resume or continue their work. Short-term solution.
Shut Down: Temporarily halting all non-essential activities.
Source: www.calamityprevention.com/downloads/samplesrecovery.pdf

Incident-Response Plan

Every organization should have an Incident-Response Plan
as part of the security program
Identify mission-critical systems and resources needed to run
those systems
Identify critical personnel and their off-hours contact
information
Include how employees are to respond to specific security
problems
Provide centralized reporting of all security incidents
Train and rehearse cutover of operations
Practice the plan!

Final Exam & Course Review

Final Exam

Date/Time: Tuesday, Dec 10th, 7pm-10pm
Room: C9001
Duration: 2 hrs (120 min)
No materials allowed: closed book (turn off all electronics!!!)
no notes or electronics: cell phones, calculators, translators
Format: 80 Multiple-Choice questions
5 options (a-e) per question (same format as Midterm)
Content: Textbook Chapters 1-12 and all Lecture material
~ 1/4 pre midterm & ~ 3/4 post midterm
Bring the following:
Your SFU ID or picture ID (required)
HB pencil & eraser (to fill in answer sheet)

Final Exam Procedures

In the exam room, you will NOT be allowed to have any bags,
jackets, or other items near you... all of these will have to be left
in the instructor area of the room.
Do not bring any valuable items with you (e.g. laptops, mp3
players, cell phones), as we cannot be responsible for your
belongings.
You will NOT be allowed to enter the exam room after 30 min
from the start... and you will NOT be able to write the final exam.
Finally, you will NOT be allowed to write the exam if you do not
provide a PHOTO ID (SFU student card, driver's license, etc.)
BONUS QUESTION: FUNNY JOKE / DRAWING

Course Review

Organizational Strategy and IS

Industry Structure & Competition

Porter's five Competitive Forces:
Bargaining power of customers
Threat of substitution
Bargaining power of suppliers
Threat of new entrants
Rivalry among existing firms
Porter's four Competitive Strategies:
Cost leadership across industry
Cost leadership focused on particular industry segment
Differentiation across industry
Differentiation focused on particular industry segment

Porter's Value Chain Model

A Value Chain is a network of value-creating activities:
1. Primary activities directly add value to products/services
2. Support activities indirectly responsible for benefits to customers

Competitive Advantage

Productivity = efficiency + effectiveness
efficiency - business processes can be accomplished more quickly
and/or with fewer resources and facilities
effectiveness - company offers new and/or improved goods/services
Companies innovate to create competitive advantage:
Sustaining technologies are changes in technology that maintain the
rate of improvement in customer value
Disruptive technologies introduce a very new package of attributes
to the accepted mainstream products
Companies can create competitive advantage via:
Products - new, enhanced, differentiated
Business Processes - lock in customers/suppliers, create entry
barriers, establish alliances, reduce costs

Business Processes

A Business Process describes a set of activities that are
necessary to complete a response to a stimulus applied to
an organization
A business process is a network of:
Activities (transformers)
Resources (value items)
Facilities (structures)
Information (tracking)
Business process design:
Business Process Automation (BPA)
Business Process Improvement (BPI)
Business Process Transformation (BPT)

Information System Components

Hardware & Software

Hardware (physical components):
Input (direct & indirect)
Processing (CPU, BUS, ROM, RAM)
Output (print, video, audio)
Storage (magnetic, optical, flash)
Software (logical components):
Firmware (BIOS)
Operating System (system software)
Applications (productivity software)
Horizontal-market (all industries)
Vertical-market (specific industry)
Malware (malicious software, viruses, worms, etc.)

Networks

Telecommunications is the transfer of data (bits) between at
least two machines through one or more Transmission Media in a
Digital or Analog mode
To transfer data, a network utilizes a standard Protocol that is
recognized by both receiving and sending machines
TCP/IP, HTTP, FTP, SMTP, POP
To transfer data, machines must be connected to a Network:
Local Area Network (LAN)
Wired NIC 802.3 (Ethernet)
Wireless WNIC 802.11 (Wi-Fi) + Access Point
Wide Area Network (WAN) & Wireless WAN (cell)
Internet (Dial-Up, DSL, Cable)

Data

Bit = binary digit (0 or 1)
Byte = character of data (1 byte = 8 bits)
Field/Column = one or more bytes
Represents an attribute of a thing/event
Record/Row = group of logically related fields
Master (status) vs. Transaction (event)
Table/Field = many records
Database = many tables + their relationships + metadata
Relationships are created using Primary and Foreign Keys
One-to-One, One-to-Many, Many-to-Many
DBMS is a program that creates, processes, and administers
a database

Types of Information Systems

Functional IS support a single department (business function)
Marketing and Sales
Operations
Manufacturing
Human Resources
Accounting and Finance
Cross-functional IS operate across departments (e.g. CRM, ERP)
Inter-organizational IS are cross-functional systems used by two
or more related companies (e.g. SCM, E-commerce)
E-commerce categories
Merchant: B2C, B2B, B2G
Non-Merchant: auctions, clearinghouses, exchanges

Decision Making

Level: Operational, Managerial, Strategic
Structure (method): Structured vs. Unstructured

Rational Decision Making Model

1. Intelligence - gather information from external and
internal sources
2. Design - generate alternative decisions
3. Choice - select one of the alternatives
4. Implementation - put chosen alternative into action
Rationality (optimal) vs. Satisficing (satisfactory)

Multiple Attribute Decision Making (MADM):
Options - identify possible alternatives
Criteria - what is important
Weight - how important
Score - rate each option

Data vs. Information

Data are recorded facts or figures
Information is processed data
Good information:
Accurate
Timely
Relevant
Just Barely Sufficient
Worth Its Cost
Knowledge is finding relationships among pieces of
information

Data Processing

Online Transaction Processing (OLTP) systems collect data
Real-time or Batch
Online Analytic Processing (OLAP) systems make OLTP-
collected data useful for decision making
Data Warehouse supports decision making
Data Mart is a subset of a data warehouse
Business Intelligence (BI) systems provide information for
improving decision making:
Reporting systems
Data Mining systems (supervised vs. unsupervised)
Knowledge-management systems
Expert systems

Information System Acquisition

Build (in-house or contract)
IT Projects
Systems Development Life Cycle (SDLC)
Rapid Application Development (RAD)
Buy (COTS)
match org needs with COTS capabilities
Rent
Outsourcing (same country)
Nearshoring (border country)
Offshoring (another country)

System Development Life Cycle (SDLC)

1. Systems Definition: Why should the system be built?
Define goals and scope, assess feasibility, form project team
2. Requirements Analysis: Who, what, where, and when?
Identify features and functions, involve users
3. Component Design: How will the system be built?
Based on approved user requirements, all 5 IS components
4. Implementation: Put it in action
Build, test, and install new IS (parallel, pilot, phased, plunge)
5. System Maintenance:
Repair, add new features, maintain

Security Threats & Problems

Threats to individuals: Identity Theft
Threats to organizations:
Human error and mistakes
Malicious human activity
Natural events and disasters

Types of security problems include:
Unauthorized data disclosure
Incorrect data modification
Faulty service
Denial of service
Loss of infrastructure

Security Program Elements

Security Policy
Risk management
Safeguards
Technical (hardware and software)
Data (content)
Human (procedures and people)
Incident Response Plan
Physical location
Recovery (WAR, cold/hot site, relocate, shut down)
Practice!

IT/IS Issues

IT Alignment - process of matching organizational
objectives with IT architecture
IS Audit - providing assurance that organizational data is of
high quality (accurate, timely, accessible) and secure
IS Governance - developing leadership, structures and
processes that ensure that IT sustains and extends org.
strategies/objectives
Sarbanes-Oxley Act & Budget Measures Act
IS Ethics - the way we think and act in situations where our
choices affect others, using IT in appropriate way
Green IT - using IT resources to better support the Triple
Bottom Line for organizations

MIS and You...

You must realize that information systems are critical to running a
business, a department, or even a team
To be a more effective manager, you will need a thorough
understanding of what IS can do for you
Take this opportunity as a business student to learn as much as
you can about IS
The MIS concentration is inherently interdisciplinary and is a
valuable competitive advantage for students concentrating in
other areas such as accounting, marketing, management science,
human resources, or finance

The End

The Final, Final Word

Congratulations!
You've made it through the entire course
With this knowledge you are well prepared to be an effective
user of information systems
Information technology will continue to cause fundamental
changes in the business environment
So as you finish your business degree, stay alert for new
technology-based opportunities
If you found this course interesting, take more MIS classes!
If you enjoy this material, become an MIS major!!!

Thank You!

Good luck in your exam,
school, careers,
and all future endeavours