Beruflich Dokumente
Kultur Dokumente
la Toma de Decisiones
Tema 13 - Chapter 15
Managing Information
Resources & Security
1
Learning Objectives
! Recognize the difficulties in managing information resources.
MTI. Carlos J. Duarte Camacho Sistemas de Información para la Toma de Decisiones. Tema 13 Diapositiva 2
Learning Objectives (cont.)
! Describe the major methods of defending information systems.
MTI. Carlos J. Duarte Camacho Sistemas de Información para la Toma de Decisiones. Tema 13 Diapositiva 3
Case: Cyber Crime
! On Feb. 6, 2000 - the biggest EC sites were hit by cyber crime.
" Yahoo!, eBay, Amazon.com, E*Trade
MTI. Carlos J. Duarte Camacho Sistemas de Información para la Toma de Decisiones. Tema 13 Diapositiva 4
Lessons Learned from the Case
! Information resources that include computers, networks, programs, and data
are vulnerable to unforeseen attacks.
! Many countries do not have sufficient laws to deal with computer criminals.
! Although variations of the attack methods are known, the defence against
them is difficult and/or expensive.
MTI. Carlos J. Duarte Camacho Sistemas de Información para la Toma de Decisiones. Tema 13 Diapositiva 5
Information Resources Management
# Information resources management (IRM) encompasses all
activities related to the planning, organizing, acquiring,
maintaining, securing, and controlling of IT resources.
MTI. Carlos J. Duarte Camacho Sistemas de Información para la Toma de Decisiones. Tema 13 Diapositiva 6
End-User Computing
Generally, the IS organization takes one of the following four
approaches toward end-user computing:
MTI. Carlos J. Duarte Camacho Sistemas de Información para la Toma de Decisiones. Tema 13 Diapositiva 7
Steering Committees
MTI. Carlos J. Duarte Camacho Sistemas de Información para la Toma de Decisiones. Tema 13 Diapositiva 8
SLAs & Information Centers
MTI. Carlos J. Duarte Camacho Sistemas de Información para la Toma de Decisiones. Tema 13 Diapositiva 9
The New IT Organization
Rockart et al. (1996) proposed the following eight imperatives for
ISDs the “New IT organization :
# Achieve two-way strategic alignment
# Develop effective relations with line management
# Quickly develop and implement new systems
# Build and manage infrastructures
# Reskill the IT organization
# Manage vendor relationships
# Build high performance
# Redesign and manage the federal IT organization
MTI. Carlos J. Duarte Camacho Sistemas de Información para la Toma de Decisiones. Tema 13 Diapositiva 10
The Role of the CIO
# The CIO is taking increasing # The CIO needs to argue for a
responsibility for defining strategic greater measures of central
future. coordination.
# The increased networked # The IT asset-acquisition process
environment may lead to must be improved by the CIO.
disillusionment with IT.
# The CIO is responsible for
developing new Web-based
# The CIO needs to understand that business models.
the Web-based era is more about
fundamental business change than # The CIO is becoming a business
technology. visionary.
MTI. Carlos J. Duarte Camacho Sistemas de Información para la Toma de Decisiones. Tema 13 Diapositiva 11
Key Terminology
MTI. Carlos J. Duarte Camacho Sistemas de Información para la Toma de Decisiones. Tema 13 Diapositiva 12
Security Threats
MTI. Carlos J. Duarte Camacho Sistemas de Información para la Toma de Decisiones. Tema 13 Diapositiva 13
Cyber Crime
! Crimes can be performed by outsiders who penetrate a computer
system (hackers) or by insiders who are authorized to use the
computer system but are misusing their authorization.
" A cracker is a malicious hacker, who may represent a serious
problem for a corporation.
MTI. Carlos J. Duarte Camacho Sistemas de Información para la Toma de Decisiones. Tema 13 Diapositiva 14
U.S. Federal Statutes
! According to the FBI, an average white-collar crime involves $23,000;
but an average computer crime involves about $600,000.
! The following U.S. federal statutes deal with computer crime;
" Counterfeit Access Device and Computer Fraud Act of 1984
" Computer Fraud and Abuse Act of 1986
" Computer Abuse Amendment Act of 1994 (prohibits transmission of
viruses)
" Computer Security Act of 1987
" Electronic Communications Privacy Act of 1986
" Electronic Funds Transfer Act of 1980
" Video privacy protection act of 1988
MTI. Carlos J. Duarte Camacho Sistemas de Información para la Toma de Decisiones. Tema 13 Diapositiva 15
Defending Information Systems
Defending information systems is not a simple or inexpensive
task for the following reasons:
MTI. Carlos J. Duarte Camacho Sistemas de Información para la Toma de Decisiones. Tema 13 Diapositiva 16
Defense Strategies
MTI. Carlos J. Duarte Camacho Sistemas de Información para la Toma de Decisiones. Tema 13 Diapositiva 17
Types of Defense Controls
The defense controls are divided into two major categories:
" General controls
• Protect the system regardless of the specific application.
" Application controls
• Safeguards that are intended to protect specific applications.
MTI. Carlos J. Duarte Camacho Sistemas de Información para la Toma de Decisiones. Tema 13 Diapositiva 18
Types of Controls
MTI. Carlos J. Duarte Camacho Sistemas de Información para la Toma de Decisiones. Tema 13 Diapositiva 19
Security Measures
! An access control system guards against unauthorized dial-in attempts.
" The use of preassigned personal identification number
(PIN).
! Modems. It is quite easy for attackers to penetrate them and for
employees to leak secret corporate information to external networks.
MTI. Carlos J. Duarte Camacho Sistemas de Información para la Toma de Decisiones. Tema 13 Diapositiva 20
Security Measures (cont.)
! Payload security involves encryption or other manipulation of data
being sent over networks.
MTI. Carlos J. Duarte Camacho Sistemas de Información para la Toma de Decisiones. Tema 13 Diapositiva 21
IT Auditing
! In the information system environment, auditing can be viewed
as an additional layer of controls or safeguards.
" It involves a periodical examination and check of financial and
accounting records and procedures.
! Two types of auditors (and audits):
" Internal
• An internal auditor is usually a corporate employee who is not a
member of the ISD.
" External
• An external auditor is a corporate outsider.
MTI. Carlos J. Duarte Camacho Sistemas de Información para la Toma de Decisiones. Tema 13 Diapositiva 22
IT Auditing (cont.)
Auditors attempt to answer questions such as:
1. Are there sufficient controls in the system?
2. Which areas are not covered by controls?
3. Which controls are not necessary?
4. Are the controls implemented properly?
5. Are the controls effective; do they check the output of the system?
6. Is there a clear separation of duties of employees?
7. Are there procedures to ensure compliance with the controls?
8. Are there procedures to ensure reporting and corrective actions in case
of violations of controls?
MTI. Carlos J. Duarte Camacho Sistemas de Información para la Toma de Decisiones. Tema 13 Diapositiva 23
How is Auditing Executed?
IT auditing procedures can be classified into three categories:
" Auditing around the computer - verifying processing by checking for
known outputs using specific inputs.
MTI. Carlos J. Duarte Camacho Sistemas de Información para la Toma de Decisiones. Tema 13 Diapositiva 24
Disaster Recovery Plan
# A disaster recovery plan is essential to any security system.
# Here are some key thoughts about disaster recovery by Knoll (1986):
" The purpose of a recovery plan is to keep the business running after a
disaster occurs.
" Recovery planning is part of asset protection.
" Planning should focus first on recovery from a total loss of all capabilities.
" Proof of capability usually involves some kind of what-if analysis that
shows that the recovery plan is current.
" All critical applications must be identified and their recovery procedures
addressed in the plan.
MTI. Carlos J. Duarte Camacho Sistemas de Información para la Toma de Decisiones. Tema 13 Diapositiva 25
Backup Location
! In the event of a major disaster, it is often necessary to move a
centralized computing facility to a far-away backup location.
MTI. Carlos J. Duarte Camacho Sistemas de Información para la Toma de Decisiones. Tema 13 Diapositiva 26
Case: Disaster Planning at Reuters
Problem:
! Reuters is a multinational information-delivery corporation.
! If Reuters’ information system were to fail outright, it would take more than 15
brokerage houses with it. The costs, not to mention the legal ramifications,
would be tremendous.
Solution:
! Reuters implemented an Internet disaster recovery plan with SunGard Corp.
! The company now operates 3 redundant Web sites in different locations from
coast to coast.
! If all 3 were to fail, a hot site would be used to ensure continuous operation.
MTI. Carlos J. Duarte Camacho Sistemas de Información para la Toma de Decisiones. Tema 13 Diapositiva 27
Risk Management
MTI. Carlos J. Duarte Camacho Sistemas de Información para la Toma de Decisiones. Tema 13 Diapositiva 28
Risk-Management (cont.)
MTI. Carlos J. Duarte Camacho Sistemas de Información para la Toma de Decisiones. Tema 13 Diapositiva 29
IT Security in the 21st Century
! Increasing the Reliability of Systems.
The objective relating to reliability is to use fault tolerance to keep
the information systems working, even if some parts fail.
MTI. Carlos J. Duarte Camacho Sistemas de Información para la Toma de Decisiones. Tema 13 Diapositiva 30
IT Security in the 21st Century (cont.)
! Artificial Intelligence in Biometrics.
Expert systems, neural computing, voice recognition, and fuzzy logic
can be used to enhance the capabilities of several biometric systems.
MTI. Carlos J. Duarte Camacho Sistemas de Información para la Toma de Decisiones. Tema 13 Diapositiva 31
Case: The Euro Conversion
Some major IT issues involved in the Euro conversion are;
! Time and cost estimates are difficult.
MTI. Carlos J. Duarte Camacho Sistemas de Información para la Toma de Decisiones. Tema 13 Diapositiva 32
Case: The Euro Conversion (cont.)
In order to execute the conversion properly a CIO must…
! Coordinate the execution with the business side of the enterprise, creating a
joint team with members of the ISD & other functional units.
! Outsourcing some of the tasks is advisable.
! Business impact analysis should be done first.
! Both business and IT strategies for the conversion must be done, coordinated,
and assessed periodically.
! A proper project management process must be conducted.
MTI. Carlos J. Duarte Camacho Sistemas de Información para la Toma de Decisiones. Tema 13 Diapositiva 33
Managerial Issues
! To whom should the ISD
report?
! Ethical Issues.
MTI. Carlos J. Duarte Camacho Sistemas de Información para la Toma de Decisiones. Tema 13 Diapositiva 34
Managerial Issues (cont.)
MTI. Carlos J. Duarte Camacho Sistemas de Información para la Toma de Decisiones. Tema 13 Diapositiva 35