
Information Systems for Decision Making
(Sistemas de Información para la Toma de Decisiones)

Topic 13 - Chapter 15
Managing Information
Resources & Security
Learning Objectives
!  Recognize the difficulties in managing information resources.
!  Understand the role of the IS department and its relationships with end-users.
!  Discuss the role of the chief information officer.
!  Recognize information systems’ vulnerability and the possible damage from malfunctions.

MTI. Carlos J. Duarte Camacho. Information Systems for Decision Making (Sistemas de Información para la Toma de Decisiones). Topic 13, Slide 2
Learning Objectives (cont.)
!  Describe the major methods of defending information systems.
!  Describe the security issues of the Web and electronic commerce.
!  Distinguish between security auditing and disaster recovery planning, and understand the economics of security.
!  Describe the Euro 2002 issue.

Case: Cyber Crime
!  On Feb. 7-9, 2000, the biggest EC sites were hit by cyber crime.
"  Yahoo!, eBay, Amazon.com, E*Trade
!  The attacker used a distributed denial of service (DDoS) attack.
"  By hammering a Web site’s equipment with too many requests for information, an attacker can effectively clog a system. Here the requests came from many compromised machines at once, so no single source stood out and blocking one address achieved nothing.
!  The total damage worldwide was estimated at $5-10 billion (U.S.).
"  The attacker, a Canadian teenager known online as "Mafiaboy", was arrested in April 2000 and convicted in a Canadian youth court. The case often confused with this one, the ILOVEYOU worm of May 2000, did end without prosecution: its author in the Philippines had broken no law in force there at the time.
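A concrete form of the "too many requests" symptom, as an added example that is not part of the original slides: a sliding-window request counter run over constructed Common Log Format lines. A per-source threshold catches a single noisy host; the aggregate check is what catches the distributed variant described in the case, where each of hundreds of sources stays below the per-source limit. The sample traffic, the thresholds and the 10-second window are assumptions chosen for the demonstration; the only real assumption about input is that the log is written in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format line: ip ident authuser [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (timestamp, source_ip) for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(m["ts"], TS_FMT), m["ip"]


def detect_floods(lines, window=timedelta(seconds=10),
                  per_source_limit=50, aggregate_limit=300):
    """Sliding-window request counting over time-ordered access-log lines.

    Two checks are needed because one is not enough:
      * per-source: one IP sending more than per_source_limit requests inside
        the window (a single-origin flood);
      * aggregate: total requests inside the window above aggregate_limit,
        which catches a distributed flood in which every individual source
        stays below the per-source limit.
    Returns {"per_source": set of flagged IPs,
             "aggregate": (time, requests_in_window, distinct_sources) for the
                          first window that tripped the aggregate limit, or None}.
    """
    per_source = defaultdict(deque)   # ip -> timestamps still inside the window
    recent = deque()                  # (timestamp, ip) for every request in the window
    flagged = set()
    aggregate_alert = None

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:            # skip non-CLF lines (assumption: input is time-ordered)
            continue
        now, ip = parsed

        q = per_source[ip]
        q.append(now)
        while now - q[0] > window:
            q.popleft()
        if len(q) > per_source_limit:
            flagged.add(ip)

        recent.append((now, ip))
        while now - recent[0][0] > window:
            recent.popleft()
        if aggregate_alert is None and len(recent) > aggregate_limit:
            distinct = len({src for _, src in recent})
            aggregate_alert = (now, len(recent), distinct)

    return {"per_source": flagged, "aggregate": aggregate_alert}


# --- Constructed sample traffic (generated here, not a real capture) ----------
_T0 = datetime(2000, 2, 7, 10, 15, 0, tzinfo=timezone.utc)


def _clf(ip, offset_ms):
    ts = (_T0 + timedelta(milliseconds=offset_ms)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "GET / HTTP/1.0" 200 2326'


def build_sample_lines():
    events = []
    # ordinary browsing: 20 clients, 3 requests each, spread over about 15 s
    for i in range(20):
        for k in range(3):
            events.append((i * 500 + k * 3000, f"203.0.113.{i + 1}"))
    # single-origin flood: one host, 120 requests in 2 s
    for k in range(120):
        events.append((20_000 + k * 16, "198.51.100.7"))
    # distributed flood: 400 hosts, one request each, inside 5 s
    for i in range(400):
        events.append((40_000 + i * 12, f"198.18.{i // 256}.{i % 256}"))
    events.sort()                      # logs are written in time order
    return [_clf(ip, ms) for ms, ip in events]


SAMPLE_LINES = build_sample_lines()

if __name__ == "__main__":
    print(detect_floods(SAMPLE_LINES))
```

Run against the constructed log, the single-origin host is the only per-source hit, while the aggregate alert fires on the distributed flood with every request in the window coming from a different address, exactly the pattern a per-source rule would never see.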

Lessons Learned from the Case
!  Information resources that include computers, networks, programs, and data are vulnerable to unforeseen attacks.
!  Many countries do not have sufficient laws to deal with computer criminals.
!  Protection of networked systems can be a complex issue.
!  Attackers can zero in on a single company, or can attack many companies without discrimination.
!  Attackers use different attack methods.
!  Although variations of the attack methods are known, the defence against them is difficult and/or expensive.

Information Resources Management
#  Information resources management (IRM) encompasses all
activities related to the planning, organizing, acquiring,
maintaining, securing, and controlling of IT resources.

#  The management of information resources is divided among the information services department (ISD) and the end-users.
"  The name of the ISD depends on the IT role, its size, and so forth.
"  The director of IS is sometimes called the chief information officer (CIO).
"  It is extremely important to have good relations between the ISD & end-users.

End-User Computing
Generally, the IS organization takes one of the following four approaches toward end-user computing:

!  Let them sink or swim. Do nothing: let the end-user beware.
!  Use the stick. Establish policies and procedures to control end-user computing so that corporate risks are minimized.
!  Use the carrot. Create incentives to encourage certain end-user practices that reduce organizational risks.
!  Offer support. Develop services to aid end-users in their computing activities.

Steering Committees

The corporate steering committee is a group of managers and staff representing various organizational units. The committee’s major tasks are:
! Direction setting
! Rationing
! Structuring
! Staffing
! Communication
! Evaluating

SLAs & Information Centers

!  Service level agreements (SLAs) are formal agreements regarding the division of computing responsibility among end-users and the ISD.
"  Such divisions are based on a small set of critical computing decisions made by end-user management.
!  Information centers (IC), also known as the user’s service or help center, concentrate on end-user support with PCs, client/server applications, and the Internet/intranet.
"  The IC is set up to help users get certain systems built quickly.

The New IT Organization
Rockart et al. (1996) proposed the following eight imperatives for ISDs, the “New IT organization”:
#  Achieve two-way strategic alignment
#  Develop effective relations with line management
#  Quickly develop and implement new systems
#  Build and manage infrastructures
#  Reskill the IT organization
#  Manage vendor relationships
#  Build high performance
#  Redesign and manage the federal IT organization

The Role of the CIO
#  The CIO is taking increasing responsibility for defining the strategic future.
#  The increasingly networked environment may lead to disillusionment with IT.
#  The CIO needs to understand that the Web-based era is more about fundamental business change than technology.
#  The CIO needs to argue for a greater measure of central coordination.
#  The IT asset-acquisition process must be improved by the CIO.
#  The CIO is responsible for developing new Web-based business models.
#  The CIO is becoming a business visionary.

Key Terminology

" Backup
" Decryption
" Encryption
" Exposure
" Fault tolerance
" IS controls
" Integrity (of data)
" Risk
" Threats (or hazards)
" Vulnerability

Security Threats

Cyber Crime
!  Crimes can be performed by outsiders who penetrate a computer
system (hackers) or by insiders who are authorized to use the
computer system but are misusing their authorization.
" A cracker is a malicious hacker, who may represent a serious
problem for a corporation.

!  Two basic methods of attack are used in deliberate attacks on computer systems:
" data tampering
" programming fraud, e.g. viruses

U.S. Federal Statutes
!  According to the FBI, an average white-collar crime involves $23,000;
but an average computer crime involves about $600,000.
!  The following U.S. federal statutes deal with computer crime;
"  Counterfeit Access Device and Computer Fraud Act of 1984
"  Computer Fraud and Abuse Act of 1986
"  Computer Abuse Amendments Act of 1994 (prohibits transmission of viruses)
"  Computer Security Act of 1987
"  Electronic Communications Privacy Act of 1986
"  Electronic Funds Transfer Act of 1980
"  Video Privacy Protection Act of 1988

Defending Information Systems
Defending information systems is not a simple or inexpensive task for the following reasons:

!  Hundreds of potential threats exist.
!  Computing resources may be situated in many locations.
!  Many individuals control information assets.
!  Computer networks can be outside the organization and difficult to protect.
!  Rapid technological changes make some controls obsolete as soon as they are installed.
!  Many computer crimes are undetected for a long period of time.
!  People tend to violate security procedures because they are inconvenient.

Defense Strategies

!  The following are the major objectives of defense strategies:


#  Prevention & deterrence
#  Detection
#  Limitation
#  Recovery
#  Correction

Types of Defense Controls
The defense controls are divided into two major categories:

" General controls
•  Protect the system regardless of the specific application.

" Application controls
•  Safeguards that are intended to protect specific applications.

Types of Controls

!  General Controls
" Physical controls
" Access controls
" Biometric controls
" Data security controls
" Communications (networks) controls
" Administrative controls

!  Application Controls
" Input controls
" Processing controls
" Output controls

Security Measures
!  An access control system guards against unauthorized dial-in attempts.
" E.g., the use of a preassigned personal identification number (PIN).
!  Modems. It is quite easy for attackers to penetrate them and for employees to leak secret corporate information to external networks.
!  Encryption is used extensively in EC for protecting payments and privacy.
!  Troubleshooting packages such as cable testers can find almost any fault that can occur with LAN cabling.

Security Measures (cont.)
!  Payload security involves encryption or other manipulation of data being sent over networks.
!  Commercial products. Hundreds of commercial security products exist on the market.
!  Intrusion detection. It is worthwhile to place an intrusion detection device near the entrance point of the Internet to the intranet.
!  A firewall is commonly used as a barrier between the secure corporate intranet, or other internal networks, and the Internet.
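To make the firewall bullet concrete, here is an added example that is not part of the original slides, showing how such a barrier actually decides: an ordered rule list evaluated first-match, with a default-deny policy for anything no rule covers. The network layout, the addresses (documentation ranges) and the rules are assumptions made for the demonstration. A small audit helper shows why rule order matters: a broad deny placed above a narrower allow silently shadows it, and the administrators lose their SSH access without any rule being "wrong" on its own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (from the Internet towards us) or "out"
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                                # "allow" or "deny"
    direction: str                             # "in", "out" or "any"
    src: str                                   # CIDR; "0.0.0.0/0" means any
    dst: str
    proto: str                                 # "tcp", "udp" or "any"
    dports: Optional[Tuple[int, int]] = None   # inclusive port range, None = any port
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.direction != "any" and self.direction != pkt.direction:
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dports is not None and not (self.dports[0] <= pkt.dport <= self.dports[1]):
            return False
        return True


class Firewall:
    """First-match packet filter: the first rule that matches decides; no match -> default."""

    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules = list(rules)
        self.default = default

    def decide(self, pkt: Packet) -> Tuple[str, str]:
        """Return (action, comment of the deciding rule, or 'default')."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action, rule.comment
        return self.default, "default"


def unmatched_rules(fw: Firewall, packets: List[Packet]) -> List[str]:
    """Comments of rules that decide none of the test packets: dead or shadowed rules."""
    hit = set()
    for pkt in packets:
        for i, rule in enumerate(fw.rules):
            if rule.matches(pkt):
                hit.add(i)
                break
    return [r.comment for i, r in enumerate(fw.rules) if i not in hit]


# Constructed policy and test traffic (assumed layout, documentation address ranges).
ANY, INTERNAL, ADMIN_NET, WEB_SERVER = "0.0.0.0/0", "10.0.0.0/8", "198.51.100.0/24", "192.0.2.10/32"

POLICY = Firewall([
    Rule("allow", "in",  ANY,       WEB_SERVER, "tcp", (443, 443), "public HTTPS to the DMZ web server"),
    Rule("allow", "in",  ADMIN_NET, INTERNAL,   "tcp", (22, 22),   "SSH from the admin network only"),
    Rule("deny",  "in",  ANY,       INTERNAL,   "any", None,       "no other inbound traffic reaches internal hosts"),
    Rule("allow", "out", INTERNAL,  ANY,        "tcp", (80, 80),   "internal clients browsing out over HTTP"),
    Rule("allow", "out", INTERNAL,  ANY,        "tcp", (443, 443), "internal clients browsing out over HTTPS"),
])

TEST_PACKETS = [
    Packet("in",  "203.0.113.9",   "192.0.2.10",  "tcp", 443),   # public visitor to the web server
    Packet("in",  "198.51.100.20", "10.1.2.3",    "tcp", 22),    # administrator SSH
    Packet("in",  "203.0.113.9",   "10.1.2.3",    "tcp", 3389),  # RDP attempt from outside
    Packet("out", "10.1.2.3",      "203.0.113.9", "tcp", 80),
    Packet("out", "10.1.2.3",      "203.0.113.9", "tcp", 443),
]

# Same rules with the broad deny moved above the narrow SSH allow: the allow is now shadowed.
MISORDERED = Firewall([POLICY.rules[0], POLICY.rules[2], POLICY.rules[1]] + POLICY.rules[3:])

if __name__ == "__main__":
    for pkt in TEST_PACKETS:
        print(pkt, "->", POLICY.decide(pkt))
    print("never matched in MISORDERED:", unmatched_rules(MISORDERED, TEST_PACKETS))
```

Two habits this illustrates: the default is deny, so a forgotten service is unreachable rather than exposed; and a policy should be checked against a set of expected packets after every change, because `unmatched_rules` is the only thing that reveals the shadowed SSH rule in `MISORDERED`.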

IT Auditing
!  In the information system environment, auditing can be viewed as an additional layer of controls or safeguards.
" It involves a periodic examination and check of records and procedures; in an IT audit the object is the information system’s controls as much as the financial and accounting records they protect.
!  Two types of auditors (and audits):
" Internal
•  An internal auditor is usually a corporate employee who is not a
member of the ISD.
" External
•  An external auditor is a corporate outsider.

IT Auditing (cont.)
Auditors attempt to answer questions such as:
1.  Are there sufficient controls in the system?
2.  Which areas are not covered by controls?
3.  Which controls are not necessary?
4.  Are the controls implemented properly?
5.  Are the controls effective; do they check the output of the system?
6.  Is there a clear separation of duties of employees?
7.  Are there procedures to ensure compliance with the controls?
8.  Are there procedures to ensure reporting and corrective actions in case
of violations of controls?

How is Auditing Executed?
IT auditing procedures can be classified into three categories:
" Auditing around the computer - verifying processing by checking for known outputs using specific inputs.
" Auditing through the computer - inputs, outputs, and processing are checked.
" Auditing with the computer - using a combination of client data, auditor software, and client and auditor hardware.

Disaster Recovery Plan
#  A disaster recovery plan is essential to any security system.
#  Here are some key thoughts about disaster recovery by Knoll (1986):
"  The purpose of a recovery plan is to keep the business running after a
disaster occurs.
"  Recovery planning is part of asset protection.
"  Planning should focus first on recovery from a total loss of all capabilities.
"  Proof of capability usually involves some kind of what-if analysis that
shows that the recovery plan is current.
"  All critical applications must be identified and their recovery procedures
addressed in the plan.

Backup Location
!  In the event of a major disaster, it is often necessary to move a centralized computing facility to a far-away backup location.
!  External hot-site vendors provide access to a fully configured backup data center.
"  E.g., when an earthquake hit San Francisco in 1989, Charles Schwab & Co. was ready.
"  Within a few minutes, the company’s disaster plan was activated.
"  Programmers, engineers, and backup computer tapes were flown to New Jersey, where Comdisco Disaster Recovery Service provided a hot site.

Case: Disaster Planning at Reuters
Problem:
!  Reuters is a multinational information-delivery corporation.
!  If Reuters’ information system were to fail outright, it would take more than 15
brokerage houses with it. The costs, not to mention the legal ramifications,
would be tremendous.
Solution:
!  Reuters implemented an Internet disaster recovery plan with SunGard Corp.
!  The company now operates 3 redundant Web sites in different locations from
coast to coast.
!  If all 3 were to fail, a hot site would be used to ensure continuous operation.

Risk Management

Risk-Management (cont.)

!  A risk-management approach helps identify threats and select cost-effective security measures.
!  Risk-management analysis can be enhanced by the use of DSS software packages.
" Calculations can be used to compare the expected loss with the cost of preventing it.
!  A business continuity plan outlines the process by which businesses should recover from a major disaster.
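The comparison of expected loss with the cost of preventing it, worked through as an added example that is not part of the original slides, using the standard quantitative risk figures: single loss expectancy (SLE = asset value × exposure factor), annualized loss expectancy (ALE = SLE × annualized rate of occurrence), and for each candidate safeguard the net benefit (ALE before, minus ALE after, minus the safeguard's yearly cost) and the return on security investment. Every asset value, rate and cost below is constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One threat/asset pair, valued the way a quantitative risk analysis does it."""
    name: str
    asset_value: float      # what the asset is worth to the business (currency units)
    exposure_factor: float  # fraction of that value lost in one incident, 0..1
    aro: float              # annualized rate of occurrence, incidents per year

    def sle(self):
        """Single loss expectancy: loss from one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self):
        """Annualized loss expectancy: expected loss per year."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    threat: str              # name of the Threat it mitigates
    annual_cost: float       # amortized purchase plus operation, per year
    aro_factor: float = 1.0  # multiplier on ARO (0.25 = three quarters of incidents prevented)
    ef_factor: float = 1.0   # multiplier on exposure factor (0.1 = damage per incident cut by 90%)


def residual_ale(threat, safeguard):
    """ALE that remains once the safeguard is in place."""
    return Threat(threat.name, threat.asset_value,
                  min(1.0, threat.exposure_factor * safeguard.ef_factor),
                  threat.aro * safeguard.aro_factor).ale()


def evaluate(threats, safeguards):
    """Compare expected loss with the cost of preventing it, for each safeguard.

    net_benefit = ALE_before - ALE_after - annual_cost
    rosi        = net_benefit / annual_cost   (return on security investment)
    Rows come back sorted by net benefit, best first.
    """
    by_name = {t.name: t for t in threats}
    rows = []
    for sg in safeguards:
        t = by_name[sg.threat]
        before, after = t.ale(), residual_ale(t, sg)
        net = before - after - sg.annual_cost
        rows.append({"safeguard": sg.name, "threat": t.name,
                     "ale_before": before, "ale_after": after,
                     "annual_cost": sg.annual_cost,
                     "net_benefit": net, "rosi": net / sg.annual_cost})
    rows.sort(key=lambda r: r["net_benefit"], reverse=True)
    return rows


def cost_effective(rows):
    """Names of the safeguards whose yearly loss reduction exceeds their yearly cost."""
    return [r["safeguard"] for r in rows if r["net_benefit"] > 0]


# Constructed figures for illustration only (not data from the slides).
THREATS = [
    Threat("DoS flood against the storefront", 2_000_000, 0.05, 4.0),
    Threat("Data-center fire", 5_000_000, 0.60, 0.05),
    Threat("Insider data tampering", 1_000_000, 0.10, 2.0),
]
SAFEGUARDS = [
    Safeguard("Upstream traffic scrubbing", "DoS flood against the storefront", 120_000, aro_factor=0.25),
    Safeguard("Hot-site contract", "Data-center fire", 200_000, ef_factor=0.10),
    Safeguard("Fire suppression system", "Data-center fire", 80_000, ef_factor=0.30),
    Safeguard("Separation of duties + change logging", "Insider data tampering", 40_000, aro_factor=0.5),
]

if __name__ == "__main__":
    for r in evaluate(THREATS, SAFEGUARDS):
        print(f'{r["safeguard"]:40} ALE {r["ale_before"]:>10,.0f} -> {r["ale_after"]:>10,.0f} '
              f'cost {r["annual_cost"]:>8,.0f} net {r["net_benefit"]:>9,.0f} ROSI {r["rosi"]:.2f}')
```

Note the hot-site contract: on expected-value arithmetic alone it loses money, because a fire is rare. That is the limit of ALE: it prices a 5% chance of losing most of the data center the same as the certainty of losing 5% of it, and says nothing about whether the business survives the rare event. Continuity planning of the kind described on the disaster recovery slides is justified by that survival requirement, not by its ALE, which is why the calculation supports the decision rather than making it.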

IT Security in the 21st Century
!  Increasing the Reliability of Systems.
The objective relating to reliability is to use fault tolerance to keep the information systems working, even if some parts fail.
!  Intelligent Systems for Early Detection.
Detecting an intrusion at its beginning is extremely important, especially for classified information and financial data.
!  Intelligent Systems in Auditing.
Intelligent systems are used to enhance the task of IS auditing.

IT Security in the 21st Century (cont.)
!  Artificial Intelligence in Biometrics.
Expert systems, neural computing, voice recognition, and fuzzy logic can be used to enhance the capabilities of several biometric systems.
!  Expert Systems for Diagnosis, Prognosis, and Disaster Planning.
Expert systems can be used to diagnose troubles in computer systems and to suggest solutions.
!  Smart Cards.
Smart card technology can be used to protect PCs on LANs.
!  Fighting Hackers.
Several new products are available for fighting hackers.

Case: The Euro Conversion
Some major IT issues involved in the Euro conversion are:
!  Time and cost estimates are difficult.
!  The decision on a conversion date was delegated to individual companies, and it varies.
!  Legal requirements force organizations to keep accounting data in their original form. This will create problems for comparisons over time.
!  It is necessary to convert the code and the existing applications that involve currencies.
!  It is necessary to change all the data and data files in the organizations’ databases.

Case: The Euro Conversion (cont.)
In order to execute the conversion properly a CIO must…
!  Coordinate the execution with the business side of the enterprise, creating a
joint team with members of the ISD & other functional units.
!  Outsourcing some of the tasks is advisable.
!  Business impact analysis should be done first.
!  Both business and IT strategies for the conversion must be done, coordinated,
and assessed periodically.
!  A proper project management process must be conducted.

!  A proper testing program must be prepared and properly implemented.
!  A deployment strategy for the conversion should be determined.

Managerial Issues
!  To whom should the ISD report?
!  Who needs a CIO?
!  End-users are friends, not enemies, of the IS department.
!  Ethical issues.

Managerial Issues (cont.)

!  Responsibilities for security should be assigned in all areas.
!  Security awareness programs are important for any organization, especially if it is heavily dependent on IT.
!  Auditing information systems should be institutionalized into the organizational culture.
!  Organizing the ISD in a multinational corporation is a complex issue.

