Chapter 6
2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood
Learning Objective 1
Overview
The term information security involves
Overview
The information security management system
Objective
Systems Analysis
Systems Design
Systems Implementation
Systems Operation, Evaluation, and Control
Systems Design
Systems Implementation
Systems Operation, Evaluation, and Control
Report to BOD
Analyzing Vulnerabilities and Threats
Two Basic Approaches:
1. Quantitative approach to risk assessment
2. Qualitative approach to risk assessment
Analyzing Vulnerabilities and Threats
Quantitative Approach to Risk Assessment
Analyzing Vulnerabilities and Threats
Qualitative Approach to Risk Assessment
Analyzing Vulnerabilities and Threats
Regardless of the method used, an
Business interruption
Loss of software
Loss of hardware
Loss of facilities
Loss of service and personnel
Loss of reputation
Learning Objective 2
system.
A threat is a potential exploitation of a vulnerability.
Personnel include:
Computer maintenance personnel
Programmers
Network operators
Information systems administrative personnel
Data control clerks
Malware
Trojan horse, keyboard loggers, backdoor, botnet, Denial-of-Service (DoS)
Exploits
Methods of Attack by Information Systems Personnel and Users
Methods of Attack by Information Systems Personnel and Users
Input manipulation is used in most cases
Methods of Attack by Information Systems Personnel and Users
information systems.
Misappropriation or theft of information occurs when employees use company computer resources for their own personal use or their own business.
Learning Objective 3
Methods of Attack by Information Systems Personnel and Users
Security measures focus on preventing and detecting threats.
Contingency plans focus on correcting the effects of threats.
The basic elements of internal control
Internet Security
Operating System Vulnerabilities:
Virtualization
Hypervisor
Web server vulnerabilities
Private network vulnerabilities
Vulnerabilities from server and communication programs
Internet Security
Cloud Computing
Cloud is a synonym for the Internet
Cloud computing is the use of cloud-based services and data storage.
Software as a Service (SaaS)
Grid computing involves clusters of
Learning Objective 4
Disaster Risk Management
Disaster risk management is
Prevention
Contingency planning
Disaster Risk Management
Disaster prevention is the first step in
Disaster Risk Management
Disaster Risk Management
The design of a disaster recovery
Disaster Risk Management
A complete set of recovery strategies
Information Security Standards
Information Security Standards
The COBIT framework is divided into four domains:
1. Plan and Organize
2. Acquire and Implement
3. Deliver and Support
4. Monitor and Evaluate
COSO's Internal Control Integrated Framework: Guidance on Monitoring Internal Control.
Standards
A business continuity plan is a strategy to mitigate disruption to business operations in the event of a disaster.
In the U.S., various economic sectors and industries are subject to BCP compliance standards:
Security of Federal Automated Information Resources
Financial Institution Safeguards
Sound Practices for Management and Supervision
Specification for Business Continuity Management
End of Chapter 6