
Information Security

Chapter 6

2013 Pearson Education, Inc. Publishing as Prentice Hall, AIS, 11/e, by Bodnar/Hopwood


Learning Objective 1

Describe general approaches to analyzing vulnerabilities and threats in information systems.


Overview

The term information security involves protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:

Confidentiality: preserving authorized restrictions on access and disclosure.
Integrity: guarding against improper information modification or destruction.
Availability: ensuring timely and reliable access.

Overview

The information security management system (ISMS) is an organizational internal control process that controls the special risks associated with information within the organization.
The ISMS has the basic elements of any information system, such as hardware, databases, procedures, and reports.
The ISMS is part of the larger enterprise risk management (ERM) process by which management balances risk versus opportunities.

The Information Security Management System Life Cycle

Life-Cycle Phase: Objective
Systems Analysis: Analyze system vulnerabilities in terms of relevant threats and their associated loss exposure.
Systems Design: Design security measures and contingency plans to control the identified loss exposures.
Systems Implementation: Implement the security measures as designed.
Systems Operation, Evaluation, and Control: Operate the system and assess its effectiveness and efficiency. Make changes as circumstances require.


The Information Security in the Organization

The information security system must be managed by a chief security officer (CSO).
This individual should report directly to the board of directors in order to maintain complete independence.
A primary duty of the CSO is to present reports to the BOD for approval covering each phase of the life cycle:

Life-Cycle Phase: Report to BOD
Systems Analysis: Summary of all relevant loss exposures
Systems Design: Detailed plans for controlling and managing losses
Systems Implementation; Systems Operation, Evaluation, and Control: Specifics on security system performance, including an itemization of losses and security breaches, analysis of compliance, and costs of operating the security system


Analyzing Vulnerabilities and Threats

Two basic approaches:
1. Quantitative approach to risk assessment
2. Qualitative approach to risk assessment


Analyzing Vulnerabilities and Threats

Quantitative approach to risk assessment: each loss exposure is computed as the product of the cost of an individual loss times the likelihood of its occurrence.

Difficulties:
Identifying the relevant costs per loss and the associated likelihoods can be difficult.
Estimating the likelihood of a given failure requires predicting the future, which is very difficult.

Analyzing Vulnerabilities and Threats

Qualitative approach to risk assessment: lists out the system's vulnerabilities and threats and subjectively ranks them in order of their contribution to the company's total loss exposures.


Analyzing Vulnerabilities and Threats

Regardless of the method used, an analysis must include loss exposure for the following areas:
Business interruption
Loss of software
Loss of hardware
Loss of facilities
Loss of service and personnel
Loss of reputation
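The quantitative formula above (loss exposure = cost of an individual loss times its likelihood), applied to the six loss areas the chapter requires, as an added example that is not part of the original slides. Every cost and likelihood figure is constructed, and the likelihood is given as a low/high range to show the chapter's caveat that the ranking hinges on predicting likelihoods:

```python
# Added example (not from the slides): rank the chapter's six loss areas by expected
# loss and show how a low vs. high likelihood estimate reorders them. All figures
# below are constructed for illustration.
from dataclasses import dataclass

@dataclass
class LossExposure:
    area: str
    cost_per_loss: float     # cost of one occurrence, in currency units
    likelihood_low: float    # lowest credible annual probability
    likelihood_high: float   # highest credible annual probability

    def expected_loss(self, likelihood):
        # Chapter formula: loss exposure = cost of an individual loss x likelihood
        return self.cost_per_loss * likelihood

# Constructed sample figures for the six areas the chapter requires.
EXPOSURES = [
    LossExposure("Business interruption",          250_000, 0.05,  0.20),
    LossExposure("Loss of software",                40_000, 0.10,  0.30),
    LossExposure("Loss of hardware",                60_000, 0.08,  0.15),
    LossExposure("Loss of facilities",           1_000_000, 0.005, 0.02),
    LossExposure("Loss of service and personnel",   80_000, 0.10,  0.24),
    LossExposure("Loss of reputation",             500_000, 0.012, 0.09),
]

def rank(exposures, which="high"):
    """(area, expected loss) pairs, largest first, for the chosen estimate."""
    rows = []
    for e in exposures:
        p = e.likelihood_high if which == "high" else e.likelihood_low
        rows.append((e.area, e.expected_loss(p)))
    return sorted(rows, key=lambda r: r[1], reverse=True)

def total_exposure(exposures, which="high"):
    return sum(v for _, v in rank(exposures, which))   # company-wide exposure

def ranking_changes(exposures):
    """Areas whose rank differs between the low and high estimates: the
    chapter's point that the result depends on predicting likelihoods."""
    low = [a for a, _ in rank(exposures, "low")]
    high = [a for a, _ in rank(exposures, "high")]
    return [a for a, b in zip(low, high) if a != b]

if __name__ == "__main__":
    for which in ("low", "high"):
        print(f"--- {which} estimate, total {total_exposure(EXPOSURES, which):,.0f}")
        for area, value in rank(EXPOSURES, which):
            print(f"  {area:30s} {value:>10,.0f}")
    print("rank differs for:", ranking_changes(EXPOSURES))
```

Only business interruption keeps its rank under both estimates; every other area moves, which is why the slides call the likelihood estimate the hard part.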


Learning Objective 2

Identify active and passive threats to information systems.


Vulnerabilities and Threats

A vulnerability is a weakness in a system.
A threat is a potential exploitation of a vulnerability.


Vulnerabilities and Threats

Two categories of threats:
Active threats include information systems fraud and computer sabotage.
Passive threats include system faults, as well as natural disasters (e.g., earthquakes, floods, fires, and hurricanes).
System faults represent component equipment failures such as disk failures, power outages, etc.

Individuals Posing a Threat to the Information System

There are three groups of individuals that could carry out an attack on an information system:
1. Computer and information systems personnel are often given a wide range of access privileges to sensitive data and programs.
2. Users are given narrow access, but can still find ways to commit fraud.
3. Intruders and attackers are given no access, but are highly capable.

Individuals Posing a Threat to the Information System

Computer and information systems personnel include:
Computer maintenance personnel
Programmers
Network operators
Information systems administrative personnel
Data control clerks

Individuals Posing a Threat to the Information System

Users are composed of heterogeneous groups of people. Their functional area does not lie in data processing or information technology.
An intruder is anyone who accesses equipment, electronic data, files, or any kind of privileged information without proper authorization.

Individuals Posing a Threat to the Information System

A hacker is an intruder who uses electronic and other means to break into or attack information systems for fun, challenge, profit, revenge, or other nefarious motives.

Not all hackers are malicious:
White hat hackers legitimately probe systems for weaknesses to help with security.
Black hat hackers attack systems for illegitimate reasons.
Grey hat hackers are white hat hackers who skirt the edges of the law.

Individuals Posing a Threat to the Information System

Hacker methods:
Social engineering: pretexting, phishing
Malware: Trojan horse, keyboard loggers, backdoor, botnet, denial-of-service (DoS), viruses, spyware, logic bombs, worms
Direct observation: shoulder surfing, dumpster diving, cloned cell phone
Exploits: code injection, vulnerability scanner



Methods of Attack by Information Systems Personnel and Users


Methods of Attack by Information Systems Personnel and Users

Input manipulation is used in most cases of insider computer fraud.
Program alteration is one of the least common methods.
Direct file alteration occurs when individuals find ways to bypass the normal process for inputting data into computer programs.

Methods of Attack by Information Systems Personnel and Users

Data theft is a serious problem.
Sabotage poses a serious danger to information systems.
Misappropriation or theft of information occurs when employees use company computer resources for their own personal use or their own business.


Learning Objective 3

Identify key aspects of an information security system.


Methods of Attack by Information Systems Personnel and Users

Security measures focus on preventing and detecting threats.
Contingency plans focus on correcting the effects of threats.
The basic elements of internal control (control environment, risk assessment, control activities, information and communication, and monitoring) are important to the ISMS.

The Control Environment

Establishing a good control environment depends on seven factors:
Management philosophy and operating style
Organizational structure
Board of directors and its committees
Methods of assigning authority and responsibility
Management control activities
Internal audit function
Personnel policies and practices
External influences


Controls for Active Threats

The layered approach to access control involves erecting multiple layers of controls that separate the would-be perpetrator from his or her potential target.
Site-access controls physically separate unauthorized individuals from information systems resources.
System-access controls authenticate users with user IDs, passwords, IP addresses, and hardware devices.
File-access controls prevent unauthorized access to data and program files.

Controls for Passive Threats

Preventive controls:
Fault-tolerant systems use redundant components to take over when one part of the system fails, so the system can continue operating with little or no interruption.


Controls for Passive Threats

Corrective controls:
File backups
A full backup backs up all files on a given disk. Each file contains an archive bit, which the full backup resets to 0.
An incremental backup backs up only those files that have been modified since the last full or incremental backup.
A differential backup is the same as an incremental backup, except that the archive bits are not reset to 0.
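The archive-bit mechanism behind the three backup types above, simulated as an added example that is not part of the original slides. File names and contents are constructed; the same edit sequence is run once with incrementals and once with differentials to show which files each backup copies and what a restore needs:

```python
# Added example (not from the slides): simulating the archive bit that full,
# incremental and differential backups use to choose files. Constructed data.
class Volume:
    def __init__(self):
        self.files = {}        # name -> content
        self.archive_bit = {}  # name -> 1 if modified since last full/incremental

    def write(self, name, content):
        self.files[name] = content
        self.archive_bit[name] = 1   # any modification sets the bit

def full_backup(vol):
    """Copy every file and reset every archive bit to 0."""
    for name in vol.files:
        vol.archive_bit[name] = 0
    return dict(vol.files)

def incremental_backup(vol):
    """Copy files whose bit is set, then reset those bits to 0."""
    copied = {n: c for n, c in vol.files.items() if vol.archive_bit[n]}
    for name in copied:
        vol.archive_bit[name] = 0
    return copied

def differential_backup(vol):
    """Copy files whose bit is set but leave the bits alone, so the set grows until the next full."""
    return {n: c for n, c in vol.files.items() if vol.archive_bit[n]}

def restore(full, later_backups):
    """Full backup with later backups applied in order: all incrementals, or only the latest differential."""
    state = dict(full)
    for b in later_backups:
        state.update(b)
    return state

def run(strategy):
    """Run one edit sequence under 'incremental' or 'differential'; return
    the file names each later backup copied and the restored state."""
    vol = Volume()
    for n in ("ledger.dat", "payroll.dat", "config.ini"):
        vol.write(n, n + " v1")
    full = full_backup(vol)
    partial = incremental_backup if strategy == "incremental" else differential_backup
    later = []
    for name in ("ledger.dat", "payroll.dat"):
        vol.write(name, name + " v2")
        later.append(partial(vol))
    needed = later if strategy == "incremental" else later[-1:]
    return [sorted(b) for b in later], restore(full, needed)
```

Both strategies restore the same final state; the difference is that the second differential copies both changed files, so a restore needs only the last differential, while every incremental must be replayed in order.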

Internet Security

Operating system vulnerabilities:
Virtualization
Hypervisor
Web server vulnerabilities
Private network vulnerabilities
Vulnerabilities from server and communication programs


Internet Security

Cloud computing:
Cloud is a synonym for the Internet.
Cloud computing is the use of cloud-based services and data storage.
Software as a Service (SaaS)
Grid computing involves clusters of interlinked computers that share common workloads.

General Security Procedures

Learning Objective 4

Discuss contingency planning and other disaster risk management practices.


Disaster Risk Management

Disaster risk management is essential to ensure continuity of operations in the event of a catastrophe.
Prevention
Contingency planning


Disaster Risk Management

Disaster prevention is the first step in managing disaster risk.
Frequencies of disaster causes:
Natural disasters: 30%
Deliberate actions: 45%
Human error: 25%
Disasters can be mitigated or avoided by a good security policy.

Disaster Risk Management

Contingency planning for disasters:
A disaster recovery plan must be implemented at the highest levels in the company.
The first step in developing a disaster recovery plan is obtaining the support of senior management and setting up a planning committee.

Disaster Risk Management

The design of a disaster recovery plan should include three major components:
1. Assess the company's critical needs.
2. List priorities for recovery.
3. Establish strategies and procedures.


Disaster Risk Management

A complete set of recovery strategies should take into account the following considerations:
Emergency response center
Escalation procedures
Alternate processing arrangements
Personnel relocation and replacement plans
Salvage plan
Plan for testing and maintaining the system


Information Security Standards

ISO/IEC 27000, 12 categories:
1. Risk assessment
2. Security policies
3. Organization and governance of IS
4. Asset management
5. Human resources
6. Physical and environmental security
7. Communications and operations management
8. Access control
9. IS acquisition, development, and maintenance
10. IS incident management
11. Business continuity management
12. Compliance

Information Security Standards

The COBIT framework is divided into four domains:
1. Plan and Organize
2. Acquire and Implement
3. Deliver and Support
4. Monitor and Evaluate
COSO's Internal Control Integrated Framework: Guidance on Monitoring Internal Control.

Business Continuity Planning and Disaster Recovery Standards

A business continuity plan is a strategy to mitigate disruption to business operations in the event of a disaster.
In the U.S., various economic sectors and industries are subject to BCP compliance standards:
Security of Federal Automated Information Resources
Financial Institution Safeguards
Sound Practices for Management and Supervision
Specification for Business Continuity Management

End of Chapter 6
