
Chapter 15

Managing Information Resources & Security

Learning Objectives
• Recognize the difficulties in managing information resources.
• Understand the role of the IS department and its relationships with end-users.
• Discuss the role of the chief information officer.
• Recognize information systems’ vulnerability and the possible damage from malfunctions.

Learning Objectives (cont.)
• Describe the major methods of defending information systems.
• Describe the security issues of the Web and electronic commerce.
• Distinguish between security auditing and disaster recovery planning, and understand the economics of security.
• Describe the Euro 2002 issue.

Case: Cyber Crime
• On Feb. 6, 2000, the biggest EC sites were hit by cyber crime: Yahoo!, eBay, Amazon.com, E*Trade.
• The attacker(s) used a method called denial of service (DoS).
  - By hammering a Web site’s equipment with too many requests for information, an attacker can effectively clog a system.
• The total damage worldwide was estimated at $5-10 billion (U.S.).
• The alleged attacker, from the Philippines, was not prosecuted because he did not break any law in the

Lessons Learned from the Case
• Information resources, which include computers, networks, programs, and data, are vulnerable to unforeseen attacks.
• Many countries do not have sufficient laws to deal with computer criminals.
• Protection of networked systems can be a complex issue.
• Attackers can zero in on a single company, or can attack many companies without discrimination.
• Attackers use different attack methods.
• Although variations of the attack methods are known, the defense against them is difficult and/or expensive.

Information Resources Management
• Information resources management (IRM) encompasses all activities related to the planning, organizing, acquiring, maintaining, securing, and controlling of IT resources.
• The management of information resources is divided among the information services department (ISD) and the end-users.
  - The name of the ISD depends on the IT role, its size, and so forth.
  - The director of IS is sometimes called the chief information officer (CIO).
• It is extremely important to have good relations

End-User Computing
Generally, the IS organization takes one of the following four approaches toward end-user computing:
• Let them sink or swim. Don’t do anything; let the end-user beware.
• Use the stick. Establish policies and procedures to control end-user computing so that corporate risks are minimized.
• Use the carrot. Create incentives to encourage certain end-user practices that reduce organizational risks.
• Offer support. Develop services to aid end-users in their computing activities.

Steering Committees
The corporate steering committee is a group of managers and staff representing various organizational units. The committee’s major tasks are:
• Direction setting
• Rationing
• Structuring
• Staffing
• Communication
• Evaluating

SLAs & Information Centers
• Service level agreements (SLAs) are formal agreements regarding the division of computing responsibility among end-users and the ISD.
  - Such divisions are based on a small set of critical computing decisions made by end-user management.
• Information centers (IC), also known as the user’s service or help center, concentrate on end-user support with PCs, client/server applications, and the Internet/intranet.
  - The IC is set up to help users get certain systems built quickly.

The “New IT Organization”
Rockart et al. (1996) proposed the following eight imperatives for ISDs, the “New IT organization”:
• Achieve two-way strategic alignment
• Develop effective relations with line management
• Quickly develop and implement new systems
• Build and manage infrastructures
• Reskill the IT organization
• Manage vendor relationships
• Build high performance
• Redesign and manage the “federal” IT organization

The Role of the CIO
• The CIO is taking increasing responsibility for defining the strategic future.
• The increased networked environment may lead to disillusionment with IT.
• The CIO needs to understand that the Web-based era is more about fundamental business change than technology.
• The CIO needs to argue for greater measures of central coordination.
• The IT asset-acquisition process must be improved by the CIO.
• The CIO is responsible for developing new Web-based business models.
• The CIO is becoming a business visionary.

Key Terminology
• Backup
• Decryption
• Encryption
• Exposure
• Fault tolerance
• IS controls
• Integrity (of data)
• Risk
• Threats (or hazards)
• Vulnerability

Security Threats

Cyber Crime
• Crimes can be performed by outsiders who penetrate a computer system (hackers) or by insiders who are authorized to use the computer system but are misusing their authorization.
• A cracker is a malicious hacker, who may represent a serious problem for a corporation.
• Two basic methods of attack are used in deliberate attacks on computer systems:
  - data tampering
  - programming fraud, e.g. viruses

U.S. Federal Statutes
• According to the FBI, an average white-collar crime involves $23,000, but an average computer crime involves about $600,000.
• The following U.S. federal statutes deal with computer crime:
  - Counterfeit Access Device and Computer Fraud Act of 1984
  - Computer Fraud and Abuse Act of 1986
  - Computer Abuse Amendment Act of 1994 (prohibits transmission of viruses)
  - Computer Security Act of 1987
  - Electronic Communications Privacy Act of 1986
  - Electronic Funds Transfer Act of 1980
  - Video Privacy Protection Act of 1988

Defending Information Systems
Defending information systems is not a simple or inexpensive task for the following reasons:
• Hundreds of potential threats exist.
• Computing resources may be situated in many locations.
• Many individuals control information assets.
• Computer networks can be outside the organization and difficult to protect.
• Rapid technological changes make some controls obsolete as soon as they are installed.
• Many computer crimes are undetected for a long period of time.
• People tend to violate security procedures because they are inconvenient.

Defense Strategies
The following are the major objectives of defense strategies:
• Prevention & deterrence
• Detection
• Limitation
• Recovery
• Correction

Types of Defense Controls
The defense controls are divided into two major categories:
• General controls: protect the system regardless of the specific application.
• Application controls: safeguards that are intended to protect specific applications.

Types of Controls
• General controls
  - Physical controls
  - Access controls
  - Biometric controls
  - Data security controls
  - Communications (networks) controls
  - Administrative controls
• Application controls
  - Input controls
  - Processing controls
  - Output controls

Security Measures
• An access control system guards against unauthorized dial-in attempts.
  - The use of a preassigned personal identification number (PIN).
• Modems. It is quite easy for attackers to penetrate them and for employees to leak secret corporate information to external networks.
• Encryption is used extensively in EC for protecting payments and privacy.
• Troubleshooting packages such as cable testers can find almost any fault that can occur with a LAN.

Security Measures (cont.)
• Payload security involves encryption or other manipulation of data being sent over networks.
• Commercial products. Hundreds of commercial security products exist on the market.
• Intrusion detection. It is worthwhile to place an intrusion detection device near the entry point from the Internet to the intranet.
• A firewall is commonly used as a barrier between the secure corporate intranet, or other internal networks, and the Internet.

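The flood in the cyber crime case (too many requests clogging a site) and the intrusion-detection point above both come down to noticing abnormal request volume at the entry point. The following is an added example, not code from the original slides: a small rate-based detector in Python that parses Common Log Format lines, keeps a sliding window of request timestamps per source address, and flags a source once it exceeds a limit inside the window. The sample log, the 10-second window and the limit of 20 requests are constructed assumptions; a real deployment would tune both to measured baseline traffic.

```python
"""Rate-based request-flood detector (added example, not from the original slides).

Reads Common Log Format lines, keeps a sliding window of request timestamps per
source address, and flags a source whose request count inside the window exceeds
a limit. Window size, limit and the sample log are illustrative assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


class FloodDetector:
    """Flag a source when it exceeds `max_requests` within any `window_seconds` span."""

    def __init__(self, window_seconds=10, max_requests=20):
        self.window = window_seconds
        self.max_requests = max_requests
        self._hits = defaultdict(deque)  # ip -> timestamps still inside the window
        self.flagged = {}                # ip -> timestamp at which the limit was first exceeded

    def observe(self, ip, ts):
        """Record one request; return True if this source is (now or already) flagged."""
        q = self._hits[ip]
        q.append(ts)
        # evict timestamps that fell out of the sliding window (log is time-ordered per source)
        while q and (ts - q[0]).total_seconds() > self.window:
            q.popleft()
        if len(q) > self.max_requests and ip not in self.flagged:
            self.flagged[ip] = ts
        return ip in self.flagged


def scan(lines, window_seconds=10, max_requests=20):
    """Run the detector over log lines; return {ip: timestamp when first flagged}."""
    det = FloodDetector(window_seconds, max_requests)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # a malformed line must not crash the monitor
        ip, ts, _request = parsed
        det.observe(ip, ts)
    return det.flagged


def build_sample_log():
    """Constructed sample: one normal client (10 requests over 27 s), one source
    sending 50 requests in 5 s, and one malformed line. Addresses are documentation ranges."""
    base = datetime(2000, 2, 7, 10, 0, 0, tzinfo=timezone.utc)

    def fmt(ip, t):
        return '%s - - [%s] "GET /index.html HTTP/1.0" 200 5120' % (ip, t.strftime(TS_FMT))

    lines = [fmt("198.51.100.4", base + timedelta(seconds=3 * i)) for i in range(10)]
    lines += [fmt("203.0.113.7", base + timedelta(seconds=i // 10)) for i in range(50)]
    lines.append("this line is not a log record")
    return lines


if __name__ == "__main__":
    for ip, when in scan(build_sample_log()).items():
        print("flood from %s detected at %s" % (ip, when.isoformat()))
```

A per-address limit catches a single hammering source; a flood spread across many spoofed or distributed sources will stay under it, which is why the slides place the detection device and the firewall at the perimeter rather than on the server that is already saturated.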
IT Auditing
• In the information system environment, auditing can be viewed as an additional layer of controls or safeguards.
• It involves a periodic examination and check of financial and accounting records and procedures.
• Two types of auditors (and audits):
  - Internal: an internal auditor is usually a corporate employee who is not a member of the ISD.
  - External: an external auditor is a corporate outsider.

IT Auditing (cont.)
Auditors attempt to answer questions such as:
• Are there sufficient controls in the system?
• Which areas are not covered by controls?
• Which controls are not necessary?
• Are the controls implemented properly?
• Are the controls effective; do they check the output of the system?
• Is there a clear separation of duties of employees?
• Are there procedures to ensure compliance with the controls?
• Are there procedures to ensure reporting and corrective actions in case of violations of controls?

How is Auditing Executed?
IT auditing procedures can be classified into three categories:
• Auditing around the computer: verifying processing by checking for known outputs using specific inputs.
• Auditing through the computer: inputs, outputs, and processing are checked.
• Auditing with the computer: using a combination of client data, auditor software, and client and auditor hardware.

Disaster Recovery Plan
• A disaster recovery plan is essential to any security system.
• Here are some key thoughts about disaster recovery by Knoll (1986):
  - The purpose of a recovery plan is to keep the business running after a disaster occurs.
  - Recovery planning is part of asset protection.
  - Planning should focus first on recovery from a total loss of all capabilities.
  - Proof of capability usually involves some kind of what-if analysis that shows that the recovery plan is current.
  - All critical applications must be identified and their recovery procedures addressed in the plan.

Backup Location
• In the event of a major disaster, it is often necessary to move a centralized computing facility to a far-away backup location.
• External hot-site vendors provide access to a fully configured backup data center.
  - E.g., when an earthquake hit San Francisco in 1989, Charles Schwab & Co. was ready.
  - Within a few minutes, the company’s disaster plan was activated.
  - Programmers, engineers, and backup computer tapes were flown to New Jersey, where Comdisco Disaster Recovery Service provided a hot site.

Case: Disaster Planning at Reuters
Problem:
• Reuters is a multinational information-delivery corporation.
• If Reuters’ information system were to fail outright, it would take more than 15 brokerage houses with it. The costs, not to mention the legal ramifications, would be tremendous.
Solution:
• Reuters implemented an Internet disaster recovery plan with SunGard Corp.
• The company now operates 3 redundant Web sites in different locations from coast to coast.
• If all 3 were to fail, a hot site would be used to ensure continuous operation.

Risk Management

Risk Management (cont.)
• A risk-management approach helps identify threats and select cost-effective security measures.
• Risk-management analysis can be enhanced by the use of DSS software packages.
  - Calculations can be used to compare the expected loss with the cost of preventing it.
• A business continuity plan outlines the process by which businesses should recover from a major disaster.

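As an added worked example of the calculation the slide refers to (not from the original slides): the usual quantitative risk method takes a single loss expectancy SLE = asset value × exposure factor, an annualized rate of occurrence ARO, and an annualized loss expectancy ALE = SLE × ARO, then compares the ALE reduction a control buys with the control’s annual cost. The threat, the three candidate controls and every dollar figure below are constructed assumptions.

```python
"""Annualized loss expectancy comparison (added example, not from the original slides).

SLE = asset value * exposure factor; ALE = SLE * ARO. A control is worth buying
when the ALE it removes exceeds its annual cost. All figures are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # value of the exposed asset
    exposure_factor: float  # fraction of asset value lost per incident (0..1)
    aro: float              # expected incidents per year

    @property
    def sle(self):
        """Single loss expectancy: loss from one incident."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self):
        """Annualized loss expectancy: expected loss per year with no control."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    aro_reduction: float        # fraction by which the control cuts ARO (0..1)
    ef_reduction: float = 0.0   # fraction by which it cuts the exposure factor (0..1)


def residual_ale(threat, control):
    """Expected annual loss that remains after the control is in place."""
    return (threat.asset_value * threat.exposure_factor * (1 - control.ef_reduction)
            * threat.aro * (1 - control.aro_reduction))


def net_benefit(threat, control):
    """Annual loss avoided minus annual cost; positive means the control pays for itself."""
    return (threat.ale - residual_ale(threat, control)) - control.annual_cost


def rank_controls(threat, controls):
    """[(control name, net benefit)] sorted best-first."""
    scored = [(c.name, round(net_benefit(threat, c), 2)) for c in controls]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def cost_effective(threat, controls):
    """Names of the controls whose net benefit is positive, best-first."""
    return [name for name, benefit in rank_controls(threat, controls) if benefit > 0]


# Constructed scenario: an order-taking site that loses 5% of its value per outage,
# with two outages expected per year (all numbers are assumptions).
DOS_OUTAGE = Threat("DoS outage of order site", asset_value=2_000_000, exposure_factor=0.05, aro=2.0)
CANDIDATES = [
    Control("upstream traffic scrubbing", annual_cost=60_000, aro_reduction=0.9),
    Control("extra bandwidth only", annual_cost=150_000, aro_reduction=0.5),
    Control("rate limiting at the edge", annual_cost=15_000, aro_reduction=0.6),
]


if __name__ == "__main__":
    print("SLE = %.0f, ALE = %.0f" % (DOS_OUTAGE.sle, DOS_OUTAGE.ale))
    for name, benefit in rank_controls(DOS_OUTAGE, CANDIDATES):
        print("%-28s net benefit per year: %10.0f" % (name, benefit))
```

With these inputs the ALE is 200,000 per year; scrubbing removes 180,000 of it for 60,000 and edge rate limiting removes 120,000 for 15,000, while the bandwidth-only option costs more than the 100,000 it saves and drops out of the cost-effective list.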
IT Security in the 21st Century
• Increasing the Reliability of Systems. The objective relating to reliability is to use fault tolerance to keep the information systems working, even if some parts fail.
• Intelligent Systems for Early Detection. Detecting an intrusion at its beginning is extremely important, especially for classified information and financial data.
• Intelligent Systems in Auditing. Intelligent systems are used to enhance the task of IS auditing.

IT Security in the 21st Century (cont.)
• Artificial Intelligence in Biometrics. Expert systems, neural computing, voice recognition, and fuzzy logic can be used to enhance the capabilities of several biometric systems.
• Expert Systems for Diagnosis, Prognosis, and Disaster Planning. Expert systems can be used to diagnose troubles in computer systems and to suggest solutions.
• Smart Cards. Smart card technology can be used to protect PCs on LANs.
• Fighting Hackers. Several new products are

Case: The Euro Conversion
Some major IT issues involved in the Euro conversion are:
• Time and cost estimates are difficult.
• The decision on a conversion date was delegated to individual companies, and it varies.
• Legal requirements force organizations to keep accounting data in their original form. This will create problems for comparisons over time.
• It is necessary to convert the code and the existing applications that involve currencies.
• It is necessary to change all the data and data files in the organizations’ databases.

Case: The Euro Conversion (cont.)
In order to execute the conversion properly, a CIO must:
• Coordinate the execution with the business side of the enterprise, creating a joint team with members of the ISD and other functional units.
• Outsource some of the tasks; this is advisable.
• Do a business impact analysis first.
• Develop both business and IT strategies for the conversion, coordinate them, and assess them periodically.
• Conduct a proper project management process.

Managerial Issues
• To whom should the ISD report?
• Who needs a CIO?
• End-users are friends, not enemies, of the IS department.
• Ethical issues.

Managerial Issues (cont.)
• Responsibilities for security should be assigned in all areas.
• Security awareness programs are important for any organization, especially if it is heavily dependent on IT.
• Auditing information systems should be institutionalized into the organizational culture.
• Organizing the ISD in a multinational corporation is a complex issue.
