Mit6e Ch16 by Firli


Transcript of Mit6e Ch16 by Firli

  • 8/6/2019 Mit6e Ch16 by Firli

    1/46

    Copyright 2009 Pearson Education, Inc. Publishing as Prentice Hall 1

    Managing Information Technology

    6th Edition

    CHAPTER 16

    INFORMATION SECURITY


    Information Security

    Background

    Organizations face security threats from both within and outside.

    Traditional security measures have addressed external threats.

    Understanding the managerial aspects of information security is important because of the changing regulatory environment and the potential risk exposure that some firms face.


    E-Crime

    E-Crime: any criminal violation in which a computer or e-media is used in the commission of the crime.


    E-Crime

    Examples of credit card security breaches (Figure 16.1):

    TJX

    CardSystems Inc.


    E-Crime

    Many Types of E-Crime

    All incur costs to organizations or individuals (Figure 16.2)


    E-Crime

    Some common ways computers are attacked

    Virus: a small unit of code embedded in a file or program that, when executed, replicates itself and may cause damage to infected computers

    Worm: self-replicating malicious code that spreads on its own across a network, without needing to attach itself to a host file or wait for a user to run it

    Trojan horse: a security-breaking program that is disguised as a legitimate program

    Logic bomb: a program, or code within a system, that takes action when a certain event occurs

    Denial of service attack: occurs when a large number of messages are sent to a target computer simultaneously with the purpose of disrupting the capability of the target


    E-Crime

    Other techniques used in E-Crime:

    Phishing: the solicitation of sensitive personal information from users, commonly in the form of email and instant messages

    Spoofing: the use of a fraudulent Web site that mimics a legitimate one; often used in conjunction with phishing


    E-Crime

    Hacker vs. Cracker

    Hacker: an individual with no malicious intent who attacks computer systems for the purpose of highlighting security vulnerabilities

    Cracker: an individual who attacks computer systems to intentionally steal information or cause harm


    E-Crime

    All managers responsible for security compliance should have an understanding of the basics of security technology

    Security Basics (Figure 16.4)

    Firewalls and proxy servers

    Encryption and VPNs

    Identity and Access Management (IAM) systems

    Content-filtering tools

    Penetration-testing tools


    Information Risk Management

    Steps in Risk Management

    Determine the organization's information assets and their values

    Decide how long the organization can function without specific information assets

    Develop and implement security procedures to protect these information assets


    Information Risk Management

    Steps in Risk Management

    Determine the organization's information assets and their values

    Example: One organization determined that corporate information found on employee laptops is an important asset. The organization estimates that a loss of the information on a single laptop may cost $50,000 on average.


    Information Risk Management

    The expected annual loss due to a vulnerability can be calculated by the following formula:

    Annualized Expected Losses (AEL) = Single Loss Expectancy (SLE) × Annual Occurrence Rate (AOR)


    Information Risk Management

    Quantitative example:

    Losing the corporate data from a single laptop has an estimated value of $50,000 (the SLE)

    The corporation identified three occurrences in the last two years where a laptop had been lost

    This is an Annual Occurrence Rate (AOR) of 3 / 2 = 1.5

    Annualized Expected Losses (AEL) = Single Loss Expectancy (SLE) × Annual Occurrence Rate (AOR)


    Information Risk Management

    Quantitative example:

    Therefore, the Annualized Expected Losses (AEL) amount to $75,000

    Annualized Expected Losses (AEL) = Single Loss Expectancy (SLE) × Annual Occurrence Rate (AOR)

    $75,000 = $50,000 × 1.5


    Information Risk Management

    After performing a quantitative risk analysis, the Annualized Expected Losses (AEL) are used to perform a security cost-benefit analysis

    Security Cost-Benefit Analysis: a quantitative analysis IS managers may perform to examine the potential business benefits and the intervention costs involved with mitigating security risks


    Information Risk Management

    Security Cost-Benefit Analysis

    Managers must estimate the costs of the actions performed to secure the information asset

    The Return Benefit from the actions can be estimated by the following formula:

    Return Benefit = Annualized Expected Losses (AEL) - Annualized Cost of Actions


    Information Risk Management

    Security Cost-Benefit Analysis

    From the laptop example, the company estimates that adding strong encryption to the corporate data on the laptops will cost $100 per year for each of the 200 laptops in the company

    Overall, a $20,000 annualized cost for this intervention would be realized ($100 × 200)

    Return Benefit = Annualized Expected Losses (AEL) - Annualized Cost of Actions


    Information Risk Management

    Security Cost-Benefit Analysis

    After performing the analysis, we find that this action has an estimated return benefit of $55,000 per year

    Return Benefit = Annualized Expected Losses (AEL) - Annualized Cost of Actions

    $55,000 = $75,000 - $20,000
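    The risk-management procedure above (asset value, occurrence rate from incident history, AEL, annualized cost of the action, return benefit) carried through in code, as an added example that is not from the textbook. The laptop figures are the ones on the slides; the `Asset`, `Control`, `return_benefit` and `rank_controls` names, the two alternative controls and their costs, and the `reduction` factor are all assumptions of this example. The factor is there because the slides' formula implicitly credits an action with the whole AEL, which is only right if the action eliminates the loss; a control that merely reduces it should be credited with that fraction.

```python
"""Quantitative risk analysis as described on the slides:

    AEL = SLE x AOR
    Return Benefit = AEL - annualized cost of the action

The laptop figures ($50,000 SLE, 3 losses in 2 years, $100/year x 200 laptops)
come from the slides; the other controls below are constructed examples with
made-up costs and reduction factors, not data from the textbook.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    sle: float        # Single Loss Expectancy: dollars lost per incident
    incidents: int    # incidents observed in the history window
    years: float      # length of the history window, in years

    @property
    def aor(self) -> float:
        """Annual Occurrence Rate derived from the incident history."""
        return self.incidents / self.years

    @property
    def ael(self) -> float:
        """Annualized Expected Losses."""
        return self.sle * self.aor


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # Fraction of the AEL the control is expected to remove. 1.0 reproduces the
    # slides' formula, which implicitly assumes the action eliminates the loss;
    # a partial control is credited only with the loss it actually prevents.
    # This factor is an assumption of this example, not part of the textbook's formula.
    reduction: float = 1.0

    def __post_init__(self) -> None:
        if not 0.0 <= self.reduction <= 1.0:
            raise ValueError("reduction must be between 0 and 1")
        if self.annual_cost < 0:
            raise ValueError("annual_cost cannot be negative")


def return_benefit(asset: Asset, control: Control) -> float:
    """Return Benefit = (AEL removed by the control) - annualized cost of the control."""
    return asset.ael * control.reduction - control.annual_cost


def rank_controls(asset: Asset, controls: list[Control]) -> list[tuple[str, float, bool]]:
    """Rank candidate controls by return benefit, highest first.

    The boolean says whether the control pays for itself (positive benefit); a
    negative benefit means it costs more per year than the loss it would avoid.
    """
    scored = []
    for control in controls:
        benefit = return_benefit(asset, control)
        scored.append((control.name, benefit, benefit > 0))
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Figures from the slides' laptop example.
LAPTOP_DATA = Asset("corporate data on employee laptops", sle=50_000, incidents=3, years=2)

ENCRYPTION = Control("full-disk encryption, 200 laptops at $100/year", annual_cost=100 * 200)

# Constructed alternatives for comparison (costs and reduction factors are made up).
CANDIDATE_CONTROLS = [
    ENCRYPTION,
    Control("remote wipe via MDM, 200 laptops at $40/year", annual_cost=40 * 200, reduction=0.6),
    Control("courier escort for every laptop", annual_cost=90_000),
]


if __name__ == "__main__":
    print(f"AOR = {LAPTOP_DATA.aor:.2f}/year, AEL = ${LAPTOP_DATA.ael:,.0f}")
    for name, benefit, worth_it in rank_controls(LAPTOP_DATA, CANDIDATE_CONTROLS):
        verdict = "fund" if worth_it else "reject"
        print(f"{verdict:6} {name}: return benefit ${benefit:,.0f}/year")
```

    The courier line is the decision rule in action: a negative return benefit means the control costs more than the loss it avoids, so the risk is either accepted or a cheaper control is sought. Note also how thin the AOR evidence is: three events in two years is a small sample, so the AEL should be revisited as incident history accumulates.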


    Compliance with Current Security Laws

    Legal and Regulatory Environment

    Impacts information security practices (Figure 16.7)


    Compliance with Current Security Laws

    Sarbanes-Oxley Act of 2002 (SOX)

    Created as a response to the accounting scandals at Enron, Tyco, WorldCom, and others

    Applies to publicly traded US companies


    Compliance with Current Security Laws

    Sarbanes-Oxley Act of 2002 (SOX)

    "Sarbanes is the most sweeping legislation to affect publicly traded companies since the reforms during the Great Depression"

    - Gartner analyst John Bace


    Compliance with Current Security Laws

    SOX affects IS leaders in two major ways:

    Records retention: the act states that companies must retain electronic communication such as email and instant messaging for a period of at least five years

    IT audit controls: officers must certify that they are responsible for establishing and maintaining internal controls


    Compliance with Current Security Laws

    Section 404 of SOX states that companies must use an internal control framework such as COSO

    COSO: a framework for auditors to use when assessing internal controls, created by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)


    Compliance with Current Security Laws

    Internal controls are assurance processes

    COSO defines internal control as: a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

    Effectiveness and efficiency of operations

    Reliability of financial reporting

    Compliance with applicable laws and regulations


    Compliance with Current Security Laws

    The COSO framework contains five interrelated components:

    Control Environment

    Risk Assessment

    Control Activities

    Information and Communication

    Monitoring


    Compliance with Current Security Laws

    Gramm-Leach-Bliley Act of 1999 (GLBA)

    Mandates that financial institutions maintain a high level of confidentiality for the financial information of their clients or customers

    The act gives federal agencies and states the authority to enforce the following rules:

    Financial Privacy Rule

    Safeguards Rule


    Compliance with Current Security Laws

    Gramm-Leach-Bliley Act of 1999 (GLBA)

    Financial Privacy Rule

    Requires financial institutions to provide customers with privacy notices

    Organizations must clearly state their privacy policies when establishing relationships with customers

    Organizations cannot disclose nonpublic personal information to a nonaffiliated third party unless the customer has been given notice and an opportunity to opt out


    Compliance with Current Security Laws

    Gramm-Leach-Bliley Act of 1999 (GLBA)

    Safeguards Rule

    Organizations must have a written security plan in place to protect customers' nonpublic confidential information


    Compliance with Current Security Laws

    Health Insurance Portability and Accountability Act (HIPAA)

    HIPAA requires organizations to secure nonpublic confidential medical information

    Noncompliance can lead to serious penalties and fines


    Compliance with Current Security Laws

    Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT)

    Commonly called the PATRIOT Act

    Gives the US government greater ability to access information

    Victims of computer hacking can now request law enforcement assistance


    Compliance with Current Security Laws

    California Information Practices Act (Senate Bill 1386)

    In the past, companies have often been silent when information theft occurred

    This act requires organizations that store nonpublic personal information on California residents to notify the affected residents of a breach of that information in the most expedient time possible and without unreasonable delay

    Noncompliance may lead to civil or criminal consequences


    Developing an Information Security Policy

    Information Security Policies

    Required by many regulations (e.g., SOX)

    Required to obtain insurance

    Information Security Policy: a written document describing what is, and is not, permissible use of information in the organization and the consequences for violation of the policy


    Developing an Information Security Policy

    What should be in the policy?

    Common topics:

    Access control policies

    External access policies

    User and physical policies

    Example policies: the SANS Institute provides templates for many policy types


    Developing an Information Security Policy

    Policy should be appropriate to the estimated risks of the organization

    Policies should be quickly modified when new situations arise affecting security

    Organizations should make it easy for employees to access the most recent policy


    Planning for Business Continuity

    This is more than simple disaster recovery

    When an organization cannot resume operations in a reasonable time frame, it leads to business failure

    Business Continuity Planning (BCP): putting specific plans in place that ensure that employees and business processes can continue when faced with any major unanticipated disruption


    Planning for Business Continuity

    McNurlin & Sprague identified the following components of BCP that were often overlooked before the 9/11 terrorist attacks:

    Alternate workspaces for people, with working computers and phone lines

    Backup IT sites that are not too close, but not too far away

    Up-to-date evacuation plans that everyone knows and has practiced


    Planning for Business Continuity

    McNurlin & Sprague identified the following components of BCP that were often overlooked before the 9/11 terrorist attacks (continued):

    Backed-up laptops and departmental servers, because a lot of corporate information is housed on these machines rather than in the data center

    Helping people cope with a disaster by having easily accessible phone lists, e-mail lists, and even instant-messenger lists so that people can communicate with loved ones and colleagues


    Planning for Business Continuity

    Disruptions are usually ranked based on the following categories (time within which operations must be restored):

    Category        Recovery time
    Lower-priority  30 days
    Normal          7 days
    Important       72 hours
    Urgent          24 hours
    Critical        < 12 hours


    Planning for Business Continuity

    Electronic Records Management (ERM)

    Covers the retention of important digital documents

    Grew out of the need to satisfy regulations such as SOX and HIPAA

    May require a centralized approach

    The e-discovery amendments to the Federal Rules of Civil Procedure make ERM even more important


    Planning for Business Continuity

    Electronic Records Management (ERM)

    ERM managers are responsible for the following:

    Defining what constitutes an electronic record

    Analyzing the current business environment and developing appropriate ERM policies

    Classifying specific records based upon their importance, regulatory requirements, and retention duration

    Authenticating records by maintaining accurate logs and procedures to prove that these are the actual records, and that they have not been altered

    Managing policy compliance
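    One way to implement the "authenticating records" responsibility above, as an added example that is not from the textbook: each archived record's SHA-256 digest is appended to a log whose entries are chained by an HMAC over the entry and the previous entry's HMAC, so that altering a stored record, rewriting an earlier log entry, or reordering entries is detected when the chain is verified. The key, the record identifiers and the record contents are all constructed for this example, as are the `append_entry`, `verify_chain` and `tamper_demo` names.

```python
"""Tamper-evident record log for ERM: proves that archived records are the
ones originally filed and have not been altered since.

Each log entry stores the SHA-256 digest of one record plus an HMAC over the
entry and the previous entry's HMAC, so a change to any record, any entry, or
the order of entries breaks verification. The key and the records below are
constructed for this example; nothing here comes from the textbook.
"""
import hashlib
import hmac
import json
from typing import Optional

GENESIS = "0" * 64  # "previous MAC" for the first entry in the chain

# Constructed sample records (id -> archived bytes). A real ERM system would read
# these from the archive; the key would live in an HSM or key-management service.
KEY = b"constructed-demo-key-do-not-reuse"
RECORDS = {
    "EMAIL-2008-0001": b"From: cfo@example.com\r\nSubject: Q1 close\r\n\r\nFigures attached.",
    "IM-2008-0002": b"[09:14] alice: approve the wire transfer?\n[09:15] bob: yes",
    "CONTRACT-2008-0003": b"%PDF-1.4 ... (contract body) ...",
}


def record_digest(content: bytes) -> str:
    """Content hash stored in the log; changing a single byte changes it."""
    return hashlib.sha256(content).hexdigest()


def _entry_mac(entry_without_mac: dict, key: bytes) -> str:
    # Canonical JSON so the MAC does not depend on dictionary ordering.
    payload = json.dumps(entry_without_mac, sort_keys=True).encode()
    return hmac.new(key, payload, "sha256").hexdigest()


def append_entry(log: list[dict], record_id: str, content: bytes, key: bytes) -> dict:
    """Chain a new record onto the log and return the entry written."""
    entry = {
        "seq": len(log),
        "record_id": record_id,
        "sha256": record_digest(content),
        "prev": log[-1]["mac"] if log else GENESIS,
    }
    entry["mac"] = _entry_mac(entry, key)
    log.append(entry)
    return entry


def verify_chain(log: list[dict], records: dict, key: bytes) -> Optional[int]:
    """Return None if every entry and record checks out, otherwise the seq of the
    first entry that fails (bad MAC, broken chain, missing or altered record)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if entry.get("seq") != i or entry.get("prev") != prev:
            return i  # reordered, inserted or deleted entry
        if not hmac.compare_digest(entry.get("mac", ""), _entry_mac(body, key)):
            return i  # entry rewritten without the key
        content = records.get(entry["record_id"])
        if content is None or record_digest(content) != entry["sha256"]:
            return i  # record missing or altered since it was logged
        prev = entry["mac"]
    return None


def build_demo_log() -> list[dict]:
    log: list[dict] = []
    for record_id, content in RECORDS.items():
        append_entry(log, record_id, content, KEY)
    return log


def tamper_demo() -> tuple:
    """Three outcomes: clean log, one altered record, one rewritten log entry."""
    log = build_demo_log()
    clean = verify_chain(log, RECORDS, KEY)

    altered = dict(RECORDS)
    altered["IM-2008-0002"] = b"[09:14] alice: approve the wire transfer?\n[09:15] bob: no"
    altered_record = verify_chain(log, altered, KEY)

    forged = [dict(e) for e in log]
    forged[2]["record_id"] = "CONTRACT-2008-9999"  # edited without the key
    rewritten_entry = verify_chain(forged, RECORDS, KEY)
    return clean, altered_record, rewritten_entry


if __name__ == "__main__":
    print(tamper_demo())
```

    The chain on its own does not detect truncation of the most recent entries; for that, the latest MAC has to be anchored somewhere the log's custodian cannot silently change, such as a periodic signed or timestamped checkpoint kept by a separate party.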


    Planning for Business Continuity

    Electronic Records Management (ERM)

    Managers must realize that businesses may be digitally liable for actions their employees have taken when communicating electronically

    Electronic corporate information may reside on computers external to the company (e.g., cached email)


    The Chief Information Security Officer Role

    With increasing pressure to comply with laws and regulations, many companies have added a chief information security officer (CISO) to their organization

    The CISO is responsible for monitoring information security risks and developing strategies to mitigate those risks


    The Chief Information Security Officer Role

    As it is impossible to eliminate all risk, the CISO must balance the trade-offs between risks and the costs of eliminating them

    (Figure: cost of prevention versus risk)

    All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. Printed in the United States of America.

    Copyright 2009 Pearson Education, Inc. Publishing as Prentice Hall