Mit6e Ch16 by Firli
Transcript of Mit6e Ch16 by Firli
-
8/6/2019 Mit6e Ch16 by Firli
1/46
Copyright 2009 Pearson Education, Inc. Publishing as Prentice Hall 1
Managing Information Technology
6th Edition
CHAPTER 16
INFORMATION SECURITY
-
Information Security
Background
Organizations face security threats from both within and outside
Traditional security measures have addressed external threats
Understanding the managerial aspects of information security is important because of the changing regulatory environment and the potential risk exposure that some firms face
-
E-Crime
E-Crime: any criminal violation in which a computer or e-media is used in the commission of the crime
-
E-Crime
Examples of credit card security breaches (Figure 16.1):
TJX
CardSystems Inc.
-
E-Crime
Many types of E-Crime
All incur costs to organizations or individuals (Figure 16.2)
-
E-Crime
Some common ways computers are attacked
Virus: a small unit of code embedded in a file or program that, when executed, replicates itself and may cause damage to infected computers
Worm: a self-replicating virus; unlike a file-infecting virus, a worm spreads across a network on its own, without needing a host program or user action
Trojan horse: a security-breaking program that is disguised as a legitimate program
Logic bomb: a program, or code within a system, that takes action when a certain event occurs
Denial of service attack: occurs when a large number of messages are sent to a target computer simultaneously with the purpose of disrupting the capability of the target
-
E-Crime
Other techniques used in E-Crime:
Phishing: the solicitation of sensitive personal information from users, commonly in the form of email and instant messages
Spoofing: the use of a fraudulent Web site that mimics a legitimate one; often used in conjunction with phishing
-
E-Crime
Hacker vs. Cracker
Hacker: an individual with no malicious intent who attacks computer systems for the purpose of highlighting security vulnerabilities
Cracker: an individual who attacks computer systems to intentionally steal information or cause harm
-
E-Crime
All managers responsible for security compliance should have an understanding of the basics of security technology
Security Basics (Figure 16.4)
Firewalls and proxy servers
Encryption and VPNs
Identity and Access Management Systems (IAM)
Content-filtering tools
Penetration-testing tools
-
Information Risk Management
Steps in Risk Management
Determine the organization's information assets and their values
Decide how long the organization can function without specific information assets
Develop and implement security procedures to protect these information assets
-
Information Risk Management
Steps in Risk Management
Determine the organization's information assets and their values
Example: one organization determined that corporate information found on employee laptops is an important asset. The organization estimates that a loss of the information on a single laptop may cost $50,000 on average
-
Information Risk Management
The expected losses due to a vulnerability can be calculated by the following formula:
Annualized Expected Losses (AEL) = Single Loss Expectancy (SLE) × Annual Occurrence Rate (AOR)
-
Information Risk Management
Quantitative example:
Losing the corporate data from a single laptop has an estimated value of $50,000 (the SLE)
The corporation identified three occurrences in the last two years where a laptop had been lost
This is an Annual Occurrence Rate (AOR) of 3 / 2 = 1.5
AEL = SLE × AOR
-
Information Risk Management
Quantitative example:
Therefore, the Annualized Expected Losses (AEL) amount to $75,000
AEL = SLE × AOR = $50,000 × 1.5 = $75,000
-
Information Risk Management
After performing a quantitative risk analysis, the Annualized Expected Losses (AEL) are used to perform a security cost-benefit analysis
Security Cost-Benefit Analysis: a quantitative analysis IS managers may perform to examine the potential business benefits and the intervention costs involved with mitigating security risks
-
Information Risk Management
Security Cost-Benefit Analysis
Managers must estimate the costs of the actions performed to secure the information asset
The return benefit from the actions can be estimated by the following formula:
Return Benefit = Annualized Expected Losses (AEL) − Annualized Cost of Actions
-
Information Risk Management
Security Cost-Benefit Analysis
From the laptop example, the company estimates that adding strong encryption to the corporate data on the laptops will cost $100 per year for each of the 200 laptops in the company
Overall, a $20,000 annualized cost for this intervention would be realized
Return Benefit = AEL − Annualized Cost of Actions
-
Information Risk Management
Security Cost-Benefit Analysis
After performing the analysis, we find that this action has an estimated return benefit of $55,000 per year
Return Benefit = AEL − Annualized Cost of Actions = $75,000 − $20,000 = $55,000
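The laptop scenario carried through in code, as an added worked example that is not from the textbook or these slides. It reproduces the slide's figures (SLE $50,000, three losses in two years, 200 laptops at $100 per year for encryption) and adds two things the slides do not model: an effectiveness factor, because the slide formula credits a control with removing the whole AEL, which only holds if the control eliminates the loss entirely; and a ranking of several candidate controls by return benefit so that controls costing more than the loss they avert are visible. The Risk and Control classes and the two non-encryption controls are constructed for illustration.

```python
"""Quantitative security risk analysis: AEL = SLE x AOR, then cost-benefit of controls.

Added worked example, not code from the textbook. Figures are the slide's laptop
scenario (SLE $50,000, 3 losses in 2 years, 200 laptops at $100/year for encryption)
plus a constructed 'effectiveness' factor that the slides do not model: the slide
formula assumes a control removes the loss entirely (effectiveness == 1.0).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float          # single loss expectancy, $ per incident
    incidents: int      # observed incidents in the look-back window
    years: float        # length of the look-back window in years

    @property
    def aor(self) -> float:
        """Annual occurrence rate estimated from the incident history."""
        if self.years <= 0:
            raise ValueError("look-back window must be positive")
        return self.incidents / self.years

    @property
    def ael(self) -> float:
        """Annualized expected losses: SLE x AOR."""
        return self.sle * self.aor


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float          # total annualized cost of the action
    effectiveness: float = 1.0  # fraction of the AEL the control removes

    def __post_init__(self) -> None:
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError("effectiveness must be in [0, 1]")


def residual_ael(risk: Risk, control: Control) -> float:
    """AEL that remains after the control is applied."""
    return risk.ael * (1.0 - control.effectiveness)


def return_benefit(risk: Risk, control: Control) -> float:
    """Return benefit = AEL actually removed by the control - annualized cost.

    With effectiveness == 1.0 this is exactly the slide formula AEL - cost.
    """
    return (risk.ael - residual_ael(risk, control)) - control.annual_cost


def rank_controls(risk: Risk, controls: list[Control]) -> list[tuple[str, float]]:
    """Order candidate controls by return benefit, best first.

    Controls with a negative return benefit cost more per year than the loss they
    avert; they stay in the list so the reader can see why they were rejected.
    """
    scored = [(c.name, return_benefit(risk, c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# The slide's scenario: $50,000 per lost laptop, three losses in two years.
LAPTOP_DATA = Risk(name="corporate data on laptops", sle=50_000, incidents=3, years=2)

# Candidate controls. Full-disk encryption is the slide's example (200 laptops x
# $100/year, assumed to remove the whole loss). The other two are constructed.
CONTROLS = [
    Control(name="full-disk encryption", annual_cost=200 * 100),
    Control(name="remote wipe (constructed)", annual_cost=200 * 60, effectiveness=0.8),
    Control(name="courier for every laptop (constructed)", annual_cost=120_000),
]

if __name__ == "__main__":
    print(f"AOR = {LAPTOP_DATA.aor:.2f}/year, AEL = ${LAPTOP_DATA.ael:,.0f}/year")
    for name, benefit in rank_controls(LAPTOP_DATA, CONTROLS):
        print(f"{name:40s} return benefit ${benefit:,.0f}/year")
```

Running it shows the slide's case (effectiveness 1.0) yielding exactly $55,000, while a control that averts only 80% of the loss is credited only with the AEL it actually removes. When estimating effectiveness for encryption in practice, remember that the hardware still has to be replaced after a theft, so the per-incident loss rarely drops to zero.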
-
Compliance with Current Security Laws
Legal and Regulatory Environment
Impacts information security practices
Figure 16.7
-
Compliance with Current Security Laws
Sarbanes-Oxley Act of 2002 (SOX)
Created as a response to the scandals at Enron, Tyco, WorldCom, and others
Applies to publicly traded US companies
-
Compliance with Current Security Laws
Sarbanes-Oxley Act of 2002 (SOX)
"Sarbanes is the most sweeping legislation to affect publicly traded companies since the reforms during the Great Depression"
- Gartner Analyst John Bace
-
Compliance with Current Security Laws
SOX affects IS leaders in two major ways:
Records retention
The act states that companies must retain electronic communications such as email and instant messaging for a period of at least five years
IT audit controls
Officers must certify that they are responsible for establishing and maintaining internal controls
-
Compliance with Current Security Laws
Section 404 of SOX states that companies must use an internal control framework such as COSO
COSO: a framework for auditors to use when assessing internal controls, created by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)
-
Compliance with Current Security Laws
Internal controls are assurance processes
COSO definition of internal control: a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations
-
Compliance with Current Security Laws
The COSO framework contains five interrelated components:
Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring
-
Compliance with Current Security Laws
Gramm-Leach-Bliley Act of 1999 (GLBA)
Mandates that financial institutions maintain a high level of confidentiality for the financial information of their clients or customers
The act gives federal agencies and states the authority to enforce the following rules:
Financial Privacy Rule
Safeguards Rule
-
Compliance with Current Security Laws
Gramm-Leach-Bliley Act of 1999 (GLBA)
Financial Privacy Rule
Requires financial institutions to provide customers with privacy notices
Organizations must clearly state their privacy policies when establishing relationships with customers
Organizations cannot disclose nonpublic personal information to nonaffiliated third parties without giving the customer notice and an opportunity to opt out
-
Compliance with Current Security Laws
Gramm-Leach-Bliley Act of 1999 (GLBA)
Safeguards Rule
Organizations must have a written security plan in place to protect customers' nonpublic confidential information
-
Compliance with Current Security Laws
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA requires organizations to secure nonpublic confidential medical information
Noncompliance can lead to serious penalties and fines
-
Compliance with Current Security Laws
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT)
Commonly called the PATRIOT Act
Gives the US government greater ability to access information
Victims of computer hacking can now request law enforcement assistance
-
Compliance with Current Security Laws
California Information Practices Act (Senate Bill 1386)
In the past, companies have often been silent when information theft occurred
This act requires organizations that store nonpublic information on California residents to notify the affected residents of a breach of that information in the most expedient time possible and without unreasonable delay
Noncompliance may lead to civil or criminal consequences
-
Developing an Information Security Policy
Information Security Policies
Required by many regulations (e.g., SOX)
Required to obtain insurance
Information Security Policy: a written document describing what is, and is not, permissible use of information in the organization and the consequences for violation of the policy
-
Developing an Information Security Policy
What should be in the policy?
Common topics
Access control policies
External access policies
User and physical policies
Example policies
The SANS Institute provides templates for many policy types
-
Developing an Information Security Policy
Policy should be appropriate to the estimated risks of the organization
It should be quickly modified when new situations arise affecting security
Organizations should make it easy for employees to access the most recent policy
-
Planning for Business Continuity
This is more than simple disaster recovery
When an organization cannot resume operations in a reasonable time frame, it leads to business failure
Business Continuity Planning (BCP): putting specific plans in place that ensure that employees and business processes can continue when faced with any major unanticipated disruption
-
Planning for Business Continuity
McNurlin & Sprague identified the following components of BCP that were often overlooked before the 9/11 terrorist attacks:
Alternate workspaces for people, with working computers and phone lines
Backup IT sites that are not too close, but not too far away
Up-to-date evacuation plans that everyone knows and has practiced
-
Planning for Business Continuity
McNurlin & Sprague identified the following components of BCP that were often overlooked before the 9/11 terrorist attacks:
Backed-up laptops and departmental servers, because a lot of corporate information is housed on these machines rather than in the data center
Helping people cope with a disaster by having easily accessible phone lists, e-mail lists, and even instant-messenger lists so that people can communicate with loved ones and colleagues
-
Planning for Business Continuity
Disruptions are usually ranked by how quickly the affected process must be restored, using the following categories:
Critical: < 12 hours
Urgent: 24 hours
Important: 72 hours
Normal: 7 days
Lower-priority: 30 days
-
Planning for Business Continuity
Electronic Records Management (ERM)
Covers the retention of important digital documents
Grew out of the need to satisfy regulations such as SOX and HIPAA
May require a centralized approach
eDiscovery amendments to the Federal Rules of Civil Procedure make ERM even more important
-
Planning for Business Continuity
Electronic Records Management (ERM)
ERM managers are responsible for the following:
Defining what constitutes an electronic record
Analyzing the current business environment and developing appropriate ERM policies
Classifying specific records based upon their importance, regulatory requirements, and retention duration
Authenticating records by maintaining accurate logs and procedures to prove that these are the actual records, and that they have not been altered
Managing policy compliance
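One way to give the "authenticating records" responsibility above some teeth, as an added example that is not from the textbook: a tamper-evident record log in which each entry carries an HMAC-SHA256 tag computed over the previous entry's tag and the record itself, so that editing, deleting or reordering any stored record breaks the chain from that point on. The slides do not prescribe a mechanism; the chaining scheme, the placeholder key and the sample records are all constructed for illustration, and a real deployment would keep the key in an HSM or key management service and anchor the latest tag somewhere the record custodian cannot rewrite.

```python
"""Tamper-evident record log: proving stored records are the originals and unaltered.

Added example, not code from the textbook. Each entry's tag is
HMAC-SHA256(key, previous_tag || canonical(record)), so every later tag depends on
every earlier record. The key below is a constructed placeholder.
"""
import hashlib
import hmac
import json

LOG_KEY = b"example-key-not-for-production"  # constructed placeholder; keep real keys in an HSM/KMS
GENESIS = b"\x00" * 32                        # previous-tag value for the first entry


def canonical(record: dict) -> bytes:
    """Stable byte encoding so the same record always authenticates the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append(log: list[dict], record: dict) -> dict:
    """Append a record, binding it to the previous entry's tag."""
    prev = bytes.fromhex(log[-1]["tag"]) if log else GENESIS
    tag = hmac.new(LOG_KEY, prev + canonical(record), hashlib.sha256).hexdigest()
    entry = {"record": record, "tag": tag}
    log.append(entry)
    return entry


def verify(log: list[dict]) -> int:
    """Return the index of the first entry that fails, or -1 if the chain is intact.

    An edit to entry i changes the tag expected at i; deleting or reordering an
    entry changes the previous-tag input for the entry that now follows it.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        expected = hmac.new(LOG_KEY, prev + canonical(entry["record"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["tag"]):
            return i
        prev = bytes.fromhex(entry["tag"])
    return -1


def demo() -> tuple[int, int]:
    """Build a log from constructed records, then back-date an edit to one of them."""
    log: list[dict] = []
    for rec in [  # constructed sample records
        {"id": 1, "type": "email", "retention_years": 5, "sender": "cfo@example.com"},
        {"id": 2, "type": "im", "retention_years": 5, "sender": "ctrl@example.com"},
        {"id": 3, "type": "invoice", "retention_years": 7, "amount": 12500},
    ]:
        append(log, rec)
    intact = verify(log)                              # -1: untouched chain verifies
    log[1]["record"]["sender"] = "ceo@example.com"    # silent alteration of a stored record
    tampered = verify(log)                            # 1: first entry whose tag no longer matches
    return intact, tampered


if __name__ == "__main__":
    print(demo())
```

The check detects alteration but does not by itself prove who altered a record or when; that is what the "accurate logs and procedures" in the bullet above, together with restricted access to the signing key, have to supply.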
-
Planning for Business Continuity
Electronic Records Management (ERM)
Managers must realize that businesses may be digitally liable for actions their employees have taken when communicating electronically
Electronic corporate information may reside on computers external to the company (e.g., cached email)
-
The Chief Information Security Officer Role
With increasing pressure to comply with laws and regulations, many companies have added a chief information security officer (CISO) to their organization
Responsible for monitoring information security risks and developing strategies to mitigate that risk
-
The Chief Information Security Officer Role
As it is impossible to eliminate all risk, the CISO must balance the trade-offs between risks and the costs of eliminating them
(Figure: trade-off between cost of prevention and risk)
-
All rights reserved. No part of this publication may be reproduced, stored in a
retrieval system, or transmitted, in any form or by any means, electronic,
mechanical, photocopying, recording, or otherwise, without the prior written
permission of the publisher. Printed in the United States of America.
Copyright 2009 Pearson Education, Inc. Publishing as Prentice Hall