
Information Systems Security

Chapter 5

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 51
Learning Objective 1

Describe general approaches to analyzing vulnerabilities and threats in information systems.

Overview

The information security system is the subsystem of the organization that controls the special risks associated with computer-based information systems.

The information security system has the basic elements of any information system, such as hardware, databases, procedures, and reports.
The Information Security
System Life Cycle

Life-cycle phase    Objective

Systems analysis    Analyze system vulnerabilities in terms of relevant threats and
                    their associated loss exposure.

Systems design      Design security measures and contingency plans to control the
                    identified loss exposures.

The Information Security
System Life Cycle

Life-cycle phase            Objective

Systems implementation      Implement the security measures as designed.

Systems operation,          Operate the system and assess its effectiveness and
evaluation, and control     efficiency. Make changes as circumstances require.

The Information Security
System in the Organization

The information security system must be managed by a chief security officer (CSO).

This individual should report directly to the board of directors in order to maintain complete independence.

Analyzing Vulnerabilities
and Threats

Two approaches to risk assessment:

Quantitative approach

Qualitative approach

Analyzing Vulnerabilities
and Threats

Quantitative approach: the expected loss for each exposure is the product of two estimates:

Cost of an individual loss

Likelihood of its occurrence

Analyzing Vulnerabilities
and Threats

Identifying the relevant cost per loss and its associated likelihood can be difficult.

Estimating the likelihood of a given failure means predicting the future, so the estimates, and the expected losses built on them, carry considerable uncertainty.
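As an added worked example (not code from the textbook), the following Python script carries the quantitative approach through: it computes the expected annual loss of each exposure as cost per loss times likelihood, ranks the exposures, checks whether a proposed control costs less than the loss it avoids, and shows how far an uncertain likelihood estimate moves the result. All exposure names, controls and figures are constructed for the illustration.

```python
"""Quantitative risk assessment, worked example (added illustration; the code
and the figures are constructed for this page and are not from the textbook).

For each loss exposure the expected annual loss is the product of the two
factors the slides name: the cost of an individual loss and the likelihood of
its occurrence (expressed here as expected occurrences per year). Exposures are
then ranked, candidate controls are costed against the loss they avoid, and a
sensitivity check shows how far a guessed likelihood moves the result.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    name: str
    single_loss_cost: float      # cost of one occurrence, in currency units
    annual_likelihood: float     # expected occurrences per year (can exceed 1.0)

    def expected_annual_loss(self) -> float:
        return self.single_loss_cost * self.annual_likelihood


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    mitigates: str               # name of the exposure it addresses
    likelihood_reduction: float  # fraction of occurrences it prevents, 0..1


def rank_exposures(exposures):
    """Largest expected annual loss first: the order in which to spend effort."""
    return sorted(exposures, key=lambda e: e.expected_annual_loss(), reverse=True)


def total_exposure(exposures):
    return sum(e.expected_annual_loss() for e in exposures)


def control_net_benefit(control, exposures):
    """Expected loss avoided per year minus the control's annual cost.
    A negative result means the control costs more than the loss it prevents
    under these estimates."""
    exposure = next(e for e in exposures if e.name == control.mitigates)
    avoided = exposure.expected_annual_loss() * control.likelihood_reduction
    return avoided - control.annual_cost


def sensitivity(exposure, factor):
    """Likelihoods are predictions; return the expected annual loss if the
    true likelihood is `factor` times lower or higher than estimated."""
    low = exposure.single_loss_cost * (exposure.annual_likelihood / factor)
    high = exposure.single_loss_cost * (exposure.annual_likelihood * factor)
    return low, high


# Constructed sample figures (not data from the book).
SAMPLE_EXPOSURES = [
    Exposure("business interruption: server room outage", 250_000.0, 0.10),
    Exposure("loss of data: payroll file corruption", 40_000.0, 0.50),
    Exposure("loss of hardware: laptop theft", 2_000.0, 6.0),
    Exposure("loss of facilities: flood", 1_000_000.0, 0.01),
]
SAMPLE_CONTROLS = [
    Control("UPS and generator", 12_000.0, "business interruption: server room outage", 0.80),
    Control("nightly off-site backup", 5_000.0, "loss of data: payroll file corruption", 0.90),
    Control("flood barriers", 30_000.0, "loss of facilities: flood", 0.50),
]


if __name__ == "__main__":
    for e in rank_exposures(SAMPLE_EXPOSURES):
        print(f"{e.expected_annual_loss():>12,.0f}  {e.name}")
    print(f"{total_exposure(SAMPLE_EXPOSURES):>12,.0f}  total expected annual loss")
    for c in SAMPLE_CONTROLS:
        print(f"{control_net_benefit(c, SAMPLE_EXPOSURES):>+12,.0f}  net benefit of {c.name}")
    low, high = sensitivity(SAMPLE_EXPOSURES[3], 3.0)
    print(f"flood exposure if the likelihood estimate is off by 3x: {low:,.0f} to {high:,.0f}")
```

With these figures the rare, expensive flood ranks last by expected loss and its barrier fails the cost test, yet a threefold error in its likelihood estimate alone would move its expected loss from about 3,300 to 30,000 a year; that spread is the practical reason the next slide's qualitative ranking is often used alongside the arithmetic.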

Analyzing Vulnerabilities
and Threats

Qualitative approach: the system's vulnerabilities and threats are subjectively ranked in order of their contribution to the company's total loss exposure.

Analyzing Vulnerabilities
and Threats

Categories of loss exposure:

business interruption
loss of software
loss of data
loss of hardware
loss of facilities
loss of service and personnel

Learning Objective 2

Identify active and passive threats to information systems.

Vulnerabilities and Threats

What is a vulnerability?
A vulnerability is a
weakness in a system.
What is a threat?
A threat is a potential
exploitation of a vulnerability.

Vulnerabilities and Threats

Active threats: deliberate acts against the system, such as computer fraud and sabotage.

Passive threats: failures and accidents rather than deliberate acts, such as system faults and natural disasters.

Individuals Posing a Threat
to the Information System

Groups of individuals that could be involved in an information systems attack:

Information systems personnel

Users

Intruders

Individuals Posing a Threat
to the Information System

Information systems personnel include:

computer maintenance persons
programmers
network operators
information systems administrative personnel
data control clerks

Individuals Posing a Threat
to the Information System

Users are a heterogeneous group of people whose functional area lies outside data processing.

An intruder is anyone who accesses equipment, electronic data, or files without proper authorization.

Individuals Posing a Threat
to the Information System
A hacker is an intruder who attacks a system for fun and challenge.

What are other types of intruders?

unnoticed intruders
wiretappers
piggybackers
impersonating intruders
eavesdroppers
Active Threats to
Information Systems

Input manipulation

Program alteration

Direct file alteration

Data theft

Sabotage

Misappropriation or theft of information resources

Active Threats to
Information Systems

In most cases of computer fraud, manipulation of input is the method used.

Program alteration is perhaps the least common method used to commit computer fraud.

Active Threats to
Information Systems

A direct file alteration occurs when individuals find ways to bypass the normal process for inputting data into computer programs.

Data theft is a serious problem in business today.

What are some methods of computer sabotage?

Active Threats to
Information Systems

Methods of computer sabotage include:

Logic bomb

Trojan horse

Virus program

Denial of service attack

Defacing the company's Web site

Active Threats to
Information Systems

What is a worm?

It is a self-replicating program that spreads itself over a computer network; unlike a classic virus it does not need to attach itself to a host program or wait for a user to run an infected file.

Active Threats to
Information Systems

One type of misappropriation of computer resources exists when employees use company computer resources for their own business.

Learning Objective 3

Identify key aspects of an information security system.

The Information System
Security System

Security measures focus on preventing and detecting threats.

Contingency plans focus on correcting the effects of threats.

The Control Environment

Management philosophy and operating style

Organization structure

Board of directors and its committees

The Control Environment

Management control activities

Internal audit function

Personnel policies and practices

External influences

Controls for Active Threats

Site-access controls

System-access controls

File-access controls

Controls for Active Threats

The objective of site-access controls is to physically separate unauthorized individuals from computer resources.

Controls for Active Threats

Figure: floor plan of a secured computer facility. Visitors enter the lobby through a locked entrance door and deal with staff through a service window and intercom; a TV monitor and telephone cover the lobby. A second locked door, opened only from inside the vault, leads past a scanner and magnet detector into the inner vault, which holds the data archive.

Controls for Active Threats

System-access controls authenticate users by such means as user IDs, passwords, IP addresses, and hardware devices.

It is often desirable to withhold administrative rights from individual PC users.
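The following Python example is added here to show those system-access controls working together; it is not code from the textbook. A login attempt is checked against a user ID and salted, iterated password hash, the source IP address against the networks the account may use, and a hardware token modelled as an RFC 6238 time-based one-time-password device, and the resulting session carries no administrative rights unless the account was explicitly granted them. The directory, salt, token secret (the RFC 6238 test-vector key) and attempts are constructed sample data.

```python
"""System-access controls, worked example (added illustration; not code from the
textbook). A login attempt is checked against the kinds of evidence the slide
lists: a user ID and password, the source IP address, and a hardware token,
modelled here as an RFC 6238 TOTP device. The directory, secrets and attempts
are constructed sample data; the admin flag shows administrative rights being
withheld from an ordinary PC user by default.
"""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash: the store never holds the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code: HMAC-SHA1 over the 30-second time counter, dynamically truncated."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass(frozen=True)
class Account:
    user_id: str
    salt: bytes
    password_hash: bytes
    token_secret: bytes            # shared with the user's hardware token
    allowed_from: tuple            # ip_network objects the user may log in from
    admin: bool = False            # administrative rights withheld unless granted


@dataclass(frozen=True)
class Attempt:
    user_id: str
    password: str
    source_ip: str
    token_code: str
    at: int                        # Unix time of the attempt


def authenticate(directory: dict, attempt: Attempt, drift_steps: int = 1):
    """Return (granted, detail). `detail` is for the audit log; the message shown
    to the user should be generic so failed attempts do not reveal which check
    failed."""
    account = directory.get(attempt.user_id)
    if account is None:
        return False, "unknown user ID"
    if not hmac.compare_digest(hash_password(attempt.password, account.salt),
                               account.password_hash):
        return False, "password mismatch"
    source = ipaddress.ip_address(attempt.source_ip)
    if not any(source in net for net in account.allowed_from):
        return False, "source address not permitted"
    # Accept the current code and the adjacent time steps to tolerate clock drift.
    valid = {totp(account.token_secret, attempt.at + d * 30)
             for d in range(-drift_steps, drift_steps + 1)}
    if not any(hmac.compare_digest(attempt.token_code, v) for v in valid):
        return False, "hardware token code mismatch"
    return True, "admin" if account.admin else "user"


# Constructed sample directory. The token secret is the RFC 6238 test-vector key.
SALT = b"constructed-salt-value"
TOKEN_SECRET = b"12345678901234567890"
DIRECTORY = {
    "clerk01": Account("clerk01", SALT, hash_password("correct horse battery", SALT),
                       TOKEN_SECRET, (ipaddress.ip_network("10.20.0.0/16"),)),
}


def demo_attempts():
    """One valid login followed by three attempts that each fail a different control."""
    now = 59   # the RFC 6238 test time; the matching 6-digit code is 287082
    code = totp(TOKEN_SECRET, now)
    return [
        authenticate(DIRECTORY, Attempt("clerk01", "correct horse battery", "10.20.3.7", code, now)),
        authenticate(DIRECTORY, Attempt("clerk01", "wrong password", "10.20.3.7", code, now)),
        authenticate(DIRECTORY, Attempt("clerk01", "correct horse battery", "192.0.2.9", code, now)),
        authenticate(DIRECTORY, Attempt("clerk01", "correct horse battery", "10.20.3.7", "000000", now)),
    ]


if __name__ == "__main__":
    for granted, detail in demo_attempts():
        print("granted" if granted else "denied ", "-", detail)
```

The comparisons use hmac.compare_digest rather than == so that a mismatching hash or code is not revealed by timing, and the detailed reason is kept for the audit trail rather than the login screen, since telling an intruder which of the four checks failed helps them guess the rest.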
Controls for Active Threats

The most fundamental file-access control is the establishment of authorization guidelines and procedures for accessing and altering files.

Controls for Passive Threats

Fault-tolerant systems use redundant components.

If one part of the system fails, a redundant part immediately takes over, and the system continues operating with little or no interruption.

Controls for Passive Threats

Full backups: copy every file.

Incremental backups: copy only the files changed since the last backup of any kind, so each set is small but a restore needs the last full backup plus every incremental since.

Differential backups: copy every file changed since the last full backup, so each set grows until the next full backup but a restore needs only the last full and the last differential.
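The following simulation is added as an illustration (not code from the textbook) of how the three backup types differ in what they copy and in what a restore has to read. It models each file with an archive flag, the mechanism most backup tools use to decide what has changed: a full or incremental backup clears the flag on the files it copies, a differential does not. The file names and write pattern are constructed sample data.

```python
"""Full, incremental and differential backups, simulated (added illustration,
not code from the textbook). Files are modelled with an archive flag, the way
most backup tools decide what has changed: a full or incremental backup copies
the flagged files and clears the flag, a differential copies the flagged files
but leaves the flag set, so it keeps growing until the next full backup.
The file names and write pattern below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupSet:
    day: int
    kind: str          # "full", "incremental" or "differential"
    copies: dict       # file name -> version number captured in this set


class BackupSimulator:
    def __init__(self):
        self.live = {}           # file name -> current version on disk
        self.changed = set()     # files whose archive flag is set
        self.history = []        # BackupSet records, oldest first
        self.state_at = {}       # day -> copy of self.live when the backup ran

    def write(self, name):
        """A file is created or modified: bump its version, set its archive flag."""
        self.live[name] = self.live.get(name, 0) + 1
        self.changed.add(name)

    def run(self, day, kind):
        if kind == "full":
            selected = set(self.live)
        elif kind in ("incremental", "differential"):
            selected = set(self.changed)
        else:
            raise ValueError(f"unknown backup kind: {kind}")
        copies = {n: self.live[n] for n in selected}
        if kind != "differential":
            self.changed -= selected   # only full and incremental clear the flag
        self.history.append(BackupSet(day, kind, copies))
        self.state_at[day] = dict(self.live)
        return copies


def restore_chain(history, target_day):
    """Backup sets needed, oldest first, to rebuild the state as of the last
    backup on or before target_day. Walking backwards: every incremental is
    needed (each cleared flags that later sets no longer see); a differential
    is needed only if it is the most recent non-full set, because any later
    incremental or differential already contains everything it holds; the
    first full reached ends the chain."""
    chain = []
    for b in reversed([b for b in history if b.day <= target_day]):
        if b.kind == "differential" and any(c.kind != "full" for c in chain):
            continue
        chain.append(b)
        if b.kind == "full":
            break
    if not chain or chain[-1].kind != "full":
        raise RuntimeError("no full backup on or before the target day: cannot restore")
    return list(reversed(chain))


def restore(history, target_day):
    """Replay the chain oldest first; later sets overwrite earlier versions."""
    rebuilt = {}
    for b in restore_chain(history, target_day):
        rebuilt.update(b.copies)
    return rebuilt


def simulate(kind):
    """Day 0 full backup, then one file write and one backup of `kind` per day."""
    sim = BackupSimulator()
    for name in ("ledger.dat", "payroll.dat", "config.ini"):
        sim.write(name)
    sim.run(0, "full")
    for day, name in ((1, "ledger.dat"), (2, "payroll.dat"), (3, "ledger.dat")):
        sim.write(name)
        sim.run(day, kind)
    return sim


def set_sizes(sim):
    """Number of files in each backup set, oldest first."""
    return [len(b.copies) for b in sim.history]


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        sim = simulate(kind)
        chain = restore_chain(sim.history, 3)
        print(f"{kind:12s} set sizes {set_sizes(sim)}, restoring day 3 reads {len(chain)} sets")
        assert restore(sim.history, 3) == sim.state_at[3]
```

On this schedule the incremental run produces sets of 3, 1, 1 and 1 files and a day-3 restore reads all four; the differential run produces sets of 3, 1, 2 and 2 files and the same restore reads only the full and the last differential. The trade-off the contingency plan has to make is therefore backup volume against the number of sets that must all be intact and readable when the restore is needed.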

Internet Security

Internet-related vulnerabilities may arise from weaknesses in five areas.

1. the operating system or its configuration
2. the Web server or its configuration
3. the private network and its configuration
4. various server programs
5. general security procedures

Learning Objective 4

Discuss contingency planning and other disaster risk management practices.

Disaster Risk Management

Disaster risk management is essential to ensure continuity of operations in the event of a catastrophe.

It has two components: prevention planning and contingency planning.

Disaster Risk Management

Causes of disasters:

Natural disaster      30%
Deliberate actions    45%
Human error           25%

A large percentage of disasters can be mitigated or avoided.

Disaster Risk Management

A disaster recovery plan must be implemented at the highest levels in the company.

The first step in developing a disaster recovery plan should be obtaining the support of senior management and setting up a planning committee.

Disaster Risk Management

The design of the plan should include three major components.

What are these components?

Assess the company's critical needs.
List priorities for recovery.
Establish recovery strategies and procedures.

Disaster Risk Management

A complete set of recovery strategies should take into account the following:

emergency response center
escalation procedures
alternate processing arrangements
personnel relocation and replacement plans
salvage plan
plan for testing and maintaining the system
End of Chapter 5

