AIS Ab - az.CH05

Information Systems Security
Chapter 5
2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
51
Learning Objective 1
Describe general approaches to analyzing vulnerabilities and threats in information systems.
52
Overview
The information security system is the subsystem of the organization that controls the special risks associated with computer-based information systems.
The information security system has the basic elements of any information system, such as hardware, databases, procedures, and reports.
2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 53
The Information Security System Life Cycle

Life-cycle Phase Objective
Analyze system vulnerabilities Systems analysis in terms of relevant threats and their associated loss exposure. Systems design Design security measures and contingency plans to control the identified loss exposures.
54
The Information Security System Life Cycle

Life-cycle Phase Systems implementation Objective Implement the security measures as designed. Operate the system and assess its effectiveness and efficiency. Make changes as circumstances require.
55
Systems operation, evaluation, and control
The Information Security System in the Organization

The information security system must be managed by a chief security officer (CSO). This individual should report directly to the board of directors in order to maintain complete independence.
56
Analyzing Vulnerabilities and Threats
Quantitative approach to risk assessment Qualitative approach
57
Cost of an individual loss Likelihood of its occurrence
58
Identifying the relevant costs per loss and the associated likelihoods can be difficult.
Estimating the likelihood of a given failure requires predicting the future, which is very difficult.
2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 59
The systems vulnerabilities and threats are subjectively ranked in order of their contribution to the companys total loss exposure.
5 10
business interruption loss of software loss of data loss of hardware loss of facilities loss of service and personnel
2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 11
Identify active and passive threats to information systems.
5 12
Vulnerabilities and Threats

What is a vulnerability?
A vulnerability is a weakness in a system.

What is a threat? A threat is a potential exploitation of a vulnerability.
Vulnerabilities and Threats
Active threats
Passive threats
5 14
Individuals Posing a Threat to the Information System

Groups of individuals that could be involved in an information systems attack: Information systems personnel Users Intruders
5 15
computer maintenance persons programmers network operators information systems administrative personnel data control clerks

Users are composed of heterogeneous groups of people. Their functional area does not lie in data processing.
An intruder is anyone who accesses equipment, electronic data, or files without proper authorization.
5 17

A hacker is an intruder who attacks a system for fun and challenge.
What are other types of intruders?

unnoticed intruders wiretappers piggybackers impersonating intruders eavesdroppers
Active Threats to Information Systems

Input manipulation Sabotage Misappropriation or theft of information resources
Program alteration
Direct file alteration Data theft
5 19

In most cases of computer fraud, manipulation of input is the method used. Program alteration is perhaps the least common method used to commit computer fraud.
5 20

A direct file alteration occurs when individuals find ways to bypass the normal process for inputting data into computer programs. Data theft is a serious problem in business today. What are some methods of computer sabotage?

Logic bomb Trojan horse Virus program
Denial of service attack

Defacing the companys Web site

What is a worm?
It is a type of virus that spreads itself over a computer network.
5 23

One type of misappropriation of computer resources exists when employees use company computers resources for their own business.
5 24
Identify key aspects of an information security system.
5 25
The Information System Security System

Security measures focus on preventing and detecting threats. Contingency plans focus on correcting the effects of threats.
5 26
The Control Environment

Management philosophy and operating style Organization structure
Board of directors and its committees
5 27
The Control Environment

Management control activities
Internal audit function

Personnel policies and practices External influences
5 28
Controls for Active Threats
Site-access controls
System-access controls File-access controls
The objective of site-access controls is to physically separate unauthorized individuals from computer resources.
5 30
TV monitor
Telephone
Locked door
Locked door (opened from inside vault) Locked door (entrance)
LOBBY
Service window Data archive
Intercom to vault
Scanner
Magnet detector
INNER VAULT
5 31
These controls authenticate users by using such means as user IDs, passwords, IP addresses, and hardware devices. It is often desirable to withhold administrative rights from individual PC users.
The most fundamental file-access control is the establishment of authorization guidelines and procedures for accessing and altering files.
5 33
Controls for Passive Threats
Fault-tolerant systems use redundant components.

If one part of the system fails, a redundant part immediately takes over, and the system continues operating with little or no interruption.
5 34
Controls for Passive Threats
Full backups Incremental backups Differential backups
5 35
Internet Security
Internet-related vulnerabilities may arise from weaknesses in five areas. 1. 2. 3. 4. 5. the operating system or its configuration the Web server or its configuration the private network and its configuration various server programs general security procedures
5 36
Discuss contingency planning and other disaster risk management practices.
5 37
Disaster Risk Management
Disaster risk management is essential to ensure continuity of operations in the event of a catastrophe.
Prevention planning
Contingency planning
5 38
Natural disaster Deliberate actions Human error
30% 45% 25%
A large percentage of disasters can be mitigated or avoided.


A disaster recovery plan must be implemented at the highest levels in the company. The first step in developing a disaster recovery plan should be obtaining the support of senior management and setting up a planning committee.
5 40

The design of the plan should include three major components. What are these components? Assess the companys critical needs. List priorities for recovery. Establish recovery strategies and procedures.

A complete set of recovery strategies should take into account the following: emergency response center escalation procedures alternate processing arrangements personnel relocation and replacements plans salvage plan plan for testing and maintaining the system
End of Chapter 5
5 43

AIS Ab - az.CH05

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

AIS Ab - az.CH05

Uploaded by

Copyright:

Available Formats

Information Systems Security

Describe general approaches to analyzing vulnerabilities and threats in information systems.

The Information Security System Life Cycle

The Information Security System Life Cycle

Systems operation, evaluation, and control

The Information Security System in the Organization

Analyzing Vulnerabilities and Threats

Quantitative approach to risk assessment Qualitative approach

Analyzing Vulnerabilities and Threats

Cost of an individual loss Likelihood of its occurrence

Analyzing Vulnerabilities and Threats

Analyzing Vulnerabilities and Threats

Analyzing Vulnerabilities and Threats

Identify active and passive threats to information systems.

Vulnerabilities and Threats

A vulnerability is a weakness in a system.

Vulnerabilities and Threats

Individuals Posing a Threat to the Information System

Individuals Posing a Threat to the Information System

Individuals Posing a Threat to the Information System

Individuals Posing a Threat to the Information System

What are other types of intruders?

Active Threats to Information Systems

Active Threats to Information Systems

Active Threats to Information Systems

Active Threats to Information Systems

Denial of service attack

Active Threats to Information Systems

It is a type of virus that spreads itself over a computer network.

Active Threats to Information Systems

Identify key aspects of an information security system.

The Information System Security System

The Control Environment

Board of directors and its committees

The Control Environment

Internal audit function

Controls for Active Threats

Controls for Active Threats

Controls for Active Threats

Locked door (opened from inside vault) Locked door (entrance)

Service window Data archive

Controls for Active Threats

Controls for Active Threats

Controls for Passive Threats

Fault-tolerant systems use redundant components.

Controls for Passive Threats

Full backups Incremental backups Differential backups

Discuss contingency planning and other disaster risk management practices.

Disaster Risk Management

Disaster Risk Management

Natural disaster Deliberate actions Human error

30% 45% 25%

A large percentage of disasters can be mitigated or avoided.

Disaster Risk Management

Disaster Risk Management

Disaster Risk Management

You might also like