Copyright © 2011 Pearson Education, Inc., publishing as Prentice Hall
MANAGEMENT INFORMATION SYSTEMS
CHAPTER 14
INFORMATION SECURITY
- Traditional security measures include technical solutions
- Managerial measures will be a key focus of this chapter
COMPUTER CRIME (E-CRIME)
A crime that involves a computer or a network. Some crimes directly target computers or networks; others use computers or networks as the means to commit a crime.
Computer crimes can involve a single computer or thousands of computers. Due to increased Internet connectivity, "cyber attacks" have greatly increased over the past decade.
COMPUTER CRIMES BY EXTERNAL ATTACKERS
Virus: a small unit of code that invades a computer program or file. When the invaded program is executed or the file is opened, the virus makes copies of itself that are released to invade other programs or files on that computer. It may also do damage such as erasing files or corrupting programs. Viruses are transmitted from one computer to another when an infected program or file is transmitted to another computer.
Example: ILOVEYOU (May 2000). Written in Visual Basic Script; transmitted as an attachment to an e-mail with the subject line ILOVEYOU. Estimated damage: $10-15 billion.
Worm: a virus that has the ability to copy itself from machine to machine, normally over a network. Example: Sobig.F (August 2003). Spread via e-mail attachments; sent massive amounts of e-mail with forged sender information; deactivated itself on September 10, 2003. Estimated damage: $5-10 billion.
Trojan Horse: a security-breaking program that is introduced into a computer and serves as a way for an intruder to re-enter the computer in the future. Like the huge wooden horse used by the Greeks to trick the Trojans into opening their city gates, it may be disguised as something innocent such as an electronic greeting card, screen saver or game.
Logic Bomb: a program introduced into a computer that is designed to take action at a certain time or when a specific event occurs.
Denial of Service Attack: a large number of computers on the Internet simultaneously send repeated messages to a target computer, so that the computer is overloaded or its communications lines are jammed and legitimate users cannot obtain access. (When many computers are used in this way the attack is also called a distributed denial of service, or DDoS.)
FIGURE 14.1 Common Techniques Used by External Attackers
COMPUTER CRIMES BY INSIDERS
• Typical crimes by current employees, recent employees, and business partners:
– Gaining unauthorized access to information, systems, and/or networks
– Theft of intellectual property rights, trade secrets, and/or research and development knowledge
– Data breaches by an organization's business partners
SECURITY TECHNIQUES BY OSI LAYER
Layer #1: Perimeter (web servers, mail servers, etc.)
  Techniques: firewalls, VPN encryption, network-based anti-virus
  Pros: many vendor solutions; easy to implement
  Cons: hackers can penetrate it relatively easily

Layer #2: Network (LAN/WAN)
  Techniques: intrusion detection systems (IDS), vulnerability management systems, network access control, user control/authentication
  Pros: solutions provide deep security that is not easy to breach, plus regular monitoring
  Cons: IDS tend to report false alarms; some solutions are better suited to specific network devices than to the network as a whole

Layer #3: Host security (individual computer, server, router, etc.)
  Techniques: host IDS, host anti-virus
  Pros: solutions provide good operational protection at the device level
  Cons: time-consuming to deploy, as solutions are fine-tuned for individual devices

Encryption
  Pros: solutions provide good security
  Cons: dependent on good organizational policies and good execution by the data steward
Figure 14.2
THE CHIEF SECURITY OFFICER ROLE
• The CSO is responsible for continually assessing an organization's information security risks and for developing and implementing effective countermeasures
• Key Tasks:
- Identify and prioritize relevant risks
- Eliminate essentially avoidable risks with reasonable investments
- Mitigate other risks to an appropriate point of diminishing returns on security investments
THE CHIEF SECURITY OFFICER ROLE
• Since it is impossible to eliminate all risk, the CSO must balance the trade-offs between risks and the costs of minimizing them
(Figure: trade-off curve of Risk against Costs to Minimize)
INFORMATION RISK MANAGEMENT
- Determine the organization’s information assets & their values
- Determine length of time the organization can function without a given information asset
- Develop and implement security procedures to protect the assets
Example for a specific organization:
- Corporate information on employee laptops is an important asset
- Loss of the information on a laptop averages $50,000
INFORMATION RISK MANAGEMENT
• The expected losses due to a vulnerability can be calculated by the following formula:
INFORMATION RISK MANAGEMENT
Example continued:
- Loss of the information on a laptop averages $50,000
- Company identifies three occurrences in the last two years where a laptop had been lost: Annual Occurrence Rate = 1.5
INFORMATION RISK MANAGEMENT
• Managers estimate the costs of the actions performed to secure valued information assets
• Cost estimates and Annualized Expected Losses (AEL) are then used to perform security cost-benefit analysis
• The Return Benefit is estimated as follows:
Security Cost-Benefit Analysis: quantitative analysis to calculate the potential business benefits and the intervention costs involved with mitigating security risks
INFORMATION RISK MANAGEMENT
Example continued:
- Company estimates that adding strong encryption to the corporate data on the laptops will cost $100 per year for each of the 200 laptops in the company = $20,000 annualized cost for this intervention
- Return Benefit for this action = $55,000
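The laptop example above, carried through in code and extended to compare several candidate interventions. This is an added example, not code from the textbook. It uses the standard formulas behind the chapter's figures: AEL = loss per occurrence × annual occurrence rate ($50,000 × 1.5 = $75,000), and Return Benefit = loss avoided per year − annualized cost of the control ($75,000 − $20,000 = $55,000). The chapter's $55,000 figure treats encryption as eliminating the loss entirely; the `residual_fraction` field, the two extra controls and their costs are assumptions constructed for the example.

```python
"""Annualized expected loss and return benefit for a security intervention.

Added example (not from the chapter).  Formulas used:
    ARO = occurrences / years observed
    AEL = loss per occurrence x ARO
    Return benefit = AEL avoided by the control - annualized cost of the control
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Asset:
    """An information asset and its observed loss history."""
    name: str
    loss_per_occurrence: float  # average loss from one incident, in dollars
    occurrences: int            # incidents observed in the sample period
    period_years: float         # length of the sample period, in years


@dataclass(frozen=True)
class Control:
    """A candidate security intervention."""
    name: str
    annual_cost: float          # annualized cost of the intervention
    residual_fraction: float    # ASSUMED share of the AEL that remains after the control


def annual_occurrence_rate(asset: Asset) -> float:
    """Annual Occurrence Rate (ARO): observed incidents per year."""
    if asset.period_years <= 0:
        raise ValueError("period_years must be positive")
    return asset.occurrences / asset.period_years


def annualized_expected_loss(asset: Asset) -> float:
    """AEL = loss per occurrence x annual occurrence rate."""
    return asset.loss_per_occurrence * annual_occurrence_rate(asset)


def return_benefit(asset: Asset, control: Control) -> float:
    """Loss avoided per year minus the control's annualized cost.

    A negative result means the control costs more than the loss it prevents.
    """
    if not 0.0 <= control.residual_fraction <= 1.0:
        raise ValueError("residual_fraction must be between 0 and 1")
    avoided = annualized_expected_loss(asset) * (1.0 - control.residual_fraction)
    return avoided - control.annual_cost


def rank_controls(asset: Asset, controls: List[Control]) -> List[Tuple[str, float]]:
    """Candidate controls ordered by return benefit, best first."""
    scored = [(c.name, return_benefit(asset, c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# The chapter's figures: $50,000 per lost laptop, three losses in two years.
LAPTOP_DATA = Asset("corporate data on laptops", 50_000, occurrences=3, period_years=2)

# The chapter's intervention: $100/year on each of 200 laptops = $20,000/year.
# residual_fraction=0.0 reproduces the chapter's $55,000 return benefit.
ENCRYPTION = Control("strong encryption on laptops", annual_cost=200 * 100, residual_fraction=0.0)

# Two further controls, constructed for this example with assumed costs and residuals.
CANDIDATES = [
    ENCRYPTION,
    Control("laptop tracking and remote wipe", annual_cost=5_000, residual_fraction=0.6),
    Control("armoured carry cases", annual_cost=80_000, residual_fraction=0.5),
]

if __name__ == "__main__":
    print(f"ARO = {annual_occurrence_rate(LAPTOP_DATA):.2f} losses/year")
    print(f"AEL = ${annualized_expected_loss(LAPTOP_DATA):,.0f}")
    for name, benefit in rank_controls(LAPTOP_DATA, CANDIDATES):
        print(f"{name:35s} return benefit ${benefit:>10,.0f}")
```

The ranking makes the chapter's point about diminishing returns concrete: encryption ($55,000) and tracking ($25,000) both pay for themselves, while the armoured cases lose $42,500 a year because they cost more than the loss they prevent. The weak point of this analysis is the residual fraction; it is an estimate of how much a control actually reduces the loss, and a practitioner should record where each estimate came from.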
RECENT INFORMATION SECURITY BREACHES
Organization & Date: Blue Cross Blue Shield, 2009
Information Security Breach: Personal laptop stolen with an unencrypted copy of a database containing the national provider ID numbers and personal information of more than 850,000 physicians and other U.S. healthcare providers.

Organization & Date: Kaiser Hospital, 2009
Information Security Breach: Hospital fined $182,500 and $250,000 by the state of California for a privacy violation in which at least 27 employees improperly accessed the records of the mother of octuplets and her children.

Organization & Date: TJX, 2005
Information Security Breach: More than 45 million customers' credit card records were stolen over a period of more than 6 months.

Organization & Date: U.S. Military, 2009
Information Security Breach: Computer hard drive with data on 76 million U.S. veterans was erroneously sent out for repair.
Figure 14.5
COMPLIANCE WITH RECENT U.S LAWS
Recent U.S Laws with Information Security Impacts
Figure 14.6
COMPLIANCE WITH RECENT U.S LAWS
Sarbanes-Oxley Act of 2002 (SOX)
- Legislation in response to corporate scandals at Enron, Tyco, WorldCom, and others
- Applies to publicly traded U.S. companies
SARBANES-OXLEY ACT OF 2002 (SOX)
• Impact of SOX on the IS organization:
- Records retention
- The act requires companies to retain electronic communication such as e-mail and instant messaging for a period of at least five years
- IT audit controls
- Company officers must certify that they are responsible for establishing and maintaining internal controls
• Section 404 requires that companies assess their internal controls against a recognized internal control framework such as COSO
COSO definition of Internal Control
"a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations"
The COSO Framework contains five interrelated components:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring
GRAMM-LEACH-BLILEY ACT OF 1999 (GLBA)
Gramm-Leach-Bliley Act (GLBA)
- Mandates that financial institutions maintain a high level of confidentiality for the financial information of their clients or customers
- Federal agencies and states enforce the following rules:
- Financial Privacy Rule
- Safeguards Rule
GRAMM-LEACH-BLILEY ACT OF 1999 (GLBA)
– Financial Privacy Rule
- Requires financial institutions to provide customers with privacy notices
- Organizations must clearly state their privacy policies when establishing relationships with customers
- Organizations cannot disclose non-public personal information to a non-affiliated third party unless the customer has been given notice and an opportunity to opt out
– Safeguards Rule
- Organizations must have a written security plan in place to protect a customer's non-public confidential information
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
• Health Insurance Portability and Accountability Act (HIPAA)
– Includes a Privacy Rule and a Security Rule
– Healthcare providers must maintain the privacy of non-public confidential medical information of all patients
– Non-compliance can lead to serious civil penalties and fines
– The Security Rule applies to electronic protected health information
– Note: recent legislation also requires that healthcare providers perform a formal security risk assessment
USA PATRIOT ACT OF 2001
• Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001
- Commonly called the PATRIOT Act
- Gives the U.S. government greater ability to use tools to access information about individuals
- Victims of computer hacking can now request law enforcement assistance
CALIFORNIA INFORMATION PRACTICES ACT (CA Senate Bill 1386)
– Requires organizations that store non-public personal information on California residents to notify affected residents promptly when that information is stolen or otherwise exposed (the statute itself requires notification in the most expedient time possible and without unreasonable delay)
– Noncompliance may lead to civil or criminal consequences
Note: Companies in the past have often been silent about thefts of electronic information on individuals (employees, customers); the act makes this illegal
ORGANIZATIONAL POLICIES FOR INFORMATION SECURITY
- Required by many laws and regulations (e.g., SOX)
- Required by U.S. insurance companies because of the risk of heavy civil or criminal penalties for non-compliance
Information Security Policy
A written policy document describing what is, and is not, permissible use of information in the organization, and the consequences for violating the policy
DEVELOPING AN INFORMATION SECURITY POLICY
• WHO should develop the security policy?
- A Policy Committee with representatives of all affected user groups and stakeholders
- The Policy Committee that develops the policy should also meet regularly to ensure that it continues to meet the organization's needs and satisfies current regulations
- Managers need to communicate, provide training on, and enforce the policy
- Access control policies
- External access policies
- User and Physical policies
Examples or templates of security policies are available from several Internet sites.
SANS Security Policy Template
Source: Stevens Institute of Technology, 2010
DEVELOPING AN INFORMATION SECURITY POLICY
• Other General Guidelines :
– Policies should be appropriate for the estimated risks of the organization
– Policies should be quickly modified when new situations arise affecting security and affected organizational members should be notified about these policy modifications
– Policies should be easily accessed by employees
BUSINESS CONTINUITY PLANNING
Research has shown that businesses that cannot resume operations in a reasonable time frame do not survive
Business Continuity Planning (BCP)
Plans to ensure that employees and business processes can continue when faced with any major, unanticipated disruption
BUSINESS CONTINUITY PLANNING
1. Define the critical business processes and departments
2. Identify interdependencies between them
3. Examine all possible disruptions to these systems
4. Gather quantitative and qualitative information on these threats
5. Provide remedies for restoring systems
BCP LESSONS LEARNED AFTER THE 9/11 TERRORIST ATTACKS IN THE U.S.
BCP Plans should include:
- Alternate workspaces for people, with working computers and phone lines
- Backup IT sites that are not too close, but not too far away
- Up-to-date evacuation plans that everyone knows and has practiced
- Backed-up laptops and departmental servers, because a lot of corporate information is housed on these machines rather than in the data center
- Easily accessible phone lists, e-mail lists, and even instant-messenger lists so that people can communicate with loved ones and colleagues
BCP LESSONS LEARNED AFTER HURRICANE KATRINA IN THE U.S.
• Keep Data and Data Centers more than 1000 miles apart.
• Plan for the Public Infrastructure to not be available.
• Plan for Civil unrest
• In case your A-Team is not available, assemble a B-Team
Source: Junglas and Ives, 2007