Information Systems, Security, and e-Commerce*
ACCT7320, Controllership
C. Bailey
*Ch. 43-46 in Controllership: The Work of the Managerial Accountant, by Janice M. Roehl-Anderson and Steven M. Bragg, 7th Edition, 2004.
Information Security Systems: Risk Analysis Process
Controller’s Role in Information Security (p. 841)
Establishing top-level information protection goals
Monitoring compliance with security standards and policies
Assessing the risk to mission-critical systems
– Balancing costs and benefits
Participating in the investigation of security incidents
– Including evaluation of loss or impact
Goals concerning data
– Confidentiality
– Integrity
– Availability
Types of threats
Intentional:
– Unauthorized access by outsider
– Unauthorized access by insider
– Malicious software
Unintentional:
– Hardware/software failure
– Human error
Policies
Levels of information
– Restricted (release would cause serious damage)
– Company Confidential (covered by nondisclosure agreements)
– Internal use only (business purpose, as needed)
– Public
Classes of Service (relative importance to day-to-day operations, listed from most to least critical)
– Production, mission critical
– Production, non-mission-critical
– Developmental
– Experimental/prototype
Security measures
Technical (p. 838)
– Access controls, passwords, biometrics, firewalls…
Nontechnical (p. 839)
– Policies for use, physical access, insurance, recovery plans…
Enterprise Security Challenges
Client-server systems
– Versus old mainframes
Networks & internet
– Virtual private networking (VPN)
Interconnected customer & vendor
– Encryption, key certificates, digital signatures
Enforcement (Ch. 44)
Create enforceable policy
– Explicit
– Implementable within technical limitations
– Balanced, not extreme
– Spell out consequences
– Define escalation procedures (chain of command; reporting number to call?)
– Clear acceptable-use policy, signed by employee
Enforceable policy, cont’d
Notification of proprietary nature of systems
– Essential for a criminal case
Actions to take if intrusion is suspected
– Plan spelled out in advance
After infraction occurs
Documenting the “crime scene”
– Circumstances
– Define the bounds
Do not contact the suspect
– May rule out police involvement
Create backup
Assure system integrity
Assess the damage
– Quantifiable??
Approach law enforcement officials
E-Commerce Security (Ch. 45)
Architectures
– Traditional: single-enterprise network
– Demilitarized zone (DMZ) with mail & web servers
– Layered architectures: a fundamental restructuring, with multiple firewalls within the network
Critical security measures
Firewalls
– Filter traffic by rule; application-level firewalls also inspect for suspicious strings/commands
– Hardware or software based
Intrusion detection & response software
Encryption
– SSL widely used for e-commerce
– Assurance that:
  Message cannot be read if intercepted
  Message has not been tampered with
  The party you connect to is who you think it is (its certificate is checked)
  Appropriate where parties are strangers
Critical security measures, cont’d.
Authentication
– E.g., your bank; shared secret, etc.
– Relevant to both parties: are you really dealing with your bank?!
Access control
– E.g., different clerks approve vs. make payments (separation of duties)
Host hardening
Vulnerability testing
Digital Signatures (Ch. 46)
Public key cryptography
– Anyone holding the public key can verify the signature
– Only the person with the private key can create it
Provides authentication and integrity, not privacy: the signed message itself remains readable
Digital certificates needed to identify who the creator is
– Certification authority must be trusted (like a notary)
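As an added example (not from the Roehl-Anderson/Bragg text or these slides), the Go program below works through the points on this slide and the "are you really dealing with your bank?" question from the authentication slide: a signature that anyone with the public key can verify but only the private-key holder can create, a signed message that stays readable plaintext, and a certificate that identifies its subject only to parties who trust the issuing CA (the notary analogy). It uses ECDSA over P-256, since the slides name no algorithm; the payment message, the CA name "Example Notary CA" and the host name "bank.example" are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a P-256 key pair; this only fails if the OS random source is unavailable.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign hashes msg with SHA-256 and signs the digest; only the private-key holder can do this.
func sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// verify checks sig over msg using nothing but the signer's public key, which anyone may hold.
func verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// demoSignature signs a constructed payment instruction and reports whether the genuine
// message, an altered copy, and a check under an impostor's key pass verification.
func demoSignature() (genuine, tampered, wrongKey bool, err error) {
	signer, impostor := newKey(), newKey()
	// Constructed sample message. It travels as readable plaintext: a signature adds no privacy.
	msg := []byte("Pay vendor 4471 the sum of $12,500.00 on 2004-06-30")
	sig, err := sign(signer, msg)
	if err != nil {
		return
	}
	genuine = verify(&signer.PublicKey, msg, sig) // true
	altered := []byte("Pay vendor 4471 the sum of $92,500.00 on 2004-06-30")
	tampered = verify(&signer.PublicKey, altered, sig) // false: integrity check fails
	wrongKey = verify(&impostor.PublicKey, msg, sig)   // false: signature is bound to the signer's key
	return
}

// issue builds a certificate for pub, signed with the CA's private key over the parent certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// demoCertificate has a hypothetical CA ("Example Notary CA") certify a hypothetical bank host
// ("bank.example"), then verifies that certificate with and without trusting the CA.
func demoCertificate() (trusted, untrusted bool, err error) {
	now := time.Now()
	caKey, bankKey := newKey(), newKey()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Notary CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caCert, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	if err != nil {
		return
	}
	bankCert, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "bank.example"},
		DNSNames:  []string{"bank.example"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
	}, caCert, &bankKey.PublicKey, caKey)
	if err != nil {
		return
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, e := bankCert.Verify(x509.VerifyOptions{DNSName: "bank.example", Roots: roots})
	trusted = e == nil // true: the chain ends in a CA we chose to trust
	// An empty (non-nil) pool means "trust no CA": the very same certificate now proves nothing.
	_, e = bankCert.Verify(x509.VerifyOptions{DNSName: "bank.example", Roots: x509.NewCertPool()})
	untrusted = e == nil // false
	return
}

func main() {
	g, t, w, err := demoSignature()
	fmt.Println("genuine:", g, "tampered:", t, "wrong key:", w, "err:", err)
	tr, un, err := demoCertificate()
	fmt.Println("trusted CA:", tr, "unknown CA:", un, "err:", err)
}
```

Run with `go run`: the signature demo reports genuine true, tampered false and wrong key false, and the certificate demo reports trusted CA true and unknown CA false. The second certificate check is the point behind "are you really dealing with your bank?": the bank's certificate is only as good as the browser's or application's decision to trust the CA that issued it.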
What drives adoption of digital signatures?
Internet increasingly used for commerce
– vs. expensive dedicated lines
Useful even internally
…but legal status still hazy
Let’s go phishing…
http://www.profbailey.com/ACCT7320/phishing.htm