Information Systems, Security, and e-Commerce*

ACCT7320, Controllership

C. Bailey

*Ch. 43-46 in Controllership: The Work of the Managerial Accountant, by Janice M. Roehl-Anderson, Steven M. Bragg, 7th Edition, 2004.

Page 2

Information Security Systems: Risk Analysis Process

Page 3

Controller’s Role in Information Security (p. 841)

Establishing top-level information protection goals
Monitoring compliance to security standards and policies
Assessing the risk to mission-critical systems
– Balancing costs, benefits
Participating in the investigation of security incidents
– Including evaluation of loss or impact

Page 4

Goals concerning data

Confidentiality
Integrity
Availability

Page 5

Types of threats

Intentional:
– Unauthorized access by outsider
– Unauthorized access by insider
– Malicious software
Unintentional:
– Hardware/software failure
– Human error

Page 6

Policies

Levels of information
– Restricted (release would cause serious damage)
– Company Confidential (nondisclosure agreements)
– Internal use only (business purpose, as needed)
– Public
Classes of Service (relative importance to day-to-day operations)
– Production—mission critical
– Production—non-mission-critical
– Developmental
– Experimental/prototype
(Less critical toward the bottom of the list)

Page 7

Security measures

Technical (p. 838)
– Access controls, passwords, biometrics, firewalls…
Nontechnical (p. 839)
– Policies for use, physical access, insurance, recovery plans…

Page 8

Enterprise Security Challenges

Client server systems
– Versus old mainframes
Networks & internet
– Virtual private networking (VPN)
Interconnected customer & vendor
– Encryption, key certificates, digital signatures

Page 9

Enforcement (Ch. 44)

Create enforceable policy
– Explicit
– Implementable within tech limitations
– Balanced, not extreme
– Spell out consequences
– Define escalation procedures (chain of command; reporting number to call?)
– Clear acceptable-use policy, signed by employee

Page 10

Enforceable policy, cont’d

Notification of proprietary nature of systems
– Essential for criminal case
Actions to take if intrusion is suspected
– Plan spelled out

Page 11

After infraction occurs

Documenting the “crime scene”
– Circumstances
– Define the bounds
Do not contact the suspect
– May rule out police involvement
Create backup
Assure system integrity
Assess the damage
– Quantifiable??
Approach law enforcement officials

Page 12

E-Commerce Security (Ch. 45)

Architectures
– Traditional; single-enterprise network
– Demilitarized zone w/mail & web servers
– Layered architectures: a fundamental restructuring; multiple firewalls within the network

Page 13

Critical security measures

Firewalls
– Monitors for suspicious strings/commands
– Hardware or software based
Intrusion detection & response software
Encryption
– SSL widely used for e-commerce
– Assurance that: message not intercepted; not tampered with; person is who you think they are
– Appropriate where parties are strangers

Page 14

Critical security measures, cont’d.

Authentication
– E.g., your bank; shared secret, etc.
– Relevant to both parties: are you really dealing with your bank?!
Access control
– E.g., different clerks can approve, make payments
Host hardening
Vulnerability testing

Page 15

Digital Signatures (Ch. 46)

Public key cryptology
– Anyone can decode the message
– Only the person with the private key can create it.
Does not provide privacy, just authentication
Digital certificates needed to identify who the creator is
– Certification authority must be trusted (like notary)
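The three points on this slide (only the private key can create a signature, the signature hides nothing, and a trusted certification authority must vouch for whose key it is) in working code. This is an added example, not from the slides or the textbook; the `Certificate` type, the vendor name and the purchase-order text are constructed stand-ins for a real X.509 certificate and a real message.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Certificate is a constructed, minimal stand-in for an X.509 certificate:
// a certification authority's signature over (name, public key) binds the two.
type Certificate struct {
	Name   string
	PubKey ed25519.PublicKey
	CASig  []byte
}

// certPayload is the byte string the CA signs when it vouches for a key.
func certPayload(name string, pub ed25519.PublicKey) []byte {
	return append([]byte(name+"|"), pub...)
}

// IssueCert lets the certification authority (the "notary") vouch that pub belongs to name.
func IssueCert(caPriv ed25519.PrivateKey, name string, pub ed25519.PublicKey) Certificate {
	return Certificate{Name: name, PubKey: pub, CASig: ed25519.Sign(caPriv, certPayload(name, pub))}
}

// VerifySigned accepts a message only if (1) a CA we trust issued the certificate
// and (2) the signature verifies under the certificate's public key.
// The message itself stays readable: a signature authenticates, it does not hide.
func VerifySigned(caPub ed25519.PublicKey, cert Certificate, msg, sig []byte) bool {
	if !ed25519.Verify(caPub, certPayload(cert.Name, cert.PubKey), cert.CASig) {
		return false // certificate was not vouched for by our trusted CA
	}
	return ed25519.Verify(cert.PubKey, msg, sig)
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)         // the trusted CA
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader) // a vendor's key pair
	cert := IssueCert(caPriv, "Acme Supplies (hypothetical)", vendorPub)

	msg := []byte("PO 1001: 40 units @ $12.50") // constructed sample purchase order
	sig := ed25519.Sign(vendorPriv, msg)         // only the private key can create this
	fmt.Println("message in the clear:", string(msg))
	fmt.Println("authentic:", VerifySigned(caPub, cert, msg, sig))
	// Altering one figure invalidates the signature (integrity).
	fmt.Println("tampered:", VerifySigned(caPub, cert, []byte("PO 1001: 40 units @ $2.50"), sig))
	// A certificate from a CA nobody trusts is rejected, whatever name it claims.
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("untrusted CA:", VerifySigned(caPub, IssueCert(roguePriv, "Acme Supplies (hypothetical)", vendorPub), msg, sig))
}
```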

Page 16

What drives adoption of digital signatures?

Internet increasingly used for commerce
– vs. expensive dedicated lines
Useful even internally
…but legal status still hazy

Page 17

Let’s go phishing…

http://www.profbailey.com/ACCT7320/phishing.htm