l9 - Security

Transcript of l9 - Security

  • 8/3/2019 l9 - Security

    1/20

    SECURITY & ETHICAL ISSUES

  • 2/20

    4/29/2012 2

    ISSUES & CONCERNS

    Information systems are all encompassing

    They contain enormous amounts of organizational assets (they process all kinds of data)

    H-ware & S-ware are valuable assets in themselves

    Contain vital information

    Contain sensitive personal & private information which should not be viewed by unauthorized personnel

  • 3/20

    WHAT TO SECURE?

    Control the loss of assets

    Ensure integrity & reliability of data

    Improve efficiency / effectiveness of the data

    To ensure all these, the manager must make sure that all risks are identified and appropriate security controls applied

  • 4/20

    DANGERS

    Natural disasters

    Thieves

    Industrial spies

    Disgruntled employees

    Computer viruses

    Accidents

    Poorly trained & naive employees

  • 5/20

    RISK

    Could be total or partial monetary loss due to loss of information

    Manager needs to understand & calculate the cost of securing a system against the money lost if it is harmed

    Compute the loss that could occur with the probability of the occurrence

    Basic question is how will the organization respond to a specific loss (i.e. how valuable is the asset)

    Potential loss due to loss of data or an inaccurate system, which produces incorrect reports.
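The loss-times-probability calculation from the RISK slide, carried through in code so the cost of a control can be set against the money it saves. This is an added example, not part of the lecture; the threat figures are constructed, and the model in which a control lowers the probability of the threat (leaving a residual probability) rather than the size of the loss is an assumption of the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One of the dangers from the slides, with constructed figures."""
    name: str
    loss_if_it_occurs: float   # money lost in a single incident
    annual_probability: float  # chance of at least one incident per year


def expected_annual_loss(threat: Threat) -> float:
    """Loss that could occur, weighted by the probability of its occurrence."""
    if not 0.0 <= threat.annual_probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    return threat.loss_if_it_occurs * threat.annual_probability


def control_net_benefit(threat: Threat, annual_control_cost: float,
                        residual_probability: float) -> float:
    """Yearly saving from a control after paying for it.

    residual_probability is what remains once the control is in place
    (assumption: the control lowers likelihood, not the size of the loss).
    A negative result means the control costs more than the loss it prevents.
    """
    if residual_probability > threat.annual_probability:
        raise ValueError("a control cannot make the threat more likely")
    after = Threat(threat.name, threat.loss_if_it_occurs, residual_probability)
    return (expected_annual_loss(threat) - expected_annual_loss(after)
            - annual_control_cost)


def rank_by_expected_loss(threats):
    """Order threats so the manager sees the costliest first."""
    return sorted(threats, key=expected_annual_loss, reverse=True)


# Constructed sample figures for two dangers named on the slides.
FLOOD = Threat("flood in server room", 200_000.0, 0.05)
VIRUS = Threat("virus outbreak", 40_000.0, 0.50)

if __name__ == "__main__":
    for t in rank_by_expected_loss([FLOOD, VIRUS]):
        print(f"{t.name}: expected annual loss {expected_annual_loss(t):,.0f}")
    # Assumed control: systems on a higher floor, 3,000 per year, flood
    # probability falls to 0.005.
    print("net benefit of higher floor:", control_net_benefit(FLOOD, 3_000.0, 0.005))
```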

  • 6/20

    COMMON CONTROLS

    Physical controls: locks on doors, keyboards etc. Also ways to control natural threats from heat, dust, fire etc.

    Electronic controls: heat, motion, humidity sensors, log-on ID, passwords, hand / voice / retina print controls

    Software controls: programming code to prevent errors, controls on login beyond working hours, monitor who logs on and when

    Management controls: enforced backups, necessary employee training

    Some of these may be simple, implemented by the manager, but others may require specialists

  • 7/20

    NATURAL DISASTERS

    Floods, water damage, earthquakes, tornadoes, hurricanes, wind & storm damage

    Disaster prevention

    Backup power supplies, special building materials & locations, drainage systems or special construction

    Disaster containment

    Contingency plans in place, in case something happens

    Hot site recovery firms provide computer facilities for others which can be used almost immediately

  • 8/20

    EMPLOYEE ERRORS

    Accidental formatting of hard disk instead of floppy

    Incorrect data entry (price, or salary etc.) which might be connected to many files & programs, compounding the error

    Logical errors, like rounding off of whole numbers, on spreadsheets resulting in major losses

    COMPUTER CRIMES LIKE FRAUD, FORGERY & THEFT CAN HAPPEN FROM WITHIN THE ORGANIZATION OR FROM OUTSIDE

  • 9/20

    INDUSTRIAL ESPIONAGE

    Using scanners or phone taps to get faxes of important documents

    Dial-in access can be misused by spies

    Laptops or notebooks could be physically stolen to capture the data they contain

  • 10/20

    HACKING

    Unauthorized entry into computer systems

    Infecting the system by sending a virus, stealing data, damaging it or vandalizing it

  • 11/20

    COMPUTER VIRUSES

    A virus is a hidden program that inserts itself into your computer system and forces the system to clone it. It can travel over the network to all other computers connected to it.

    Some viruses disguise themselves as utility programs

    May result in modifying data, erasing files, formatting disks

    Infection can come through email, or through any website

    Some viruses may lie dormant and start reproducing at a particular time

    Best way to counter them is to use more than one anti-virus program, and regularly upgrade them

  • 12/20

    H-WARE, S-WARE THEFT

    Any loss of hardware means loss of data on the h-ware as well. This could be many times more than the cost of the h-ware that was stolen

    Software piracy is rampant in many countries. Also many individuals indulge in it by copying programs from office for home use, without registering

  • 13/20

    PRIVACY VIOLATIONS

    Privacy is the capacity of individuals or organizations to control information about themselves. Privacy rights imply that the types and amount of data that may be collected about individuals or organizations is limited; that individuals & organizations have the ability to access, examine & correct the data stored about them; and that disclosure, use or dissemination of those data is limited

    Privacy also includes e-mail messages

    EDI is also an issue, as it contains important financial information

    Hard copies should be shredded & disks demagnetized & shredded

    Automatic screen blanking to ensure that no one passing by can view the screen of a computer left running

  • 14/20

    SECURING INFO SYSTEM FACILITIES

    Systems on higher floors

    Install pumps for water

    Backup at another site

    Buy insurance

    Special construction

    Store info off-site

    Fire extinguishers, smoke detectors

    Surge protectors

    Humidifiers

    UPS

    Orderly shut downs

    Dedicated power lines for major computer systems

    Waterproof covers

    Air filters / conditioners

    Window bars & proper locks

    Alarm systems, CCTVs

    Security guards

    Bond employees

    Screen job applicants

    Develop procedures for disgruntled employees

    Use ID, passwords

  • 15/20

    COMMUNICATION SYSTEMS

    Line conditioning / shielding

    Error detection & correction methods

    Redundant lines & backup transmission lines

    Archived files

    Firewalls

    Auditing software

    Insurance

    Log of h-ware & line failures

    User ID, passwords

    Modem dial-back

    Access logs of users & terminals, including invalid access logs

    Lockout after hours

    Encryption of transmitted passwords

    Encrypted data transmission

    Restrict access to other file directories & files

    Terminals in secure areas

    Train comm. employees

    Enforce info sys compatibility standards
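The software control described on the COMMON CONTROLS slide (refuse logins beyond working hours and monitor who logs on and when), together with the "lockout after hours" and invalid-access-log items on the COMMUNICATION SYSTEMS slide above, written out as one added example that is not from the lecture. The working hours, user IDs, terminal names and timestamps are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, time

WORK_START = time(8, 0)          # assumed working hours, Monday to Friday
WORK_END = time(18, 0)
KNOWN_USERS = {"asha", "ravi"}   # constructed user IDs


@dataclass(frozen=True)
class LogEntry:
    when: datetime
    user: str
    terminal: str
    outcome: str   # "ok", "unknown-user" or "after-hours"


class LogonControl:
    def __init__(self):
        self.log = []

    def attempt(self, user: str, terminal: str, when_iso: str) -> bool:
        """Decide one logon; when_iso is a timestamp such as '2012-04-30T10:00'."""
        when = datetime.fromisoformat(when_iso)
        if user not in KNOWN_USERS:
            outcome = "unknown-user"
        elif when.weekday() >= 5 or not WORK_START <= when.time() < WORK_END:
            outcome = "after-hours"   # lockout after hours
        else:
            outcome = "ok"
        # Logged whatever the outcome: invalid attempts are kept for review.
        self.log.append(LogEntry(when, user, terminal, outcome))
        return outcome == "ok"

    def invalid_attempts(self):
        return [e for e in self.log if e.outcome != "ok"]

    def invalid_count_by_terminal(self):
        # Which terminals keep producing refused logons.
        counts = {}
        for e in self.invalid_attempts():
            counts[e.terminal] = counts.get(e.terminal, 0) + 1
        return counts


if __name__ == "__main__":
    ctl = LogonControl()
    ctl.attempt("asha", "T1", "2012-04-30T10:00")      # Monday morning, allowed
    ctl.attempt("ravi", "T2", "2012-04-30T20:30")      # evening, refused
    ctl.attempt("mallory", "T2", "2012-04-29T11:00")   # unknown user, refused
    print(ctl.invalid_count_by_terminal())
```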

  • 16/20

    SECURING INFORMATION SYSTEMS

    Make or buy

    Compare costs

    Compare functions

    Compare installation & implementation

    Check maintenance & upgrading - how and when, and how secure is it

    What if vendor goes out of business

    What if vendor is bought by a competitor

  • 17/20

    TESTING & EVALUATING S-WARE

    Appropriateness: how suitable to the company's requirements

    Stability: compatible with all possible platforms

    Security features: automatic backups, encryption, decryption, password protection

    Access & update security: restrict access & control fraudulent changes in code

    Input / output controls: data validation, GIGO - reduces input of inaccurate data or re-entry

    Outputs should reach the right person & not unauthorized ones

    Process controls: faulty logic or other incorrect formulae

    Cured by exception reports, end of file checks, sequence checks

  • 18/20

    ETHICAL / PRIVACY ISSUES

    Ethics is the moral quality of a course of action, mostly illegal behavior

    Copying copyrighted software

    Privacy deals with how personal data is used

    Reading others' email

    Selling data to others

    Using data for purposes other than actually meant for

  • 19/20

    Thank you

  • 20/20

    Practice Questions

    Q1. List and explain the common threats to computer systems

    Q2. Explain how client / server information systems can help managers

    Q3. Give some recommendations for managing passwords

    Q4. What is a virus, and what is hacking?

    Q5. List the common threats and controls for information technology