Management Information Systems: Information Security Management, Chapter 12
Posted on 20-Dec-2015
1
Management Information Systems
Information Security Management
Chapter 12
2
This Could Happen to You
Emerson Pharmaceuticals
  $800M in sales
  200-person IT department
DSI
  $50M in sales
  1-person IT department
  No in-house software development
Why the difference?
  Directors and project managers at DSI are knowledgeable in IT
  Support users at DSI want only reliable IT infrastructure
  DSI has a wired/wireless LAN with two servers
What about security?
3
Study Questions
Q1. What are the sources and types of security threats?
Q2. What are the elements of a security program?
Q3. How can technical safeguards protect against security threats?
Q4. How can data safeguards protect against security threats?
Q5. How can human safeguards protect against security threats?
Q6. What is necessary for disaster preparedness?
Q7. How should organizations respond to security incidents?
4
Q1. Sources of Security Threats (1)
Human errors and mistakes
  Accidental problems
  Poorly written programs
  Poorly designed procedures
  Physical accidents
Malicious human activity
  Intentional destruction of data
  Destroying system components
  Hackers
  Virus and worm writers
  Criminals
  Terrorists
5
Sources of Security Threats (2)
Natural events and disasters
  Fires, floods, hurricanes, earthquakes, tsunamis, avalanches, tornados
  Initial losses of capability
  Losses from recovery actions
6
Security Threats
7
Types of Problems (1)
Unauthorized data disclosure
  Human error
    Posting private information in a public place
    Placing restricted information on searchable Web sites
    Inadvertent disclosure
  Malicious release
    Pretexting
    Phishing
    Spoofing
    Sniffing
    Breaking into networks
8
Types of Problems (2)
Incorrect data modifications
  Human errors
    Incorrect entries and information
    Procedural problems
  Systems errors
    Hacking
    Faulty recovery actions
Faulty service
  Incorrect systems operations
  Usurpation
9
Types of Problems (3)
Denial of service (DoS)
  Human error
  Attacks
Loss of infrastructure
  Accidental
  Theft
  Terrorism
  Natural disasters
10
MIS in Use: Phishing for Credit Card Accounts
Phishing
  Operation that spoofs legitimate companies in an attempt to get credit card information, driver's licenses, and other data
  Usually initiated by an e-mail request
  Designed to cause you to click
  Asks for personal data
  May install spyware, malware, adware
Defenses
  Know your purchases and deal directly with vendors
  Judge the plausibility of the e-mail
  Don't be misled by legitimate-looking graphics and addresses
11
Q2. Elements of a Security Program
Senior management involvement
  Must establish a security policy
  Manage risk: balance costs and benefits
Safeguards
  Protections against security threats
Incident response
  Must be planned for prior to incidents
12
Security Safeguards and the Five Components
13
Q3. Technical Safeguards (1)
Involves hardware and software components
User names and passwords
  Identification
  Authentication
Smart cards
  Personal identification number (PIN)
Biometric authentication
  Fingerprints, facial scans, retina scans
Single sign-on
14
Technical Safeguards (2)
Malware
  Viruses
  Worms
  Trojan horses
  Spyware programs
  Adware
Malware safeguards
  Antivirus and anti-spyware programs
  Scan hard drive and e-mail
  Update definitions
  Open e-mail attachments only from known sources
  Install updates promptly
  Browse only reputable Web sites
15
Technical Safeguards
16
Spyware and Adware
17
Malware Survey Results
18
Q4. Security Threat Protection by Data Safeguards
Data administration
  Organization-wide function
  Develops data policies
  Enforces data standards
Database administration
  Database function
  Procedures for multi-user processing
  Change control over structure
  Protection of the database
19
Data Safeguards
Encryption keys
  Key escrow
Backup copies
  Store off-premise
  Check validity
Physical security
  Lock and control access to facility
  Maintain entry log
Third-party contracts
  Safeguards are written into contracts
  Right to inspect premises and interview personnel
20
Data Safeguards
21
Q5. Human Safeguards (1)
People and procedure components
Access restriction requires authentication and account management
User account considerations
  Define job tasks and responsibilities
  Separate duties and authorities
  Grant the least possible privileges
  Document security sensitivity
Hiring and screening employees
22
Human Safeguards (2)
Employees need to be made aware of policies and procedures
  Employee security training
Enforcement of policies
  Define responsibilities
  Hold employees accountable
  Encourage compliance
  Management attitude is crucial
Create policies and procedures for employee termination
  Protect against malicious actions in unfriendly terminations
  Remove user accounts and passwords
23
Security Safeguard Rules for Internal Personnel
24
Non-Employee Personnel
Temporary personnel and vendors
  Screen personnel
  Training and compliance
  Contract should include specific security provisions
  Provide accounts and passwords with the least privileges
Public users
  Harden Web site and facility
  Take extraordinary measures to reduce the system's vulnerability
Partners and public that receive benefits from the system
  Protect these users from internal company security problems
25
Account Administration
Account management procedures
  Creation of new accounts, modification of existing accounts, removal of terminated accounts
Password management
  Acknowledgment forms
  Change passwords frequently
Help-desk policies
  Authentication of users who have lost their password
  Passwords should not be e-mailed
26
Sample Account Acknowledgment Form
27
Guide: Metasecurity
Metadata is data about data
Securing the security system
  Accounting controls
  Storage of account and password files
  Encryption and keys: use temporary keys
  Encourage reporting of flaws
  Using white hats
    Do you trust them?
    What do you do with them when they've completed their check of the system?
  Code control
28
Information Systems Safety Procedures
Procedure types
  Normal operations
  Backup
  Recovery
Should be standardized for each procedure type
Each procedure type should be defined for both system users and operations personnel
  Different duties and responsibilities
  Varying needs and goals
29
System Procedures
30
Security Monitoring
Activity log analyses
  Firewall logs
  DBMS log-in records
  Web server logs
Security testing
  In-house and external security professionals
Investigation of incidents
  How did the problem occur?
Lessons learned
  Indication of potential vulnerability and corrective actions
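As an added example that is not part of the chapter's slides, the Python script below shows what an activity-log analysis from this slide can look like in practice: it parses constructed web-server and DBMS log-in records (all addresses, names and timestamps are made up) and flags a source address with repeated authentication failures inside a short window, the kind of finding that feeds the incident investigation and lessons-learned steps above.

```python
# Added example (not from the chapter): activity-log analysis as a security
# monitoring step. It scans constructed web-server and DBMS log-in records for
# repeated authentication failures from one source, a simple indicator to escalate.
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines: Common Log Format web log, and "date time user@host status" DBMS log.
WEB_LOG = """\
198.51.100.7 - - [20/Dec/2015:10:01:02 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [20/Dec/2015:10:01:05 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [20/Dec/2015:10:01:09 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [20/Dec/2015:10:01:14 +0000] "POST /login HTTP/1.1" 200 2048
203.0.113.5 - - [20/Dec/2015:10:30:00 +0000] "GET /index.html HTTP/1.1" 200 4096
"""
DB_LOG = """\
2015-12-20 11:00:00 sales@198.51.100.7 FAILED
2015-12-20 11:00:04 sales@198.51.100.7 FAILED
2015-12-20 11:00:10 sales@198.51.100.7 FAILED
2015-12-20 14:15:00 admin@10.0.0.2 OK
"""
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3})')
DB_RE = re.compile(r'^(\S+ \S+) (\S+)@(\S+) (FAILED|OK)$')

def parse_failures(web_log, db_log):
    """Return (source_ip, timestamp) pairs for every failed authentication."""
    events = []
    for line in web_log.splitlines():            # HTTP 401 = rejected login
        m = WEB_RE.match(line)
        if m and m.group(3) == "401":
            ts = datetime.strptime(m.group(2).split()[0], "%d/%b/%Y:%H:%M:%S")
            events.append((m.group(1), ts))
    for line in db_log.splitlines():             # DBMS records its own verdict
        m = DB_RE.match(line)
        if m and m.group(4) == "FAILED":
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((m.group(3), ts))
    return events

def repeated_failures(events, threshold=3, window=timedelta(minutes=1)):
    """Map each source IP with >= threshold failures in one window to its total failures."""
    by_ip = defaultdict(list)
    for ip, ts in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):   # sliding window over sorted times
            if times[i + threshold - 1] - times[i] <= window:
                flagged[ip] = len(times)
                break
    return flagged
```

Run over the sample data, the only flagged source is 198.51.100.7, which fails three times against the web login and three times against the DBMS; the successful web login that follows the failures is the detail an investigator would look at first.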
31
Q6. Disaster Preparedness
Disaster
  Substantial loss of infrastructure caused by acts of nature, crime, or terrorism
Best safeguard is the location of infrastructure
Backup processing centers at a geographically removed site
Create backups for critical resources
  Hot and cold sites
Train and rehearse cutover of operations
32
Q7. Incident Response
Organization must have a plan
  Detail reporting and response
Centralized reporting of incidents
  Allows for application of specialized expertise
Speed is of the essence
  Preparation pays off
  Identify critical employees and contact numbers
Training is vital
  Practice incident response
33
How Does Knowledge from This Chapter Help You at DSI?
Use it personally
  Limit DSI's exposure
  Limit your own exposure
  Create strong passwords
Follow appropriate data procedures
  Do not store sensitive data on your computer
  Limit data on laptops
Recognize phishing attacks
Send information on disaster preparedness and incident response to management