Posted on 20-Dec-2015
IS Security Control & Management

Overview
– Why worry?
– Sources, frequency and severity of problems
– Risks to computerized vs. manual systems
– Purpose of control mechanisms
– Types of controls: General & Application
– Developing and managing control systems
Why Worry?
– Computer viruses: rogue software programs that are difficult to detect and that spread rapidly through computer systems, destroying data or disrupting processing and memory systems
  • Example: ILOVEYOU virus
– Hackers: people who gain unauthorized access
Why Worry?
– Information system outages: studies show that:
  • companies would sustain critical loss of business operations within 15 days of an information system outage
  • at that point, firms would have less than a 25% chance of ever recovering
Need for Information System Audits
– Continuous improvement in hardware performance and capabilities
– Decreasing hardware costs
– Availability of application and database software with more functionality
– Advances in communication
– Sophistication of users
– Demand for greater control of information
Management’s Concerns Regarding Information Systems
– Loss or misstatement of data
– Unauthorized access to data
– Loss of confidentiality of data
– Fraud
– Errors and omissions
– Computer downtime/damage
– Corruption of data
Threats to Systems
– Natural disasters
– Sabotage and theft
– Operational errors
– Upgrades & conversions (including fixes!)
Primary Concerns by Disaster Type

Type of Disaster                                         Areas of Concern
Natural                                                  Safety, business assets, business continuity
Sabotage or theft (internal or external)                 Business assets, business continuity
Misfortune (user error, upgrades, system malfunctions)   Business continuity, business assets
Natural Disasters
– Broader impact than other types
  • business and employees both impacted
  • typically many systems fail at once
  • often others in the area have the same problems and are therefore seeking the same resources for recovery
– Focus on the reasonability of backup and recovery plans
Sabotage or Theft
– Points of risk
  • Layoffs and firings
  • Mergers & reorganizations
– In Fortune 500 companies with over 1,000 laptops, 14 are lost per year
– Often not covered by insurance
– Data loss is worse than equipment loss
Operational Errors
– Hardware failures
  • Risks with outdated hardware
  • Impact on e-commerce activities
  • Reliance on network connections
– User-generated failures (32% of all data losses involving disks and tapes are caused by user errors)
– Mistakes made in attempts to recover lost or damaged data
Upgrades and Conversions
– The solution causes the problem!
– Problems with suppliers and buyers
– Time lost in conversions is often not considered in the cost of “upgrades”
Severity of Problems: The Firm
In 1997, NationsBank, the 4th largest bank in the U.S. at the time, reviewed its vulnerability and estimated its exposure as:
– $50 million in financial losses
– for an interruption of more than 24 hours
– where existing plans would take 2-5 days to restore operations
Severity of Problems: The Individual
A Fortune 500 CFO lost five years’ worth of accounting and stockholder data on a Friday afternoon; he needed it on Monday for an annual stockholders’ meeting.
Twice-daily backups didn’t help: the backup media had never been tested. When it was proven to be faulty, the CFO thought his career was over.
Data recovery specialists managed to rescue the information in time for the CFO’s Monday morning presentation.
System Vulnerability
– Complex IS cannot be easily replicated manually
– Once an IS has been built, it can be hard to decipher its processes again
– The probability of disasters is the same, but the impact may be greater with IS failures
– Security in a networked system is significantly more complicated
Quality Assurance vs. Control
– Quality assurance: the prevention of errors
– Quality control: the identification of errors after they occur
– Data vs. system quality
  • Is the information stored and secured correctly?
  • Are things processed correctly?
Quality Assurance in IS
– Use of appropriate methods & documentation
– Test plans & testing
– Complete the circle with customer & employee feedback
– Communication, communication, communication
Cost to Fix Mistakes After Implementation versus Before
Testing Approaches
– Test plans
– Manual approaches
  • Usability tests (handout)
  • Testers vs. users as guinea pigs!
– Automated testing
  • Main benefits: simulation of large volumes of users; can be run on many configurations of hardware
  • Requires tools & expertise
Testing and Quality
– Types of testing: Unit, System, Acceptance
– Inability to prove correctness
– At design phase: test with walkthrough
  • Is it what they want?
– During construction: debugging
– Pre-implementation: verify goals met
Purpose of Control Mechanisms
– Reduce the risk of loss of business continuity and of legal liability through controls
– Methods, policies, and organizational procedures that assure:
  • Safety of organizational assets
  • Accuracy & reliability of records
  • Adherence to organizational standards
Types of Controls
– General controls
  • Design, security & use of IS
  • Accomplished through system software and manual procedures
– Application controls
  • Specific to given applications
  • Accomplished through application software
General Controls
– Controls over system development processes
– Software system level controls
– Hardware controls (secure & accurate)
– Computer operations controls
– Data security controls
– Administrative controls (segregation of functions, adherence to policies, etc.)
Application Controls
Based on the I-P-O (input-process-output) model
– Input controls
  • Control totals, data validations, authorization
– Processing controls
  • Run control totals and “computer matching” of values (redundancy checks)
– Output controls
  • Reconciliation and appropriate distribution of information
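The three layers of application controls above, worked through on a constructed batch of account postings. This is an added example, not code from the slides; the clerk list, account numbers and balances are made up, and a posting is accepted only when its batch passes the input controls, matches the master file during processing, and reconciles at output.

```python
from dataclasses import dataclass

AUTHORIZED_CLERKS = {"clerk-17", "clerk-22"}   # constructed list of clerks allowed to submit batches
MASTER = {"10000001": 50_000, "10000002": 12_500, "10000003": 0}  # constructed ledger, cents
@dataclass
class Batch:
    submitted_by: str
    declared_count: int    # control total: number of records the clerk keyed
    declared_amount: int   # control total: sum of the amounts keyed, in cents
    records: list          # (account_id, amount_cents) tuples
def input_controls(batch):
    """Input controls: authorization, field validation, batch control totals."""
    errors = []
    if batch.submitted_by not in AUTHORIZED_CLERKS:
        errors.append("unauthorized submitter")
    for acct, amount in batch.records:
        if not (acct.isdigit() and len(acct) == 8):
            errors.append(f"invalid account id {acct}")
        if not isinstance(amount, int) or amount <= 0:
            errors.append(f"invalid amount for {acct}")
    if len(batch.records) != batch.declared_count:
        errors.append("record count differs from control total")
    if sum(a for _, a in batch.records if isinstance(a, int)) != batch.declared_amount:
        errors.append("amount total differs from control total")
    return errors

def processing_controls(batch, master):
    """Processing controls: match each posting to the master file (redundancy check)
    and carry a run-to-run total forward to the output stage."""
    ledger, run_total, rejected = dict(master), 0, []
    for acct, amount in batch.records:
        if acct not in ledger:          # no matching master record: reject, do not post
            rejected.append(acct)
            continue
        ledger[acct] += amount
        run_total += amount
    return ledger, run_total, rejected

def output_controls(batch, master, ledger, run_total, rejected):
    """Output controls: reconcile opening balances + run total to closing balances."""
    posted = batch.declared_amount - sum(a for acct, a in batch.records if acct in rejected)
    reconciled = sum(master.values()) + run_total == sum(ledger.values()) and run_total == posted
    return {"reconciled": reconciled, "posted_cents": run_total, "rejected": rejected}

def run_batch(batch, master=MASTER):
    errors = input_controls(batch)
    if errors:
        return {"accepted": False, "errors": errors}
    ledger, run_total, rejected = processing_controls(batch, master)
    return {"accepted": True, **output_controls(batch, master, ledger, run_total, rejected)}
```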
Developing Control Systems
– Risk analysis and assessment
  • Financial valuations of business interruptions
  • Non-financial valuations: legal & regulatory compliance; other benefits
– Need for upper management support
Risk Analysis Steps
– Identifying and valuing assets;
– Identifying threats (whether caused by people or natural disasters);
– Identifying vulnerabilities (i.e., design, configurations, or procedures that make assets subject to threats);
– Estimating risks (calculating probabilities);
– Calculating statistically expected losses; and
– Identifying potential protective measures.
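The six risk-analysis steps above carried through as an annual expected-loss calculation over a small risk register. This is an added example, not from the slides; every asset value, probability, loss fraction and safeguard cost is a constructed figure, and the model assumes a safeguard acts only by reducing the probability of the one threat it addresses.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Exposure:
    asset: str                    # step 1: identified and valued asset
    asset_value: float            # dollars
    threat: str                   # step 2: threat, caused by people or nature
    vulnerability: str            # step 3: why the asset is subject to the threat
    annual_probability: float     # step 4: estimated likelihood per year
    loss_fraction: float          # share of asset value lost when the threat occurs

@dataclass(frozen=True)
class Safeguard:
    name: str                     # step 6: candidate protective measure
    threat: str                   # the threat it addresses
    annual_cost: float
    probability_reduction: float  # fraction by which it cuts that threat's probability

def expected_loss(e, s=None):
    """Step 5: expected annual loss = annual probability * single-event loss."""
    p = e.annual_probability
    if s is not None and s.threat == e.threat:
        p *= 1.0 - s.probability_reduction
    return p * e.asset_value * e.loss_fraction

def rank_exposures(register):
    """Largest expected annual loss first: the order in which to treat risks."""
    return sorted(register, key=expected_loss, reverse=True)

def cost_justified(register, safeguards):
    """A safeguard is justified when the expected loss it avoids across the whole
    register exceeds its annual cost. Returns {name: net annual benefit}."""
    out = {}
    for s in safeguards:
        avoided = sum(expected_loss(e) - expected_loss(e, s) for e in register)
        if avoided > s.annual_cost:
            out[s.name] = round(avoided - s.annual_cost, 2)
    return out

# Constructed register and candidate measures for a small firm (illustrative figures only)
REGISTER = [
    Exposure("customer ledger", 2_000_000, "user error", "restores never tested", 0.30, 0.10),
    Exposure("customer ledger", 2_000_000, "flood", "server room at ground level", 0.02, 1.00),
    Exposure("laptops", 300_000, "theft", "no cable locks", 0.50, 0.05),
]
SAFEGUARDS = [
    Safeguard("quarterly restore tests", "user error", 8_000, 0.80),
    Safeguard("relocate server room", "flood", 60_000, 0.90),
    Safeguard("cable locks", "theft", 2_000, 0.80),
]
```

With these figures the flood exposure ranks second yet relocating the server room is not cost-justified, which is the kind of result that has to be argued to upper management rather than read off the ranking alone.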
Testing & Audits of Control Systems
– Backups & recovery plans must be tested to be relied upon
  • 5 - 25% of firms that do not have plans are not in business within a year of a major disaster
– Major consulting firms such as Ernst & Young have thriving business sectors in IS auditing
  • Verify general & application controls
  • Similar to accounting audits but for information systems
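A restore test of the kind the CFO's twice-daily backups never received: the backup is actually restored into a scratch directory and every file is compared against a hash manifest taken when the backup was made. This is an added example, not from the slides; the files, the tar archive and the simulated bad sector are all constructed in memory so it runs without real media.

```python
import hashlib, io, os, tarfile, tempfile

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def make_backup(files):
    """Write files into a tar archive; return (archive bytes, hash manifest)."""
    buf, manifest = io.BytesIO(), {}
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[name] = sha256(data)
    return buf.getvalue(), manifest

def restore_test(archive, manifest):
    """Restore into a scratch directory and compare each file with the manifest.
    Unreadable media, missing files and corrupted files are reported separately."""
    result = {"ok": False, "unreadable": None, "missing": [], "corrupt": []}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
                tar.extractall(scratch)
        except (tarfile.TarError, OSError) as exc:
            result["unreadable"] = type(exc).__name__
            return result
        for name, digest in manifest.items():
            path = os.path.join(scratch, name)
            if not os.path.isfile(path):
                result["missing"].append(name)
                continue
            with open(path, "rb") as fh:
                if sha256(fh.read()) != digest:
                    result["corrupt"].append(name)
    result["ok"] = not (result["missing"] or result["corrupt"])
    return result

# Constructed sample data: what a backup of a small accounting share might hold
FILES = {"ledger.csv": b"account,balance\n" * 40, "notes.txt": b"stockholder data\n" * 20}
ARCHIVE, MANIFEST = make_backup(FILES)

def corrupt(archive, offset=600):
    """Simulate a bad sector: flip one byte inside the first file's data block."""
    data = bytearray(archive)
    data[offset] ^= 0xFF
    return bytes(data)
```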