ch.11 - computer crime and information technology …myweb.scu.edu.tw/~hankgau/docs/ais/im/ch.11 -...

Ch. 11 Computer Crime and Information Technology Security 高立翰


Post on 09-Mar-2018


Ch. 11 Computer Crime and Information Technology Security

高立翰

OUTLINE

Carter’s taxonomy

Risks and threats

IT controls

COBIT

Learning objectives

1. Explain Carter’s taxonomy of computer crime.

2. Identify and describe business risks and threats to information systems.

3. Discuss ways to prevent and detect computer crime.

4. Explain the main components of the CoBIT framework and their implications for IT security.

AIS - Ch. 11 (http://ppt.cc/mJFq) 3

Carter’s taxonomy (1/2)

Four-part system for classifying computer crime

A specific crime may fit more than one classification

The taxonomy provides a useful framework for discussing computer crime in all types of organizations.


Carter’s taxonomy (2/2)

Target: targets the system or its data. Example: DoS attack

Instrumentality: uses the computer to further a criminal end. Example: phishing

Incidental: the computer is not required, but is related to the crime. Example: extortion

Associated: new versions of old crimes. Example: cash larceny


Business risks and threats (1/2)

Fraud

Error

Service interruption and delays

Disclosure of confidential information

Intrusions


See pages 197-200 for a detailed description.

Business risks and threats (2/2)

Information manipulation

Malicious software

Denial-of-service attacks

Web site defacements

Extortion


IT controls – Basic principles

Confidentiality: data are held in confidence and are protected from unauthorized disclosure

Data integrity: data stored in an information system are the same as in the source documents

Availability: data can be obtained within the required time frame


Fig. 11.1 The C-I-A Triad
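The data integrity principle above says that what the information system stores must match the source documents. The following Python script is an added example (not from the slides or the textbook) of how a technical control can check that: it builds a SHA-256 baseline from the source documents, then compares the stored records against it and reports which records are intact, modified, missing or unexpected. The invoice records are constructed sample data.

```python
"""Data-integrity check: confirm that records held in an information system still
match their source documents, using SHA-256 digests of a canonical encoding.
Added example; the record set below is constructed sample data."""
import hashlib
import json

# Constructed sample data: the approved source documents, keyed by document id.
SOURCE_DOCUMENTS = {
    "INV-1001": {"vendor": "Acme Supply", "amount": "1250.00", "currency": "USD"},
    "INV-1002": {"vendor": "Globex Parts", "amount": "980.50", "currency": "USD"},
    "INV-1003": {"vendor": "Initech", "amount": "400.00", "currency": "USD"},
}

# Constructed sample data: what the information system currently holds.
# INV-1002 has had its amount altered, INV-1003 has been removed, and
# INV-1004 never existed in the source documents.
STORED_RECORDS = {
    "INV-1001": {"vendor": "Acme Supply", "amount": "1250.00", "currency": "USD"},
    "INV-1002": {"vendor": "Globex Parts", "amount": "9800.50", "currency": "USD"},
    "INV-1004": {"vendor": "Unknown Co", "amount": "10.00", "currency": "USD"},
}


def record_digest(record: dict) -> str:
    """SHA-256 digest of a record in canonical form (sorted keys, fixed separators),
    so the same content always produces the same digest regardless of key order."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def baseline(documents: dict) -> dict:
    """Build the trusted baseline: document id -> digest of the source document."""
    return {doc_id: record_digest(doc) for doc_id, doc in documents.items()}


def verify_integrity(expected: dict, stored: dict) -> dict:
    """Compare stored records against the baseline and classify every id.

    intact     - stored record matches its source document
    modified   - stored record differs from its source document
    missing    - source document has no stored record
    unexpected - stored record with no source document
    """
    report = {"intact": [], "modified": [], "missing": [], "unexpected": []}
    for doc_id, expected_digest in expected.items():
        if doc_id not in stored:
            report["missing"].append(doc_id)
        elif record_digest(stored[doc_id]) == expected_digest:
            report["intact"].append(doc_id)
        else:
            report["modified"].append(doc_id)
    report["unexpected"] = sorted(set(stored) - set(expected))
    for key in report:
        report[key].sort()
    return report


if __name__ == "__main__":
    result = verify_integrity(baseline(SOURCE_DOCUMENTS), STORED_RECORDS)
    for status, ids in result.items():
        print(f"{status:10s} {', '.join(ids) or '-'}")
```

The baseline digests must be kept somewhere the people who can edit the stored records cannot also edit (a separate system or write-once store); otherwise a change to a record can be hidden by recomputing its digest, and the check only confirms the record's current state rather than its agreement with the source document.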

IT controls – Control taxonomy

Physical controls: guards, locks, fire suppression systems

Technical controls: biometric access controls, malware protection

Administrative controls: password rotation policy, password rules, overall IT security strategy


Fig. 11.2 Control taxonomy (technical controls, administrative controls, physical controls)

What is CoBIT?

Control Objectives for Information and Related Technology

From the Information Systems Audit and Control Association (ISACA)

It’s a framework for IT governance and management

Two main parts:

Principles • Five ideas that form the foundation of strong IT governance and management

Enablers • Seven tools that match the capabilities of IT tools with users’ needs


CoBIT five principles (1/3)

CoBIT 5 principles

1. Meeting stakeholder needs

2. Covering the enterprise end-to-end

3. Applying a single integrated framework

4. Enabling a holistic approach

5. Separating governance from management


CoBIT five principles (2/3)

1. Meeting stakeholder needs: different stakeholder groups have different information needs.

2. Covering the enterprise end-to-end: a well-designed plan for managing information covers the whole entity, not just the IT function.

3. Applying a single integrated framework: the principle incorporates and builds on other frameworks to produce a unified set of ideas.


CoBIT five principles (3/3)

4. Enabling a holistic approach: CoBIT 5 integrates functions throughout the entity, whether its organizational structure is based on function, product, or some other principle.

5. Separating governance from management: governance focuses on strategic decision making, goal setting, and prioritization; management focuses more on the day-to-day actions needed to achieve those goals.


CoBIT seven enablers

See Table 11.1 (p.204) for examples


Q&A
