ch.11 - computer crime and information technology …myweb.scu.edu.tw/~hankgau/docs/ais/im/ch.11 -...
Learning objectives
1. Explain Carter’s taxonomy of computer crime.
2. Identify and describe business risks and threats to information systems.
3. Discuss ways to prevent and detect computer crime.
4. Explain the main components of the CoBIT framework and their implications for IT security.
AIS - Ch. 11 (http://ppt.cc/mJFq) 3
Carter’s taxonomy (1/2)
- Four-part system for classifying computer crime
- A specific crime may fit more than one classification
- The taxonomy provides a useful framework for discussing computer crime in all types of organizations.
Carter’s taxonomy (2/2)
- Target: targets the system or its data. Example: DOS attack
- Instrumentality: uses the computer to further a criminal end. Example: Phishing
- Incidental: the computer is not required, but is related to the crime. Example: Extortion
- Associated: new versions of old crimes. Example: Cash larceny
Business risks and threats (1/2)
- Fraud
- Error
- Service interruption and delays
- Disclosure of confidential information
- Intrusions
See pages 197-200 for a detailed description.
Business risks and threats (2/2)
- Information manipulation
- Malicious software
- Denial-of-service attacks
- Web site defacements
- Extortion
IT controls – Basic principles
- Confidentiality: data are held in confidence and are protected from unauthorized disclosure.
- Data integrity: data stored in an information system are the same as in the source documents.
- Availability: data can be obtained within the required time frame.
Fig. 11.1 The C-I-A Triad
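As an added example (not part of the slide deck or the textbook it summarizes), the data-integrity principle above can be made checkable: a keyed digest is computed over each record when it is captured from the source documents, the digests are kept apart from the database, and the stored copy is later re-digested and compared. The record layout, the key and all function names here are constructed for illustration.

```python
"""Added example: verifying that stored records still match the source documents.

Data integrity means the records held in the information system are the same
as those captured from the source documents. This block digests each record at
capture time (the "manifest"), then recomputes the digests over the stored copy
and reports what changed. A keyed digest (HMAC-SHA256) is used so that someone
who can rewrite a record in the database cannot also forge a matching digest
unless they also hold the key. All records below are constructed sample data.
"""
import hashlib
import hmac
import json

# Constructed sample: what was on the source documents (e.g. approved invoices).
SOURCE_RECORDS = {
    "INV-1001": {"vendor": "Acme Supply", "amount": "1250.00", "approved_by": "jdoe"},
    "INV-1002": {"vendor": "Bolt & Nut Co", "amount": "89.50", "approved_by": "asmith"},
    "INV-1003": {"vendor": "Acme Supply", "amount": "4400.00", "approved_by": "jdoe"},
}


def canonical_bytes(record: dict) -> bytes:
    """Serialize a record deterministically so equal content gives equal digests."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def record_digest(record: dict, key: bytes) -> str:
    """Keyed digest of one record; the key must be stored apart from the data."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def build_manifest(records: dict, key: bytes) -> dict:
    """Digest every source record at capture time."""
    return {rid: record_digest(rec, key) for rid, rec in records.items()}


def verify_integrity(stored: dict, manifest: dict, key: bytes) -> dict:
    """Compare the stored records against the capture-time manifest.

    Returns the ids of records that were modified, are missing, or appeared
    without ever being captured, plus an overall "ok" flag.
    """
    modified = sorted(
        rid for rid, rec in stored.items()
        if rid in manifest
        and not hmac.compare_digest(record_digest(rec, key), manifest[rid])
    )
    missing = sorted(rid for rid in manifest if rid not in stored)
    unexpected = sorted(rid for rid in stored if rid not in manifest)
    return {
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
        "ok": not (modified or missing or unexpected),
    }


def demo() -> dict:
    """Capture the source records, then simulate three integrity failures."""
    key = b"constructed-demo-key-keep-it-out-of-the-database"
    manifest = build_manifest(SOURCE_RECORDS, key)
    # Simulated stored copy: one amount altered, one record deleted, one added.
    stored = {rid: dict(rec) for rid, rec in SOURCE_RECORDS.items()}
    stored["INV-1001"]["amount"] = "12500.00"
    del stored["INV-1002"]
    stored["INV-9999"] = {"vendor": "Ghost Ltd", "amount": "999.00", "approved_by": "nobody"}
    return verify_integrity(stored, manifest, key)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report distinguishes the three ways integrity can fail (a changed record, a removed record, a record that was never captured), which is what an auditor reconciling the system against source documents needs; a plain "all match / mismatch" flag would hide which of the three happened.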
IT controls – Control taxonomy
- Physical controls: guards, locks, fire suppression systems
- Technical controls: biometric access controls, malware protection
- Administrative controls: password rotation policy, password rules, overall IT security strategy
Fig. 11.2 Control taxonomy (technical controls, administrative controls, physical controls)
What is CoBIT?
- Control Objectives for Information and Related Technology
- From the Information Systems Audit and Control Association (ISACA)
- It's a framework for IT governance and management
- Two main parts:
  - Principles: five ideas that form the foundation of strong IT governance and management
  - Enablers: seven tools that match the capabilities of IT tools with users' needs
CoBIT five principles (1/3)
CoBIT 5 principles:
1. Meeting stakeholder needs
2. Covering the enterprise end-to-end
3. Applying a single integrated framework
4. Enabling a holistic approach
5. Separating governance from management
CoBIT five principles (2/3)
1. Meeting stakeholder needs: different stakeholder groups have different information needs.
2. Covering the enterprise end-to-end: a well-designed plan for managing information covers the whole entity, not just the IT function.
3. Applying a single integrated framework: the principle incorporates and builds on other frameworks to produce a unified set of ideas.
CoBIT five principles (3/3)
4. Enabling a holistic approach: CoBIT 5 integrates functions throughout the entity, whether its organizational structure is based on function, product, or some other principle.
5. Separating governance from management: governance focuses on strategic decision making, goal setting, and prioritization; management focuses more on the day-to-day actions needed to achieve those goals.