irm for dummies

IT Trends Web 2.0

Upload: ral-lopez

Post on 02-Jan-2016


DESCRIPTION

Do you want to cheat on IRM? Then you've come to the right place!

TRANSCRIPT

Page 1: IRM for dummies

IT Trends

Web 2.0

Page 2: IRM for dummies

Introduction

• The collaborative nature of the Internet is not new – people share pictures, send instant messages and post videos on different sites, be it for educational value or simply for entertainment

• Introduced in 2004

• Web 2.0 has become part of our social and professional

• One important aspect of Web 2.0 is the staggering number of Web 2.0 products and services that you can find on the Internet.

Page 3: IRM for dummies

Definition

Web 2.0 can be defined as “the business revolution in the computer industry caused by the move to the internet as platform, and an attempt to understand the rules for success on that new platform. Chief among those rules is this: Build applications that harness network effects and get better, the more people use them.”

(Tim O’Reilly, 2007)

Page 4: IRM for dummies

Definition

• Heavily oriented toward content generation by people who collaborate and share their content and information.

• Example:

– Blogs

– Wikis

– Social networks

Page 5: IRM for dummies

Web 1.0 vs. Web 2.0

• Web 1.0 – allowed the viewing of hyperlinked documents discovered by reference and browsing, and later by searching

– created by site owners

– repository of static information

• Web 2.0 – allows interaction with active and real-time content

– created by interactions between users

– dynamic and interactive web

Page 6: IRM for dummies

HTML vs Ajax

• HTML pages initially contained read-only content, regardless of whether the content was static (i.e. a file on the file system of a server) or dynamically generated prior to rendering the content in a browser.

• Web 2.0 removes the read-only content restriction from Web 1.0, enabling people to collaborate by dynamically updating, creating and sharing content with other users.

Page 7: IRM for dummies

HTML vs Ajax

• Updating of HTML pages in Web 1.0 means the entire web page must be sent to the web server

• Web 2.0 uses Ajax to modify only the portions of the web page that need to be changed, offering a more seamless user experience

Page 8: IRM for dummies

Advantages of Web 2.0

• Collaborative nature of user-generated content

• Use of AJAX as a technical component

• Inputted text is saved instead of overwritten

• Full page refresh is not required (better performance)

• Page state is maintained

• Mash-ups can be readily implemented

Page 9: IRM for dummies

Disadvantages of Web 2.0

• Security issues

• Lack of “bookmarkability”

• Cannot track URL history

• Harder to code applications

• Potential memory leaks

• Lack of support in older browsers

• More testing required (cross-browser support)

Page 10: IRM for dummies

Popular Tools and Products

• Flickr

• YouTube

• Twitter

• Facebook

Page 11: IRM for dummies

Popular Tools and Products: Flickr

• Photo sharing application launched in 2004 and later acquired by Yahoo!

• http://www.flickr.com

• Provides a set of APIs (including RSS and Atom feeds) to access its contents, and is often used by mash-ups to render Flickr-based content.

• For developers, Flickr provides licensing terms and support for map-related services for cities.

Page 12: IRM for dummies

Popular Tools and Products: YouTube

• A video sharing application launched in 2006 and later acquired by Google

• http://www.youtube.com

• Extremely popular for sharing videos

Page 13: IRM for dummies

Popular Tools and Products: Twitter

• A public message-oriented application

• http://twitter.com

• “Tweets” are mostly used for casual communication, but they have been used for commercial purposes

• Provides a feature called “track” that lets people track specific words, and another feature called “follow” that lets people follow each other

• Twitter started as a Ruby-on-Rails (RoR) application; the development team later moved some of the back-end code to Scala (which runs on the Java Virtual Machine) to improve performance and scalability.

Page 14: IRM for dummies

Popular Tools and Products: Facebook

• Social networking site created in 2004

• http://www.facebook.com

• In 2007, Facebook released its set of APIs, which let developers create Facebook applications

Page 15: IRM for dummies

Collective intelligence

Web 2.0 is all about harnessing collective intelligence – which can be defined as “crowdsourcing” – wherein a large group of people would be able to “create a collective work whose value far exceeds that provided by any of the individual participants”

Page 16: IRM for dummies

Web 2.0 technology

• With Web 2.0, the Web is not just a collection of destination sites, but a source of data and services that can be combined to create applications users need.

• Web 2.0 tools and services have fuelled the creation of social networks and other online communities where people can interact with one another in the manner of their choosing.

Page 17: IRM for dummies

Web 2.0 technology (con’t.)

• Social networks – Social networking sites provide networking services to users, giving them the ability to set up profiles, blogs, tag documents of interest, and use online forums to communicate with one another

• Mash-ups – Software services that enable users and system developers to mix and match content or software components to create something entirely new

– Example: Flickr combines photos with other information about images provided by users and tools to make it usable within other programming environments

Page 18: IRM for dummies

Web 2.0 technology (con’t.)

• Cloud computing – Refers to a model of computing where firms and individuals obtain computing power and software applications over the Internet, rather than purchasing their own software and hardware.

• Wikis – Hawaiian term for “quick”

– Collaborative Web sites where visitors can add, delete, or modify content on the site, including the work of previous authors

Page 19: IRM for dummies

Web 2.0 technology (con’t.)

• RSS Syndication – Rich Site Summary / Really Simple Syndication – syndicates Web site content so that it can be used in another setting – RSS technology pulls specified content from Web sites and feeds it automatically to users’ computers, where it can be stored for later viewing

• Blogs – Popular term for a Weblog; an informal yet structured Web site where subscribing individuals can publish stories, opinions, and links to other Web sites of interest
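As an added illustration of the pull-and-store model described for RSS above (example code written for this page, not part of the original slides): a minimal aggregator that parses an RSS 2.0 feed, keeps only the items it has not delivered before, and reduces each item's HTML description to plain text so that markup from an untrusted feed never reaches the reader's display. The feed text, URLs and guids below are constructed for the demonstration; nothing comes from a real site.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime
from email.utils import parsedate_to_datetime
from html.parser import HTMLParser
from typing import Optional

# Constructed sample feed (not a real site); a second poll adds one more item.
SAMPLE_FEED_V1 = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <title>Constructed sample feed</title>
    <link>http://feed.example.invalid/</link>
    <item>
      <title>First post</title>
      <link>http://feed.example.invalid/posts/1</link>
      <guid>http://feed.example.invalid/posts/1</guid>
      <pubDate>Mon, 04 Jan 2016 10:00:00 +0000</pubDate>
      <description>Hello &lt;b&gt;world&lt;/b&gt; &lt;a href="http://feed.example.invalid/posts/1"&gt;more&lt;/a&gt;</description>
    </item>
    <item>
      <title>Second post</title>
      <link>http://feed.example.invalid/posts/2</link>
      <guid>http://feed.example.invalid/posts/2</guid>
      <pubDate>Tue, 05 Jan 2016 09:30:00 +0000</pubDate>
      <description>Plain text only</description>
    </item>
  </channel>
</rss>
"""
NEW_ITEM = """    <item>
      <title>Third post</title>
      <link>http://feed.example.invalid/posts/3</link>
      <guid>http://feed.example.invalid/posts/3</guid>
      <pubDate>Wed, 06 Jan 2016 08:00:00 +0000</pubDate>
    </item>
"""
SAMPLE_FEED_V2 = SAMPLE_FEED_V1.replace("  </channel>", NEW_ITEM + "  </channel>")


@dataclass(frozen=True)
class Item:
    guid: str
    title: str
    link: str
    published: Optional[datetime]
    summary: str  # plain text; the feed's HTML markup is not trusted


class _TextOnly(HTMLParser):
    """Keeps only character data, so tags in a feed's <description> never reach the UI."""

    def __init__(self) -> None:
        super().__init__()
        self.parts = []

    def handle_data(self, data: str) -> None:
        self.parts.append(data)


def to_plain_text(markup: str) -> str:
    parser = _TextOnly()
    parser.feed(markup)
    parser.close()
    return " ".join("".join(parser.parts).split())


def parse_rss(xml_text: str) -> list:
    # Feeds are untrusted input. ElementTree does not fetch external entities, but a
    # production aggregator should parse with defusedxml to also block entity-expansion bombs.
    root = ET.fromstring(xml_text)
    channel = root.find("channel")
    if root.tag != "rss" or channel is None:
        raise ValueError("not an RSS 2.0 document")
    items = []
    for node in channel.findall("item"):
        title = (node.findtext("title") or "").strip()
        link = (node.findtext("link") or "").strip()
        guid = (node.findtext("guid") or link or title).strip()
        if not guid:
            continue  # nothing identifies the item, so it cannot be de-duplicated; skip it
        published = None
        raw_date = node.findtext("pubDate")
        if raw_date:
            try:
                published = parsedate_to_datetime(raw_date)
            except (TypeError, ValueError):
                published = None  # a malformed date is tolerated, not fatal
        items.append(Item(guid, title, link, published, to_plain_text(node.findtext("description") or "")))
    return items


class FeedStore:
    """Local store the reader checks later; pull() returns only items not seen before."""

    def __init__(self) -> None:
        self._items = {}

    def pull(self, xml_text: str) -> list:
        new = [it for it in parse_rss(xml_text) if it.guid not in self._items]
        for it in new:
            self._items[it.guid] = it
        return new

    def stored(self) -> list:
        # Newest first for viewing; undated items sort last.
        return sorted(self._items.values(),
                      key=lambda it: it.published.timestamp() if it.published else float("-inf"),
                      reverse=True)
```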

Page 20: IRM for dummies

Web 2.0 technology (con’t.)

• Semantic Technology

– Discovers relationships that exist among resources and then represents those relationships via some form of metadata.

– Uses:

• Improves relevance of search results

• Provides better ad placement in advertising

• Discover hidden patterns of behaviour

• Assists in crime detection

• Automatically finds reference papers based on keywords

Page 21: IRM for dummies

Web 2.0 technology (con’t.)

• Search Engine Optimization – The art of making your website appear as high as possible in search engine results – search engines use ontologies

• Ontologies let us model systems so that we can classify existing resources and add new ones in a reasonably structured and logical manner.

• It can help discover relationships in a system and make inferences that are not apparent without the ontology

• Normally created for a specific set of resources, i.e. books, movies, etc.

• Web Ontology Language (OWL) – an ontology language specifically designed for Internet resources

Page 22: IRM for dummies

New search engines

• www.bing.com – formerly named Kumo; in 2009 Microsoft partnered with Yahoo to provide the search technology for Microsoft

• www.hakia.com – ontology is capable of recognizing phrases instead of the usual individual keywords, making consecutive words “combine” to determine additional context

Page 23: IRM for dummies

New search engines

• yebol.com – uses patented algorithms to create a directory for queries and users, as well as “multi-dimensional” searches that provide a wider set of related search terms

Page 24: IRM for dummies

Homework

Write a comparative analysis on the latest search engines (bing, hakia, yebol) by researching the following conditions:

1. Search result accuracy

2. User interface

3. Content management

Page 25: IRM for dummies

Cloud computing

Page 26: IRM for dummies

What is Cloud Computing?

• Cloud computing most commonly refers to the delivery of computing services over the Internet as an alternative to running hardware and software in your data center or computer room

Page 27: IRM for dummies

What is Cloud Computing?

• You rent or subscribe to computing capability, rather than installing and running systems yourself

• Everything from raw computing power to full-blown business applications can be delivered in this way.

• Most organizations that adopt cloud computing are likely to do so alongside their in-house systems

Page 28: IRM for dummies

What is Cloud Computing?

• Cloud computing involves pooling lots of hardware and software together and sharing it out to whoever needs it, on demand

• Service providers offer public clouds, but IT departments can use the same technology to create private clouds

Page 29: IRM for dummies

Introduction

• Service providers, whether public or private, have the flexibility to change how the service is powered behind the scenes

• Can help in terms of:

– cost reduction

– access to latest technology

– ability to deal with changing requirements quickly

• Can be introduced selectively to complement traditional in-house IT systems

Page 30: IRM for dummies

Introduction

• New ways of working and new architectures bring increasing levels of effectiveness to each succeeding generation of computer systems.

• Virtualization – enables higher efficiencies because more work can be packed into fewer devices

• Improvements are being made in software engineering and computer operations, all aimed at creating more flexible systems

Page 31: IRM for dummies

Cloud services

• Business application services

• Hosted productivity tools

• Hosted communications and social tools

• Trading community services

• Plug-in services

• Operational services

• Application platform services

• Utility services

Page 32: IRM for dummies

Business application services

• Deliver complete business functionality

• Example:

– Customer Relationship Management (CRM) Systems

– Enterprise Resource Planning (ERP)

Page 33: IRM for dummies

Hosted productivity tools

• Deliver horizontal capability, ranging from desktop suites for end users, through to modeling, development and project management tools for analysts and developers

• They quite often enable multi-user collaboration

Page 34: IRM for dummies

Hosted communications and social tools

• Spearheaded initially by hosted email and web conferencing, the number of services offered in this area has exploded to include full unified communications and/or social tools such as directories, blogs, wikis and social networking

Page 35: IRM for dummies

Trading community services

• Facilitate the way in which customers and suppliers collaborate and transact electronically

Page 36: IRM for dummies

Plug-in services

• Application elements which plug into or combine with existing applications to enhance or extend them.

• Examples:

– Mapping

– Credit card payment services

– Credit checking

Page 37: IRM for dummies

Operational services

• Provides services concerned with the following:

– online backup

– archiving

– security (such as email filtering)

– full-blown monitoring and management tools

Page 38: IRM for dummies

Application platform services

• Provide development and runtime environments which enable organizations to build custom applications hosted online

• Example: drupal.org

Page 39: IRM for dummies

Utility services

• Provide raw compute and storage resources to run your own software and store data

Page 40: IRM for dummies

Cloud services

• Cloud technology and services provide choice on how best to deliver flexible IT capability that blends internal and external resources, as well as bridging the gap between modern and traditional approaches to IT

Page 41: IRM for dummies

Benefits

• Improve IT responsiveness

• Modernize and future-proof

• Keep pace with work practice evolution

• Reach out via the Web

• Manage costs and resources

• Address space and power constraints

• Reduce risk and ensure compliance

Page 42: IRM for dummies

Improve IT responsiveness

• Application and plug-in services can boost IT responsiveness by short-cutting the development work and platform implementation requirements for new applications

• Can also help IT to respond quickly and efficiently to fluctuations in demand

Page 43: IRM for dummies

Modernize and future-proof

• Keeping up with the pace of change in the technology industry can prove to be a competitive advantage; however, achieving it depends on a company’s capability

• Service providers can afford to invest in the latest technologies, which in turn can be made available to their customers

Page 44: IRM for dummies

Keep pace with work practice evolution

• Working practices are evolving in ways that lend themselves well to support from cloud services

• The concept of remote access is a natural fit with increasingly popular home- and mobile-working, which can sometimes be quicker and more cost effective than in-house

• Cloud services also become useful when activity crosses organizational boundaries, such as trading community services

Page 45: IRM for dummies

Reach out via the Web

• Many organizations deploy externally-facing applications to customers, trading partners, suppliers and so on

• Infrastructure requirements (security, policy management, scalability, fluctuating demand, etc.) can be dramatically different from, and harder to handle than, those of in-house systems

• Application platform services via cloud can be used to deal with such requirements

Page 46: IRM for dummies

Manage costs and resources

• Costs/benefits of cloud services depend on the service being implemented

• Careful cost projection must be taken into consideration

• Not all cloud services are a fit to an organization – what may come cheap to some, may be expensive to others

Page 47: IRM for dummies

Address space and power constraints

• Organizations large and small find themselves outgrowing their computer rooms or seeing their electricity bills escalate

• Utility services can help by reducing the requirement for local equipment and by working around the problems of accommodation, power consumption, and poor server utilization

Page 48: IRM for dummies

Reduce risk and ensure compliance

• A competent business service provider has security, backup, fault tolerance and recovery capabilities that are likely superior to anything that its customers can afford

• When considering risk management and compliance, utilize operational services that are designed to work together with your internal structure

Page 49: IRM for dummies

Benefits

Cloud computing can provide business benefits in a number of areas:

• It can improve responsiveness

• Enable you to scale to fluctuations in demand

• Accelerate development work

• Put the power of the latest technology to work for you

• Extend your reach to customers, partners and out-of-office staff

• Reduce your TCO (total cost of ownership)

• Cut energy costs

• Be more secure

• Be environmentally friendly

Page 50: IRM for dummies

Cloud Deployment Models

• Private Clouds

• External Clouds

– Public Cloud

– Community Cloud

• Hybrid

Page 51: IRM for dummies

Private Clouds

• Adopting a cloud computing approach internally

• Typically considered by businesses with a large scale IT infrastructure that want to make better use of their hardware and software assets

• Usually dedicated to an organization – may be managed by the organization or a third party and may exist on premise or off premise

• Organizations deploying private clouds often do so utilizing virtualization technology within their own data centers

Page 52: IRM for dummies

External Clouds

• Public Cloud

– Exists externally to its end user and is generally available with little restriction as to who may pay to use it

– Most common are those accessed via the Internet

– Made available to the general public or a large industry group and is owned by an organization selling cloud services

– Require no up-front infrastructure investment

– Can scale readily to fluctuations in demand and can serve users on the move or in other organizations

Page 53: IRM for dummies

External Clouds

• Community Clouds

– Shared by several organizations and supports a specific community that has shared concerns – may be managed by the organization or a third party and may exist on premise or off premise

– Allow multiple independent entities to gain the cost benefits of a shared non-public cloud while avoiding security and regulatory concerns that might be associated with a generic public cloud

– Example: Different government agencies that transact business with each other can have their processing collocated in a single facility

Page 54: IRM for dummies

Hybrid

• Infrastructure is a composition of two or more clouds that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability

• Developing a private cloud and/or looking for external services in addition to the in-house services

• Organizations weigh up practical, regulatory and risk related considerations when choosing how to take advantage of cloud computing alongside their existing IT systems

Page 55: IRM for dummies

Cloud Service Models

• Infrastructure as a Service (IaaS)

• Platform as a Service (PaaS)

• Software as a Service (SaaS)

IaaS is the foundation of all cloud services, with PaaS building upon IaaS and SaaS, in turn, building upon PaaS

Page 56: IRM for dummies

Cloud Service Models

• Infrastructure as a Service (IaaS)

– The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software which can include operating systems and applications.

– Consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications and possibly limited control of select networking components

Page 57: IRM for dummies

Infrastructure as a Service (IaaS)

• Includes Hardware as a Service and Storage as a Service

• A cloud based substitute for major elements of your IT infrastructure

• Often referred to as Utility services

• Useful when:

– Short of space

– Lower capital/operational cost

– No maintenance required

– Demands fluctuate

Page 58: IRM for dummies

Cloud Service Models

• Platform as a Service (PaaS)

– The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider.

– Consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations

Page 59: IRM for dummies

Platform as a Service (PaaS)

• Often referred to as Application platform services

• Enables you to grab resources on-demand to prototype, test, pilot, and so on

• For deploying externally-facing applications on the web which require massive scalability and the ability to deal with highly fluctuating demand

Page 60: IRM for dummies

Cloud Service Models

• Software as a Service (SaaS)

– The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure

– The applications are accessible from various client devices through a thin client interface such as a Web browser

– The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings

Page 61: IRM for dummies

Software as a Service (SaaS)

• Offers a range of application services:

– Business application services such as CRM and ERP

– Hosted productivity tools including desktop suites, modeling and project management

– Hosted communications such as email, web conferencing and social tools

– Trading community services, such as customer and supplier collaboration and transactions

– Plug-in services such as mapping, credit card payments and credit checking

– Operational services like backup, archiving and email filtering

Page 62: IRM for dummies

Future trends

Page 63: IRM for dummies

Trend No. 1: Consumerization — You Ain’t Seen Nothing Yet

For the better part of a decade, the consumerization of IT has had an impact across various aspects of the corporate IT world. However, much of this has simply been a precursor to the major wave that is starting to take hold across all aspects of information technology as several key factors come together:

• Users are more technologically savvy and have very different expectations of technology.

• The internet and social media have empowered and emboldened users.

• The rise of powerful, affordable mobile devices changes the equation for users.

• Users have become innovators.

• Through the democratization of technology, users of all types and status within organizations can now have similar technology available to them.

Page 64: IRM for dummies

Trend No. 2: Virtualization — Changing How the Game Is Played

• Virtualization has improved flexibility and increased the options for how IT organizations can implement client environments.

Page 65: IRM for dummies

Trend No. 3: “App-ification” — From Applications to Apps

• When the way that applications are designed, delivered and consumed by users changes, it has a dramatic impact on all other aspects of the market

Page 66: IRM for dummies

Trend No. 4: The Ever-Available Self-Service Cloud

• The advent of the cloud for servicing individual users opens a whole new level of opportunity.

• Every user can now have a scalable and nearly infinite set of resources available for whatever they need to do

Page 67: IRM for dummies

Trend No. 5: The Mobility Shift — Wherever and Whenever You Want

• Today, mobile devices combined with the cloud can fulfill most computing tasks, and any tradeoffs are outweighed in the minds of the user by the convenience and flexibility provided by the mobile devices

Page 68: IRM for dummies

Personal Cloud

• A small server in a home or small business network that can be accessed over the Internet.

• Designed for sharing photos and videos, personal clouds enable viewing and streaming from any Internet-connected personal computer and quite often from major smartphones.

• Although personal clouds function in a similar manner to any private cloud set up in a company, their primary feature is easy installation for the average personal computer user.

Page 69: IRM for dummies

Personal cloud

• In this new world, the specifics of devices will become less important for the organization to worry about.

• Users will use a collection of devices, with the PC remaining one of many options, but no one device will be the primary hub – making way for the personal cloud

• Access to the cloud and the content stored or shared in the cloud will be managed and secured, rather than solely focusing on the device itself.

Page 70: IRM for dummies

Semantic Technology

• In software, semantic technology encodes meanings separately from data and content files, and separately from application code.

• This enables machines as well as people to understand, share and reason with them at execution time. With semantic technologies, adding, changing and implementing new relationships or interconnecting programs in a different way can be just as simple as changing the external model that these programs share.

Page 71: IRM for dummies

Semantic Technology

• Semantic technologies are “meaning-centered.” They include tools for:

– autorecognition of topics and concepts,

– information and meaning extraction, and

– categorization.

• Given a question, semantic technologies can directly search topics, concepts, and associations that span a vast number of sources.

Page 72: IRM for dummies

Semantic technology

• Semantic technologies provide an abstraction layer above existing IT technologies that enables bridging and interconnection of data, content, and processes.

• From the portal perspective, semantic technologies can be thought of as a new level of depth that provides far more intelligent, capable, relevant, and responsive interaction than with information technologies alone.

Page 73: IRM for dummies

Semantic Web

• The Semantic Web provides a common framework that allows data to be shared and reused across application, enterprise, and community boundaries

• Semantic Web aims at converting the current web dominated by unstructured and semi-structured documents into a "web of data"

• The main purpose of the Semantic Web is driving the evolution of the current Web by enabling users to find, share, and combine information more easily.

• The Semantic Web is regarded as an integrator across different content, information applications and systems. It has applications in publishing, blogging, and many other areas.

Page 74: IRM for dummies

Web 3.0

Content is created by the Web itself – an emergent consciousness from within the Web, capable of creating new content and applications

Allows discovery of documents by topic-centric browsing rather than by searching, enabling real-time information dissemination in many contexts using many different applications

Page 75: IRM for dummies

Web 3.0

Focus:

• Products and services will leverage semantic technology

• Social networks will adopt semantic technology

• Mobile computing

• Commoditization of search technology and private search engines

• Cloud computing

• Comet/HTML5

• Offline computing

• Client-side database

Page 76: IRM for dummies

Managing Information Resources, Security and Ethics

Chapter 8a

Page 77: IRM for dummies

Learning Objectives

• Recognize the difficulties in managing information resources.

• Understand the role of the IS department and its relationships with end users.

• Discuss the role of the chief information officer.

• Recognize information systems’ vulnerability, attack methods, and the possible damage from malfunctions.

• Describe the major methods of defending information systems.

• Describe the security issues of the Web and electronic commerce.

• Describe business continuity and disaster recovery planning.

• Understand the economics of security and risk management.

• Understand the IT code of Ethics

Page 78: IRM for dummies

The IS Department

• The reporting relationship of the ISD is important in that it reflects the focus of the department. If the ISD reports to the accounting or finance areas, there is often a tendency to emphasize accounting or finance applications at the expense of those in the marketing, production, and logistics areas.

• The name of the ISD is also important:

– Data Processing (DP) Department

– Management Information Systems (MIS) Department

– Information Systems Department (ISD)

• Another important characteristic is the status of the ISD

IT resources are very diversified; they include personnel assets, technology assets, and IT relationship assets. The management of information resources is divided between the information services department (ISD) and the end users. The division of responsibility depends on many factors.

Page 79: IRM for dummies

The End-User Relationship

• To improve collaboration, the ISD and end users may employ three common arrangements:

– the steering committee

– service-level agreements

– the information center.

Since the ISD is a service organization that manages the IT infrastructure needed to carry on end-user IT applications, it is extremely important to have a good relationship with the end users. The development of end-user computing and outsourcing was motivated in part by the poor service that end users felt they received. However, this is not an easy task, since the ISD is basically a technical organization that may not understand the business and the users, while the users may not understand information technologies.

Page 80: IRM for dummies

The End-User Relationship - continued

ISD and Four approaches

1. Let them sink or swim. Don’t do anything; let the end user beware.

2. Use the stick. Establish policies and procedures to control end-user computing so that corporate risks are minimized, and try to enforce them.

3. Use the carrot. Create incentives to encourage certain end-user practices that reduce organizational risks.

4. Offer support. Develop services to aid end users in their computing activity

Page 81: IRM for dummies

The CIO (Chief Information Officer)

• The changing role of the ISD highlights the fact that the CIO is becoming an important member of the firm's top management team.

– Realization of the need for IT-related disaster planning and the importance of IT to the firm’s activities.

– Aligning IT with the business strategy

– Implementing state-of-the-art solutions

– Providing information access

– Being a business visionary who drives business strategy

– Coordinating resources

Managing the ISD is similar to managing any other organizational unit. The unique aspect of the ISD is that it operates as a service department in a rapidly changing environment, thus making the department’s projections and planning difficult.

Page 82: IRM for dummies

The Transition Environment

Page 83: IRM for dummies

IS Vulnerability

Information resources (physical resources, data, software, procedures, and other information resources) are scattered throughout the firm. Information is transmitted to and from the firm’s components. Therefore vulnerabilities exist at many points and at any time.

Page 84: IRM for dummies

IS Vulnerability

Page 85: IRM for dummies

IT Security Terms

Page 86: IRM for dummies

System Vulnerability

A universal vulnerability is a state in a computing system which either: allows an attacker to execute commands as another user; allows an attacker to access data that is contrary to the access restrictions for that data; allows an attacker to pose as another entity; or allows an attacker to conduct a denial of service.

An exposure is a state in a computing system (or set of systems) which is not a universal vulnerability, but either: allows an attacker to conduct information gathering activities; allows an attacker to hide activities; includes a capability that behaves as expected, but can be easily compromised; is a primary point of entry that an attacker may attempt to use to gain access to the system or data; and is considered a problem according to some reasonable security policy.

Page 87: IRM for dummies

System Vulnerability Continued

• These threats can be classified as:

– Unintentional

• Human errors

• Environmental hazards

• Computer system failures

– Intentional

• Theft of data

• Inappropriate use of data

• Theft of mainframe computer time

• Theft of equipment and/or programs

The vulnerability of information systems is increasing as we move to a world of networked and especially wireless computing. Theoretically, there are hundreds of points in a corporate information system that can be subject to some threats.

System Vulnerability Continued

– Intentional (continued)
  • Deliberate manipulation in handling, entering, processing, transferring, or programming data
  • Labor strikes
  • Riots
  • Sabotage
  • Malicious damage to computer resources
  • Destruction from viruses and similar attacks
  • Miscellaneous computer abuses
  • Internet fraud
  • Terrorist attacks

Programming Attack

Protecting Information Resources

Information security problems are increasing rapidly, causing damage to many organizations. Protection is expensive and complex. Therefore, companies must not only use controls to prevent and detect security problems, they must do so in an organized manner. An approach similar to TQM (total quality management) would have the following characteristics:

• Aligned. The program must be aligned with organizational goals.
• Enterprise wide. Everyone in the organization must be included.
• Continuous. The program must be operational all the time.
• Proactive. Use innovative, preventive, and protective measures.
• Validated. The program must be tested to ensure it works.
• Formal. It must include authority, responsibility, and accountability.

Corporate Security Plan

Difficulties

Defense Strategy

Knowing about potential threats to IS is necessary, but understanding ways to defend against these threats is equally critical. Because of its importance to the entire enterprise, organizing an appropriate defense system is one of the major activities of the CIO. It is accomplished by inserting controls (defense mechanisms) and developing awareness. The major objectives of a defense strategy are:

1. Prevention and deterrence
2. Detection
3. Limitation of damage
4. Recovery
5. Correction
6. Awareness and compliance

Any defense strategy involves the use of several controls. These controls are divided into two categories: general controls, which protect the system regardless of the specific application, and application controls, which safeguard specific applications.

Defense Strategy – Biometric

Defense Strategy – Internet Security

Security Layers

Internet security is built in layers. The first layer, border security, is access control: deciding which traffic and which parties may reach the system at all. The next layer is authentication, proof of identity. The final layer is authorization, which determines the actions or activities an authenticated user is allowed to perform.

Business Continuity

An important element in any security system is the business continuity plan. It is closely related to, and often conflated with, the disaster recovery plan; strictly, disaster recovery covers restoring the IT systems, while business continuity covers keeping the business as a whole running. Such a plan outlines the process by which the business should recover from a major disaster.

• The purpose of a business continuity plan is to keep the business running after a disaster occurs.
• Recovery planning is part of asset protection.
• Planning should focus on recovery from a total loss of all capabilities.
• Proof of capability usually involves some kind of what-if analysis that shows that the recovery plan is current.
• All critical applications must be identified and their recovery procedures addressed.
• The plan should be written so that it will be effective in case of disaster.
• The plan should be kept in a safe place; copies should be given to all key managers, or it should be available on the intranet; and the plan should be audited periodically.

One of the most logical ways to deal with loss of data is to back it up. A business continuity plan should include backup arrangements where copies of important files are kept offsite, so that the same disaster cannot destroy both the originals and the backups.

Auditing

Implementing controls in an organization can be very complicated and difficult to enforce. Are controls installed as intended? Are they effective? Did any breach of security occur? These and other questions need to be answered by independent and unbiased observers. Such observers perform an auditing task.

• There are two types of auditors:
  – An internal auditor is usually a corporate employee who is not a member of the ISD.
  – An external auditor is a corporate outsider. This type of auditor reviews the findings of the internal audit.

• There are two types of audits:
  – The operational audit determines whether the ISD is working properly.
  – The compliance audit determines whether controls have been implemented properly and are adequate.

Risk Management

It is usually not economical to prepare protection against every possible threat. Therefore, an IT security program must provide a process for assessing threats and deciding which ones to prepare for and which ones to accept as residual risk rather than spend on.

IT Security Trends

• Increasing the reliability of systems

• Self-healing computers

• Intelligent systems for early intrusion detection

• Intelligent systems in auditing and fraud detection

• Artificial intelligence in biometrics

• Expert systems for diagnosis, prognosis, and disaster planning

• Smart cards

MANAGERIAL ISSUES

• To whom should the IS department report? This issue is related to the degree of IS decentralization and to the role of the CIO. Having the IS department report to a functional area may introduce biases in providing IT priorities to that functional area, which may not be justifiable. Having the IS department report to the CEO is very desirable.

• Who needs a CIO? This is a critical question that is related to the role of the CIO as a senior executive in the organization. Giving a title without authority can damage the ISD and its operation. Asking the IS director to assume a CIO's responsibility, but not giving the authority and title, can be just as damaging. Any organization that is heavily dependent on IT should have a CIO.

• End users are friends, not enemies, of the IS department. The relationship between end users and the ISD can be very delicate. In the past, many ISDs were known to be insensitive to end-user needs. This created a strong desire for end-user independence, which can be both expensive and ineffective. Successful companies develop a climate of cooperation and friendship between the two parties.

• Ethical issues. The reporting relationship of the ISD can result in some unethical behavior. For example, if the ISD reports to the finance department, the finance department will have access to information about individuals or other departments that could be misused.

MANAGERIAL ISSUES Continued

• Responsibilities for security should be assigned in all areas. The more organizations use the Internet, extranets, and intranets, the greater the security issues. It is important to make sure that employees know who is responsible and accountable for what information and that they understand the need for security control. The vast majority of information resources is in the hands of end users. Therefore, functional managers must understand and practice IT security management and other proper asset management tasks.

• Security awareness programs are important for any organization, especially if it is heavily dependent on IT. Such programs should be corporate wide and supported by senior executives. In addition, monitoring security measures and ensuring compliance with administrative controls are essential to the success of any security plan. For many people, following administrative controls means additional work, which they prefer not to do.

• Auditing information systems should be institutionalized into the organizational culture. Organizations should audit IS because it can save considerable amounts of money. Conversely, over-auditing is not cost-effective.

• Multinational corporations. Organizing the ISD in a multinational corporation is a complex issue. Some organizations prefer complete decentralization, having an ISD in each country or even several ISDs in one country. Others keep a minimum of centralized staff. Some companies prefer a highly centralized structure. Legal issues, government constraints, and the size of the IS staff are some factors that determine the degree of decentralization.

• Sarbanes-Oxley. The Sarbanes-Oxley Act, according to the CSI/FBI survey (Gordon et al., 2004), is having a major impact on IT, especially in the financial, utility, and telecommunications sectors (see Minicase 2).

What is Ethics?

• Ethics
  – Set of beliefs about right and wrong behavior
• Ethical behavior
  – Conforms to generally accepted social norms
• Doing what is ethical can be difficult

Improving Corporate Ethics

• Unethical behavior has led to serious negative consequences that have had a global impact
  – Failure of major corporations like Enron and WorldCom due to accounting scandals
  – Collapse of many financial institutions due to unwise and unethical decision making
• Organizations today recognize the need to take action to ensure that their employees operate in an ethical manner when using technology

Appointing a Corporate Ethics Officer

• Corporate ethics
  – Includes ethical conduct, legal compliance, and corporate social responsibility
• Corporate ethics officer
  – Senior-level manager
  – Provides vision and direction in the area of business conduct
• A corporation will place a higher emphasis on ethics policies following a major scandal within the organization

Ethical Standards Set by Board of Directors

• Board of directors
  – Responsible for supervising the management team
  – Expected to conduct themselves according to the highest standards of personal and professional integrity
  – Set the standard for company-wide ethical conduct and ensure compliance with laws and regulations

Establishing a Corporate Code of Ethics

• Code of ethics
  – Highlights an organization's key ethical issues
  – Identifies the overarching values and principles that are important to the organization
• Formal, written statements about:
  – Purpose of the organization
  – Values
  – Principles that guide its employees' actions
• Developed with employee participation
• Fully endorsed by the organization's leadership

Requiring Employees to Take Ethics Training

• The company's code of ethics must be promoted and continually communicated within the organization, from top to bottom
• Comprehensive ethics education program
  – Small workshop formats
• Existence of formal training programs
  – Can reduce a company's liability in the event of legal action

Including Ethical Criteria in Employee Appraisals

• Employees are evaluated on their demonstration of the qualities and characteristics highlighted in the corporate code of ethics
  – Considered along with more traditional criteria used in performance appraisals

IT Code of Conduct

RFC 1087

In January 1989, the Internet Architecture Board (IAB), in RFC 1087 ("Ethics and the Internet"), defined an activity as unethical and unacceptable if it:

1. Seeks to gain unauthorized access to the resources of the Internet.
2. Disrupts the intended use of the Internet.
3. Wastes resources (people, capacity, computer) through such actions.
4. Destroys the integrity of computer-based information, or
5. Compromises the privacy of users (RFC 1087, 1989).

The Code of Fair Information Practices

The Code of Fair Information Practices is based on five principles outlining the requirements for record-keeping systems. It was set out in 1973 by the U.S. Department of Health, Education and Welfare.

1. There must be no personal data record-keeping systems whose very existence is secret.
2. There must be a way for a person to find out what information about the person is in a record and how it is used.
3. There must be a way for a person to prevent information about the person that was obtained for one purpose from being used or made available for other purposes without the person's consent.
4. There must be a way for a person to correct or amend a record of identifiable information about the person.
5. Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuse of the data.

(Harris, 2003)

(ISC)2 Code of Ethics

(ISC)2, an organization committed to the certification of computer security professionals, has further defined its own Code of Ethics, summarized as:

1. Act honestly, justly, responsibly, and legally, and protect the commonwealth.
2. Work diligently, provide competent services, and advance the security profession.
3. Encourage the growth of research; teach, mentor, and value the certification.
4. Discourage unsafe practices, and preserve and strengthen the integrity of public infrastructures.
5. Observe and abide by all contracts, expressed or implied, and give prudent advice.
6. Avoid any conflict of interest, respect the trust that others put in you, and take on only those jobs you are qualified to perform.
7. Stay current on skills, and do not become involved with activities that could injure the reputation of other security professionals (Harris, 2003).

Computer Security Risks

Chapter 8b

What is a computer security risk? Any event or action that could cause loss of or damage to a computer system, its software, or its data.

Computer Viruses, Worms, and Trojan Horses

What are viruses, worms, and Trojan horses?

• Virus: a potentially damaging computer program that can spread and damage files. It attaches itself to other programs or documents and relies on those being run or opened in order to propagate.
• Worm: copies itself repeatedly, using up resources and possibly shutting down a computer or network. Unlike a virus, it spreads on its own across the network without needing a host file.
• Trojan horse: hides within, or looks like, a legitimate program until triggered. It does not replicate itself on other computers.
• Payload: the destructive event a piece of malware delivers when you open an infected file, run an infected program, or boot a computer with an infected disk in the disk drive.

How can a virus spread through an e-mail message?

Step 1. Unscrupulous programmers create a virus program. They hide the virus in a Word document and attach the Word document to an e-mail message.

Step 2. They use the Internet to send the e-mail message to thousands of users around the world.

Step 3a. Some users open the attachment and their computers become infected with the virus.

Step 3b. Other users do not recognize the name of the sender of the e-mail message. These users do not open the e-mail message; instead they delete it. These users' computers are not infected with the virus.

How can you protect your system from a macro virus?

Macros are instructions saved in an application, such as a word processing or spreadsheet program. Set the macro security level in applications that allow you to write macros. At the medium security level, a warning displays that the document contains a macro and lets you decide whether to enable it.

What is an antivirus program? A program that identifies and removes computer viruses. Most also protect against worms and Trojan horses.

What is a virus signature? A specific pattern of virus code, also called a virus definition. Antivirus programs look for virus signatures in the files they scan.

How does an antivirus program inoculate a program file?

• It records information about the program, such as file size and creation date.
• It uses that information to detect whether a virus has tampered with the file.
• It attempts to remove any detected virus.
• It quarantines infected files that it cannot remove, keeping the file in a separate area of the hard disk.
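The inoculation idea above, a recorded baseline that is later compared against the file, is worth seeing in code. The following is an added example written for this page, not code from the slides or from any antivirus product. It records the attributes the slide names (size and timestamp) and adds a SHA-256 digest, then shows why the digest matters: the constructed scenario overwrites a file with same-length content and restores its timestamp, which a size-and-date check misses. All file names are invented and the files are created in a temporary directory.

```python
"""File-integrity baseline, the idea behind antivirus "inoculation".

Added example, not code from the original slides. It records the
attributes the slide names (size, timestamp) plus a SHA-256 digest for
every file under a directory, then re-checks later and reports what
changed. The sample files are constructed in a temporary directory so
the example runs offline; file names are invented.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    st = path.stat()
    return {
        "size": st.st_size,
        "mtime_ns": st.st_mtime_ns,
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
    }


def build_baseline(root: Path) -> dict:
    """Inoculate every regular file under root: relative path -> fingerprint."""
    return {
        str(p.relative_to(root)): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def naive_check(root: Path, baseline: dict) -> list:
    """Size-and-timestamp comparison only: cheap, but defeated by malware
    that keeps the file length and puts the old timestamp back."""
    current = build_baseline(root)
    return [
        name for name, fp in baseline.items()
        if name in current
        and (current[name]["size"], current[name]["mtime_ns"]) != (fp["size"], fp["mtime_ns"])
    ]


def verify(root: Path, baseline: dict) -> dict:
    """Hash comparison. Returns modified, missing and new files; a file
    whose size and timestamp match but whose content differs is still
    reported as modified."""
    current = build_baseline(root)
    return {
        "modified": [n for n, fp in baseline.items()
                     if n in current and current[n]["sha256"] != fp["sha256"]],
        "missing": [n for n in baseline if n not in current],
        "new": [n for n in current if n not in baseline],
    }


def demo() -> dict:
    """Constructed scenario: baseline three files, then overwrite one with
    same-length content and restore its timestamp, delete one, add one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.exe").write_bytes(b"MZ" + b"\x00" * 30)
        (root / "config.ini").write_text("debug=0\n")
        (root / "notes.txt").write_text("hello\n")
        baseline = build_baseline(root)

        target = root / "app.exe"
        old = target.stat()
        target.write_bytes(b"MZ" + b"\x90" * 30)                   # same size as before
        os.utime(target, ns=(old.st_atime_ns, old.st_mtime_ns))   # timestamp put back
        (root / "notes.txt").unlink()
        (root / "dropper.dll").write_bytes(b"\xcc")

        return {"naive": naive_check(root, baseline), "strict": verify(root, baseline)}


if __name__ == "__main__":
    print(demo())
```

In the scenario the naive check reports nothing, while the hash-based check reports the overwritten file, the deleted file and the new file. A real deployment would keep the baseline itself somewhere the malware cannot rewrite it (read-only media or a separate host), since a baseline stored next to the files it protects can be re-inoculated by the attacker.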

What are some tips for preventing virus, worm, and Trojan horse infections?

• Install an antivirus program on all of your computers and keep its definitions updated.
• Install a personal firewall program.
• Never open an e-mail attachment unless you are expecting it and it is from a trusted source.
• If the antivirus program flags an e-mail attachment as infected, delete the attachment immediately.
• Set the macro security in programs so you can enable or disable macros.
• Check all downloaded programs for viruses, worms, or Trojan horses before running them.

What is a denial of service attack and a back door?

A denial of service attack is an assault that disrupts access to an Internet service such as the Web or e-mail, typically by overwhelming the target with more traffic or requests than it can handle.

A back door is a program, or a set of instructions in a program, that allows users to bypass security controls when accessing a computer resource.

What is spoofing?

Spoofing makes a network or Internet transmission appear to come from a legitimate source.

IP spoofing occurs when an intruder's computer forges the source address of its packets so that a network believes they come from a trusted host. Because the forged address is not the attacker's own, replies go elsewhere, which is why IP spoofing is used mostly for one-way attacks such as flooding.

E-mail spoofing (a forged sender address) and Web spoofing (a look-alike site at a similar address) are the forms that trick victims into interacting with a phony Web site.

What is a firewall? A security system consisting of hardware and/or software that filters traffic between networks to prevent unauthorized intrusion.

What is a personal firewall utility? A program that protects a personal computer and its data from unauthorized intrusions. It monitors transmissions to and from the computer and informs you of attempted intrusions.

Unauthorized Access and Use

How can companies protect against hackers?

• Intrusion detection software analyzes network traffic, assesses system vulnerabilities, and identifies intrusions and suspicious behavior.
• Access control defines who can access a computer and what actions they can take.
• An audit trail records access attempts, successful and failed, so that misuse can be detected and investigated afterwards.

What are other ways to protect your personal computer? Disable file and printer sharing on the Internet connection, so that shared folders and printers are not exposed to every host on the Internet.

What is a user name? A unique combination of characters that identifies a user. A password is a private combination of characters associated with the user name that allows access to computer resources.

How can you make your password more secure? Longer passwords provide greater security, because each added character multiplies the number of guesses an attacker must try; a long passphrase beats a short password padded with special characters. Use a different password for each account, so that one stolen password does not open the others.

What is a possessed object? An item that you must carry to gain access to a computer or facility, such as a badge or smart card. It is often used together with a numeric password called a personal identification number (PIN), so that a lost or stolen object alone is not enough.

What is a biometric device? A device that authenticates a person's identity using a personal characteristic: fingerprint, hand geometry, voice, signature, or iris.

Hardware Theft and Vandalism

What are hardware theft and hardware vandalism?

• Hardware theft is the act of stealing computer equipment. Cables are sometimes used to lock equipment in place. Some notebook computers use passwords, possessed objects, and biometrics as security methods. For PDAs, you can password-protect the device.
• Hardware vandalism is the act of defacing or destroying computer equipment.

Software Theft

What is software theft? The act of stealing or illegally copying software, or intentionally erasing programs. Software piracy is the illegal duplication of copyrighted software.

What is a license agreement? The right to use software. A single-user license agreement typically allows the user to install the software on one computer, make a backup copy, and sell the software after removing it from the computer.

What are some other safeguards against software theft?

• Product activation allows the user to input a product identification number online or by phone and receive a unique installation identification number.
• The Business Software Alliance (BSA) promotes better understanding of software piracy problems.

Information Theft

What is encryption? A safeguard against information theft: the process of converting plaintext (readable data) into ciphertext (unreadable characters). An encryption algorithm (cipher) combines the data with a secret key; without the key, the ciphertext cannot be read. To read the data, the recipient must decrypt, or decipher, it with the corresponding key.

Internet Security Risks

How do Web browsers provide secure data transmission? Many Web browsers use encryption. A secure site is a Web site that uses encryption to secure data. A digital certificate is a signed statement that binds the site's public key to its name; the browser checks it to confirm that it is talking to the site it thinks it is. A certificate attests to identity, not to honesty: a fraudulent site can also hold a valid certificate for its own name.

What is a certificate authority (CA)? An authorized person or company that issues and verifies digital certificates. Site operators apply for a digital certificate from a CA, which checks their claim to the name before signing it.

What is Secure Sockets Layer (SSL)? A protocol that provides encryption of all data that passes between the client and the Internet server. Its successor, Transport Layer Security (TLS), has replaced it; all SSL versions are now deprecated because of known weaknesses. Web addresses beginning with "https" indicate a connection secured this way.

System Failure

What is a system failure? A prolonged malfunction of a computer. It can be caused by aging hardware, natural disasters, or electrical power disturbances, and can cause loss of hardware, software, or data. Electrical power disturbances include:

• Undervoltage: a drop in electrical supply
• Overvoltage or power surge: a significant increase in electrical power
• Noise: an unwanted electrical signal

What is a surge protector? A device that protects a computer and equipment from electrical power disturbances. An uninterruptible power supply (UPS) is a surge protector with a battery that provides power during a power loss, long enough to shut down cleanly or ride out a short outage.

Backing Up — The Ultimate Safeguard

What is a backup? A duplicate of a file, program, or disk.

• Full backup: all files on the computer
• Selective backup: you select which files to back up
• Three-generation backup: preserves three copies of important files (grandparent, parent, child), so that a corrupted or infected file is not the only copy you have

In case of system failure or corrupted files, restore the files by copying them to their original location. A backup that has never been restored from is untested; restoring should be rehearsed.

Wireless Security

How can I ensure my wireless communication is secure? Secure your wireless access point (WAP):

• The WAP should not broadcast your network name (SSID); note that this only deters casual discovery, since the name is still visible to anyone who captures traffic.
• Enable Wi-Fi Protected Access (WPA2 or later). Wired Equivalent Privacy (WEP), the older option, is cryptographically broken and can be cracked in minutes with freely available tools, so it should not be used.

Perpetrators

Defensive Measures

• Risk assessment
  – The organization's review of potential threats to its computers and networks
  – Identifies which investments of time and resources will best protect the organization from its most likely and serious threats
  – Reasonable assurance
    • Managers must use their judgment to ensure that the cost of a control does not exceed the system's benefits or the risks involved

Establishing a Security Policy

• Security policy

– Defines an organization’s security requirements

– Defines controls and sanctions needed to meet those requirements

• National Institute of Standards and Technology (NIST)

– Computer Security Division

• Automated system rules should mirror an organization’s written policies

Establishing a Security Policy (continued)

• E-mail attachments
  – A critical security issue, since they are the usual carrier for viruses and Trojan horses
• Virtual private network (VPN)
  – Uses the Internet to relay communications
  – Maintains privacy through security procedures and tunneling protocols that encrypt the traffic between the endpoints

Educating Employees, Contractors, and Part-Time Workers

• Must be educated about the importance of security
  – Discuss recent security incidents
• Protect an organization's information systems and data by:
  – Guarding their passwords
  – Applying strict access controls
  – Reporting all unusual activity to the organization's IT security group

Prevention

• Installing a corporate firewall
  – Established through the use of software, hardware, or a combination of both
  – Can lead to complacency: a firewall controls traffic at the perimeter and does nothing about threats already inside or threats that arrive over allowed channels
• Intrusion prevention systems
  – Prevent an attack by blocking viruses, malformed packets, and other threats from getting into the company network

Prevention (continued)

• Installing antivirus software on personal computers
  – Virus signature
    • A specific sequence of bytes that identifies a known piece of malware
  – United States Computer Emergency Readiness Team (US-CERT)
    • Most of the virus and worm attacks that the team analyzes use already known programs
    • It is crucial that antivirus software be updated continually with the latest virus detection information
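A signature being "a specific sequence of bytes" makes the scanner itself simple; the part that is easy to get wrong is a signature that straddles the boundary between two read buffers. The following is an added example written for this page, not code from the slides or from any antivirus product. The signature names and byte sequences are constructed (they are not real malware definitions), and the files it scans are created in a temporary directory.

```python
"""Signature-based scanner: an added example, not from the original slides.

Each signature is a constructed byte sequence (not a real malware
definition). The scanner reads a file in chunks and keeps an overlap of
len(longest signature) - 1 bytes between chunks so that a signature
straddling a chunk boundary is still found.
"""
import tempfile
from pathlib import Path

# Constructed sample definitions; names and bytes are invented.
SIGNATURES = {
    "Demo.Dropper": b"\xeb\x10\x5e\x31\xc9\xb1\x20\x80\x36\xaa",
    "Demo.Macro":   b"AutoOpen\x00Shell(",
}

CHUNK = 4096


def scan_bytes(data: bytes, signatures=SIGNATURES) -> list:
    """Return the names of every signature that occurs in data."""
    return [name for name, sig in signatures.items() if sig in data]


def scan_file(path: Path, signatures=SIGNATURES, chunk=CHUNK, overlap=None) -> list:
    """Stream the file so that large files need not fit in memory.

    overlap=None keeps the correct carry-over; overlap=0 is shown only to
    demonstrate the boundary bug a naive chunked scanner has."""
    if overlap is None:
        overlap = max(len(s) for s in signatures.values()) - 1
    found = set()
    tail = b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            window = tail + block
            found.update(scan_bytes(window, signatures))
            tail = window[-overlap:] if overlap else b""
    return sorted(found)


def demo() -> dict:
    """Constructed files: one clean, one with a signature placed exactly
    across the chunk boundary, one document carrying the macro signature."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        clean = root / "clean.bin"
        clean.write_bytes(b"\x00" * 10000)

        straddle = root / "straddle.bin"
        sig = SIGNATURES["Demo.Dropper"]
        # first 4 bytes of the signature end chunk 1, the rest start chunk 2
        straddle.write_bytes(b"\x41" * (CHUNK - 4) + sig + b"\x41" * 100)

        doc = root / "invoice.doc"
        doc.write_bytes(b"\xd0\xcf\x11\xe0" + b" " * 50 + SIGNATURES["Demo.Macro"] + b"...")

        results = {p.name: scan_file(p) for p in (clean, straddle, doc)}
        results["straddle_no_overlap"] = scan_file(straddle, overlap=0)
        return results


if __name__ == "__main__":
    print(demo())
```

The `straddle_no_overlap` result is empty: without the carry-over, a signature split across two reads is never seen whole, which is exactly the kind of bug that lets a known sample through. Real scanners add wildcards, normalization of packed or encoded files, and hashing of whole files on top of this, but the boundary handling is the same.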

Prevention (continued)

• Implementing safeguards against attacks by malicious insiders
  – IT staff must promptly disable or delete the computer accounts, login IDs, and passwords of departing employees, including any shared or service credentials they knew
  – Create roles and user accounts so that users have the authority to perform their responsibilities and no more (the principle of least privilege)
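The two insider safeguards above, roles that grant no more than the job needs and prompt removal of a departing employee's authority, are easiest to reason about in a small role-based model. The following is an added example written for this page, not code from the slides or from any product. Role names, user names and permissions are constructed; the audit-trail entries it records are the "audit trail of access attempts" the earlier slide mentions.

```python
"""Least-privilege access control with an audit trail.

Added example, not from the original slides. Roles carry permissions,
users carry roles, and every access decision is logged. Offboarding a
user removes all roles at once, so a departed employee's account keeps
no authority even if deletion is delayed. All names are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class AccessControl:
    roles: dict = field(default_factory=dict)        # role -> set of "resource:action"
    users: dict = field(default_factory=dict)        # user -> set of roles
    audit_trail: list = field(default_factory=list)  # every decision and admin action

    def define_role(self, role: str, permissions) -> None:
        self.roles[role] = set(permissions)

    def add_user(self, user: str, roles) -> None:
        unknown = set(roles) - self.roles.keys()
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self.users[user] = set(roles)

    def offboard(self, user: str) -> None:
        """Departing employee: strip every role, keep the account record
        so that later audit-trail entries can still name the user."""
        self.users[user] = set()
        self.audit_trail.append(("offboard", user))

    def permissions_of(self, user: str) -> set:
        return set().union(*(self.roles[r] for r in self.users.get(user, ())))

    def check(self, user: str, resource: str, action: str) -> bool:
        """Deny by default; record both outcomes in the audit trail."""
        allowed = f"{resource}:{action}" in self.permissions_of(user)
        self.audit_trail.append(("allow" if allowed else "deny", user, resource, action))
        return allowed


def demo():
    ac = AccessControl()
    ac.define_role("payroll_clerk", {"payroll:read", "payroll:update"})
    ac.define_role("auditor", {"payroll:read", "audit_log:read"})
    ac.define_role("dba", {"payroll:read", "payroll:update", "payroll:delete"})
    ac.add_user("alice", {"payroll_clerk"})
    ac.add_user("bob", {"auditor"})
    results = {
        "alice_update": ac.check("alice", "payroll", "update"),
        "alice_delete": ac.check("alice", "payroll", "delete"),  # a clerk needs no delete
        "bob_read": ac.check("bob", "payroll", "read"),
        "bob_update": ac.check("bob", "payroll", "update"),      # an auditor is read-only
    }
    ac.offboard("alice")
    results["alice_after_offboard"] = ac.check("alice", "payroll", "read")
    results["denials_logged"] = sum(1 for e in ac.audit_trail if e[0] == "deny")
    return results, ac.audit_trail


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

Two design points carry over to real systems: the check is deny-by-default, so a user with no roles (including one just offboarded) gets nothing rather than whatever a missing rule happens to allow; and denials are logged alongside allows, because a burst of denials from one account is often the first sign of an insider probing for access.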

Prevention (continued)

• Addressing the most critical Internet security threats
  – The overwhelming majority of successful computer attacks are made possible by taking advantage of well-known vulnerabilities, typically ones for which a fix was already available
  – The SANS (SysAdmin, Audit, Network, Security) Institute and US-CERT regularly update a summary of the most frequent, high-impact vulnerabilities

Prevention (continued)

• Conducting periodic IT security audits
  – Evaluate whether an organization has a well-considered security policy in place and whether it is being followed
  – Test system safeguards
  – Federal Computer Security Report Card

Detection

• Intrusion detection system
  – Software and/or hardware
  – Monitors system and network resources and activities and notifies network security personnel when it identifies possible intrusions
  – Different approaches to intrusion detection
    • Knowledge-based (signature) approaches: match activity against patterns of known attacks; precise, but blind to attacks with no signature yet
    • Behavior-based (anomaly) approaches: build a profile of normal activity and flag deviations; can catch new attacks, at the cost of more false positives
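The difference between the two approaches is clearest when both are run over the same log. The following is an added example written for this page, not code from the slides or from any IDS product. The log lines are constructed in the style of an SSH server's authentication log (not captured from a real system), the signature patterns and thresholds are illustrative choices, and the addresses are from the documentation ranges.

```python
"""Knowledge-based vs behavior-based intrusion detection on auth logs.

Added example, not from the original slides. The log lines are
constructed in the style of an SSH server's authentication log; the
signature rules and thresholds are illustrative choices, not a
vendor's rule set.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log (not captured from a real system).
SAMPLE_LOG = """\
Mar 10 09:00:01 host sshd[201]: Accepted password for alice from 10.0.0.5 port 51001
Mar 10 09:00:07 host sshd[202]: Failed password for root from 203.0.113.9 port 40001
Mar 10 09:00:08 host sshd[203]: Failed password for root from 203.0.113.9 port 40002
Mar 10 09:00:09 host sshd[204]: Failed password for admin from 203.0.113.9 port 40003
Mar 10 09:00:10 host sshd[205]: Failed password for invalid user test from 203.0.113.9 port 40004
Mar 10 09:00:11 host sshd[206]: Failed password for invalid user oracle from 203.0.113.9 port 40005
Mar 10 09:00:12 host sshd[207]: Failed password for invalid user guest from 203.0.113.9 port 40006
Mar 10 09:03:44 host sshd[210]: Accepted password for bob from 10.0.0.7 port 51002
Mar 10 09:05:02 host sshd[211]: Accepted publickey for carol from 198.51.100.77 port 51003
Mar 10 09:05:03 host sshd[211]: Accepted publickey for carol from 198.51.100.77 port 51004
Mar 10 09:05:03 host sshd[211]: Accepted publickey for carol from 198.51.100.77 port 51005
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Knowledge-based: known-bad patterns, one hit is enough to alert.
SIGNATURES = {
    "root_login_attempt": re.compile(r"Failed password for root from"),
    "invalid_user_probe": re.compile(r"Failed password for invalid user"),
}


def parse(log: str):
    """Yield (raw line, parsed fields) for every line the regex understands."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield line, m.groupdict()


def knowledge_based(log: str) -> dict:
    """Signature matching: alert name -> number of matching lines."""
    hits = Counter()
    for line, _ in parse(log):
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits[name] += 1
    return dict(hits)


def behavior_based(log: str, max_failures=5, max_logins_per_source=2) -> dict:
    """Anomaly detection: profile each source address and flag deviations
    from a normal interactive user, i.e. many failures, or more successful
    logins than one person would plausibly open in the window."""
    failures = Counter()
    successes = Counter()
    for _, f in parse(log):
        (failures if f["result"] == "Failed" else successes)[f["ip"]] += 1
    anomalies = defaultdict(list)
    for ip, n in failures.items():
        if n > max_failures:
            anomalies[ip].append(f"{n} failures")
    for ip, n in successes.items():
        if n > max_logins_per_source:
            anomalies[ip].append(f"{n} logins")
    return dict(anomalies)


if __name__ == "__main__":
    print("knowledge-based:", knowledge_based(SAMPLE_LOG))
    print("behavior-based: ", behavior_based(SAMPLE_LOG))
```

On this log the signature rules fire on the password-guessing source, as expected. The three rapid public-key logins from 198.51.100.77 match no signature at all, because nothing about a successful key login is known-bad; only the behavior-based profile flags that source, which is the case for a stolen key being used by a script. The reverse trade-off also shows: the thresholds are guesses, and a legitimate automation host that opens many sessions would trip the same rule.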

Response

• Primary goal
  – Regain control and limit damage
    • Not to attempt to monitor or catch an intruder
• Incident notification
  – Define who to notify and who not to notify
• Protecting evidence and activity logs
  – Document all details of a security incident
• Incident containment
  – Act quickly to contain an attack

Response (continued)

• Eradication
  – Collect and log all possible criminal evidence from the system before it is cleaned or rebuilt
  – Verify that all necessary backups are current, and check that they predate the compromise, since restoring an infected backup reintroduces the attacker
  – Create a forensic disk image of each compromised system
  – Keep a log of all actions taken

Response (continued)

• Incident follow-up
  – Determine how the organization's security was compromised
  – Develop an estimate of the monetary damage
  – Determine the amount of effort that should be put into capturing the perpetrator