managing information outside3
TRANSCRIPT
-
8/14/2019 Managing Information Outside3
1/35
1
Chapter 15Chapter 15
Managing InformationResources & Security
-
8/14/2019 Managing Information Outside3
2/35
2
Learning Objectives
Recognize the difficulties in managinginformation resources.
Understand the role of the IS department and itsrelationships with end-users.
Discuss the role of the chief information officer.
Recognize information systems vulnerability andthe possible damage from malfunctions.
-
8/14/2019 Managing Information Outside3
3/35
3
Learning Objectives (cont.)
Describe the major methods of defendinginformation systems.
Describe the security issues of the Web andelectronic commerce.
Distinguish between security auditing and
disaster recovery planning and understand theeconomics of security.
Describe the Euro 2002 issue.
-
8/14/2019 Managing Information Outside3
4/35
4
Case: Cyber Crime
On Feb. 6, 2000 - the biggest EC sites were hit by
cyber crime.
Yahoo!, eBay, Amazon.com, E*Trade
The attacker(s) used a method called denial of
service (DOS).
By hammering a Web sites equipment with too
many requests for information, an attacker can
effectively clog a system.
The total damage worldwide was estimated at $5-10
billion (U.S.).
The alleged attacker, from the Philippines, was notprosecuted because he did not break any law in the
-
8/14/2019 Managing Information Outside3
5/35
5
Lessons Learned from the Case
Information resources that include computers,networks, programs, and data are vulnerable tounforeseen attacks.
Many countries do not have sufficient laws to deal with
computer criminals.
Protection of networked systems can be a complexissue.
Attackers can zero on a single company, or can attackmany companies, without discrimination.
Attackers use different attack methods.
Although variations of the attack methods are known,
the defence against them is difficult and/or expensive.
-
8/14/2019 Managing Information Outside3
6/35
6
Information Resources Management
Information resources management (IRM)encompasses all activities related to theplanning, organizing, acquiring, maintaining,
securing, and controlling of IT resources.
The management of information resources isdivided among the information servicesdepartment (ISD) and the end-users.
The name of the ISD depends on the IT role, its size,and so forth.
The director of IS is sometimes called the chiefinformation officer (CIO).
It is extremely important to have good relations-
-
8/14/2019 Managing Information Outside3
7/35
7
End-User Computing
Let them sink or
swim.Dont do anythingletthe end-user beware.
Use the stick.
Establish policies andprocedures to controlend-user computing sothat corporate risks areminimized.
Use the carrot.
Create incentives toencourage certain end-user practices thatreduce organizationalrisks.
Offer support.Develop services to aidend-users in theircomputing activities.
Generally, the IS organization takes one of thefollowing four approaches toward end-user
computing:
-
8/14/2019 Managing Information Outside3
8/35
8
Steering Committees
The corporate steering committee is agroup of managers and staff representingvarious organizational units. Thecommittees major tasks are:
Direction setting Staffing Rationing Communication
Structuring Evaluating
-
8/14/2019 Managing Information Outside3
9/35
9
SLAs & Information Centers
Service Levelagreements (SLAs)are formal agreements
regarding the divisionof computingresponsibility amongend-users and the ISD.
Such divisions arebased on a small setof critical computingdecisions made byend-user
management.
Information centers(IC), also known as theusers service or help
center, concentrate onend-user support withPCs, client/serverapplications, and theInternet/intranet.
The IC is set up tohelp users get certainsystems built quickly.
-
8/14/2019 Managing Information Outside3
10/35
10
The New IT Organization
Rockart et al. (1996) proposed the following eightimperatives for
ISDs the New IT organization:
Achieve two-way strategic alignment
Develop effective relations with linemanagement
Quickly develop and implement new systems
Build and manage infrastructures
Reskill the IT organization Manage vendor relationships
Build high performance
Redesign and manage the federal IT
organization
-
8/14/2019 Managing Information Outside3
11/35
11
The Role of the CIO
The CIO is takingincreasing responsibilityfor defining strategic
future. The increased networked
environment may lead todisillusionment with IT.
The CIO needs tounderstand that theWeb-based era is moreabout fundamentalbusiness change than
technology.
The CIO needs to arguefor a greater measures ofcentral coordination.
The IT asset-acquisition
process must beimproved by the CIO.
The CIO is responsible fordeveloping new Web-based business models.
The CIO is becoming abusiness visionary.
-
8/14/2019 Managing Information Outside3
12/35
12
Key Terminology
Backup
Decryption
Encryption
Exposure
Faulttolerance
IS controls
Integrity (of data)
Risk
Threats (or hazards)
Vulnerability
-
8/14/2019 Managing Information Outside3
13/35
13
Security Threats
-
8/14/2019 Managing Information Outside3
14/35
14
Cyber Crime
Crimes can be performed by outsiders whopenetrate a computer system (hackers) or byinsiders who are authorized to use thecomputer system but are misusing theirauthorization.
A cracker is a malicious hacker, who mayrepresent a serious problem for a corporation.
Two basic methods of attack are used indeliberate attacks on computer systems:
data tampering
programming fraud, e.g. Viruses
-
8/14/2019 Managing Information Outside3
15/35
-
8/14/2019 Managing Information Outside3
16/35
16
Defending Information Systems
Hundreds of potentialthreats exist.
Computing resourcesmay be situated in manylocations.
Many individuals controlinformation assets.
Computer networks canbe outside theorganization and difficultto protect.
Rapid technologicalchanges make some
controls obsolete as soonas they are installed.
Many computer crimesare undetected for a long
period of time.
People tend to violatesecurity proceduresbecause they areinconvenient.
Defending information systems is not a simple orinexpensive
task for the following reasons:
-
8/14/2019 Managing Information Outside3
17/35
17
Defense Strategies
The following are the major objectives ofdefense strategies:
Prevention & deterrence Detection
Limitation
Recovery
Correction
-
8/14/2019 Managing Information Outside3
18/35
18
Types of Defense Controls
The defense controls are divided into two majorcategories:
General controls
Protect the system regardless of the specificapplication.
Application controls Safeguards that are intended to protect specific
applications.
-
8/14/2019 Managing Information Outside3
19/35
19
Types of Controls
General Controls
Physical controls
Access controls
Biometric controls
Data securitycontrols
Communications
(networks) controls
Administrativecontrols
ApplicationControls
Input controls
Processingcontrols
Output controls
-
8/14/2019 Managing Information Outside3
20/35
20
Security Measures
An access control system guards againstunauthorized dial-in attempts.
The use of preassigned personal
identification number (PIN).
Modems. It is quite easy for attackers to penetratethem and for employees to leak secret corporateinformation to external networks.
Encryption is used extensively in EC for protecting
payments and privacy.
Troubleshooting packages such as cable testercanfind almost any fault that can occur with LAN
-
8/14/2019 Managing Information Outside3
21/35
21
Security Measures (cont.)
Payload securityinvolves encryption or othermanipulation of data being sent over networks.
Commercial Products. Hundreds of commercial
security products exist on the market.
Intrusion Detecting. It is worthwhile to place anintrusion detecting device near the entrance pointof the Internet to the intranet.
A Firewall is commonly used as a barrier betweenthe secure corporate intranet, or other internalnetworks, and the Internet.
-
8/14/2019 Managing Information Outside3
22/35
22
IT Auditing
In the information system environment,auditing can be viewed as an additional layer
of controls or safeguards. It involves a periodical examination and checkoffinancial and accounting records andprocedures.
Two types of auditors (and audits):
Internal
An internal auditoris usually a corporateemployee who is not a member of the ISD.
External
An external auditoris a corporate outsider.
-
8/14/2019 Managing Information Outside3
23/35
23
IT Auditing (cont.)
Auditors attempt to answer questions such as:
Are there sufficient controls in the system?
Which areas are not covered by controls?
Which controls are not necessary? Are the controls implemented properly?
Are the controls effective; do they check the outputof the system?
Is there a clear separation of duties of employees?
Are there procedures to ensure compliance with thecontrols?
Are there procedures to ensure reporting andcorrective actions in case of violations of controls?
-
8/14/2019 Managing Information Outside3
24/35
24
How is Auditing Executed?
IT auditing procedures can be classified intothree categories:
Auditing around the computer- verifying
processing by checking for known outputs usingspecific inputs.
Auditing through the computer - inputs, outputs,and processing are checked.
Auditing with the computer- using acombination of client data, auditor software, andclient and auditor hardware.
-
8/14/2019 Managing Information Outside3
25/35
25
Disaster Recovery Plan
A disaster recovery plan is essential to any securitysystem.
Here are some key thoughts about disasterrecovery by Knoll (1986):
The purpose of a recovery plan is to keep thebusiness running after a disaster occurs.
Recovery planning is part ofasset protection.
Planning should focus first on recovery from a total
loss of all capabilities. Proof of capability usually involves some kind of
what-if analysis that shows that the recovery plan iscurrent.
All critical applications must be identified and their
recovery procedures addressed in the plan.
-
8/14/2019 Managing Information Outside3
26/35
26
Backup Location
In the event of a major disaster, it is oftennecessary to move a centralized computingfacility to a far-away backup location.
External hot-site vendors provide access to afully configured backup data center.
E.g., When an earthquake hit San Francisco in 1989,
Charles Schwab & Co. was ready. Within a few minutes, the companys disaster plan
was activated.
Programmers, engineers, and backup computertapes were flown to New Jersey, where Comdisco
Disaster Recovery Service provided a hot site.
-
8/14/2019 Managing Information Outside3
27/35
27
Case: Disaster Planning at Reuters
Problem:
Reuters is a multinational information-deliverycorporation.
If Reuters information system were to fail outright, it
would take more than 15 brokerage houses with it. Thecosts, not to mention the legal ramifications, would betremendous.
Solution:
Reuters implemented an Internet disaster recovery plan
with SunGard Corp. The company now operates 3 redundant Web sites in
different locations from coast to coast.
If all 3 were to fail, a hot site would be used to ensurecontinuous operation.
-
8/14/2019 Managing Information Outside3
28/35
28
Risk Management
-
8/14/2019 Managing Information Outside3
29/35
29
Risk-Management (cont.)
A risk-managementapproach helps identifythreats and selects cost-effective securitymeasures.
Risk-management analysis can be enhancedby the use of DSS software packages.
Calculations can be used to compare the
expected loss with the cost of preventing it.
A business continuity planoutlines the processin which businesses should recover from amajor disaster.
-
8/14/2019 Managing Information Outside3
30/35
30
IT Security in the 21st Century
Increasing the Reliability of Systems.
The objective relating to reliability is to usefault tolerance to keep the informationsystems working, even if some parts fail.
Intelligent Systems for Early Detection.
Detecting intrusion in its beginning isextremely important, especially for classifiedinformation and financial data.
Intelligent Systems in Auditing.
Intelligent systems are used to enhance the
task of IS auditing.
-
8/14/2019 Managing Information Outside3
31/35
31
IT Security in the 21st Century (cont.)
Artificial Intelligence in Biometrics.
Expert systems, neural computing, voicerecognition, and fuzzy logic can be used toenhance the capabilities of several biometric
systems.
Expert Systems for Diagnosis, Prognosis, andDisaster Planning.Expert systems can be used todiagnose troubles in computer systems and to
suggest solutions.
Smart Cards.Smart card technology can be usedto protect PCs on LANs.
Fighting Hackers. Several new products are
-
8/14/2019 Managing Information Outside3
32/35
32
Case: The Euro Conversion
Some major IT issues involved in the Euro conversionare;
Time and cost estimates are difficult.
The decision on a conversion date was delegatedto individual companies, and it varies.
Legal requirements force organizations to keepaccounting data in their original form. This willcreate problems for comparisons over time.
It is necessary to convert the code and the existingapplications that involve currencies.
It is necessary to change all the data and data files
in the organizations databases.
-
8/14/2019 Managing Information Outside3
33/35
33
Case: The Euro Conversion (cont.)
In order to execute the conversion properly a CIOmust
Coordinate the execution with the business side of the
enterprise, creating a joint team with members of theISD & other functional units.
Outsourcing some of the tasks is advisable.
Business impact analysis should be done first.
Both business and IT strategies for the conversion mustbe done, coordinated, and assessed periodically.
A proper project management process must beconducted.
-
8/14/2019 Managing Information Outside3
34/35
34
Managerial Issues
To whom should theISD report?
Who needs a CIO?
End-users are
friends, not enemies,of the IS department.
Ethical Issues.
-
8/14/2019 Managing Information Outside3
35/35
35
Managerial Issues (cont.)
Responsibilities forsecurity should beassigned in all areas.
Security awarenessprograms areimportant for anyorganization,especially if it isheavily dependenton IT.
Auditing informationsystems should beinstitutionalized into
the organizationalculture.
Organizing the ISD ina multinationalcorporation is acomplex issue.