managing information outside3

Upload: aamirusmanlarik

Post on 30-May-2018


  • 8/14/2019 Managing Information Outside3


    Chapter 15

    Managing Information Resources & Security


    Learning Objectives

    Recognize the difficulties in managing information resources.

    Understand the role of the IS department and its relationships with end-users.

    Discuss the role of the chief information officer.

    Recognize information systems vulnerability and the possible damage from malfunctions.


    Learning Objectives (cont.)

    Describe the major methods of defending information systems.

    Describe the security issues of the Web and electronic commerce.

    Distinguish between security auditing and disaster recovery planning and understand the economics of security.

    Describe the Euro 2002 issue.


    Case: Cyber Crime

    On Feb. 6, 2000 - the biggest EC sites were hit by cyber crime.

    Yahoo!, eBay, Amazon.com, E*Trade

    The attacker(s) used a method called denial of service (DOS).

    By hammering a Web site's equipment with too many requests for information, an attacker can effectively clog a system.

    The total damage worldwide was estimated at $5-10 billion (U.S.).

    The alleged attacker, from the Philippines, was not prosecuted because he did not break any law in the


    Lessons Learned from the Case

    Information resources that include computers, networks, programs, and data are vulnerable to unforeseen attacks.

    Many countries do not have sufficient laws to deal with computer criminals.

    Protection of networked systems can be a complex issue.

    Attackers can zero in on a single company, or can attack many companies, without discrimination.

    Attackers use different attack methods.

    Although variations of the attack methods are known, the defence against them is difficult and/or expensive.


    Information Resources Management

    Information resources management (IRM) encompasses all activities related to the planning, organizing, acquiring, maintaining, securing, and controlling of IT resources.

    The management of information resources is divided among the information services department (ISD) and the end-users.

    The name of the ISD depends on the IT role, its size, and so forth.

    The director of IS is sometimes called the chief information officer (CIO).

    It is extremely important to have good relations-


    End-User Computing

    Generally, the IS organization takes one of the following four approaches toward end-user computing:

    Let them sink or swim. Don't do anything; let the end-user beware.

    Use the stick. Establish policies and procedures to control end-user computing so that corporate risks are minimized.

    Use the carrot. Create incentives to encourage certain end-user practices that reduce organizational risks.

    Offer support. Develop services to aid end-users in their computing activities.


    Steering Committees

    The corporate steering committee is a group of managers and staff representing various organizational units. The committee's major tasks are:

    Direction setting

    Staffing

    Rationing

    Communication

    Structuring

    Evaluating


    SLAs & Information Centers

    Service level agreements (SLAs) are formal agreements regarding the division of computing responsibility among end-users and the ISD.

    Such divisions are based on a small set of critical computing decisions made by end-user management.

    Information centers (IC), also known as the user's service or help center, concentrate on end-user support with PCs, client/server applications, and the Internet/intranet.

    The IC is set up to help users get certain systems built quickly.


    The New IT Organization

    Rockart et al. (1996) proposed the following eight imperatives for ISDs (the New IT organization):

    Achieve two-way strategic alignment

    Develop effective relations with line management

    Quickly develop and implement new systems

    Build and manage infrastructures

    Reskill the IT organization

    Manage vendor relationships

    Build high performance

    Redesign and manage the federal IT organization


    The Role of the CIO

    The CIO is taking increasing responsibility for defining the strategic future.

    The increased networked environment may lead to disillusionment with IT.

    The CIO needs to understand that the Web-based era is more about fundamental business change than technology.

    The CIO needs to argue for a greater measure of central coordination.

    The IT asset-acquisition process must be improved by the CIO.

    The CIO is responsible for developing new Web-based business models.

    The CIO is becoming a business visionary.


    Key Terminology

    Backup

    Decryption

    Encryption

    Exposure

    Fault tolerance

    IS controls

    Integrity (of data)

    Risk

    Threats (or hazards)

    Vulnerability


    Security Threats


    Cyber Crime

    Crimes can be performed by outsiders who penetrate a computer system (hackers) or by insiders who are authorized to use the computer system but are misusing their authorization.

    A cracker is a malicious hacker, who may represent a serious problem for a corporation.

    Two basic methods of attack are used in deliberate attacks on computer systems:

    data tampering

    programming fraud, e.g., viruses


    Defending Information Systems

    Defending information systems is not a simple or inexpensive task for the following reasons:

    Hundreds of potential threats exist.

    Computing resources may be situated in many locations.

    Many individuals control information assets.

    Computer networks can be outside the organization and difficult to protect.

    Rapid technological changes make some controls obsolete as soon as they are installed.

    Many computer crimes are undetected for a long period of time.

    People tend to violate security procedures because they are inconvenient.


    Defense Strategies

    The following are the major objectives of defense strategies:

    Prevention & deterrence

    Detection

    Limitation

    Recovery

    Correction


    Types of Defense Controls

    The defense controls are divided into two major categories:

    General controls

    Protect the system regardless of the specific application.

    Application controls

    Safeguards that are intended to protect specific applications.


    Types of Controls

    General Controls

    Physical controls

    Access controls

    Biometric controls

    Data security controls

    Communications (networks) controls

    Administrative controls

    Application Controls

    Input controls

    Processing controls

    Output controls


    Security Measures

    An access control system guards against unauthorized dial-in attempts.

    The use of preassigned personal identification number (PIN).

    Modems. It is quite easy for attackers to penetrate them and for employees to leak secret corporate information to external networks.

    Encryption is used extensively in EC for protecting payments and privacy.

    Troubleshooting packages such as cable testers can find almost any fault that can occur with LAN


    Security Measures (cont.)

    Payload security involves encryption or other manipulation of data being sent over networks.

    Commercial Products. Hundreds of commercial security products exist on the market.

    Intrusion Detecting. It is worthwhile to place an intrusion detecting device near the entrance point of the Internet to the intranet.

    A Firewall is commonly used as a barrier between the secure corporate intranet, or other internal networks, and the Internet.


    IT Auditing

    In the information system environment, auditing can be viewed as an additional layer of controls or safeguards. It involves a periodical examination and check of financial and accounting records and procedures.

    Two types of auditors (and audits):

    Internal

    An internal auditor is usually a corporate employee who is not a member of the ISD.

    External

    An external auditor is a corporate outsider.


    IT Auditing (cont.)

    Auditors attempt to answer questions such as:

    Are there sufficient controls in the system?

    Which areas are not covered by controls?

    Which controls are not necessary?

    Are the controls implemented properly?

    Are the controls effective; do they check the output of the system?

    Is there a clear separation of duties of employees?

    Are there procedures to ensure compliance with the controls?

    Are there procedures to ensure reporting and corrective actions in case of violations of controls?


    How is Auditing Executed?

    IT auditing procedures can be classified into three categories:

    Auditing around the computer - verifying processing by checking for known outputs using specific inputs.

    Auditing through the computer - inputs, outputs, and processing are checked.

    Auditing with the computer - using a combination of client data, auditor software, and client and auditor hardware.


    Disaster Recovery Plan

    A disaster recovery plan is essential to any security system.

    Here are some key thoughts about disaster recovery by Knoll (1986):

    The purpose of a recovery plan is to keep the business running after a disaster occurs.

    Recovery planning is part of asset protection.

    Planning should focus first on recovery from a total loss of all capabilities.

    Proof of capability usually involves some kind of what-if analysis that shows that the recovery plan is current.

    All critical applications must be identified and their recovery procedures addressed in the plan.


    Backup Location

    In the event of a major disaster, it is often necessary to move a centralized computing facility to a far-away backup location.

    External hot-site vendors provide access to a fully configured backup data center.

    E.g., when an earthquake hit San Francisco in 1989, Charles Schwab & Co. was ready.

    Within a few minutes, the company's disaster plan was activated.

    Programmers, engineers, and backup computer tapes were flown to New Jersey, where Comdisco Disaster Recovery Service provided a hot site.


    Case: Disaster Planning at Reuters

    Problem:

    Reuters is a multinational information-delivery corporation.

    If Reuters' information system were to fail outright, it would take more than 15 brokerage houses with it. The costs, not to mention the legal ramifications, would be tremendous.

    Solution:

    Reuters implemented an Internet disaster recovery plan with SunGard Corp.

    The company now operates 3 redundant Web sites in different locations from coast to coast.

    If all 3 were to fail, a hot site would be used to ensure continuous operation.


    Risk Management


    Risk-Management (cont.)

    A risk-management approach helps identify threats and selects cost-effective security measures.

    Risk-management analysis can be enhanced by the use of DSS software packages.

    Calculations can be used to compare the expected loss with the cost of preventing it.

    A business continuity plan outlines the process in which businesses should recover from a major disaster.
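The comparison of expected loss against the cost of preventing it, worked through as an added example that is not part of the slides: it uses the usual annualized loss expectancy figure (ALE = SLE x ARO) over constructed, hypothetical threats and controls, and keeps only the controls whose yearly cost is below the loss they avoid.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    sle: float  # single loss expectancy: cost of one occurrence, in dollars
    aro: float  # annualized rate of occurrence: expected events per year


@dataclass(frozen=True)
class Control:
    name: str
    threat: str            # name of the threat this control mitigates
    annual_cost: float     # yearly cost of the safeguard, in dollars
    loss_reduction: float  # fraction of the annual loss the control removes (0..1)


def ale(threat: Threat) -> float:
    """Annualized loss expectancy: expected loss per year from this threat."""
    return threat.sle * threat.aro


def net_benefit(threat: Threat, control: Control) -> float:
    """Loss avoided per year minus what the control costs per year."""
    loss_avoided = ale(threat) * control.loss_reduction
    return loss_avoided - control.annual_cost


def select_controls(threats, controls):
    """Return the names of controls worth buying: positive net benefit.
    A control naming an unknown threat is skipped rather than guessed at."""
    by_name = {t.name: t for t in threats}
    chosen = []
    for c in controls:
        t = by_name.get(c.threat)
        if t is not None and net_benefit(t, c) > 0:
            chosen.append(c.name)
    return chosen


# Constructed sample figures (hypothetical, for illustration only).
THREATS = [
    Threat("web-site outage", sle=50_000.0, aro=2.0),  # ALE 100,000
    Threat("laptop theft", sle=8_000.0, aro=0.5),      # ALE 4,000
]
CONTROLS = [
    Control("redundant hosting", "web-site outage", 30_000.0, 0.9),  # avoids 90,000
    Control("cable locks", "laptop theft", 6_000.0, 0.5),            # avoids 2,000
    Control("disk encryption", "laptop theft", 1_000.0, 0.75),       # avoids 3,000
]

if __name__ == "__main__":
    for t in THREATS:
        print(f"{t.name}: ALE = {ale(t):,.0f}")
    print("cost-effective controls:", select_controls(THREATS, CONTROLS))
```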


    IT Security in the 21st Century

    Increasing the Reliability of Systems.

    The objective relating to reliability is to use fault tolerance to keep the information systems working, even if some parts fail.

    Intelligent Systems for Early Detection.

    Detecting intrusion in its beginning is extremely important, especially for classified information and financial data.

    Intelligent Systems in Auditing.

    Intelligent systems are used to enhance the task of IS auditing.


    IT Security in the 21st Century (cont.)

    Artificial Intelligence in Biometrics.

    Expert systems, neural computing, voice recognition, and fuzzy logic can be used to enhance the capabilities of several biometric systems.

    Expert Systems for Diagnosis, Prognosis, and Disaster Planning. Expert systems can be used to diagnose troubles in computer systems and to suggest solutions.

    Smart Cards. Smart card technology can be used to protect PCs on LANs.

    Fighting Hackers. Several new products are


    Case: The Euro Conversion

    Some major IT issues involved in the Euro conversion are:

    Time and cost estimates are difficult.

    The decision on a conversion date was delegated to individual companies, and it varies.

    Legal requirements force organizations to keep accounting data in their original form. This will create problems for comparisons over time.

    It is necessary to convert the code and the existing applications that involve currencies.

    It is necessary to change all the data and data files in the organization's databases.


    Case: The Euro Conversion (cont.)

    In order to execute the conversion properly a CIO must:

    Coordinate the execution with the business side of the enterprise, creating a joint team with members of the ISD & other functional units.

    Outsourcing some of the tasks is advisable.

    Business impact analysis should be done first.

    Both business and IT strategies for the conversion must be done, coordinated, and assessed periodically.

    A proper project management process must be conducted.


    Managerial Issues

    To whom should the ISD report?

    Who needs a CIO?

    End-users are friends, not enemies, of the IS department.

    Ethical Issues.


    Managerial Issues (cont.)

    Responsibilities for security should be assigned in all areas.

    Security awareness programs are important for any organization, especially if it is heavily dependent on IT.

    Auditing information systems should be institutionalized into the organizational culture.

    Organizing the ISD in a multinational corporation is a complex issue.