
MANAGEMENT INFORMATION SYSTEM NOTES

UNIT- 5

Information Systems Security and Control: Vulnerability and Abuse, Anti–Virus Packages
and Systems Audit. Managing Global Information Systems.

Information security controls are measures taken to reduce information security risks such as
information systems breaches, data theft, and unauthorized changes to digital information or
systems. These security controls are intended to help protect the availability, confidentiality, and
integrity of data and networks, and are typically implemented after an information security risk
assessment.

The Information Security Triad: Confidentiality, Integrity, Availability (CIA)

Confidentiality

When protecting information, we want to be able to restrict access to those who are allowed to
see it; everyone else should be disallowed from learning anything about its contents. This is the
essence of confidentiality. For example, federal law requires that universities restrict access to
private student information. The university must be sure that only those who are authorized have
access to view the grade records.

Integrity

Integrity is the assurance that the information being accessed has not been altered and truly
represents what is intended. Just as a person with integrity means what he or she says and can be
trusted to consistently represent the truth, information integrity means information truly
represents its intended meaning. Information can lose its integrity through malicious intent, such
as when someone who is not authorized makes a change to intentionally misrepresent something.
An example of this would be when a hacker is hired to go into the university’s system and
change a grade.

Integrity can also be lost unintentionally, such as when a computer power surge corrupts a file or
someone authorized to make a change accidentally deletes a file or enters incorrect information.

Availability

Availability means that information can be accessed and modified by anyone authorized to do so
in an appropriate timeframe. Depending on the type of information, appropriate timeframe can
mean different things. For example, a stock trader needs information to be available
immediately, while a sales person may be happy to get sales numbers for the day in a report the
next morning.

Tools for Information Security

In order to ensure the confidentiality, integrity, and availability of information, organizations can
choose from a variety of tools.

Authentication

The most common way to identify someone is through their physical appearance, but how do we
identify someone sitting behind a computer screen or at the ATM? Tools for authentication are
used to ensure that the person accessing the information is, indeed, who they present themselves
to be.

Access Control

Once a user has been authenticated, the next step is to ensure that they can only access the
information resources that are appropriate. This is done through the use of access control. Access
control determines which users are authorized to read, modify, add, and/or delete information.
Several different access control models exist. Here we will discuss two:

The access control list (ACL) and role-based access control (RBAC).

ACL: An access control list is a list of permissions associated with a system resource. An
ACL specifies which users or system processes are granted access to an object, and which
operations (such as read or modify) each of them may perform on it.

RBAC: Role-based access control (RBAC) is a method of regulating access to computer or
network resources based on the roles of individual users within an organization.

Types of information security controls include security policies, procedures, plans, devices and
software intended to strengthen cyber security. There are three categories of information security
controls:
- Preventive security controls, designed to prevent cyber security incidents
- Detective security controls, aimed at detecting a cyber security breach attempt (“event”)
or successful breach (“incident”) while it is in progress, and alerting cyber security
personnel
- Corrective security controls, used after a cyber security incident to help minimize data
loss and damage to the system or network, and restore critical business systems and
processes as quickly as possible (“resilience”)
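As an added example (not part of the original notes), the two access control models from the section above applied to the university grade records used earlier in the notes, plus a small audit log that acts as a detective control by recording every denied request. The user names, roles and the grades/ resource paths are constructed for illustration.

```python
from typing import Dict, List, Set, Tuple

# Permission names used in the notes: read, modify, add, delete.
READ, MODIFY, ADD, DELETE = "read", "modify", "add", "delete"

# ---- ACL model: a permission list attached to each resource ----------
# Constructed sample data (hypothetical): two student grade records, each
# carrying its own access control list of {user: permissions}.
GRADE_ACLS: Dict[str, Dict[str, Set[str]]] = {
    "grades/alice": {"alice": {READ}, "prof_kim": {READ, MODIFY}},
    "grades/bob":   {"bob": {READ},   "prof_kim": {READ, MODIFY}},
}

def acl_allows(resource: str, user: str, perm: str) -> bool:
    """ACL check: is `perm` granted to `user` on this particular resource?
    Unknown resources and users missing from the list are denied (default deny)."""
    entry = GRADE_ACLS.get(resource, {})
    return perm in entry.get(user, set())

# ---- RBAC model: permissions attached to roles, users assigned to roles
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "student":   {READ},                       # may read a grade record
    "professor": {READ, MODIFY},               # may read and change grades
    "registrar": {READ, MODIFY, ADD, DELETE},  # full control of the records
}
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"student"}, "bob": {"student"},
    "prof_kim": {"professor"}, "reg_lee": {"registrar"},
}

def rbac_allows(user: str, perm: str, resource: str) -> bool:
    """RBAC check: does any role held by `user` carry `perm`?
    The student role is scoped to the student's own record, so 'read' on
    grades never exposes another student's grades (confidentiality)."""
    for role in USER_ROLES.get(user, set()):
        if perm not in ROLE_PERMISSIONS.get(role, set()):
            continue
        if role == "student" and resource != f"grades/{user}":
            continue  # students only ever see their own record
        return True
    return False

# ---- Detective control: record every decision, surface the denials ----
AUDIT_LOG: List[Tuple[str, str, str, str, bool]] = []

def check_access(user: str, perm: str, resource: str, model: str = "rbac") -> bool:
    """Authorize with the chosen model and append the outcome to the audit log."""
    if model == "acl":
        allowed = acl_allows(resource, user, perm)
    else:
        allowed = rbac_allows(user, perm, resource)
    AUDIT_LOG.append((model, user, perm, resource, allowed))
    return allowed

def denied_attempts() -> List[Tuple[str, str, str, str, bool]]:
    """Entries a security analyst would review: every denied request."""
    return [entry for entry in AUDIT_LOG if not entry[4]]

if __name__ == "__main__":
    check_access("alice", READ, "grades/alice")     # allowed
    check_access("alice", READ, "grades/bob")       # denied and logged
    check_access("prof_kim", DELETE, "grades/bob")  # denied and logged
    for entry in denied_attempts():
        print("DENIED:", entry)
```

Note that the ACL must be edited on every record when a professor changes, whereas RBAC only needs the user's role assignment updated; that maintenance difference is the usual reason organizations move from per-resource lists to roles.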

Security controls come in the form of:

- Access controls including restrictions on physical access such as security guards at
building entrances, locks, and perimeter fences
- Procedural controls such as security awareness education, security framework
compliance training, and incident response plans and procedures
- Technical controls such as multi-factor user authentication at login, logical
access controls, antivirus software, and firewalls
- Compliance controls such as privacy laws and cyber security frameworks and
standards.

Vulnerability and Abuse:

Before computer automation, data about individuals or organizations were maintained and
secured as paper records dispersed in separate business or organizational units. Information
systems concentrate data in computer files that can potentially be accessed by large numbers of
people and by groups outside of the organization.

When large amounts of data are stored in electronic form they are vulnerable to many more kinds
of threats than when they exist in manual form. Through communications networks, information
systems in different locations can be interconnected. The potential for unauthorized access,
abuse, or fraud is not limited to a single location but can occur at any access point in the
network.

- When data are stored in digital form, they are more vulnerable than when they exist in
manual form. Security refers to the policies, procedures, and technical measures used to
prevent unauthorized access, alteration, theft, or physical damage to information systems
- Controls consist of all the methods, policies, and organizational procedures that ensure
the safety of the organization's assets; the accuracy and reliability of its accounting
records; and operational adherence to management standards.
- Threats to computerized information systems include hardware and software failure; user
errors; physical disasters such as fire or power failure; theft of data, services, and
equipment; unauthorized use of data; and telecommunications disruptions.
- On-line systems and telecommunications are especially vulnerable because data and files
can be immediately and directly accessed through computer terminals or at points in the
telecommunications network.

Contemporary security challenges and vulnerabilities: The architecture of a Web-based
application typically includes a Web client, a server, and corporate information systems linked to
databases. Each of these components presents security challenges and vulnerabilities. Floods,
fires, power failures, and other electrical problems can cause disruptions at any point in the
network.

The Internet poses additional problems because it was explicitly designed to be easily accessed
by people on different computer systems. Information traveling over unsecured media can be
intercepted and misused. Fixed IP addresses serve as fixed targets for hackers, and Internet
software has become a means for introducing viruses and malicious software to otherwise secure
networks.

Wi-Fi security challenges: Many Wi-Fi networks can be penetrated easily by intruders using
sniffer programs to obtain an address to access the resources of a network without authorization.
Malicious software, or malware, includes threats such as computer viruses and worms, and
Trojan horses. A computer virus is rogue software that attaches itself to other programs or data
files in order to be executed, and may be highly destructive to files, computer memory, and hard
drives. Viruses are typically designed to spread from computer to computer through e-mail
attachments or copied files.

[Figure: Worldwide damage from digital attacks. The chart shows estimates of the average annual
worldwide damage from hacking, malware, and spam since 1999, based on figures from mi2G and
the authors.]

In computer crime, the computer can be either the target of or the instrument of a crime. The
most economically damaging kinds of computer crime are DOS attacks, introducing viruses,
theft of services, and disruption of computer systems.

Internet vulnerabilities

Large public networks such as the Internet are more vulnerable than internal networks because
they are virtually open to anyone. The Internet is so huge that when abuses do occur, they can
have an enormously widespread impact. When the Internet becomes part of the corporate
network, the organization’s information systems are even more vulnerable to actions from
outsiders.

Malicious Software: Viruses, Worms, Trojan Horses, and Spyware

Malicious software programs referred to as malware include a variety of threats such as
computer viruses, worms, and Trojan horses. A computer virus is a rogue software program that
attaches itself to other software programs or data files in order to be executed, usually without
user knowledge or permission.

Anti–Virus Packages:

Antivirus is a kind of software used to prevent, scan, detect and delete viruses from a computer.
Once installed, most antivirus software runs automatically in the background to provide real-time
protection against virus attacks.

Comprehensive virus protection programs help protect your files and hardware from malware
such as worms, Trojan horses and spyware, and may also offer additional protection such as
customizable firewalls and website blocking.

Antivirus programs and computer protection software are designed to evaluate data such as web
pages, files, software and applications to help find and eradicate malware as quickly as possible.

Most provide real-time protection, which can protect your devices from incoming threats; scan
your entire computer regularly for known threats and provide automatic updates; and identify,
block and delete malicious codes and software.

Malware:
Malware, short for “malicious software,” is a blanket term that refers to a wide variety of
software programs designed to do damage or perform other unwanted actions on a computer, server or
computer network. Common examples include viruses, spyware and Trojan horses. Malware can
slow down or crash your device or delete files.

Spyware:
Spyware is a type of malware that attaches itself and hides on a computer’s operating system
without your permission to make unwanted changes to your user experience. It can be used to
spy on your online activity and may generate unwanted advertisements or make your browser
display certain websites or search results.

Phishing:
Phishing attacks use email or fraudulent websites to try to trick you into providing personal or
financial information to compromise an account or steal money by posing as a trustworthy entity.
They may claim there’s a problem with payment information or that they’ve noticed activity on
an account and ask you to click on a link or attachment and provide personal information.

A few Anti–Virus Packages

- Norton - Best Antivirus for Android + Windows
- McAfee - Top Choice for Mac and iOS
- Avast - Superb Anti-malware Software
- Panda Dome - Flexible Prices & Deals
- Vipre - Plans for Businesses and Home-Use
- TotalAV - Best User-friendly Antivirus Software
- BullGuard - Ideal for Gamers

Systems Audit:

The audit of systems involves the review and evaluation of the controls and computer systems of
the company that processes the information, as well as their use, efficiency, and security.
Through the audit of systems as a means of control, follow-up, and review, the computer
processes and technologies are used more efficiently and safely, supporting sound decision-
making.

- Verification of controls in the processing of information and installation of systems, in
order to evaluate their effectiveness and also present some recommendation and advice
- Verify and judge the information objectively
- Examination and evaluation of the processes in terms of computerization and data
processing. In addition, the number of resources invested, the profitability of each
process and its effectiveness and efficiency are evaluated

The analysis and evaluation carried out through the systems audit must be objective, critical,
systematic, and impartial. The final audit report should be a clear picture of the reality of the
company in terms of processes and computerization, so that it can make better decisions and
improve the business.

Objectives of the systems audit are:

- Improve the cost-benefit ratio of information systems
- Increase the satisfaction and security of the users of these computerized systems
- Guarantee confidentiality and integrity through professional security and control systems
- Minimize the existence of risks, such as viruses or hackers, for example
- Optimize and streamline decision making
- Educate on the control of information systems, since it is a very changing and relatively
new sector, so it is necessary to educate users of these computerized processes.

Therefore, systems auditing is a way of monitoring and evaluating not only the computer
equipment itself. Its field of action also covers the control of the systems used to gain entry to this
equipment (think, for example, of access codes), the archives, and their security.

“Systematic, independent and documented process for obtaining audit evidence and evaluating it
objectively to determine the extent to which the audit criteria are fulfilled.”

Importance of system audit

A system audit is important as it allows a company to review the performance of its operational
systems.

By performing a system audit, companies can:

1. Evaluate the actual performance of their operations compared to what was planned
2. Validate that the objectives pursued by the organization remain relevant
3. Validate whether or not the company is achieving those objectives
4. Ensure that the systems used are reliable
5. Review system records to ensure systems operate based on specifications
6. Identify vulnerabilities and risks
7. Allow a company to define a mitigation plan to better achieve its objectives
8. Monitor its operational systems to ensure they meet the objectives on an ongoing basis

System audit process

1. Audit initiation
2. Audit preparation
3. Audit execution
4. Audit report
5. Audit closure and follow-up

Audit initiation: Audit initiation is the start of the system audit process. During the audit
initiation, the auditor and the client will determine the scope and frequency of the audit. When
deciding on the scope, importance is given to the client’s needs, requirements, objectives and
timeline.

Audit preparation: The audit preparation is when the auditor starts the review of the auditing
procedure of the system. In the preparation phase, the goal is to define an audit plan that
typically includes:

1. Scope of the audit
2. Individuals involved in the audit process
3. System standards
4. Logistics of the audit
5. Duration of the audit process
6. Meeting schedules
7. Expected completion date

Audit execution: The audit execution is the actual process of performing the system audit.
During the audit execution process, the auditor will look at the specifics of the company systems,
how they operate, identify what is compliant and what may not be compliant, get clarification
from the client and so on.

Audit report: The final phase of the system audit process is the issuance of the audit report. The
auditor’s responsibility is to ensure a report is produced providing an independent evaluation of
the audited systems. The report should be factual and present any discrepancies found along with
objective evidence to that effect. The auditor will also provide his or her judgment as to the
company’s compliance with the system standards against which the audit was conducted.

Audit closure and follow-up

According to ISO 19011, an audit is closed when: “The audit is completed when all the planned
audit activities have been carried out, or otherwise agreed with the audit client.” Once all the
audit activities have been carried out, we have reached the end of the audit process.

Managing Global Information Systems:

The growth of inexpensive international communication and transportation has created a world
culture with stable expectations or norms. Political stability and a growing global knowledge
base that is widely shared also contribute to the world culture. There are four basic international
strategies: domestic exporter, multinational, franchiser, and transnational. There is a connection
between firm strategy and information systems design.

Management challenges in developing global systems include:

1. Agreeing on common user requirements
2. Introducing changes in business processes
3. Coordinating applications development
4. Coordinating software releases
5. Encouraging local users to support global systems

The first step in managing a global transition is identifying core systems, which includes
identifying critical core business processes, identifying centers of excellence for these processes,
and rank-ordering these centers. You then can decide which processes should be core
applications, centrally coordinated, designed, and implemented around the globe, and which
should be regional and local.

LOCAL, REGIONAL AND GLOBAL SYSTEMS

Agency and other coordination costs increase as the firm moves from local option systems
toward regional and global systems. However, transaction costs of participating in global
markets probably decrease as firms develop global systems. A sensible strategy is to reduce
agency costs by developing only a few core global systems that are vital for global operations,
leaving other systems in the hands of regional and local units.

Global systems contribute, overall, to:

1. Superior management and coordination

2. Improvement in production, operation, supply and distribution

3. Costs can be spread over a larger, global customer base, unleashing new economies of
scale at production facilities

4. The ability to optimize the use of corporate funds over a much larger capital base.

Developing An International Information Systems Architecture

International information systems architecture consists of the basic information systems required
by organizations to coordinate worldwide trade and other activities. The basic strategy to follow
when building an international system is to understand the global environment in which your
firm is operating. This means understanding the overall market forces, or business drivers, that
are pushing your industry toward global competition. A business driver is a force in the
environment to which businesses must respond and that influences the direction of the business.
The Global Environment: Business Drivers and Challenges

- The global business drivers can be divided into two groups: general cultural factors and
specific business factors. Easily recognized general cultural factors have driven
internationalization since World War II.
- The development of global communications has created a global village in a second
sense: A global culture created by television, the Internet, and other globally shared
media such as movies now permits different cultures and peoples to develop common
expectations about right and wrong, desirable and undesirable, heroic and cowardly.
- Responding to demand, global production and operations have emerged with precise
online coordination between far-flung production facilities and central headquarters
thousands of miles away. The new global markets and pressure toward global production
and operation have called forth whole new capabilities for global coordination.
- Finally, global markets, production, and administration create the conditions for
powerful, sustained global economies of scale. Not all industries are similarly affected
by these trends. Clearly, manufacturing has been much more affected than services, which
still tend to be domestic and highly inefficient. However, the localism of services is
breaking down in telecommunications, entertainment, transportation, finance, law, and
general business.
The Management Solution: Implementation

Agreeing on Common User Requirements

- Establishing a short list of the core business processes and core support systems will
begin a process of rational comparison across the many divisions of the company,
develop a common language for discussing the business, and naturally lead to an
understanding of common elements.

Introducing Changes in Business Processes

- Your success as a change agent will depend on your legitimacy, your authority, and your
ability to involve users in the change design process. Legitimacy is defined as the extent
to which your authority is accepted on grounds of competence, vision, or other qualities.

Coordinating Applications Development

- Choice of change strategy is critical for this problem. At the global level there is far too
much complexity to attempt a grand design strategy of change. It is far easier to
coordinate change by making small incremental steps toward a larger vision.

Coordinating Software Releases

- Firms can institute procedures to ensure that all operating units convert to new software
updates at the same time so that everyone's software is compatible.

Encouraging Local Users to Support Global Systems

- The key to this problem is to involve users in the creation of the design without giving up
control over the development of the project to parochial interests. The overall tactic for
dealing with resistant local units in a transnational company is cooptation. Cooptation is
defined as bringing the opposition into the process of designing and implementing the
solution without giving up control over the direction and nature of the change.

Technology Issues and Opportunities for Global Value Chains

- One major challenge is finding some way to standardize a global computing platform
when there is so much variation from operating unit to operating unit and from country to
country.

Computing Platforms and Systems Integration

- The goal is to develop global, distributed, and integrated systems to support digital
business processes spanning national boundaries. Briefly, these are the same problems
faced by any large domestic systems development effort. However, the problems are
magnified in an international environment.

Connectivity

- Truly integrated global systems must have connectivity - the ability to link together the
systems and people of a global firm into a single integrated network just like the phone
system but capable of voice, data, and image transmissions.

********