0% found this document useful (0 votes)

139 views

Information Systems Security

The document discusses analyzing vulnerabilities and threats to information systems. It describes the information security system life cycle of analyzing vulnerabilities, designing security measures, implementing systems, and ongoing evaluation. Both quantitative and qualitative approaches to risk assessment are covered. Active threats like input manipulation, program alteration, and data theft are identified. Passive threats which do not involve direct interaction are also discussed. The roles of different individuals like users, intruders, and information systems personnel in posing threats are outlined.

Uploaded by

Hehe

Available Formats

Download as PPT, PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

139 views

Information Systems Security

Uploaded by

Hehe

Available Formats

Download as PPT, PDF, TXT or read online on Scribd

You are on page 1/ 43

Information Systems Security

Chapter 5

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 51
Learning Objective 1

Describe general approaches to

analyzing vulnerabilities and
threats in information systems.

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 52
Overview

The information security system is the

subsystem of the organization that
controls the special risks associated
with computer-based information systems.

The information security system has

the basic elements of any information
system, such as hardware, databases,
procedures, and reports.
2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 53
The Information Security
System Life Cycle

Life-cycle Phase Objective

Analyze system vulnerabilities
Systems analysis in terms of relevant threats and
their associated loss exposure.
Design security measures and
Systems design contingency plans to control
the identified loss exposures.

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 54
The Information Security
System Life Cycle

Life-cycle Phase Objective

Systems Implement the security
implementation measures as designed.
Operate the system and
Systems operation,
assess its effectiveness and
evaluation,
efficiency. Make changes
and control
as circumstances require.

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 55
The Information Security
System in the Organization

The information security system must be

managed by a chief security officer (CSO).

This individual should report directly

to the board of directors in order to
maintain complete independence.

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 56
Analyzing Vulnerabilities
and Threats

Quantitative approach
to risk assessment

Qualitative approach

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 57
Analyzing Vulnerabilities
and Threats

Cost of an individual loss

Likelihood of its occurrence

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 58
Analyzing Vulnerabilities
and Threats

Identifying the relevant costs per loss and

the associated likelihoods can be difficult.

Estimating the likelihood of a given

failure requires predicting the future,
which is very difficult.

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 59
Analyzing Vulnerabilities
and Threats

The systems vulnerabilities and

threats are subjectively ranked in
order of their contribution to the
companys total loss exposure.

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 10
Analyzing Vulnerabilities
and Threats

business interruption
loss of software
loss of data
loss of hardware
loss of facilities
loss of service and personnel

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 11
Learning Objective 2

Identify active and passive

threats to information systems.

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 12
Vulnerabilities and Threats

What is a vulnerability?
A vulnerability is a
weakness in a system.
What is a threat?
A threat is a potential
exploitation of a vulnerability.

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 13
Vulnerabilities and Threats

Active threats

Passive threats

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 14
Individuals Posing a Threat
to the Information System

Groups of individuals that could

be involved in an information
systems attack:

Information systems personnel

Users Intruders

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 15
Individuals Posing a Threat
to the Information System

computer maintenance persons

programmers
network operators
information systems administrative
personnel
data control clerks

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 16
Individuals Posing a Threat
to the Information System

Users are composed of heterogeneous

groups of people. Their functional
area does not lie in data processing.

An intruder is anyone who accesses

equipment, electronic data, or files
without proper authorization.

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 17
Individuals Posing a Threat
to the Information System
A hacker is an intruder who attacks
a system for fun and challenge.
What are other types of intruders?
unnoticed intruders
wiretappers
piggybackers
impersonating intruders
eavesdroppers
2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 18
Active Threats to
Information Systems

Input manipulation Sabotage

Program alteration
Misappropriation
or theft of
Direct file alteration
information
resources
Data theft

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 19
Active Threats to
Information Systems

In most cases of computer fraud,

manipulation of input
is the method used.

Program alteration is perhaps

the least common method used
to commit computer fraud.

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 20
Active Threats to
Information Systems

A direct file alteration occurs when individuals

find ways to bypass the normal process
for inputting data into computer programs.

Data theft is a serious problem in business today.

What are some methods of computer sabotage?

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 21
Active Threats to
Information Systems

Logic bomb

Trojan horse

Virus program

Denial of service attack

Defacing the companys Web site

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 22
Active Threats to
Information Systems

What is a worm?

It is a type of virus that spreads

itself over a computer network.

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 23
Active Threats to
Information Systems

One type of misappropriation

of computer resources exists
when employees use company
computers resources for
their own business.

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 24
Learning Objective 3

Identify key aspects of an

information security system.

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 25
The Information System
Security System

Security measures focus on

preventing and detecting threats.

Contingency plans focus on

correcting the effects of threats.

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 26
The Control Environment

Management philosophy
and operating style

Organization structure

Board of directors
and its committees

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 27
The Control Environment

Management control activities

Internal audit function

Personnel policies and practices

External influences

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 28
Controls for Active Threats

Site-access controls

System-access controls

File-access controls

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 29
Controls for Active Threats

The objective of site-access controls

is to physically separate unauthorized
individuals from computer resources.

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 30
Controls for Active Threats

TV monitor Telephone Locked door

Locked door
(opened from
inside vault) LOBBY
Service
Locked door
window
(entrance)
Intercom Data
to vault archive
Magnet
Scanner detector INNER
VAULT

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 31
Controls for Active Threats

These controls authenticate users by using

such means as user IDs, passwords,
IP addresses, and hardware devices.

It is often desirable to withhold

administrative rights from
individual PC users.
2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 32
Controls for Active Threats

The most fundamental file-access control

is the establishment of authorization guidelines
and procedures for accessing and altering files.

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 33
Controls for Passive Threats

Fault-tolerant systems use redundant components.

If one part of the system fails, a redundant part

immediately takes over, and the system
continues operating with little or no interruption.

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 34
Controls for Passive Threats

Full backups

Incremental backups

Differential backups

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 35
Internet Security

Internet-related vulnerabilities may

arise from weaknesses in five areas.

1. the operating system or its configuration

2. the Web server or its configuration
3. the private network and its configuration
4. various server programs
5. general security procedures

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 36
Learning Objective 4

Discuss contingency planning

and other disaster risk
management practices.

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 37
Disaster Risk Management

Disaster risk management is essential

to ensure continuity of operations
in the event of a catastrophe.

Prevention Contingency
planning planning

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 38
Disaster Risk Management

Natural disaster 30%

Deliberate actions 45%
Human error 25%

A large percentage of disasters

can be mitigated or avoided.

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 39
Disaster Risk Management

A disaster recovery plan must be implemented

at the highest levels in the company.

The first step in developing a disaster recovery

plan should be obtaining the support of senior
management and setting up a planning committee.

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 40
Disaster Risk Management

The design of the plan should

include three major components.

What are these components?

Assess the companys critical needs.

List priorities for recovery.
Establish recovery strategies and procedures.

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 41
Disaster Risk Management

A complete set of recovery strategies

should take into account the following:
emergency response center
escalation procedures
alternate processing arrangements
personnel relocation and replacements plans
salvage plan
plan for testing and maintaining the system
2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 42
End of Chapter 5

2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 5 43

ch12 Accounting Systems Solution Manual
No ratings yet
ch12 Accounting Systems Solution Manual
8 pages
Turban Bi2e PP Ch02
No ratings yet
Turban Bi2e PP Ch02
48 pages
AIS - Romney - Ais13 - PPT - 01 PDF
No ratings yet
AIS - Romney - Ais13 - PPT - 01 PDF
31 pages
CH7 Lecture Slides
No ratings yet
CH7 Lecture Slides
30 pages
Aisch 03
No ratings yet
Aisch 03
47 pages
Unit 1-Fundamentals of DBMS
No ratings yet
Unit 1-Fundamentals of DBMS
53 pages
Accounting Information System Chap 2 Notes
No ratings yet
Accounting Information System Chap 2 Notes
7 pages
AEAIS Module 2 Overview of Transaction Processing and Enterprise Resource Planning Systems
No ratings yet
AEAIS Module 2 Overview of Transaction Processing and Enterprise Resource Planning Systems
28 pages
Get immediate PDF access to the full Solution Manual for Information Technology Auditing 3rd Edition by Hall.
100% (4)
Get immediate PDF access to the full Solution Manual for Information Technology Auditing 3rd Edition by Hall.
57 pages
Intro-InformationAssurance-Security - Part1
No ratings yet
Intro-InformationAssurance-Security - Part1
21 pages
Chapter 6. - OS Database Security) OL - Edited2
No ratings yet
Chapter 6. - OS Database Security) OL - Edited2
49 pages
AKN4509 Accounting Information Systems
No ratings yet
AKN4509 Accounting Information Systems
57 pages
10 IS Control For System Reliability Part 3 - Processing Integrity and Availability
No ratings yet
10 IS Control For System Reliability Part 3 - Processing Integrity and Availability
14 pages
ITB Data and Information
No ratings yet
ITB Data and Information
100 pages
Audit 1-1
No ratings yet
Audit 1-1
3 pages
Chapter 01
No ratings yet
Chapter 01
28 pages
Chapter 6 Management Information System
No ratings yet
Chapter 6 Management Information System
6 pages
Accounting Information Systems: Fourteenth Edition, Global Edition
No ratings yet
Accounting Information Systems: Fourteenth Edition, Global Edition
16 pages
Assets Classification
No ratings yet
Assets Classification
21 pages
Slide Chapter 4
No ratings yet
Slide Chapter 4
23 pages
Connecting and Communicating Online
100% (1)
Connecting and Communicating Online
37 pages
Chapter 12 Electronic Commerce Systems: Accounting Information Systems, 7e
100% (1)
Chapter 12 Electronic Commerce Systems: Accounting Information Systems, 7e
50 pages
Accounting Information Systems: An Overview
No ratings yet
Accounting Information Systems: An Overview
16 pages
MIS10 ch06
No ratings yet
MIS10 ch06
15 pages
Uses of Value Chain Analysis
No ratings yet
Uses of Value Chain Analysis
14 pages
Intruders: Tran Song Dat Phuc Department of Computer Science and Engineering Seoultech 2014
No ratings yet
Intruders: Tran Song Dat Phuc Department of Computer Science and Engineering Seoultech 2014
65 pages
Hapter 19: © 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart
No ratings yet
Hapter 19: © 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart
159 pages
Project Management: Kendall & Kendall Systems Analysis and Design, 9e
No ratings yet
Project Management: Kendall & Kendall Systems Analysis and Design, 9e
73 pages
Project Management: Kendall & Kendall Systems Analysis and Design, 9e
No ratings yet
Project Management: Kendall & Kendall Systems Analysis and Design, 9e
65 pages
Stair Reynolds Is Essentials PPT Chapter 2
No ratings yet
Stair Reynolds Is Essentials PPT Chapter 2
76 pages
Rais12 SM Ch11
100% (1)
Rais12 SM Ch11
24 pages
AIS Romney 2006 Slides 18 Introduction To Systems Development
No ratings yet
AIS Romney 2006 Slides 18 Introduction To Systems Development
153 pages
AIS Chapter 9
No ratings yet
AIS Chapter 9
12 pages
Solution Manual To Accompany: Contemporary Issues in Accounting 2e by Rankin Et Al
No ratings yet
Solution Manual To Accompany: Contemporary Issues in Accounting 2e by Rankin Et Al
8 pages
Romney Ch02
No ratings yet
Romney Ch02
112 pages
Operating System Chapter-1 Slides
No ratings yet
Operating System Chapter-1 Slides
43 pages
Lecture 2 Traditional Accounting Information Systems
No ratings yet
Lecture 2 Traditional Accounting Information Systems
12 pages
AIS17
No ratings yet
AIS17
48 pages
AIS ch09
No ratings yet
AIS ch09
151 pages
Gelinas 9e - CH 04 - Documenting Information Systems PDF
No ratings yet
Gelinas 9e - CH 04 - Documenting Information Systems PDF
44 pages
Enterprise Structure
No ratings yet
Enterprise Structure
17 pages
Designing Accurate Data Entry Procedures: Kendall & Kendall Systems Analysis and Design, 9e
No ratings yet
Designing Accurate Data Entry Procedures: Kendall & Kendall Systems Analysis and Design, 9e
19 pages
File PDF
No ratings yet
File PDF
174 pages
Accounting Theory
No ratings yet
Accounting Theory
9 pages
AIS Romney 2006 Slides 20 System Design
No ratings yet
AIS Romney 2006 Slides 20 System Design
173 pages
CH 02
No ratings yet
CH 02
143 pages
AIS Romney 2006 Slides 15 Database Design Using The REA
No ratings yet
AIS Romney 2006 Slides 15 Database Design Using The REA
138 pages
Chapter 4 - Operating System and Security
No ratings yet
Chapter 4 - Operating System and Security
18 pages
Topic 3 - System Analysis
No ratings yet
Topic 3 - System Analysis
39 pages
Data Model
No ratings yet
Data Model
12 pages
Romney Ais13 PPT 05
No ratings yet
Romney Ais13 PPT 05
20 pages
Transaction Processing and Financial Reporting Systems Overview
No ratings yet
Transaction Processing and Financial Reporting Systems Overview
12 pages
Relational Databases and SQL: Accounting Information Systems, 9e
No ratings yet
Relational Databases and SQL: Accounting Information Systems, 9e
46 pages
AIS Chapter 3 Relational Data Base
No ratings yet
AIS Chapter 3 Relational Data Base
50 pages
Romney Ais13 PPT 11
No ratings yet
Romney Ais13 PPT 11
18 pages
Information Security: 2013 Pearson Education, Inc. Publishing As Prentice Hall, AIS, 11/e, by Bodnar/Hopwood
100% (1)
Information Security: 2013 Pearson Education, Inc. Publishing As Prentice Hall, AIS, 11/e, by Bodnar/Hopwood
39 pages
Week 11 SECURITY AND CONTROL
No ratings yet
Week 11 SECURITY AND CONTROL
53 pages
Information Security Analysis and Audit
No ratings yet
Information Security Analysis and Audit
90 pages
Romney CHAPTER05-1 Computer Fraud
No ratings yet
Romney CHAPTER05-1 Computer Fraud
50 pages
Management Information Systems, 10/E: Raymond Mcleod Jr. and George P. Schell
No ratings yet
Management Information Systems, 10/E: Raymond Mcleod Jr. and George P. Schell
31 pages
Bangsamoro Basic Law - 2017 Final Draft (Edited)
No ratings yet
Bangsamoro Basic Law - 2017 Final Draft (Edited)
77 pages
Quick Response Fund
No ratings yet
Quick Response Fund
3 pages
Remote Sensing and GIS Interview Questions and Answers
No ratings yet
Remote Sensing and GIS Interview Questions and Answers
11 pages
Snow Snow Snow Crossword
0% (1)
Snow Snow Snow Crossword
2 pages
1 PB
No ratings yet
1 PB
8 pages
Corlears Hook Dog Run
No ratings yet
Corlears Hook Dog Run
27 pages
ĐỀ 41-60
No ratings yet
ĐỀ 41-60
65 pages
Seismic Design of Buried and Offshore Pipelines
No ratings yet
Seismic Design of Buried and Offshore Pipelines
384 pages
Pollution and Environmental Health
No ratings yet
Pollution and Environmental Health
26 pages
Lab8 IAA202
No ratings yet
Lab8 IAA202
7 pages
Rulebook Anachrony Follower 0922
No ratings yet
Rulebook Anachrony Follower 0922
19 pages
A Better Future?: Consequences of Migration
No ratings yet
A Better Future?: Consequences of Migration
2 pages
Latbsdc Criteria
No ratings yet
Latbsdc Criteria
53 pages
Nature of Disaster
No ratings yet
Nature of Disaster
45 pages
EAP Dated 30.11.2019
No ratings yet
EAP Dated 30.11.2019
109 pages
Vishnu GP: Professional Summary
No ratings yet
Vishnu GP: Professional Summary
2 pages
Automatic Sprinkler System Guide
100% (2)
Automatic Sprinkler System Guide
4 pages
Key Terms and Concepts Used in Disaster Management: Puleh Steven Sean Dep't of Health Sciences
No ratings yet
Key Terms and Concepts Used in Disaster Management: Puleh Steven Sean Dep't of Health Sciences
38 pages
Synopsis MKAQ
No ratings yet
Synopsis MKAQ
3 pages
January 2008 APWA Reporter
100% (2)
January 2008 APWA Reporter
64 pages
Sar Manual
100% (1)
Sar Manual
62 pages
Lifechanyuan's Ark: Tongxin Celestial
No ratings yet
Lifechanyuan's Ark: Tongxin Celestial
9 pages
Ton Duc Thang University Faculty of Foreign Languages Section of Language Skills WRITING 1 - 001150
No ratings yet
Ton Duc Thang University Faculty of Foreign Languages Section of Language Skills WRITING 1 - 001150
3 pages
JMP88
No ratings yet
JMP88
2 pages
Bleve: Boiling Liquid Expanding Vapor Explosion
100% (4)
Bleve: Boiling Liquid Expanding Vapor Explosion
54 pages
E I A Report
No ratings yet
E I A Report
213 pages
Flood Relief and ER Response Plan FINAL Nov 2010
100% (1)
Flood Relief and ER Response Plan FINAL Nov 2010
136 pages
Obama Speech Text On BP Oil Spill June 15, 2010
No ratings yet
Obama Speech Text On BP Oil Spill June 15, 2010
6 pages
Fire Prevention and Evacuation Drill Presentation
No ratings yet
Fire Prevention and Evacuation Drill Presentation
12 pages
Corporate Level Strategy
100% (1)
Corporate Level Strategy
47 pages