MIS - Chapter 15 - Managing Information Resources and Security
Published by: api-3807238 on Oct 17, 2008
PART V
Implementing and Managing IT

13. Information Technology Economics
14. Building Information Systems
15. Managing Information Resources and Security
16. Impacts of IT on Organizations, Individuals, and Society (online)

CHAPTER 15
Managing Information Resources and Security

Cybercrime in the New Millennium
15.1 The IS Department and End Users
15.2 The CIO in Managing the IS Department
15.3 IS Vulnerability and Computer Crimes
15.4 Protecting Information Resources: From National to Organizational Efforts
15.5 Securing the Web, Intranets, and Wireless Networks
15.6 Business Continuity and Disaster Management
15.7 Implementing Security: Auditing and Risk Analysis
Minicases: (1) Home Depot / (2) Managing Security
LEARNING OBJECTIVES
After studying this chapter, you will be able to:
1. Recognize the difficulties in managing information resources.
2. Understand the role of the IS department and its relationships with end users.
3. Discuss the role of the chief information officer.
4. Recognize information systems' vulnerability, attack methods, and the possible damage from malfunctions.
5. Describe the major methods of defending information systems.
6. Describe the security issues of the Web and electronic commerce.
7. Describe business continuity and disaster recovery planning.
8. Understand the economics of security and risk management.
CYBERCRIME IN THE NEW MILLENNIUM

On January 1, 2000, the world was relieved to know that the damage to information systems due to the Y2K problem was minimal. However, only about six weeks into the new millennium, computer systems around the world were attacked, unexpectedly, by criminals.

On February 6, 2000, the biggest e-commerce sites were falling like dominoes. First was Yahoo, which was forced to close down for three hours. Next were eBay, Amazon.com, E*Trade, and several other major EC and Internet sites that had gone dark.

The attacker(s) used a method called denial of service (DoS). By hammering a Web site's equipment with too many requests for information, an attacker can effectively clog a system, slowing performance or even crashing a site. All one needs to do is to get the DoS software (available for free in many hacking sites), break into unrelated unprotected computers and plant some software there, select a target site, and instruct the unprotected computers to repeatedly send requests for information to the target site. It is like constantly dialing a telephone number so that no one else can get through. It takes time for the attacked site to identify the sending computers and to block e-mails from them. Thus, the attacked site may be out-of-service for a few hours.
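The defensive step the paragraph mentions, identifying the sending computers from the flood of requests, is the part a site operator can automate. The example below is added here and is not from the textbook: it parses a small, constructed access log (the line format, the 10-second window and the threshold of 30 requests are assumptions for the example, and the addresses are from documentation ranges) and reports which sources exceed a request rate that no ordinary visitor would produce. Malformed lines are skipped rather than crashing the detector.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log line shape (an assumption for this example, loosely based on the Common
# Log Format): client address, bracketed timestamp, quoted request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp) for a well-formed line, or None for junk."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    except ValueError:
        return None
    return m.group("ip"), ts


def peak_rate_per_source(lines, window_seconds):
    """Largest number of requests any single source made inside any
    sliding window of window_seconds, keyed by source address."""
    times = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts = parsed
            times[ip].append(ts)
    window = timedelta(seconds=window_seconds)
    peaks = {}
    for ip, stamps in times.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):
            # Advance the left edge until the span fits inside the window.
            while stamps[end] - stamps[start] >= window:
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks


def flag_sources(lines, window_seconds=10, threshold=30):
    """Sources whose peak request rate exceeds the threshold, sorted."""
    peaks = peak_rate_per_source(lines, window_seconds)
    return sorted(ip for ip, n in peaks.items() if n > threshold)


def constructed_sample_log():
    """Constructed sample traffic (not a real capture): two ordinary visitors
    plus one source that sends 60 requests in 6 seconds, and one junk line."""
    base = datetime.strptime("06/Feb/2000:10:00:00 +0000", TS_FORMAT)

    def fmt(ip, ts, path):
        return f'{ip} [{ts.strftime(TS_FORMAT)}] "GET {path} HTTP/1.0" 200'

    lines = [
        fmt("198.51.100.5", base, "/index.html"),
        fmt("198.51.100.5", base + timedelta(seconds=4), "/news.html"),
        fmt("192.0.2.33", base + timedelta(seconds=2), "/index.html"),
        "this line is garbage and must be ignored",
    ]
    for i in range(60):  # ten requests per second for six seconds
        lines.append(fmt("203.0.113.7", base + timedelta(milliseconds=100 * i), "/"))
    return lines


if __name__ == "__main__":
    log = constructed_sample_log()
    for ip, n in sorted(peak_rate_per_source(log, 10).items()):
        print(f"{ip:15} peak {n:3d} requests / 10 s")
    print("flagged:", flag_sources(log))
```

The threshold and window are tuning knobs: too low and legitimate bursts (a page with many embedded images) get flagged, too high and a slow flood from many planted machines goes unnoticed, which is why the paragraph's "many unprotected computers" variant is harder to filter than a single noisy source.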

The magnitude of the damage was so large that on February 9, the U.S. Attorney General pledged to track down the criminals and ensure that the Internet remains secure. This assurance did not last too long, as can be seen from the following story told by Professor Turban:

When I opened my e-mail on May 4, 2000, I noticed immediately that the number of messages was larger than usual. A closer observation revealed that about 20 messages were titled I LOVE YOU, and most of them came from faculty, secretaries, and administrators at City University of Hong Kong. It was not my birthday and there was no reason to believe that so many people would send me love messages the same day. My initial thought was to open one message to find out what's going on. But, on second thought I remembered the "Melissa" virus and the instructions not to open any attachment of a strange e-mail. I picked up the telephone and called one of the senders, who told me not to open the attachment since it contained a deadly virus.

Although Professor Turban's system escaped the virus, thousands of users worldwide opened the "love" attachment and released the bug. It is interesting to note that the alleged attacker, from the Philippines, was not prosecuted because he did not break any law in the Philippines. The damage, according to Zetter and Miastkowski (2000), was estimated at $8.7 billion worldwide.

Sources: Compiled from news items during May 3-11, 2000, and from Zetter and Miastkowski (2000).

LESSONS LEARNED FROM THIS CASE

Since May 2000 there have been more than a dozen major virus attacks, and hundreds of small ones, causing damages to organizations and individuals (see Richardson, 2003).

Clearly, information resources, including computers, networks, programs, and data, are vulnerable to unforeseen attacks. Attackers can zero in on a single company, or can attack many companies and individuals without discrimination, using various attack methods. Although variations of the attack methods are known, the defense against them is difficult and/or expensive. As the story of the "love" virus demonstrated, many countries do not have sufficient laws to deal with computer criminals. For all of these reasons, protection of networked systems can be a complex issue.

The actions of people or of nature can cause an information system to function in a way different from what was planned. It is important, therefore, to know how to ensure the continued operation of an IS and to know what to do if the system breaks down. These and similar issues are of concern to the management of information resources, the subject of this chapter.

In this chapter we look at how the IS department and end users work together; the role of the chief information officer; the issue of information security and control in general and of Web systems in particular. Finally, we deal with plans of business continuity after a disaster, and the costs of preventing computer hazards.

15.1 THE IS DEPARTMENT AND END USERS

Throughout this book, we have seen that information systems are used to increase productivity and help achieve quality, timeliness, and satisfaction for both employees and customers. Most large, many medium, and even some small organizations around the world are strongly dependent on IT. Their information systems have considerable strategic importance.

IT resources are very diversified; they include personnel assets, technology assets, and IT relationship assets. The management of information resources is divided between the information services department (ISD) and the end users. Information resources management (IRM) encompasses all activities related to the planning, organizing, acquiring, maintaining, securing, and controlling of IT resources. The division of responsibility depends on many factors, beginning with the amount of IT assets and nature of duties involved in IRM, and ending with outsourcing policies. Decisions about the roles of each party are made during the IS planning (Chapter 9). (For some insights, see Sambamurthy et al., 2001.)

The IS Department in the Organization

A major decision that must be made by senior management is where the ISD is to report in the organizational hierarchy. Partly for historical reasons, a common place to find the ISD is in the accounting or finance department. In such situations, the ISD normally reports to the controller or the chief financial officer. The ISD might also report to one of the following: (1) a vice president of technology, (2) an executive vice president (e.g., for administration), or (3) the CEO.

THE IS DIRECTOR AS A "CHIEF." To show the importance of the IS area, some organizations call the director of IS a chief information officer (CIO), a title similar to chief financial officer (CFO) and chief operating officer (COO). Typically, only important or senior vice presidents receive this title. Other common titles are: vice president for IS, vice president for information technology, or director of information systems. Unfortunately, as Becker (2003) reports, some companies provide the title CIO, but do not accord the position the importance other
