
Management Information Systems
Chapter 10
The Digital Firm: Security & Control
Kenneth C. Laudon
Jane P. Laudon
9th edition, Pearson Prentice Hall
www.prenhall.com/laudon
Chapter Objectives

After completing this chapter, you will be able to:

1. Explain why information systems need special protection from destruction, error, and abuse.
2. Assess the business value of security and control.
3. Evaluate elements of an organizational and managerial framework for security and control.
4. Evaluate the most important tools and technologies for safeguarding information resources.
5. Identify the challenges posed by information systems security and control and management solutions.

Discussion Questions:

1. Discuss why wireless networks are more susceptible to security problems and how businesses can protect them.
2. Discuss the difference between general controls and application controls that organizations should use in their information system design. Which general controls are users and managers responsible for?
3. Discuss the difference between fault-tolerant computer systems and high-availability computer systems.
4. Discuss the threat employees pose to information system security.
5. Discuss three laws recently passed by the U.S. government that created electronic records management obligations for businesses.
Chapter 10 Security and Control

As firms become more technologically oriented, they must become more aware of security and control issues surrounding their information systems and protect those resources more stringently than ever before. It's that simple.

10.1 System Vulnerability and Abuse

As our society and the world itself come to depend on computers and information systems more and more, firms must put forth a better effort in making their systems less vulnerable and more reliable. The systems must also be more secure when processing transactions and maintaining data. These two issues, which we address in this chapter, are the biggest issues facing those wanting to do business on or expand their operations to the Internet. The threats are real, but so are the solutions.
Why Systems Are Vulnerable

Information systems are vulnerable to technical, organizational, and environmental threats from internal and external sources: hardware and software failures, errors by users and operators, fire, flood and power loss, and deliberate attacks from inside and outside the organization. The weakest link in the chain is poor system management. If managers at all levels don't make security and reliability their number one priority, then the threats to an information system can easily become real. The figure in the text (not reproduced here) shows the threats that apply to each component of a typical network: the client, the communications lines, the corporate servers, and the corporate databases.
Internet Vulnerabilities

"If electronic business is to prosper and truly move into the mainstream of commerce, everyone involved - merchants, financial institutions, software vendors, and security suppliers such as VeriSign - has to make security a top priority, starting right now. Security is very hard to get right under the best of circumstances and just about impossible when it isn't the focus of attention. If the industry doesn't get this right - and fast - it's setting the stage for a catastrophic loss of confidence." (Business Week, March 26, 2001)

"A top U.S. Air Force official has warned Microsoft to dramatically improve the security of its software or risk losing the Air Force as a customer. Reacting to rising criticism from the Air Force and others, Microsoft Chairman Bill Gates in mid-January issued a directive making security the software giant's No. 1 priority. Gates directed 7,000 programmers to spend February scouring the Windows operating system for openings hackers might exploit to steal data or shut down systems." (USA Today, March 10, 2002)

With distributed computing used extensively in network systems, you have more points of entry, which can make attacking the system easy. The more people you have using the system, the more potential for fraud and abuse of the information maintained in that system. That's why you have to make it everybody's business to protect the system. It's easy for people to say that they are only one person and therefore they won't make much difference. But it only takes one person to disable a system or destroy data.
Wireless Security Challenges

It's a difficult balancing act when it comes to making wireless systems easy to access and yet difficult to penetrate. Internet cafes, airports, hotels, and other hotspot access points need to make it easy for users to use network systems built on the 802.11 standard. Yet, because it is so easy, hackers and crackers can easily access unsuspecting users' systems and steal data or use the entry point as a way to spread malicious programs: on an open hotspot the radio traffic is not encrypted, so anyone in range with a wireless card can read it, and anyone on the same network can probe the other connected machines. Hackers also use war driving techniques (driving or walking around with a wireless-equipped laptop that records every access point it hears) to find wireless networks that were never secured, not only in hotels and airports but in private businesses and government centers.
Malicious Software: Viruses, Worms, Trojan Horses, and Spyware

Have you ever picked up a cold or the flu from another human? Probably. You then spread it to two or three other people through touch or association. Those people spread it to two or three more people each. Pretty soon it seems that everyone on campus or at work is sick. That is how computer viruses spread. You copy a file from an infected source, use the file, and maybe send it to friends or associates. The virus is now on your computer and attaches itself to files other than the original. You then send the same or even a different file to a few friends and their computers are infected.

A different type of malware called a worm can also destroy data on computers or clog network systems with software-generated traffic. Worms are similar to viruses in that they can create additional copies of themselves on a computer and generate emails to other computers with the infected file attached. Worms differ from viruses because they don't need human intervention, such as opening a file, to spread from one computer to another; they exploit a network service directly.

Trojan horses are programs that appear to do something useful but carry hidden code that makes the computer perform unexpected operations, often to the detriment of the system and the user; unlike viruses and worms they do not replicate themselves. This type of malware is usually masked in email attachments, although it can also be downloaded from Web sites. Table 10-1 in the text gives examples of malicious code that spread through vulnerable Internet-connected systems.
Spyware is software that installs itself, often alongside a free download, and secretly monitors what the user does; key loggers, which record every keystroke to capture passwords and card numbers, are the most dangerous form. Not all tracking is damaging to a computer system. It is a popular method for some Web sites to monitor how users navigate through a site, providing critical information that the Web designers and developers can use to improve the site. Unfortunately, spyware is also becoming a popular way for hackers to install malicious code on computers and then infiltrate the unsuspecting machine.

Whether you use a stand-alone PC or your computer is attached to a network, you're just asking for trouble if you don't have antivirus software. This type of software checks incoming files and installed programs against a database of signatures of known viruses, which means it can only recognize viruses it has already been told about. Not if, but when, you receive an infected file, the software alerts you to its presence. You can choose to delete the file or "clean" it. Make sure you update the signature database at least weekly, and preferably through automatic daily updates, because new viruses are constantly being written and passed around. Some antivirus software companies now make it very easy to keep your antivirus software current through online updates. McAfee.com will detect when you are online and notify you when new updates are available. With a few mouse clicks, you download the software to protect against the newest viruses.
Web-enabled and e-mail-enabled cell phones are now being targeted as a way to spread viruses.

"As cellular phones morph into computerlike 'smartphones' able to surf the Web, send e-mail and download software, they're prone to the same tribulations that have waylaid computers over the past decade. 'We should think of cell phones as just another set of computers on the Internet,' said Stephen Trilling, director of research at antivirus software maker Symantec Corp. 'If they're connected to the Internet they can be used to transmit threats and attack targets, just as any computer can. It's technically possible right now.'" (Associated Press, April 1, 2002)

If you connect to the Internet with a cable modem or DSL you are much more vulnerable to hackers on your home PC than if you connect with a dial-up modem. That's because you are always connected, with an IP address that rarely or never changes, and the scanners hackers run across whole address ranges will find it sooner or later. The only smart thing to do is keep your software up-to-date, include firewall protection, and turn off any network services you don't need.
Hackers and Cybervandalism

Hackers, those who intentionally gain unauthorized access to a computer system, whether to create havoc, do damage, or just prove they can (those who break in to do damage are sometimes called crackers), have been around for a long time. Many companies don't report hackers' attempts to enter their systems because they don't want people to realize their systems are vulnerable. That makes gathering real statistics about hacking attempts and successes hard. Unauthorized access is a huge problem, though.

Some hackers penetrate systems just to see if they can. They use automated scanning tools that continually probe for open ports, unpatched services, and password files that can be copied. Or they look for areas of the system that have been "left open", so to speak, where they can enter the system. Sometimes they don't do any damage, but far too often they destroy files, erase data, or steal data for their own use, for example by planting Trojan horse software. Other hackers attack systems because they don't like the company.
Password theft is the easiest way for hackers to gain access to a system. No, they don't come into your office at night and look at the piece of paper in your desk drawer that has your password written on it. They generally use password-guessing programs: a dictionary attack tries every word in a wordlist of common passwords, names and dictionary words, together with the usual variations (capitalizing the first letter, appending a digit or a year), against the login prompt or against a copied file of password hashes; a brute-force attack tries every combination of characters. A password made from your name or a dictionary word falls in seconds. That's why you should use combinations of letters, numbers and symbols not easily associated with you, and why length matters most: every character you add multiplies the number of guesses an exhaustive search needs. Systems should do their part by storing passwords as salted, slow hashes rather than in the clear, and by locking an account after repeated failed attempts.
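The following is an added example, not code from the text, showing both sides of the password-guessing threat just described: a dictionary attack with the usual mangling rules against a copied file of unsalted SHA-256 password hashes, the brute-force cost of longer passwords, and the salted slow hash (PBKDF2) a system should store instead. The wordlist, user names and passwords are constructed for the illustration.

```python
"""Dictionary attack against stored password hashes, and the salted slow
hash that defends against it. Added example; the wordlist, the users and
their passwords are constructed, not real data."""
import hashlib
import hmac
import os

# Constructed wordlist of the kind fed to a password cracker. Real lists
# hold millions of words, names and previously leaked passwords.
WORDLIST = ["password", "letmein", "welcome", "monkey", "dragon", "qwerty", "jsmith"]


def mangle(word):
    """Yield the variants a cracker tries for each word: capitalisation
    changes and the digit or symbol suffixes people habitually add."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in ("1", "12", "123", "2005", "!"):
            yield base + suffix


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed copy of a stolen password file that stored plain, unsalted
# SHA-256 hashes. The passwords behind them (which the attacker does not
# know) are "jsmith2005", "Dragon123" and a 30-character passphrase.
STOLEN_HASHES = {
    "jsmith": sha256_hex("jsmith2005"),
    "asmith": sha256_hex("Dragon123"),
    "cfo": sha256_hex("correct-horse-battery-staple-42"),
}


def dictionary_attack(hashes, wordlist):
    """Hash every mangled candidate once, then look each stored hash up.
    Returns {user: recovered_password} for every hash that matched."""
    candidates = {sha256_hex(c): c for w in wordlist for c in mangle(w)}
    return {user: candidates[h] for user, h in hashes.items() if h in candidates}


def brute_force_guesses(length, alphabet_size):
    """Guesses an exhaustive search needs for a random password of the given
    length: each added character multiplies the work by the alphabet size."""
    return alphabet_size ** length


# Defensive side: store a salted, deliberately slow hash instead. The salt
# defeats precomputed tables, and the iteration count makes every guess cost
# the attacker as much as it costs the server.
def store_password(password, iterations=100_000):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(record, attempt):
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    print("cracked:", dictionary_attack(STOLEN_HASHES, WORDLIST))
    print("8 lowercase letters need up to", brute_force_guesses(8, 26), "guesses")
    print("14 printable characters need up to", brute_force_guesses(14, 94), "guesses")
```

Running it recovers jsmith's and asmith's passwords from the wordlist alone, while the long passphrase never appears among the candidates; the brute-force figures show why length beats cleverness.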
Spoofing and Sniffing

These are two other methods hackers and criminals use to gain improper or illegal access to computer systems. Spoofing means misrepresenting yourself, for instance by forging the sender address on an email or by presenting a fake Web site. Spoofing is becoming a common way to steal financial information through such fake Web sites: the spoofed site is almost a mirror image of the real site, reached through a link in an email or a look-alike address, and unless the unsuspecting user examines it closely, he or she may inadvertently give out important personal and financial information.

Sniffing uses an eavesdropping program (a sniffer) to "grab" information as it passes over transmission lines, whether they are hard-wired or wireless. Because a sniffer only listens, it is almost impossible to detect from the network, and encryption of the traffic is about the only way to safeguard against it.
Denial of Service Attacks

As companies and organizations expand their business to Web sites, they are opening another point of vulnerability through denial of service attacks, in which an attacker floods a server with so many bogus requests or so much traffic that legitimate users cannot get through. In a distributed denial of service attack the flood comes from many compromised machines at once, which makes it hard to filter. And it seems no Web site is safe:

"Hackers attacked the White House Web site Friday, resulting in massive slowdowns, said the Bush administration and a company that monitors the Internet. The perpetrators sent an enormous amount of data toward the White House site, leaving it completely blocked or difficult to access for about six hours. The White House said no information on the site was altered or destroyed. The connection between the White House's Internet service provider and www.whitehouse.gov became clogged with data in what is commonly called a 'denial of service attack', said Jimmy Orr of the White House media affairs office." (USA Today, May 7, 2001)
Computer Crime and Cyberterrorism

Some of the crimes we have just described are the most popular. Computer crime is a growing national and international threat to the continued development of e-business and e-commerce. When the Internet was first created in the late 1960s, the designers intentionally built it to be open and easily accessible. Little did they know that 40 years later, that structure would be the very cause of so much crime and vandalism. Table 10-2 in the text lists the best known examples of computer crime.
Identity Theft

The fastest growing crime off or on the Internet is identity theft. Even though identity theft is most likely to occur in an offline environment, once your personal information has been stolen it's easy to use it in an online environment. "The biggest risk for identity fraud is from the old-fashioned theft of your wallet or paper records from your trash. And from people who know you. People who are close to you can set up known accounts and have the information sent to a new address. So the fraud goes on longer and is harder to discover," says James Van Dyke of Javelin Strategy in Pleasanton, California. (USA Today Online, Jan 26, 2005)

There are many precautions an online user can take to help prevent identity theft. One way is to scrutinize emails or phone calls that ask for your personal information or financial account information. No legitimate financial institution will ever send an email requesting you to supply your account information. That is the number one indicator that the email is a phishing email, a message that masquerades as a legitimate business to lure you to a fake site that collects your data. You should ignore and delete the email immediately, and never follow its links; if you want to check your account, type the institution's address yourself.

You can also request free credit reports from the three major credit bureaus once a year to monitor the information about your credit card and financial activities.
Cyberterrorism and Cyberwarfare

As terrorism continues to increase the possibility of physical attacks anywhere in the world, computer systems can be targeted as often as buildings, cars, or trains. Governments realize this and are investigating ways of preventing system attacks or minimizing the damage caused to the vast number of networks that are vulnerable.
Internal Threats: Employees

It is surprising to learn that most computer crime against companies is committed by current or former employees. They know the system best, are entrusted with huge amounts of data, and have the easiest access. Managers and executives need to be aware of potential internal threats to their systems and put special measures in place to safeguard systems and data, starting with disabling the accounts of employees the moment they leave. They also need to impress upon all employees how important security is throughout the system right down to the last person.

Safeguarding individual passwords from social engineering, where an intruder tricks an employee into revealing a password by posing as a colleague, a technician or a manager who urgently needs it, is the responsibility of everyone in the organization. An effective way of detecting misuse of access is to establish computer-generated logs that show every employee who logged on, what they did, what part of the system they accessed, and whether any data were read or updated. Logs do not by themselves limit access; they are a detective control, and they only work if someone reads them. Logs are easily created by system software programs and should be periodically reviewed by the information technology staff and department managers, looking for activity by former employees, access at unusual hours, and access to data outside a person's job. If nothing else, it gives them an idea of what their employees are doing.
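The kind of periodic log review the paragraph calls for, as an added example rather than anything from the text: it parses a constructed access log and flags the three insider signals named above (activity by an employee who has left, access outside business hours, and access to another department's data). The log format, the field names, the departments and every sample line are made up for the illustration.

```python
"""Review of a constructed access log for insider-threat signals. Added
example; the log format, field names and sample lines are constructed."""
import re
from datetime import datetime

# Constructed sample log: one line per access, as an application might write it.
LOG_LINES = """\
2005-03-14T09:12:03 user=asmith dept=hr action=READ object=hr/employees.db
2005-03-14T22:41:07 user=jsmith dept=sales action=READ object=hr/salaries.csv
2005-03-14T10:05:44 user=jsmith dept=sales action=UPDATE object=sales/orders.db
2005-03-15T02:13:09 user=bjones dept=it action=READ object=finance/ledger.db
2005-03-15T11:30:00 user=kdoe dept=finance action=READ object=finance/ledger.db
""".splitlines()

# Accounts HR has reported as terminated; any activity by them is a finding.
TERMINATED = {"bjones"}
BUSINESS_HOURS = range(8, 19)  # 08:00 to 18:59 local time

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) dept=(?P<dept>\S+) "
    r"action=(?P<action>\S+) object=(?P<obj>\S+)$"
)


def parse(line):
    """Split one log line into fields; refuse lines that do not fit the
    format so a malformed or tampered entry is not silently skipped."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def review(lines, terminated=TERMINATED, hours=BUSINESS_HOURS):
    """Return (user, reason, line) for every entry that deserves a look.
    The owning department of an object is its first path component, so
    a sales user reading hr/salaries.csv is cross-department access."""
    findings = []
    for line in lines:
        r = parse(line)
        owner = r["obj"].split("/", 1)[0]
        if r["user"] in terminated:
            findings.append((r["user"], "activity by terminated employee", line))
        if r["ts"].hour not in hours:
            findings.append((r["user"], "access outside business hours", line))
        if owner != r["dept"]:
            findings.append((r["user"], f"cross-department access to {owner} data", line))
    return findings


def by_user(findings):
    """Count findings per user so the reviewer knows whom to ask first."""
    counts = {}
    for user, _reason, _line in findings:
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    for user, reason, line in review(LOG_LINES):
        print(f"{user:8} {reason:42} {line}")
```

On the sample, jsmith's late-night read of HR's salary file and every action by the terminated bjones account are flagged; the routine daytime accesses within each department are not. A real review would also compare each user's activity against their own history, which needs more than one day of log.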
Software Vulnerability

You too can be a millionaire! On the ABC television show "Who Wants to be a Millionaire," one contestant won the million dollars by knowing which insect represented a computer "bug." The term bug, used to describe a defect in a program, was already engineers' slang for a fault before computers existed, but the famous incident dates from the 1940s. Grace Hopper, an early computer pioneer, was on the team troubleshooting the Harvard Mark II when it stopped working in 1947; they found a moth trapped in one of its relays, taped it into the logbook and recorded it as the first actual case of a bug being found. The joke stuck, and "bug" and "debugging" became the standard words for defects in computers and their programs.

With millions of lines of code, it's impossible to have a completely error-free program. Most software manufacturers know their products contain bugs when they release them to the marketplace. They provide free updates, patches, and fixes on their Web sites. That's why it's a good idea not to buy the first release of a new software program but to wait until some of the major bugs have been found and corrected; whichever version you do run, apply the vendor's security patches promptly, because attackers study each patch to find machines that haven't installed it.

Because bugs are so easy to create, most unintentionally, you can reduce the number of them in your programs by using the tools discussed in other chapters to design good programs. Many bugs originate in poorly defined and designed programs and keep infiltrating all parts of the program.
As governments, businesses and other organizations become more reliant on technology, the consequences of software failures are rarely trivial. Entire businesses - and even lives - are at stake. Many experts believe the situation will only worsen as software automates new tasks and more systems interconnect with and rely on other computers. Technical challenges may be surmounted, but managing people never gets easier. "The limit we're hitting is the human limit, not the limit of software," says Joshua Greenbaum, principal analyst at Enterprise Applications Consulting in Berkeley.

The Window on Technology: The Rush to Patch (see the text) describes the difficulties companies have trying to keep their systems secure and up-to-date with all of the latest security patches. It's a never-ending, no-win situation.

Bottom Line: Information systems security is everyone's business. Use antivirus software on your computer and update it often. The "it won't happen to me" attitude is trouble. Instituting measures to decrease the bugs and defects in software and data entry can solve many system quality problems.
10.2 Business Value of Security and Control

"In 1977, $18 billion of currency was traded every day. Today, it's $1.5 trillion - almost a hundredfold increase in less than 25 years. The markets are all linked by computer networks and run on instant information. An event in one part of the world will cause reactions upon reactions everywhere else, and no one can understand or predict those reactions." (USA Today, Apr 25, 2001)

As this quote from USA Today points out, transactions worth billions and trillions of dollars are carried out on networks every day. Think of the impact if the networks experience downtime for even a few minutes.

In 2005 ChoicePoint, a data brokerage company, revealed that it had inadvertently sold personal and financial information to more than 50 companies that were fronts for identity thieves. This incident underscores the difficulties of protecting data and information on millions of unsuspecting consumers and legitimate businesses. The problem of how to protect the data may very well be decided by the courts.

"A California woman has filed the first lawsuit against ChoicePoint for fraud and negligence in the wake of the company's recent disclosure that it sold personal information about more than 140,000 people to identity thieves. The case could set a precedent that would help establish better standards for how data brokers secure and sell consumers' private information and lead to regulations that would hold them accountable for lax data protection. 'Regarding privacy, we're still pretty early in the process to some degree,' he [Peter Binkow, partner of law firm Glancy, Binkow and Goldberg] said. 'The laws are still developing. But since ChoicePoint is obviously profiting off of this, it has a responsibility to maintain the information in a proper fashion. When you have a criminal operation that went on for over a year, it's pretty indicative that there were not adequate steps in place to protect [the data].'" (www.wired.com, Feb 24, 2005)
Legal and Regulatory Requirements for Electronic Records Management

Because so much of our personal and financial information is now maintained electronically, the U.S. government is beginning to pass laws mandating how the data will be protected from unauthorized or illegal misuse. Congress has passed several measures outlining the requirements for electronic records management:

HIPAA (Health Insurance Portability and Accountability Act, 1996): protects medical and health care data, with rules on the privacy, security and retention of patient records.
Gramm-Leach-Bliley Act (1999): protects financial data by requiring financial institutions to safeguard the confidentiality of customer information.
Sarbanes-Oxley Act (2002): protects investors from fraudulent corporate practices by making executives responsible for the accuracy of financial reports, which in turn requires the electronic records behind those reports to be controlled and retained.
Electronic Evidence and Computer Forensics

Several things are happening in the corporate world that are changing the requirements for how companies handle their electronic documents: 1) companies are communicating more and more with email and other forms of electronic transmission, and 2) courts are allowing all forms of communication to be held as evidence. Therefore businesses must develop methods of capturing, storing, and presenting any and all electronic communications, including email, instant messaging, and e-commerce transactions. Computer forensics is the discipline of collecting, examining, authenticating, preserving and analyzing data held on or retrieved from computer storage media in a way that allows it to be used as evidence in court. That includes recovering "ambient" data that the user thought was deleted, and keeping a documented chain of custody so the other side cannot argue the evidence was altered.

Bottom Line: Regardless of where or how electronic transmissions were generated or received, businesses are now responsible for making sure they are monitored, stored, and available for scrutiny. These new requirements significantly change the way businesses view their information resources.
10.3 Establishing a Management Framework for Security and Control

How do you help prevent some of the problems we've discussed? One of the best ways is to institute controls into your information system the same way you might in any other system: through methods, policies, and procedures.

Think about what a typical company does when it builds a new office building. From the beginning of the design phase until the building is occupied, the company decides how the physical security of the building and its occupants will be handled. It builds locks into the doors, maybe even designs a single entry control point. It builds a special wing for the executive offices that has extra thick bulletproof glass. There are fences around the perimeter of the building that control the loading docks.

These are just a few examples to get you to think about the fact that the company designs the security into the building from the beginning. It doesn't wait until everything is built. You should do the same thing with an information system. It's no different from any other system that requires planning and well-thought-out policies and procedures before construction begins.
Types of Information Systems Controls

Let's look at the two distinct types of controls: general controls, which focus on the design, security and use of computer programs and data files throughout the organization, and application controls, which are specific to each application program.

General Controls

General controls in information systems consist of the systems software and manual procedures used to control the design, security and use of the programs and the data files in the overall system. You can compare the general controls to the overall security system of a building, which may consist of outside door locks, fencing around the building, and employee passes. General controls wouldn't be concerned with what happens in one particular area of the building.

Table 10-3 in the text describes the types of general controls used in information systems: software controls, hardware controls, computer operations controls, data security controls, implementation controls (over the systems development process), and administrative controls (the formal standards, rules and procedures that make sure the other controls are actually followed).
Application Controls

We've talked about controls for the general use of an information system. Application controls are specific controls within each computer application used in the system, such as payroll or order processing.

In Chapter 1 we used a diagram of a basic information system with input, processing, and output (the figure is in the text). Each activity in the system needs controls to ensure the integrity of the data input (input controls), how it's processed (processing controls), and how it's stored, used and distributed (output controls). Input controls check data for accuracy and completeness as they enter the system: authorization of the input, edit checks on each field, and control totals that reconcile what was keyed in against the source documents. Processing controls establish that data stay complete and accurate during updating, for example by recomputing run control totals and matching records against master files. Output controls ensure that the results of processing are accurate, complete, and distributed only to those entitled to them. Table 10-4 in the text describes the application controls available for each of these processes.
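The input and processing controls just listed, as an added worked example that is not from the text: a constructed batch of order records is put through per-record edit checks (validity, existence, reasonableness) and the batch is reconciled against the record count and quantity control total from its batch slip. The record layout, customer file and figures are all made up for the illustration.

```python
"""Input and processing controls on a constructed batch of order records.
Added example; the record layout, customers and figures are constructed."""
from dataclasses import dataclass


@dataclass
class Order:
    order_id: str
    customer_id: str
    quantity: int
    unit_price_cents: int


# Constructed batch as keyed in by a clerk, plus the batch slip prepared
# from the source documents before data entry. Order A1002 should have had
# quantity 1, so the slip's total (257) disagrees with what was entered.
BATCH = [
    Order("A1001", "C-0042", 3, 1999),
    Order("A1002", "C-0042", -1, 1999),    # negative quantity: a keying error
    Order("A1003", "C-9999", 2, 4500),     # customer not on file
    Order("A1004", "C-0007", 250, 1250),   # unusually large quantity
    Order("A1005", "C-0007", 1, 0),        # zero price
]
BATCH_SLIP = {"record_count": 5, "quantity_total": 257}
KNOWN_CUSTOMERS = {"C-0007", "C-0042"}
MAX_REASONABLE_QUANTITY = 100


def edit_check(order, customers=KNOWN_CUSTOMERS):
    """Input controls on one record: format, existence and reasonableness.
    Returns a list of error strings; an empty list means the record passes."""
    errors = []
    if not (order.order_id[:1] == "A" and order.order_id[1:].isdigit()):
        errors.append("malformed order id")
    if order.customer_id not in customers:
        errors.append("unknown customer")
    if order.quantity <= 0:
        errors.append("quantity must be positive")
    elif order.quantity > MAX_REASONABLE_QUANTITY:
        errors.append("quantity exceeds reasonableness limit")
    if order.unit_price_cents <= 0:
        errors.append("price must be positive")
    return errors


def batch_controls(batch, slip):
    """Processing controls: reconcile the record count and the quantity
    control total of what was entered against the batch slip."""
    count = len(batch)
    qty_total = sum(o.quantity for o in batch)
    return {
        "count_ok": count == slip["record_count"],
        "quantity_total_ok": qty_total == slip["quantity_total"],
        "entered_count": count,
        "entered_quantity_total": qty_total,
    }


def process_batch(batch, slip):
    """Apply both layers: send bad records to an error list for correction,
    and post nothing at all while the batch's control totals disagree."""
    accepted, rejected = [], []
    for order in batch:
        errors = edit_check(order)
        (rejected if errors else accepted).append((order, errors))
    totals = batch_controls(batch, slip)
    balanced = totals["count_ok"] and totals["quantity_total_ok"]
    return {
        "posted": [o for o, _ in accepted] if balanced else [],
        "rejected": rejected,
        "totals": totals,
    }


if __name__ == "__main__":
    result = process_batch(BATCH, BATCH_SLIP)
    for order, errors in result["rejected"]:
        print(order.order_id, "rejected:", "; ".join(errors))
    print("totals:", result["totals"])
    print("posted:", [o.order_id for o in result["posted"]])
```

Note the two layers do different jobs: the edit checks catch the four bad records individually, while the control-total mismatch stops even the one good record from being posted until the clerk corrects the batch, which is the point of a batch control.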
Risk Assessment

Companies and government agencies constantly use risk assessment to determine weak links in their physical building security. You can use the same methodology to assess the risk in your information system. A risk assessment determines the level of risk to the firm if a specific activity or process is not properly controlled: for each threat (power failure, embezzlement, user error, and so on) you estimate how often it is likely to occur in a year and how much each occurrence would cost, and the product is the expected annual loss. Use those figures to set up cost comparisons: a control that costs more to develop and maintain than the loss it prevents is not worth buying, while a cheap control against a frequent, costly threat is the first thing to fund. It's done all the time in other systems, so use it for your information system as well.
Security Policy

Companies spend a lot of money on physical security such as locks on doors or fences around supply depots. They need to do the same thing for their information systems. Because of the increasing liability for security breaches, many companies are now establishing a chief security officer position to help ensure the firm maximizes the protection of information resources. Some tools available to the CSO are:

Security policy: the principal document that determines security goals, ranks the risks, and states how the goals will be achieved.
Acceptable use policy: outlines acceptable and unacceptable uses of hardware and telecommunications equipment.
Authorization policy: determines what access users may have to information resources.
Authorization management systems: manage access to each part of the information system according to the authorization policy.

Figure 10-5 in the text shows how the authorization management system would limit access for two different users.
Ensuring Business Continuity

Many companies create fault-tolerant computer systems, which contain redundant hardware, software, and power supply components so that when one component fails another takes over and operations keep running without interruption. That redundancy adds to the overall cost of the system - but think about the losses if the system experiences a significant period of downtime. Add the cost of lost productivity by employees to lost transactions and unhappy customers; you do the math. Just imagine what would happen if an airline reservation system (a typical online transaction processing system) went down. Have you ever called a company to place an order for a new dress and it couldn't take your order because the computer was down? Maybe you called back later, and maybe you didn't.

Make sure you understand the difference between fault-tolerant computer systems and high-availability computing:

Fault-tolerant computer systems promise continuous availability and eliminate recovery time altogether.
High-availability computer systems help firms recover quickly from a crash, so downtime is short rather than zero.

High-availability computer systems use the following tools to ensure digital firms have continuous computing capacity available:

load balancing (spreading requests over several servers so none is overwhelmed)
redundant servers (standby machines that take over when a server fails)
mirroring (keeping a second copy of the data updated in real time)
clustering (linking servers so the survivors absorb a failed member's work)
storage area networks (shared, redundant storage reachable from many servers)
disaster recovery plan
recovery-oriented computing (designing systems and tools so failures are found and recovered from quickly rather than prevented entirely)
Business Continuity and Disaster Recovery Planning

Perhaps the most important element of a successful system is a disaster recovery plan. Disaster recovery planning covers how the firm restores its computing and communications services after they have been disrupted; business continuity planning covers how the firm keeps its business operations going, with or without those services, and which processes matter most. Some firms, not just in New York City and Washington D.C. but around the world, discovered the necessity for a well-written and tested plan on September 11, 2001. Those firms that had completed business continuity planning were able to carry on business, while those that hadn't spent days and weeks recovering from the terrorist attacks.

The Window on Management: Deutsche Bank Ties Business Continuity Planning to the Business (see the text) discusses the importance the financial firm places on its business continuity and disaster recovery plan.

Security Outsourcing

If your company lacks the internal resources to adequately secure its systems and plan for disaster, you can use an outside source such as a managed security service provider. These firms monitor network activity, perform vulnerability testing and intrusion detection, and can supply appropriate hardware and software resources, and they may be better at the necessary planning because they specialize in such things. Outsourcing the work does not outsource the responsibility: the firm still owns the risk and must check what the provider actually does.
The Role of Auditing in the Control Process

Companies audit their financial data using outside firms to make sure there aren't any discrepancies in their accounting processes. Perhaps they audit their supply systems on a periodic basis to make sure everything is on the up-and-up. They should also audit their information systems. After all, information is as important a resource as any other in the organization. MIS audits verify that the system was developed according to specifications, that the input, processing, and output systems are operating according to requirements, and that the data is protected against theft, abuse, and misuse. In essence, an MIS audit checks all the controls we've discussed in this chapter.

Bottom Line: Controls, general and application, must be designed into the system at the beginning, not as an afterthought. General controls are concerned with the system software and manual procedures. Application controls protect the data input, the data processing, and the information output. The tools available for ensuring business continuity include fault-tolerant systems and high-availability computing. Business continuity and disaster recovery planning are more important than ever for businesses.
10.4 Technologies and Tools for Security and Control

Let's look at some of the ways a firm can help protect itself.

Access Control

The headlines telling of hackers' exploits in the past year should be enough to convince every company of the need to install firewalls, access controls, and other security measures. With the installation of cable modems or DSL lines, home users must follow the same guidelines. These new connections, which leave your personal computer "always on," are just as vulnerable to attacks as corporate systems.

In corporate systems, it's important to ensure authentication methods are in place so that unauthorized users can't gain access to the system and its data. Because most simple password systems are too weak and make the system too vulnerable, security experts are devising new methods to control access: tokens and smart cards that the user must physically hold in addition to knowing a password, and biometrics.

Biometric authentication, which identifies a person by a physical trait such as a fingerprint, face, voice or iris, is becoming more popular as a method of protecting systems and data as the technology is refined. While you may have seen the fingerprint or facial recognition techniques only in sci-fi movies, rest assured it may be the next wave of security that's installed in your organization.

If you allow employees to keep certain data on their machines that are not backed up to the mainframe computer, you need to ensure that safeguards are installed on the individual PCs. Make sure you have controls in place for accessing individual data, backing it up, and properly protecting it against corruption. Do you even have a policy about whether employees can store data on their individual terminals?
Firewalls, Intrusion Detection Systems, and Antivirus Software

A firewall sits between the private network and the Internet and decides, packet by packet or connection by connection, what is allowed through. The four firewall technologies described in the text are:

Packet filtering: selected fields of each packet's header (source and destination addresses, port numbers, protocol) are examined in isolation against a fixed rule list. It is fast and simple, but because it looks at each packet alone it cannot tell a genuine reply from an unsolicited packet crafted to look like one.
Network address translation (NAT): the firewall rewrites outgoing packets so that all internal machines appear to come from its own address, concealing the real internal IP addresses from outsiders and making it more difficult to target individual systems directly.
Application proxy filter: no packet passes end to end. The firewall terminates the client's connection, inspects the content at the application level (the HTTP request, the mail message) and, if acceptable, opens its own separate connection to the destination on the client's behalf.
Stateful inspection: the firewall keeps a table of the connections currently open and admits an inbound packet only if it belongs to a session that an inside host legitimately initiated, so forged "replies" to connections that were never made are dropped.
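To make the difference between the first and last items concrete, here is an added example (not code from the text) that runs the same constructed packets through a stateless packet filter and a minimal stateful firewall. The addresses come from the documentation ranges, the rule set is made up, and both "firewalls" are toys that decide on a few header fields only.

```python
"""Packet filtering versus stateful inspection on constructed packets.
Added example: addresses, ports and rules are made up, and real firewalls
are far richer than this."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag set
    ack: bool = False   # TCP ACK flag set


INTERNAL_PREFIX = "10.0.0."
WEB_PORTS = {80, 443}


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def packet_filter(pkt):
    """Stateless packet filtering: each packet is judged on its own header.
    To let replies to outbound web requests back in, the only rule it can
    express is 'inbound from source port 80/443', and an attacker can put
    that source port on any packet."""
    outbound_web = is_internal(pkt.src) and not is_internal(pkt.dst) and pkt.dport in WEB_PORTS
    inbound_reply = not is_internal(pkt.src) and is_internal(pkt.dst) and pkt.sport in WEB_PORTS
    return outbound_web or inbound_reply


class StatefulFirewall:
    """Stateful inspection: remembers which connections inside hosts opened
    and admits inbound packets only when they belong to one of them."""

    def __init__(self):
        self.sessions = set()   # (inside ip, inside port, outside ip, outside port)

    def filter(self, pkt):
        if is_internal(pkt.src) and not is_internal(pkt.dst):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn and not pkt.ack and pkt.dport in WEB_PORTS:
                self.sessions.add(key)      # new outbound web connection
                return True
            return key in self.sessions     # later packets of that session
        if is_internal(pkt.dst):
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions
        return False


def demo():
    """Run both firewalls over the same sequence of constructed packets."""
    fw = StatefulFirewall()
    legit_syn = Packet("10.0.0.7", 51000, "198.51.100.20", 443, syn=True)
    legit_reply = Packet("198.51.100.20", 443, "10.0.0.7", 51000, syn=True, ack=True)
    # Attacker forges source port 80 to reach a file-sharing port inside.
    attack = Packet("203.0.113.5", 80, "10.0.0.7", 445, syn=True)
    return {
        "legit_syn": (packet_filter(legit_syn), fw.filter(legit_syn)),
        "legit_reply": (packet_filter(legit_reply), fw.filter(legit_reply)),
        "attack": (packet_filter(attack), fw.filter(attack)),
    }


if __name__ == "__main__":
    for name, (stateless, stateful) in demo().items():
        print(f"{name:12} packet filter: {str(stateless):5} stateful: {stateful}")
```

Both firewalls pass the genuine request and its reply; only the stateful one drops the forged packet, because no inside host ever opened a connection that the forged packet could be part of.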
Intrusion Detection Systems

Firewalls can deter, but not completely prevent, network penetration from outsiders and should be viewed as one element in an overall security plan. In addition to firewalls, digital firms relying on networks use intrusion detection systems, full-time monitoring tools placed at the most vulnerable points of the network that look for the signatures of known attacks and for anomalous activity, and raise an alarm so that someone can respond.

In March 2002, Wright Patterson Air Force Base, Ohio, reported over 250,000 unauthorized attempted entries into its computer systems by hackers in a 24-hour period. The intrusion detection systems it had in place allowed authorities to track the hacker attempts and thwart damage to its critical data and systems.
Antivirus Software

While most computer users, especially home users, know they are supposed to have antivirus software installed, they may be negligent in keeping it up-to-date. Because new viruses are unleashed almost every week, antivirus software needs constant updating - at least once a week. Many brand-name software programs have an automatic update feature that users should take advantage of.
Securing Wireless Networks

It's becoming more important for wi-fi users to protect their data and electronic transmissions as wireless networks and their access points proliferate around the country. Security is easily penetrated because of the very nature of radio transmission: anyone within range can receive the signal without touching a wire. Unless users take stringent precautions to protect their computers, it's relatively easy for hackers to obtain access to files. The original Wired Equivalent Privacy (WEP) standard is weak: it uses a single shared key that every user of the network knows and that can be recovered by listening to enough traffic. Stronger encryption and authentication systems than WEP, under the Wi-Fi Protected Access (WPA) specification, are being installed in newer equipment. But individual users still carry the responsibility to make sure the administrator passwords and network names are changed from the factory defaults, that encryption is actually switched on, and that on public hotspots, where it isn't, they use a VPN or other end-to-end encryption to protect their data.
En#ryption and Pu*%i# Key Infrastru#ture
Most people are reluctant to buy and sell on the Internet because they're afraid of theft, fraud,
and interception of transactions. To help ease the mind and make transactions secure, many
companies are using very sophisticated methods of protecting data as they travel across the
various transmission mediums.
Watch any World War II movie and you'll see episodes of the good guys intercepting coded
messages from the enemy. The messages were scrambled and almost impossible to interpret. But
the good guys always won out in the end and unscrambled the message in time to save the world.
Now we use sophisticated software programs to encrypt or scramble transmissions before they
are sent. The sender and recipient have special software programs they can use to encode and
decode the transaction on each end.
The figure in the chapter shows you how encryption works using public and private keys. The keys are
created through complicated mathematical formulas. The longer the key, the harder it is to
decipher. That's the whole point of encryption.
Encryption software programs incorporate authentication and message integrity in their programs
to ensure senders and receivers are protected against many of the computer crimes committed on
networks and the Internet.
Usually you can't tell if a transmission is authentic when you receive it over the Internet or
network. Digital signature software can create a method of verifying that the message,
document, or file has not been altered between the time it left the sender and you received it. The
Electronic Signatures in Global and National Commerce Act authorized the use of digital
signatures and promises to enhance electronic commerce and make it easier to do business
digitally. You must be careful though, as digital signatures can be forged or altered the same as an
old-fashioned hand-written signature can be forged.
Another way of providing authenticity to network transmissions is by using a digital certificate.
Just as your personal signature is connected to you, a digital certificate provides a way of
proving you are who you say you are. GlobalSign.com has lots of information about its digital
certificate product and other useful information about this technology. You can get a demo
certificate, find someone's certificate, or get more information about how to use your own
certificate.
Two methods companies are using to make online transactions more secure are Secure Sockets
Layer and Secure Hypertext Transport Protocol. The next time you're on an e-commerce or e-
business Web site, look in the address text box of your browser and notice if the address begins
with https:. If so, the site incorporates one of these two security measures. Public key
infrastructure (PKI) is another method for providing secure authentication of online identity
and makes users more comfortable transacting business over networks.
Ensuring Software Reliability
Even though your system may appear to be working normally, you should still verify that it is
working according to the specifications. Walkthroughs are an excellent way to review system
specifications and make sure they are correct. Walkthroughs are usually conducted before
programming begins, although they can be done periodically throughout all phases of system
development.
Once a system has been coded, it is much harder and more expensive to debug it. We're
beginning to sound like a broken record, but it's important that you understand and remember that
the more work you do before the programming phase begins, the less trouble you'll have later.
You can't just start pounding the keyboard and hope everything turns out okay.
As organizations move more toward electronic business and e-commerce, they need to spend
more time in the testing phase and do it in realistic terms. As your digital firm is building a new
site, or even revamping an old one, you can't afford to underestimate the amount of traffic the
site will generate, or overestimate its stability. Toys-R-Us, Inc., learned that lesson the hard way
in December 1999. Their site wasn't tested enough, under realistic conditions, and proved to be a
complete failure. It cost the company not just millions of dollars but millions of dissatisfied
customers who never came back for a second try.
Bottom Line: Some of the technologies and tools businesses can use for security and control
include access control, firewalls, intrusion detection systems, antivirus software,
encryption, and ensuring software reliability. Security is everyone's concern throughout the
organization.
10.5 Management Opportunities, Challenges, and Solutions
Every user must be concerned about potential destruction of the information systems on which
they rely. We can't stress this point enough.
Opportunities
Natural disasters such as fires and earthquakes can strike at any time. A spilled cup of coffee can
also do some damage! Waiting until disaster strikes isn't the best time to figure out how to
recover your systems. Smart organizations create a disaster recovery plan ahead of time and/or
use firms specializing in disaster recovery.
Management Challenges
There's a reason why we explain all those methods and procedures and processes in future
chapters for building good, solid information systems. They ensure system quality so that the
product produced by the system is as good as it can be.
Designing Systems that are Neither Over-controlled nor Under-controlled
You should be realistic about security and system controls. If you institute five layers of entry
into your Web site, people probably won't use it that much. They'll either ignore it or find a way
around your controls. You have to analyze the system and determine those areas that should
receive more security and controls and those that probably can use less. You probably don't want
to go to the expense of checking absolutely every transaction that is entered into the system, so
you check a sampling of the data. Just make sure the sampling is large enough to detect any
exceptions.
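"Large enough to detect any exceptions" can be made concrete. The following is an added example, not from the Laudon text: it computes the smallest sample size that gives a chosen probability of catching at least one exception, assuming each transaction is an exception independently with a known (or conservatively estimated) rate, then draws that many transactions and runs one constructed control rule over them. The transactions, the approval limit and the rule are constructed for the example.

```python
"""Picking a transaction sample big enough to catch exceptions.

Added illustration, not from the Laudon text. The sample-size rule is the
standard "probability of seeing at least one" calculation: with exception
rate p, a sample of n misses every exception with probability (1 - p)**n.
"""
import math
import random
from typing import Callable, Dict, List


def min_sample_size(exception_rate: float, confidence: float) -> int:
    """Smallest n such that 1 - (1 - p)**n >= confidence."""
    if not 0 < exception_rate < 1 or not 0 < confidence < 1:
        raise ValueError("rate and confidence must lie strictly between 0 and 1")
    return math.ceil(math.log(1 - confidence) / math.log(1 - exception_rate))


# Constructed transactions (not real data). Control rule under test: any
# transaction above the approval limit must carry an approver.
APPROVAL_LIMIT = 10_000
TRANSACTIONS: List[Dict] = [
    {"id": i, "amount": 500 + 20 * i, "approver": None} for i in range(1, 401)
]
TRANSACTIONS[57] = {"id": 58, "amount": 12_500, "approver": None}     # violation
TRANSACTIONS[199] = {"id": 200, "amount": 48_000, "approver": "cfo"}  # compliant
TRANSACTIONS[310] = {"id": 311, "amount": 15_000, "approver": ""}     # violation


def approval_control(tx: Dict) -> bool:
    """True when the transaction satisfies the control."""
    return tx["amount"] <= APPROVAL_LIMIT or bool(tx["approver"])


def draw_sample(transactions: List[Dict], n: int, seed: int = 0) -> List[Dict]:
    """Uniform random sample without replacement (seeded for reproducibility)."""
    rng = random.Random(seed)
    return rng.sample(transactions, min(n, len(transactions)))


def find_exceptions(transactions: List[Dict], control: Callable[[Dict], bool]) -> List[int]:
    """Ids of transactions that fail the control, in input order."""
    return [tx["id"] for tx in transactions if not control(tx)]


def audit(transactions: List[Dict], control: Callable[[Dict], bool],
          exception_rate: float = 0.01, confidence: float = 0.95, seed: int = 0) -> Dict:
    """Size the sample for the assumed exception rate, draw it, and check it."""
    n = min_sample_size(exception_rate, confidence)
    sample = draw_sample(transactions, n, seed)
    return {"sample_size": len(sample), "exceptions": find_exceptions(sample, control)}
```

With an assumed 1% exception rate and a 95% chance of catching at least one, the formula asks for 299 transactions; at a 5% rate and 99% confidence it asks for 90. If a sample of that size turns up nothing, the auditor has evidence the true rate is probably below the assumed one; if it turns up exceptions, the control has failed and the full population needs checking.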
Implementing an Effective Security Policy
Does your company devote enough resources to information systems security? If your company
is like the majority, sadly the answer to that question will be no.
Solution Guidelines
While there is no surefire way to protect systems and data from every threat, great and small,
businesses need to take a more firm-wide approach to security. Every person in the organization,
from the CEO down, needs to be involved in security. Organizations must control access through
firewalls, transaction logs, access security, and output controls. Software programs that track
"footprints" of people accessing the system can be a good way to detect intruders, what they did,
what files they accessed, and how they entered your system initially.
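The "footprints" idea above, and the intrusion-detection tracking mentioned in the Wright Patterson example earlier, come down to reading an audit log. The following is an added example, not from the Laudon text: it parses a constructed audit log, rebuilds each user's trail (when and from where they got in, which files they touched), and flags two patterns a detection system would raise: a source with repeated failed logins inside a short window, and file access outside business hours. The log format, sample lines, thresholds and business hours are assumptions made for the example.

```python
"""Reconstructing "footprints" from an audit log and flagging intrusions.

Added illustration, not from the Laudon text. The log format, the sample
lines, and the detection thresholds are constructed for this example.
"""
from collections import defaultdict, namedtuple
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed audit log: <ISO timestamp> <source IP> <user> <action> <object>
# LOGIN carries "ok"/"fail"; file actions carry the path; LOGOUT carries "-".
SAMPLE_LOG = """\
2002-03-14T08:00:55 10.1.4.22 jdoe LOGIN fail
2002-03-14T08:01:10 10.1.4.22 jdoe LOGIN ok
2002-03-14T08:03:41 10.1.4.22 jdoe READ /finance/payroll.xls
2002-03-14T08:09:02 10.1.4.22 jdoe WRITE /finance/payroll.xls
2002-03-14T08:30:00 10.1.4.22 jdoe LOGOUT -
2002-03-14T23:41:07 198.51.100.9 admin LOGIN fail
2002-03-14T23:41:09 198.51.100.9 admin LOGIN fail
2002-03-14T23:41:12 198.51.100.9 admin LOGIN fail
2002-03-14T23:41:15 198.51.100.9 admin LOGIN fail
2002-03-14T23:41:20 198.51.100.9 admin LOGIN ok
2002-03-14T23:42:01 198.51.100.9 admin READ /hr/salaries.db
2002-03-14T23:43:30 198.51.100.9 admin COPY /hr/salaries.db
"""

FILE_ACTIONS = ("READ", "WRITE", "COPY", "DELETE")
Event = namedtuple("Event", "ts src user action obj")


def parse_log(text: str) -> List[Event]:
    """Turn log lines into Event records, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, action, obj = line.split()
        events.append(Event(datetime.fromisoformat(ts), src, user, action, obj))
    return sorted(events, key=lambda e: e.ts)


def build_footprints(events: List[Event]) -> Dict[str, Dict]:
    """Per user: how they got in (first successful login), what they touched."""
    trail: Dict[str, Dict] = {}
    for ev in events:
        rec = trail.setdefault(ev.user, {"entry": None, "files": set(), "actions": []})
        if ev.action == "LOGIN" and ev.obj == "ok" and rec["entry"] is None:
            rec["entry"] = (ev.ts.isoformat(), ev.src)
        elif ev.action in FILE_ACTIONS:
            rec["files"].add(ev.obj)
            rec["actions"].append((ev.action, ev.obj))
    return trail


def brute_force_sources(events: List[Event], threshold: int = 3,
                        window_seconds: int = 60) -> List[str]:
    """Sources with at least `threshold` failed logins inside one window."""
    fails = defaultdict(list)
    for ev in events:                       # events are already time-ordered
        if ev.action == "LOGIN" and ev.obj == "fail":
            fails[ev.src].append(ev.ts)
    flagged = []
    for src, times in fails.items():
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged.append(src)
                break
    return sorted(flagged)


def off_hours_file_access(events: List[Event], start_hour: int = 7,
                          end_hour: int = 19) -> Set[Tuple[str, str]]:
    """(user, path) pairs for file actions outside business hours."""
    return {(ev.user, ev.obj) for ev in events
            if ev.action in FILE_ACTIONS and not start_hour <= ev.ts.hour < end_hour}
```

Run parse_log on the sample, then build_footprints to answer the three questions the text poses (how they got in, what they did, what files they accessed); brute_force_sources and off_hours_file_access are the kind of rules an intrusion detection system evaluates over the same records. jdoe's single typo'd password does not trip the threshold, while the four rapid failures from 198.51.100.9 followed by a success and a late-night copy of an HR file do.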
A few questions an organization should ask to beef up security are:
What firm resources are the most critical to control and secure?
What level of system downtime is acceptable?
What is the minimum acceptable level of performance for software and systems?
How much is the business willing to invest to protect its information assets?
Bottom Line: Managers can ensure information system security through methodologies,
adequate resource allocation, testing, controls, and heightened awareness on the part of
every employee to the potential threats and results of the lack of security.