Laudon, Chapter 8: Securing Information Systems


INTERACTIVE SESSION: MANAGEMENT
WHEN ANTIVIRUS SOFTWARE CRIPPLES YOUR COMPUTERS
1. What management, organization, and technology factors were responsible for McAfee’s software
problem?
2. What was the business impact of this software problem, both for McAfee and for its customers?
3. If you were a McAfee enterprise customer, would you consider McAfee’s response to the problem to be acceptable? Why or why not?
4. What should McAfee do in the future to avoid similar problems?
1. What management, organization, and technology factors were responsible for McAfee’s software
problem?
Answer
Many factors were responsible for McAfee's software issues. Management, organization, and
technology all played a part in some way.
Management:
• One reason for McAfee's software issues was the push to release antivirus updates faster.
• Management at other companies did not properly assess the effectiveness of these updates, because they trusted McAfee to do the job it is supposed to do.
• Customers also felt that McAfee's management did a poor job of dealing with the situation.
Organization:
• When problems with the software came to the attention of the organization, McAfee at first had no
idea what could have caused this problem.
• McAfee should have done more thorough testing and kept detailed reports on the efficiency of their
products.
Technology:
• The cause of the software issue was that McAfee's update failed to deal with the 'W32/wecorl.a' virus.
• The virus disguised itself as a Windows file named 'svchost.exe', which the computer needs to run smoothly and handle multiple processes at once.
• When the software confused the Windows file with the virus, it deleted the file automatically without giving the user any warning.
2. What was the business impact of this software problem, both for McAfee and for its customers?
Answer
McAfee's software problem had a substantial negative business impact for both the company and its customers.
Business impact for McAfee:
• McAfee's reputation was badly damaged by its inability to handle the problem properly.
• Customers felt that McAfee did not respond quickly enough and was not candid when dealing with the general public.
• Management tried to make the situation seem smaller than it really was by stating that only a few of its customers were negatively affected, when in reality this was not the case.
• McAfee lost the trust of a lot of their customers, which is essential for a strong business-customer
relationship.
Business impact for customers:
• Many users were unable to use their computers due to the software issues from McAfee's product.
• McAfee's software unknowingly deleted a vital Windows file needed to run most programs on the
operating system.
• The only way to fix the issue was via USB drive, but the vital Windows file was itself needed for the computer to detect USB drives.
• Many users could not operate their computers until McAfee came up with a solution to this problem.
• Companies that used McAfee's product obviously took a big hit, because everyday business operations depend on their computers.
• These companies most likely suffered considerable financial losses as well as a loss of customers.

3. If you were a McAfee enterprise customer, would you consider McAfee’s response to the problem to be acceptable? Why or why not?
Answer:
From a customer's perspective, there are ways that McAfee's response to the problem can be seen as
both acceptable and not acceptable.
Why McAfee's response was acceptable:
• McAfee did a reasonable job in figuring out the exact cause of the problem.
• The cause was that their software unknowingly deleted a necessary Windows file that was needed to
run most operations on the operating system.
• One positive response was that McAfee published an FAQ sheet that detailed the problem, why it occurred, and the type of customers that were affected by it.
• McAfee also released the "SuperDAT Remediation Tool," which helped fix the computers affected by the software issue.
Why McAfee's response was not acceptable:
• The main reason customers saw McAfee's response as unacceptable was that the company essentially lied about the initial effect the software problems had on its customers.
• It told the general public that the software problems affected a small number of its customers, when in actuality the number was far greater.
• This sparked outrage among customers and resulted in a loss of trust in McAfee.
• McAfee's reputation was hurt very badly, and the negative effects still cost the company today.
4. What should McAfee do in the future to avoid similar problems?
Answer:
McAfee can do a great deal to prevent situations like this from recurring. This software issue provided many lessons that the company should take into account.
Ways to prevent future problems:
• One obvious step McAfee can take is to build better test systems that support thorough and efficient testing scenarios.
• The company employed poor quality assurance testing techniques that proved to be very costly.
• The company needs a stricter testing environment, which should include the various operating systems and test systems on which its products will run.
• Another thing McAfee can do is have the software double-check files before treating them as viruses.
• This means that the user should be warned that the software will quarantine or remove a certain file, rather than the file being erased from the computer completely and automatically.
• Warning messages would have prevented the necessary 'svchost.exe' file from being deleted.
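As an added illustration of the two safeguards described above (this is example code, not the textbook's or McAfee's), the Python sketch below gates a signature update on a corpus of known-good system files and, at remediation time, quarantines rather than deletes, leaving a file untouched when both its name and its hash match a vendor manifest of critical files. The signatures, file contents, manifest and directory names are all constructed for the demo.

```python
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Signature:
    """Constructed toy detection rule: fires when `pattern` occurs in a file."""
    name: str
    pattern: bytes


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches(data: bytes, signatures: list[Signature]) -> list[str]:
    """Names of the signatures that fire on this content."""
    return [s.name for s in signatures if s.pattern in data]


def release_gate(signatures: list[Signature],
                 known_good: dict[str, bytes]) -> list[tuple[str, str]]:
    """Safeguard 1 (better testing): run a candidate signature set over a
    corpus of known-good OS files before it ships. Every hit is a false
    positive; the update must not be released unless the list is empty."""
    return [(name, sig) for name, data in known_good.items()
            for sig in matches(data, signatures)]


def remediate(path: Path, signatures: list[Signature],
              manifest: dict[str, str], quarantine: Path) -> str:
    """Safeguard 2 (no silent delete). Returns:
      'clean'        no signature fired
      'protected'    a signature fired, but file name AND hash match the
                     vendor manifest of critical system files: keep it, alert
      'quarantined'  moved (not deleted) with a record that allows restore"""
    data = path.read_bytes()
    hits = matches(data, signatures)
    if not hits:
        return "clean"
    if manifest.get(path.name.lower()) == sha256(data):
        # The name alone proves nothing (malware disguises itself as
        # svchost.exe), so the bytes must match the known-good copy too.
        return "protected"
    quarantine.mkdir(parents=True, exist_ok=True)
    dest = quarantine / f"{sha256(data)}.quar"
    shutil.move(str(path), str(dest))
    record = {"original_path": str(path), "signatures": hits}
    dest.with_suffix(".json").write_text(json.dumps(record))
    return "quarantined"


def restore(quarantine: Path, digest: str) -> Path:
    """Undo a quarantine from its record; a deletion has no equivalent."""
    record = json.loads((quarantine / f"{digest}.json").read_text())
    target = Path(record["original_path"])
    shutil.move(str(quarantine / f"{digest}.quar"), str(target))
    return target


def demo() -> dict:
    """Both safeguards on constructed data; the byte strings stand in for
    real executables and are not real malware or real signatures."""
    genuine_svchost = b"MZ genuine Windows host process HOSTPROC"
    wecorl_like = b"MZ rogue copy HOSTPROC EVILPAYLOAD"
    vendor_tool = b"MZ third-party admin tool HOSTPROC"
    over_broad = [Signature("W32/wecorl.a-candidate", b"HOSTPROC")]
    fixed = [Signature("W32/wecorl.a", b"EVILPAYLOAD")]
    corpus = {"svchost.exe": genuine_svchost}
    manifest = {"svchost.exe": sha256(genuine_svchost)}
    out = {
        # the over-broad rule is caught before release; the fixed one passes
        "over_broad_fps": release_gate(over_broad, corpus),
        "fixed_fps": release_gate(fixed, corpus),
    }
    with tempfile.TemporaryDirectory() as tmp:
        sys32, temp, q = (Path(tmp) / d for d in ("System32", "Temp", "Q"))
        sys32.mkdir()
        temp.mkdir()
        (sys32 / "svchost.exe").write_bytes(genuine_svchost)
        (temp / "svchost.exe").write_bytes(wecorl_like)   # impostor by name
        (temp / "tool.exe").write_bytes(vendor_tool)
        # Even if the over-broad update had shipped, the machine survives:
        out["genuine"] = remediate(sys32 / "svchost.exe", over_broad, manifest, q)
        out["impostor"] = remediate(temp / "svchost.exe", over_broad, manifest, q)
        out["vendor_tool"] = remediate(temp / "tool.exe", over_broad, manifest, q)
        out["genuine_present"] = (sys32 / "svchost.exe").exists()
        # After the rule is corrected, the wrongly quarantined tool comes back.
        restored = restore(q, sha256(vendor_tool))
        out["tool_restored"] = restored.read_bytes() == vendor_tool
    return out
```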

INTERACTIVE SESSION: TECHNOLOGY
HOW SECURE IS THE CLOUD?
1. What security and control problems are described in this case?
2. What people, organization, and technology factors contribute to these problems?
3. How secure is cloud computing? Explain your answer.
4. If you were in charge of your company’s information systems department, what issues would you
want to clarify with prospective vendors?
5. Would you entrust your corporate systems to a cloud computing provider? Why or why not?
1. What security and control problems are described in this case?
Answer
This case discusses the security and control problems of cloud computing, which raise serious concerns for businesses.
Security and control problems described in this case:
• Cloud computing providers do not offer much transparency to their customers.
• The main reason for the lack of transparency is that cloud computing is highly distributed among numerous corporate clients.
• The cloud applications reside in virtual libraries located in remote data centers and server farms.
• Providers usually distribute work to many data centers all over the world, so users do not know the exact whereabouts of their data.
• Unauthorized activity within the cloud network is also very hard to deal with, which is especially harmful if company data is not encrypted.
2. What people, organization, and technology factors contribute to these problems?
Answer:
The security and control problems of cloud computing result from many factors involving people, organization, and technology.
People:
• Security and control problems arise because users usually fail to understand the product they are dealing with and the services that come with it.
• Users of cloud computing do not learn enough about how much security the provider actually gives them.
• Cloud computing providers also fail to specify what type of security service comes with their product.
• They may also confuse users about exactly how they protect user data.
Organization:
• Some companies design their infrastructure in a way that a power outage would make all data on the
network unavailable for a period of time.
• Large cloud computing providers also do not want to allow inspections of their data centers, because such inspections require another company's auditors to handle the data.
• This causes a problem in that the user cannot be sure whether or not a provider is following regulations.
Technology:
• Some companies are facing security and control problems because data is not being encrypted.
• Cloud computing providers usually use encryption such as Secure Sockets Layer (SSL).
• SSL makes the data safe while it is being transmitted.
• If a cloud computing provider has very weak encryption methods, a company may be subject to theft by hackers and intruders.
3. How secure is cloud computing? Explain your answer.
Answer
Cloud computing security rests solely on the provider that supplies the service.
NetSuite:
• NetSuite secures user data through the use of the encryption technique known as Secure Sockets
Layer (SSL).
• The provider also pays close attention to their own security practices like access controls.
Terremark Worldwide:
• This provider gives its customers the option to choose where their cloud computing work occurs.
• Companies have the option to choose what facility houses their data depending on location.
Amazon EC2 and Microsoft Azure:
• These providers tell companies that they are not held liable for data losses, fines, or other legal
penalties.
• To alleviate security concerns, these providers offer their customers demonstrations of how to use cloud computing properly.
Salesforce.com:
• This provider of cloud computing is lawfully bound to disclose how it manages information and data.
• Salesforce.com makes it possible for their customers to know where the data is located and they are
even given reports on the data centers that house the data.
• To prevent the loss of data, this provider replicates its database to a completely separate location and synchronizes the data immediately.
• This ensures that one database keeps running if the other malfunctions.
4. If you were in charge of your company’s information systems department, what issues would you
want to clarify with prospective vendors?
Answer
There are several issues between customer and vendor that need to be addressed before deciding on a cloud computing provider.
Issues:
• Reputability
• Security
• Organization
• Ease of use
Reputability:
• The vendor should have a good reputation and a high level of experience in cloud computing.
• This would include a history of great service as well as positive customer feedback.
Security:
• The company wants to make sure their data is being protected.
• This would mean that the vendor should provide a report that details the techniques they use to
ensure protection as well as the effectiveness of the techniques.
• Most encryption is done through Secure Sockets Layer, which protects the data as it is being transmitted.
Organization:
• The organization of the cloud network should be discussed.
• A company would want to choose a provider that organizes their data in an effective way.
• This would possibly mean creating a duplicate database center just in case the main database center
malfunctions.
Ease of use:
• The company wants to choose a cloud computing provider that offers user-friendly products.
• If employees struggle to adapt to the cloud environment, the company will waste time which will
result in a decrease in overall production and customer service.
• The company would also have to train their employees to use the system.

5. Would you entrust your corporate systems to a cloud computing provider? Why or why not?
Answer
There are many reasons why a company should, and should not, entrust its systems to a cloud computing provider.
Why:
• Cloud computing provides a company with an organized infrastructure for its data.
• If a company has a lot of data, cloud computing will save the company money by storing the data in its
database centers.
• If a provider follows proper security regulations, the company should not have to worry about data being lost or exposed to the wrong people or company.
• For large companies, cloud computing may prove to cost less in terms of IT infrastructure and
implementation.
Why not:
• Small companies that do not have a lot of data may not benefit from cloud computing.
• They would ultimately be wasting money on cloud computing rather than implementing a system the company could have designed itself.
• If a provider has security flaws within the cloud computing system then the company's data is
vulnerable to attacks from intruders.
• If something goes wrong with the system, such as a power outage, the company data will be
unavailable until the cloud computing provider handles the situation.
• This could take anywhere from minutes to days, which a company simply cannot afford.
CASE STUDY: ARE WE READY FOR CYBERWARFARE?
1. Is cyberwarfare a serious problem? Why or why not?
2. Assess the management, organization, and technology factors that have created this problem.
3. What solutions have been proposed? Do you think they will be effective? Why or why not?
4. Are there other solutions for this problem that should be pursued? What are they?
1. Is cyberwarfare a serious problem? Why or why not?
Answer
Cyberwarfare is not a light topic that should be ignored. Several aspects of cyberwarfare raise serious concerns, but there are also reasons why it is not as serious as it is made out to be.
Why Cyberwarfare is a serious problem:
• Cyberwarfare can be very damaging to the economic, political, and social aspects of a country.
• Cybercriminals have already hacked their way into many government Web sites and networks.
• Intruders can obtain key information about government projects and sell this information to people with bad intentions.
• The U.S. already has detected many intrusions originating from different countries, although these
countries decline to acknowledge their involvement.
• Security experts and government officials are seriously concerned that cybercriminals could attack vital resources such as the country's electric grid and financial system.
• An attack on these resources can cripple the U.S. and ultimately cause an economic meltdown and
chaos amongst its citizens.
Why Cyberwarfare is not a serious problem:
• Although there have been intrusions on government Web sites and networks, there has yet to be an
actual attack on the country's critical resources.
• Government agencies such as the National Security Agency and the Pentagon are attempting to create an organization dedicated to fighting cyberwarfare, called Cybercom.
• To an extent, this alleviates any concerns that the general public may have because the government is
making it known that they are doing their best in fighting cyberattacks.
• Intelligence officials have also claimed that the country's cyberwarfare capabilities have grown greatly in sophistication over the past several years.
• As long as the government keeps cybersecurity a top priority, it is understandable that cyberwarfare threats will not raise much concern among the general public.
2. Assess the management, organization, and technology factors that have created this problem.
Answer
There are management, organization, and technology factors that are responsible for Cyberwarfare.
Many of these issues are actively being addressed by government agencies in attempts to combat
Cyberwarfare threats.
Management:
• Management factors include the fact that hackers and intruders can contend with traditional superpowers for a small fraction of the cost of certain types of warfare.
• Cybercriminals can access confidential information about government projects and benefit financially as long as they find the right customer.
• Cybercriminals will also not run out of companies or agencies to attack, because using the Internet for technological infrastructure has become increasingly popular.
Organization:
• A big factor is that the U.S. organization of cybersecurity is loosely structured and not clearly defined.
• There is no single agency responsible for fighting cyberwarfare; rather, many organizations are essentially working together.
• The National Security Agency and the Pentagon are working together to form a headquarters called
Cybercom, which will be dedicated to the country's cybersecurity efforts.
• Once a single headquarters or agency is established the country will have a well-structured
organization to deal with Cyberwarfare.
Technology:
• Cybercriminals are using sophisticated software to hack their way into government Web sites and networks.
• There are many ways that cyberwarfare can occur, such as the use of botnets, which are huge networks of computers controlled through malware.
• Botnets can launch large-scale distributed denial-of-service (DDoS) attacks on government networks and servers.
• Intruders can also access government networks and servers from a remote location and obtain or erase important information from those machines.
3. What solutions have been proposed? Do you think they will be effective? Why or why not?
Answer
Many solutions have been proposed with the intent of fighting and preventing cyberattacks. Some may be effective in reaching that goal, while there is reason to believe that others may not be.
Effective solutions:
• The U.S. government started a program called "Perfect Citizen" in an effort to identify cyberattacks on private companies that run critical infrastructure.
• This program focuses on older computer systems, because they are the ones that have most recently begun to use the Internet as the main piece of their technological infrastructure and are therefore more easily targeted by cybercriminals.
• An order was issued in 2009 for the creation of a government cybersecurity headquarters called Cybercom.
• The goal of Cybercom, as of 2010, is to protect military and Pentagon networks and servers from cyberattacks and intrusions.
• Cybercom is an effective solution in that the country has a single organization dedicated to preventing and fighting cyberattacks.
Ineffective solutions:
• The current requirements of the Federal Information Security Management Act may be useless for government agencies, considering that cyberwarfare technologies are developing and becoming more sophisticated at a rapid rate.
• The requirements that federal agencies must meet to receive passing marks would have to be revised to match the advancements in cyberwarfare technology.
• Currently, domestic agencies are not allowed to perform computer operations that enter prohibited networks within the U.S., which makes it impossible for them to investigate cyberattacks that originated on American servers.
• The law has to be amended so that domestic agencies are able to enter these prohibited networks in order to investigate and properly fight potential cybercriminals.
4. Are there other solutions for this problem that should be pursued? What are they?
Answer
It is very reasonable to pursue other solutions for the cyberwarfare problem although the U.S.
government is doing its best to counter these threats.
Other solutions that should be pursued:
• Countries can come together to form a union in an attempt to help each other fight and prevent
cyberattacks.
• A treaty could be created for the sole purpose of finding the root of potential cyberattacks between countries.
• If Country A found that a cyberattack against it originated from a server in Country B, Country A would be able to gain access to Country B's government networks, and vice versa.
• This would potentially forge strong alliances between countries in other areas such as politics and economics, while fighting the threats of cyberwarfare.
• Since practically all of the U.S.'s offensive cyberwarfare capabilities are undisclosed, the general public can only know what it is told by intelligence officials and former military personnel.
• Apparently the country's offensive capabilities have greatly improved over the last several years, so
some have suggested that the country's offensive capabilities can serve as a defense against
cyberwarfare.

Review Questions:
1. Why are information systems vulnerable to destruction, error, and abuse?
• List and describe the most common threats against contemporary information systems.
• Define malware and distinguish among a virus, a worm, and a Trojan horse.
• Define a hacker and explain how hackers create security problems and damage systems.
• Define computer crime. Provide two examples of crime in which computers are targets and two
examples in which computers are used as instruments of crime.
• Define identity theft and phishing and explain why identity theft is such a big problem today.
• Describe the security and system reliability problems created by employees.
• Explain how software defects affect system reliability and security.
2. What is the business value of security and control?
• Explain how security and control provide value for businesses.
• Describe the relationship between security and control and recent U.S. government regulatory
requirements and computer forensics.
3. What are the components of an organizational framework for security and control?
• Define general controls and describe each type of general control.
• Define application controls and describe each type of application control.
• Describe the function of risk assessment and explain how it is conducted for information systems.
• Define and describe the following: security policy, acceptable use policy, and identity management.
• Explain how MIS auditing promotes security and control.
4. What are the most important tools and technologies for safeguarding information resources?
• Name and describe three authentication methods.
• Describe the roles of firewalls, intrusion detection systems, and antivirus software in promoting
security.
• Explain how encryption protects information.
• Describe the role of encryption and digital certificates in a public key infrastructure.
• Distinguish between fault-tolerant and high-availability computing, and between disaster recovery
planning and business continuity planning.
• Identify and describe the security problems posed by cloud computing.
• Describe measures for improving software quality and reliability.
1. Why are information systems vulnerable to destruction, error, and abuse?


• List and describe the most common threats against contemporary information systems.
• Define malware and distinguish among a virus, a worm, and a Trojan horse.
• Define a hacker and explain how hackers create security problems and damage systems.
• Define computer crime. Provide two examples of crime in which computers are targets and two
examples in which computers are used as instruments of crime.
• Define identity theft and phishing and explain why identity theft is such a big problem today.
• Describe the security and system reliability problems created by employees.
• Explain how software defects affect system reliability and security.
Answer:
Information systems are vulnerable to destruction, error, and abuse for many reasons, chiefly unauthorized users gaining access to company networks.
Common threats against contemporary information systems:
• Threats can occur at the client, communications lines, corporate servers, and corporate systems levels.
• On the client (user) level, threats involve unauthorized access and errors.
• Threats originating from communications lines may involve wire-tapping and sniffing, message
modifications, theft/fraud, and radiation.
• Threats on corporate servers may include hacking of the servers, planting of viruses and worms,
theft/fraud, and denial-of-service attacks.
• Threats on the corporate systems may include stolen, copied, and manipulated company data, and
crashes in hardware and software.
Malware:
• Malware is the general term for malicious software.
• Malware may be represented in the form of a computer virus, a worm, or a Trojan horse.
Distinguishing among a virus, a worm, and a Trojan horse:
• A virus is a rogue software program that piggybacks onto software programs that are already on a
computer.
• It may also attach itself to data files.
• Viruses plant themselves without the user's knowledge and can either display messages and images
onto the screen or erase programs or data from the hard drive.
• Worms are computer programs that copy themselves to many computers on a network.
• They spread more quickly than viruses because they do not depend on human actions to propagate.
• Trojan horses are software programs that appear to be nonthreatening but later do something that is
unexpected.
• They present a sneaky way for malware to enter a system and are not actually considered to be
viruses.
Hackers and how they create security problems and damage systems:
• Hackers are unauthorized users of a computer system who have bad intentions.
• They create security problems by finding and exploiting weak spots in the security features used by Web sites and computer systems.
• They can also damage systems by stealing important and even confidential information.
• They may also perform cybervandalism, which can include deliberate disturbances or destruction of
Web sites or computer systems.
Computer crime:
Computer crime is any activity against a computer system or individual that is considered a criminal offense. These crimes are committed using technology and computers as instruments.
Computers as targets:
• An example may be breaking into a computer system to gain access to confidential information.
• Another example would be accessing a protected computer to commit fraudulent acts.
Computers as instruments of a crime:
• An example may be using e-mail to express threats or harass an individual or company.
• Another example would be using a computer to obtain copied software or copyrighted intellectual property.
• Copyrighted intellectual property includes published articles, textbooks, music files, and movies.
Identity theft and why it is a big problem today:
• Identity theft is when someone gains information about an individual and uses the information to act
as if they were that person.
• This involves the use of a person's social security number, credit card information, driver's license
number, or other pieces of personal information.
• It is a big problem because this information is being used to acquire merchandise and services
worldwide.
• According to Javelin Strategy and Research, losses from identity theft rose to $54 billion in 2009, and over 11 million U.S. adults were victims of identity fraud (Javelin Strategy & Research, 2010).
• Clearly, many people in the U.S., and even the world, are affected by identity theft, and this just
creates unnecessary problems for innocent people.
Phishing:
• Phishing is a technique that is used to perform identity theft.
• This technique involves creating a fake Web site or sending e-mail that appears to come from a legitimate business in order to ask the victim for confidential and personal information.
Security and system reliability problems created by employees:
• Problems arise mostly from users' lack of knowledge.
• For example, employees may forget the passwords needed to log onto computer systems.
• Employees may also let other employees use their passwords to access computer systems.
• Hackers may gain access to company information by posing as a fellow employee in e-mail and asking a legitimate employee to reveal their password.
How software defects affect system reliability and security:
• The biggest issue with software is hidden bugs.
• These bugs are usually caused by the complexity of the software provider's code.
• These bugs can slow down or completely disrupt network performance.
• Also, Symantec identified 384 browser vulnerabilities in 2009, some of which were critical (Symantec,
2010).
• To fix these bugs, patches must be used to address the problem while allowing the software to
operate properly.
• The problem with maintaining patches is that new malware is created so often that companies have very little time to respond.
• The demand for these patches may negatively affect their quality and possibly create more software defects.
2. What is the business value of security and control?


• Explain how security and control provide value for businesses.
• Describe the relationship between security and control and recent U.S. government regulatory
requirements and computer forensics.
Answer
Security and control provide a great deal of business value for an organization. Without them, a business can crumble due to loss of the information and data needed for the company's operations.
Business value of security:
• Security refers to the measures a company takes to help prevent intrusions by hackers or other unauthorized individuals.
• These measures can be policies and procedures that ultimately aim to eliminate the threats of identity theft or possible damage to a company's system.
• Security helps ensure that a business runs smoothly and is free of external threats.
• Information can be kept confidential which would ensure great customer service and reliability.
Business value of control:
• Control refers to the measures a company takes to keep its assets safe.
• These measures can be policies and procedures that check the accuracy and reliability of the company's information and data.
• If a company has poor control of their systems, the data they use for sales can be inaccurate, which
would cause other problems for the business.
• This would lead to decreased productivity and efficiency among the employees.
Security and control have also played a part in recent U.S. government regulatory requirements and
computer forensics.
Relationship between security and control and the U.S. government:
• The Health Insurance Portability and Accountability Act (HIPAA) makes certain that companies in the
health care industry comply with certain medical security and privacy rules when dealing with health
care billing and data.
• HIPAA requires companies to keep patient records for six years and ensure that they remain confidential.
• The Gramm-Leach-Bliley Act requires companies providing financial services to protect customer data and keep it confidential.
• Such companies that comply with this act must keep the customer data in a secure medium and also
follow certain security procedures while transmitting the data.
• The Sarbanes-Oxley Act requires publicly traded companies to protect their investors.
• The act calls for these companies to ensure that all financial information is protected and accurate.
Relationship between security and control and computer forensics:
• In terms of computer forensics, there are certain legal requirements that firms must follow in order to preserve electronic evidence.
• Computer forensics is the collection and analysis of company data so that the data can be retrieved
and used as legal evidence.
• Computer forensics works by gathering data from various computers while ensuring evidential
integrity.
• It also safely stores and handles the recovered electronic data.
• It narrows down a large volume of electronic data in order to find specific information.
• Finally, computer forensics allows the gathered information to be presented to a court of law.
3. What are the components of an organizational framework for security and control?
• Define general controls and describe each type of general control.
• Define application controls and describe each type of application control.
• Describe the function of risk assessment and explain how it is conducted for information systems.
• Define and describe the following: security policy, acceptable use policy, and identity management.
• Explain how MIS auditing promotes security and control.
Answer
An organizational framework for security and control consists of many components. By addressing all
the components, a company can maintain successful security and control.
General controls:
• General controls govern the design, security, and operation of computer programs.
• They also dictate the security of company-wide data files throughout the whole IT infrastructure.
• Software controls make sure that system software is being used properly and that the proper people
are accessing software on company computers.
• Hardware controls make sure that the computer hardware is protected in a physical manner.
• They also make sure that the equipment is backed up and maintained for optimal performance.
• Computer operations controls make sure that programmed procedures are correctly applied to
company data.
• Data security controls make sure that important company data files are protected from unauthorized
access, change, or destruction while they are in the company system.
• Implementation controls perform audits on the company's systems development process.
• Administrative controls establish rules and procedures to make sure that all controls are correctly
performed and enforced.
Application controls:
• The application controls are unique controls for each computerized application.
• These controls can include automated and manual procedures that make sure the company's data is
correctly handled by the application.
• Input controls make sure that the data is accurate and complete when it is entered into the company's
system.
• Processing controls keep the data accurate and complete while it is being processed and the system is updated.
• Output controls make sure that the data being distributed and processed is accurate and complete.
Risk assessment and how it is conducted for information systems:
• Risk assessments help determine the extent of a risk to a company if certain activities or processes are
not correctly controlled.
• For information systems, a risk assessment would involve determining the total value of the
company's information assets, their potential areas of vulnerability, the likelihood that a problem
occurs, and the possible damage that may result.
Security policy:
• Security policies are made up of statements that rank the risks of an information system, identify
possible security goals, and determine what needs to be done to meet these goals.
• Overall, a security policy sets out how the company's information resources should be used and what
restrictions apply to employees' use of these resources.
Acceptable use policy:
• Acceptable use policies determine how the company's information resources and computer
equipment should be used.
• The policy also clearly states how the company regards privacy, user responsibility, and use of the Internet.
Identity management:
• Identity management consists of the business processes and business tools for determining the
valid users of a computer system.
• It also aims to control the access that each valid user is given to specific system resources.
• The policies of identity management identify and authorize different categories of system users,
clearly state what systems each valid user can access, and define the processes for verifying the
identity of users and keeping their identities confidential.
MIS auditing and how it promotes security and control:
• An MIS audit will help the company assess its current security environment and help it determine
if anything needs to be done in order to improve and protect it.
• MIS auditing promotes security and control because it reviews all aspects of an information system's
security environment.
• It carefully assesses the technologies, procedures, documentation, training, and personnel.
• A well-performed MIS audit will include the simulation of an attack on the information system in order
to assess the response times of the technology, information systems staff, and company employees.
• From the MIS audit the company can determine where there are flaws in its system and
environment, and work to address these issues to create a near-impenetrable security environment.
4. What are the most important tools and technologies for safeguarding information resources?
• Name and describe three authentication methods.
• Describe the roles of firewalls, intrusion detection systems, and antivirus software in promoting
security.
• Explain how encryption protects information.
• Describe the role of encryption and digital certificates in a public key infrastructure.
• Distinguish between fault-tolerant and high-availability computing, and between disaster recovery
planning and business continuity planning.
• Identify and describe the security problems posed by cloud computing.
• Describe measures for improving software quality and reliability.
Answer
Keeping information resources safe can be very valuable for a business. There are many tools and
technologies that aim to do this, and they can ultimately prevent the downfall of a company.
Three authentication methods:
• Authentication is the ability to know that an individual is who they claim to be.
• One way to authenticate a person's identity is through the use of passwords.
• A password is usually known only to an authorized user, so entering the correct password is usually a
signal that the person is the one to whom the password belongs.
• Another method is through a token, which is a small physical device that proves the identity of
a user.
• Tokens are small enough to fit on key rings, and they can also display passcodes that change frequently.
• Another authentication method is biometrics, which reads and interprets an individual's physical
traits.
• Biometric authentication may involve scanning a person's fingerprint, iris, or voice; if the scan matches
the stored trait, that person is allowed to access whatever it is they are trying to access.
Promoting security with firewalls:
• A firewall aims to control the flow of network traffic coming in and going out.
• It will ultimately be able to deter hackers and other unauthorized users from accessing a company's
network.
• Firewalls look for names, IP addresses, applications, and other unique features of incoming traffic in
order to determine if it should be allowed into the network.
• Using firewalls will keep unwanted traffic from entering a company's network and prevent the
network from slowing down.
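The filtering behaviour described above, as an added example that is not part of the original answers: an ordered rule table is checked against each packet's direction, source and destination addresses, port, and identified application, and anything that matches no rule is denied by default. The networks and addresses are constructed from the reserved documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", as seen from the company network
    src: str
    dst: str
    dst_port: int
    app: str         # application protocol identified for the flow


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    direction: str
    src_net: str = "0.0.0.0/0"      # any source unless narrowed
    dst_net: str = "0.0.0.0/0"      # any destination unless narrowed
    dst_port: Optional[int] = None  # None means any port
    app: Optional[str] = None       # None means any application

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net)
                and (self.dst_port is None or self.dst_port == p.dst_port)
                and (self.app is None or self.app == p.app))


# Constructed policy. Order matters: the first matching rule wins, so the block
# for a known-bad network sits above the allow for the public web server.
RULES = [
    Rule("deny", "in", src_net="198.51.100.0/24"),
    Rule("allow", "in", dst_net="203.0.113.10/32", dst_port=443, app="https"),
    Rule("allow", "out", src_net="10.0.0.0/8", dst_port=443, app="https"),
    Rule("allow", "out", src_net="10.0.0.0/8", dst_port=53, app="dns"),
]


def decide(packet: Packet, rules=RULES) -> str:
    """Return the action for a packet; unmatched traffic is denied by default."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "deny"


if __name__ == "__main__":
    for pkt in [Packet("in", "192.0.2.7", "203.0.113.10", 443, "https"),
                Packet("in", "198.51.100.5", "203.0.113.10", 443, "https"),
                Packet("in", "192.0.2.7", "203.0.113.10", 443, "ssh"),
                Packet("out", "10.1.2.3", "192.0.2.53", 53, "dns")]:
        print(pkt, "->", decide(pkt))
```

The third packet shows why the application field matters: port 443 alone would pass, but a non-HTTPS protocol tunnelled over it is still dropped.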
Promoting security with intrusion detection systems:
• Intrusion detection systems work by placing monitoring tools at an information system's weak points.
• The intrusion detection system will be able to detect intruders and prevent them from advancing any
further into the information system.
• The intrusion detection system will raise an alarm for any type of suspicious event.
• Scanning software can also be used to find patterns in computer attacks, allowing the company to
improve its systems and policies in order to prevent the likely causes of these attacks.
Promoting security with antivirus software:
• Antivirus software determines if a computer system or drive is infected by a virus.
• Security is promoted in particular by the way the antivirus software handles a computer virus once it
is detected.
• The software will eliminate the virus as long as it is recognized.
• The antivirus software must be updated frequently in order to ensure the protection from new viruses
that may have been created in between software updates.
How encryption protects information:
• Encryption protects data and other digital information by turning it into cipher text that no one
other than the sender and the intended receiver can read.
• Encryption uses an encryption key, a secret numerical code, to transform the data into
cipher text.
• The data can be read again once the receiver decrypts it.
Role of encryption and digital certificates in a public key infrastructure:
• Digital certificates are data files that help establish the identity of users.
• They also establish the identity of electronic assets that are needed to protect online transactions that
may be done through e-commerce Web sites.
• Digital certificate systems rely on a trusted third party known as a certificate authority (CA).
• The CA will verify that a public key belongs to the right user and will allow encrypted messages to be
sent.
• Public key infrastructure uses public key cryptography that works alongside a CA.
• In e-commerce Web sites, public key infrastructure helps facilitate online transactions.
Fault-tolerant vs. high-availability computing:
• Fault-tolerant computer systems have redundant hardware and software components that provide
continuous, uninterrupted service.
• The computer system uses special software routines to detect failures in hardware.
• When a hardware failure is detected, the fault-tolerant computer system's software will switch to a
backup device.
• High-availability computing allows a company to quickly recover from a system failure.
• Fault-tolerant computing allows a system to be used continually while high-availability computing
implies that the system will be unavailable for some time.
Disaster recovery planning vs. business continuity planning:
• Disaster recovery planning establishes strategies for restoring a company's computing and
communications services after a disaster such as an earthquake or hurricane.
• This type of planning concentrates on the technical issues that go into maintaining a system and
keeping it running.
• This would mean backing up files, maintaining backup computer systems, or contracting with disaster
recovery services.
• Business continuity planning establishes strategies on how to restore a company's business operations
after a disaster.
• This type of planning concentrates on the company's business processes and identifies what should be
done in order to handle mission-critical functions for when the information systems crash.
Security problems posed by cloud computing:
• Cloud computing providers do not offer much transparency to their customers.
• The main reason for the lack of transparency is that cloud computing is highly distributed
among numerous corporate clients.
• The cloud applications are found in virtual libraries that are located in remote data centers and server
farms.
• The providers usually send out work to many data centers all over the world, which leads to the user
not knowing the exact whereabouts of their data.
• It is also very hard to track unauthorized activity within the cloud network, which is especially harmful
if company data is not encrypted.
Measures for improving software quality and reliability:
• To improve software quality and reliability a company can establish effective and clear security and
controls.
• They can also use software metrics, which assess the information system in the form of computed
measurements.
• Software metrics will help a company measure their system's performance and determine any
problems when they occur.
• Companies can also use a walkthrough, which is a detailed inspection of a specification or design
document that is performed by a group of skilled individuals who are experienced in dealing with the
objectives of the code or program.
• Also, when testing a program, the company can make sure that it is completely debugged, meaning
that all errors that occur are tracked down and eliminated.

Discussion Questions:
1. Security isn’t simply a technology issue, it’s a business issue. Discuss.
2. If you were developing a business continuity plan for your company, where would you start? What
aspects of the business would the plan address?
3. Suppose your business had an e-commerce Web site where it sold goods and accepted credit card
payments. Discuss the major security threats to this Web site and their potential impact. What can be
done to minimize these threats?
1. Security isn’t simply a technology issue, it’s a business issue. Discuss.
Answer
There are many business factors that go into security. A company needs to implement and maintain
strong security practices so that they keep a strong business image.
Why security is a business issue:
• Technology is the basis for good security but the business aspect is what actually controls the
performance and efficiency of the security.
• Weak management and organization can make the best security software and systems useless.
• If security is poorly managed, this could negatively affect customer service and overall production.
• Also, poor security would not safely protect a company's important data which would be bad for the
organization in terms of business operations.
• The company wouldn't be able to survive if its own information and its customers' information were not
protected.
• Good business policies will make sure that security software is being correctly implemented and
maintained.
• This will allow customers to rely on the organization's security practices and make them feel safe.
2. If you were developing a business continuity plan for your company, where would you start? What
aspects of the business would the plan address?
Answer
Business continuity plans are essential for a company. These plans help deal with the company's
operations after something goes wrong, such as a major disaster.
Developing a business continuity plan:
• If a company's systems go down, it is important to have an effective response to the disaster.
• A good business continuity plan would involve knowing what actions should be taken in case major
company facilities go down, key personnel or other employees are lost, or the IT infrastructure
crashes.
• Two major areas to address for an effective plan would be keeping the business up and running to
maintain survival and allocating resources for crisis support.
• Management should get together and discuss how they will keep the business together even after
something major happens to the company.
• These discussions would most likely involve performing a business impact analysis, which would point
out the company's most important systems and the extent of impact that a system failure would have
on business operations.
• Ultimately, the goal of a strong business continuity plan is to determine the maximum time the
business can survive while its systems are down, and to prioritize which areas of the business need to be
addressed and fixed as soon as possible.
3. Suppose your business had an e-commerce Web site where it sold goods and accepted credit card
payments. Discuss the major security threats to this Web site and their potential impact. What can be
done to minimize these threats?
Answer
Several major security threats are possible when implementing an e-commerce Web site for business
processes. These threats can be very harmful to both the business and consumers.
Security threats and their impact:
• E-commerce Web sites are always a big target for hackers and intruders.
• Hackers can obtain a customer’s credit card information if the Web site has weak security features.
• This is a threat that could negatively affect the credibility of the business as well as drastically harm
an individual through identity theft.
• Another threat is posed if a hacker decides to fill the Web site with viruses and other threats that
could slow down a computer or render it unable to operate.
• This would affect the performance of many customers’ computers as well as the business’s computers
that are needed to run the company’s operations.
A lot can be done in order to minimize these security threats.
Actions to take to ensure security:
• To minimize these security threats the company can implement various business tools.
• One of these tools is a firewall, which can stop an intruder or hacker from accessing private networks.
• This would help prevent the hackers from getting credit card information from the consumers as well
as the company’s other important data.
• Another business tool is an intrusion detection system which would alert the company’s system if
something out of the ordinary happens such as an attempted intrusion from a hacker.
• Also, both business and consumer can use antivirus software for their computers which would get rid
of any viruses that are on the computer.
• The antivirus software would also warn the user of any potential malicious Web sites that may contain
viruses.