Scribd Logo
Upload

Welcome to Scribd!

  • Lecture 25

    Uploaded by

    Ratish Kakkad
    81 views23 pages
    Managing Information Systems Information Systems Security and Control Part 2 Section 14. Objectives Demonstrate that Information System vulnerabilities can be controlled. Demonstrate some of the technologies that can be used to control Information Systems vulnerabilities.

    Original Description:

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PPT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Managing Information Systems Information Systems Security and Control Part 2 Section 14. Objectives Demonstrate that Information System vulnerabilities can be controlled. Demonstrate some of the technologies that can be used to control Information Systems vulnerabilities.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    81 views23 pages

    Lecture 25

    Uploaded by

    Ratish Kakkad
    Managing Information Systems Information Systems Security and Control Part 2 Section 14. Objectives Demonstrate that Information System vulnerabilities can be controlled. Demonstrate some of the technologies that can be used to control Information Systems vulnerabilities.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 23

    Managing Information Systems

    Information Systems Security and Control


    Part 2
    Section 14.2

    1
    Objectives
    • Demonstrate that Information System
    vulnerabilities can be controlled
    • Demonstrate the ways in which Information
    Systems can be controlled in an
    organisation
    • Demonstrate some of the technologies that
    can be used to control Information Systems
    vulnerabilities

    2
    Controlling Information Systems
    • Recall there are numerous threats to
    Information Systems
    – Hardware failures
    – Software failures
    – Upgrade issues
    – Disasters
    – Malicious intent

    3
    Controlling Information Systems
    • To minimise likelihood of threats, must
    control the environment in which
    Information Systems are developed and
    deployed
    • Controls put in place to:
    – Manually control environment of Information
    Systems
    – Automatically add controls to Information
    Systems
    4
    Controlling Information Systems
    • Implemented through
    – Policies
    – Procedures
    – Standards
    • Control must be thought about through all
    stages of Information Systems analysis,
    construction, deployment operations and
    maintenance

    5
    Controlling Information Systems
    • What sort of controls can be put in place?

    6
    Controls
    • General controls
    – Controls for design, security and use of
    Information Systems throughout the
    organisation
    • Application controls
    – Specific controls for each application
    – User functionality specific

    7
    General Controls
    • Implementation controls
    – Audit system development
    – Ensure properly managed and controlled
    – Ensure user involvement
    – Ensure procedures and standards are in use
    • Software controls
    – Authorised access to systems

    8
    General Controls
    • Hardware controls
    – Physically secure hardware
    – Monitor for and fix malfunction
    – Environmental systems and protection
    – Backup of disk-based data

    9
    General Controls
    • Computer operations controls
    – Day-to-day operations of Information Systems
    – Procedures
    – System set-up
    – Job processing
    – Backup and recovery procedures

    10
    General Controls
    • Data security controls
    – Prevent unauthorised access, change or
    destruction
    – When data is in use or being stored
    – Physical access to terminals
    – Password protection
    – Data level access controls

    11
    General Controls
    • Administrative controls
    – Ensure organisational policies, procedures and
    standards and enforced
    – Segregation of functions to reduce errors and
    fraud
    – Supervision of personal to ensure policies and
    procedures are being adhered to

    12
    Application Controls
    • Input controls
    – Data is accurate and consistent on entry
    – Direct keying of data, double entry or
    automated input
    – Data conversion, editing and error handling
    – Field validation on entry
    – Input authorisation and auditing
    – Checks on totals to catch errors
    13
    Application Controls
    • Processing controls
    – Data is accurate and complete on processing
    – Checks on totals to catch errors
    – Compare to master records to catch errors
    – Field validation on update

    14
    Application Controls
    • Output controls
    – Data is accurate, complete and properly
    distributed on output
    – Checks on totals to catch errors
    – Review processing logs
    – Track recipients of data

    15
    Protecting Information Systems
    • What sorts of technology can we use to
    implement Information Systems controls?

    16
    Protecting Information Systems
    • Information Systems, especially TPS,
    require high degrees of availability
    • Technology is available to ensure systems
    are available and contain accurate
    information

    17
    High Availability Computing
    • Systems available for most of the time
    (some downtime allowed)
    – Recover quickly from crash / downtime
    – Redundant servers and clustering
    – Mirroring of data and networked storage
    – Load balancing
    – Scalable and robust infrastructure
    – Disaster recovery planning

    18
    Fault Tolerant Computing
    • Systems available all the time (no downtime
    allowed)
    – Specialist hardware
    • HP NonStop (Tandem), Stratos
    – Detect and correct faults in hardware and
    software to keep processing

    19
    Network Security
    • Permanent (open) network connectivity:
    Internet, Extranet, wireless
    – Firewall: proxy or stateful inspection
    – Firewalls must be managed and part of security
    policy
    – Encryption: public key, SSL of S-HTTP
    – Authentication and integrity
    – Digital signatures and certificates
    20
    Developing Control
    • Lots of threats to Information Systems
    • Lots of controls required
    • Decision on which controls to use based
    upon likelihood of threat and cost
    • Risk assessment
    – Likely frequency of threat
    – Cost of damage
    – Cost of implementation
    21
    HOMEWORK

    22
    HOMEWORK

    23

    You might also like