
INFORMATION SYSTEM SECURITY, CONTROL AND AUDIT

WHAT IS INFORMATION SECURITY?

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

The process of ensuring business systems and information assets are protected, secure and available.

INFORMATION SYSTEMS SECURITY


A discipline that protects the Confidentiality, Integrity and Availability of information and information services. Also known as: Network Security, Computer Security, Information Assurance, Cyber Warfare.

WHY IT IS IMPORTANT
Information security can be expected to achieve important business objectives by protecting:
- Information assets
- Mission-critical applications and systems
- Productivity: daily activities and operations
- The privacy of individuals and their confidential information
- The legal position of the organization, by complying with laws and contracts

With the migration toward an Internet-based world, it becomes more critical to protect Internet-based applications: web-based applications, e-commerce, Voice over IP (VoIP), etc.

[Diagram: the three security goals, Confidentiality, Integrity and Availability, applied to Products (Physical Security), Communications and Information]

SECURITY CLASSIFICATION FOR INFORMATION


An important aspect of information security and risk management is recognizing the value of information and defining appropriate procedures and protection requirements for it. Not all information is equal, and so not all information requires the same degree of protection.

SYSTEM VULNERABILITY AND ABUSE


Security, in the case of information systems, refers to the policies, procedures and technical measures used to protect computer hardware, software, communication networks and data.

Threats to the computerized IS are:
- Hardware failure
- Software failure
- Personnel actions
- Theft of data, service or equipment
- Fire
- Electrical problems
- User errors
- Program changes
- Telecommunication problems

WHY SYSTEMS ARE VULNERABLE


[Diagram: where systems are vulnerable, by layer]

Client (User): 1. Unauthorized access 2. Errors
Communication Lines: 1. Tapping 2. Sniffing 3. Message alteration 4. Theft & fraud
Corporate Services: 1. Hacking 2. Viruses 3. Theft & fraud 4. Vandalism 5. Denial of service attacks
Corporate Systems / Data Bases: 1. Theft of data 2. Copying data 3. Alteration of data 4. Hardware failure 5. Software failure

TYPES OF VULNERABILITIES
- Internet Vulnerabilities
- Wireless Security Challenges

[Diagram: wireless challenge-response authentication (Authentication Request, Challenge, Response, Success) between a legitimate user and the network, with an intruder present]

- Malicious software: viruses, worms, Trojan horses and spyware
- Hackers
- Computer crime and cyber terrorism
- Internal threats: employees
- Software vulnerability

HACKER MOTIVATIONS
- Attack the Evil Empire (Microsoft)
- Display of dominance
- Showing off, revenge
- Misdirected creativity
- Embezzlement, greed
- Who knows what evil lurks in the hearts of men?

THREATS: MALWARE
Malware is malicious software deliberately created and specifically designed to damage, disrupt or destroy network services, computer data and software. There are several types:

MALWARE TYPES
Viruses:
- Conceal themselves
- Infect computer systems
- Replicate themselves
- Deliver a payload

MALWARE TYPES
Worms: programs that are capable of independently propagating throughout a computer network. They replicate fast and consume large amounts of the host computer's memory.

Malware Types
Trojan Horses: programs that contain hidden functionality that can harm the host computer and the data it contains. Trojan horses are not automatic replicators; computer users inadvertently set them off.

Malware Types
Software Bombs:
- Time bombs: triggered by a specific time/date
- Logic bombs: triggered by a specific event
Both are introduced some time before they trigger and will damage the host system.

BUSINESS VALUE OF SECURITY & CONTROL


1. Security and control have become a critical, although perhaps unappreciated, area of information systems investment.
2. The longer computer systems are down, the more serious the consequences for the firm.
3. Computers hold very valuable information assets that must be protected.

Types of Information Systems Controls:
- General controls
- Application controls: input controls, processing controls, output controls
- Risk assessment
- Security policy
- Ensuring business continuity
- Security outsourcing

TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL


Access Control
Access control consists of all the policies and procedures a company uses to prevent improper access to systems by unauthorized insiders and outsiders. Access control software is designed to allow authorized persons to use systems or to access data, using some method of authentication. Sometimes systems use tokens such as smart cards for access control, or biometric authentication.
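The two halves of access control described above, authentication (proving who you are) and authorization (what that identity may do), as an added Python example that is not part of the original slides. The user store, the access control list, the credentials and the PBKDF2 work factor are all constructed for the example; a real system would keep users in a directory service and the ACL in the protected system itself.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor (constructed choice for the example)


def hash_password(password, salt=None):
    """Return (salt, digest) for a password using salted PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


# Constructed user store: name -> (salt, digest). Passwords are never stored in clear.
USERS = {}


def add_user(name, password):
    USERS[name] = hash_password(password)


def authenticate(name, password):
    """Authentication: the user proves identity with something they know."""
    record = USERS.get(name)
    if record is None:
        hash_password(password)  # same work for unknown names, so timing does not reveal them
        return False
    salt, stored = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored, candidate)  # constant-time comparison


# Access control list (constructed): resource -> user -> permitted operations.
ACL = {
    "payroll.db": {"alice": {"read", "write"}, "bob": {"read"}},
    "hr.docs": {"alice": {"read"}},
}


def authorize(name, password, resource, permission):
    """Authorization: an authenticated user may act only where the ACL grants it."""
    if not authenticate(name, password):
        return False
    return permission in ACL.get(resource, {}).get(name, set())


add_user("alice", "correct horse")  # constructed credentials
add_user("bob", "battery staple")

if __name__ == "__main__":
    print(authorize("alice", "correct horse", "payroll.db", "write"))  # True
    print(authorize("bob", "battery staple", "payroll.db", "write"))   # False
```

A smart card or biometric would replace only the `authenticate` step; the ACL check stays the same, which is why the slide treats the authentication method as interchangeable.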

FIREWALLS
- A firewall is a combination of hardware and software that controls the flow of incoming and outgoing network traffic.
- It is placed between the organization's private internal networks and untrusted external networks such as the Internet.

[Diagram: firewall between the Internet and the internal network and database, applying policy rules to traffic]
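The "policy rules" in the firewall diagram, as an added Python example that is not from the original slides: a minimal stateless packet filter that evaluates a constructed rule table top to bottom and blocks anything the rules do not mention (default deny). The internal network 10.0.0.0/8, the web server 10.0.1.10 and the database subnet 10.0.2.0/24 are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    direction: str         # "in": arriving from the Internet, "out": leaving toward it
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR network, or "any"
    dst: str               # CIDR network, or "any"
    dport: Optional[int]   # destination port; None matches any port


# Constructed policy (assumed addresses). Rules are evaluated in order; first match wins.
POLICY = [
    Rule("allow", "in",  "tcp", "any",        "10.0.1.10/32", 443),   # HTTPS to the web server
    Rule("allow", "in",  "tcp", "any",        "10.0.1.10/32", 80),    # HTTP to the web server
    Rule("deny",  "in",  "any", "any",        "10.0.2.0/24",  None),  # database subnet never reachable
    Rule("allow", "out", "tcp", "10.0.0.0/8", "any",          443),   # staff HTTPS browsing
    Rule("allow", "out", "udp", "10.0.0.0/8", "any",          53),    # DNS lookups
]


def _in_net(cidr, addr):
    return cidr == "any" or ip_address(addr) in ip_network(cidr)


def evaluate(policy, direction, proto, src, dst, dport):
    """Return (action, index of the matching rule). No match means deny."""
    for i, r in enumerate(policy):
        if r.direction != direction:
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if not (_in_net(r.src, src) and _in_net(r.dst, dst)):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, i
    return "deny", None  # default deny: traffic the policy does not describe is blocked


if __name__ == "__main__":
    print(evaluate(POLICY, "in", "tcp", "203.0.113.5", "10.0.1.10", 443))  # ('allow', 0)
    print(evaluate(POLICY, "in", "tcp", "203.0.113.5", "10.0.1.10", 22))   # ('deny', None)
```

Rule order matters: the explicit deny for the database subnet comes before any broad allow, and the final default deny is what turns the list into a policy rather than a set of exceptions.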

Intrusion Detection Systems
- Feature full-time monitoring tools placed at the most vulnerable points or hot spots of corporate networks to detect and deter intruders continually.
- The system generates an alarm if it finds a suspicious or anomalous event.
- It can also be customized to shut down a particularly sensitive part of a network if it receives unauthorized traffic.
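The "alarm on a suspicious event" behaviour above, as an added Python example that is not from the original slides. It parses constructed SSH-style log lines and raises an alarm when one source produces a burst of failed logins inside a sliding window; the log lines, the 5-failure threshold and the 60-second window are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real logs), in a syslog-like format.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd: Failed password for admin from 198.51.100.7 port 50122
2024-03-01T10:00:03 sshd: Failed password for admin from 198.51.100.7 port 50123
2024-03-01T10:00:04 sshd: Failed password for root from 198.51.100.7 port 50124
2024-03-01T10:00:06 sshd: Failed password for admin from 198.51.100.7 port 50125
2024-03-01T10:00:07 sshd: Failed password for guest from 198.51.100.7 port 50126
2024-03-01T10:00:09 sshd: Accepted password for alice from 10.0.0.12 port 40001
2024-03-01T10:05:00 sshd: Failed password for bob from 10.0.0.15 port 40002
2024-03-01T10:07:30 sshd: Accepted password for bob from 10.0.0.15 port 40003
"""

LINE_RE = re.compile(
    r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+) port \d+$"
)


def parse(log_text):
    """Turn log lines into (timestamp, outcome, user, source) events; skip unparsable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Alarm on any source with at least `threshold` failures inside a sliding window."""
    alarms = []
    recent_failures = defaultdict(list)   # source -> timestamps of recent failures
    for ts, outcome, _user, src in sorted(events):
        if outcome != "Failed":
            continue
        q = recent_failures[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.pop(0)
        if len(q) >= threshold:
            alarms.append((src, ts.isoformat()))
            q.clear()                      # one alarm per burst, not one per extra failure
    return alarms


if __name__ == "__main__":
    for src, when in detect_bruteforce(parse(SAMPLE_LOG)):
        print(f"ALARM: {src} exceeded failed-login threshold at {when}")
```

The single failure from 10.0.0.15 followed by a successful login is ordinary user error and stays below the threshold; the five failures from 198.51.100.7 in six seconds trigger the alarm, which is the signal a responder would use to decide whether to block that source.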

Antivirus Software
It is designed to check computer systems and drives for the presence of computer viruses. The software can eliminate the virus from the infected area. However, most antivirus software is effective only against viruses already known when the software was written. To remain effective, the antivirus software must be continually updated.
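Why "most antivirus software is effective only against viruses already known when the software was written", shown as an added Python example that is not from the original slides: a signature scanner with a constructed database of file hashes and byte patterns, run over constructed harmless marker strings standing in for files. A variant that differs by a single byte escapes the hash signature until the database is updated.

```python
import hashlib


def make_signature_db():
    """Constructed signature database: full-file SHA-256 hashes plus byte patterns."""
    return {
        "hashes": {"Sample.A": hashlib.sha256(b"CONSTRUCTED-SAMPLE-A").hexdigest()},
        "patterns": {"Sample.B": b"CONSTRUCTED-PATTERN-B"},
    }


def scan(data, sigs):
    """Return the names of every signature that matches the file contents."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    hits += [name for name, h in sigs["hashes"].items() if h == digest]      # exact file
    hits += [name for name, pat in sigs["patterns"].items() if pat in data]  # pattern inside file
    return hits


def scan_all(files, sigs):
    """Scan a mapping of path -> contents; the result maps each path to its hits."""
    return {path: scan(data, sigs) for path, data in files.items()}


def add_hash_signature(sigs, name, data):
    """The update step: a newly analysed sample becomes a known signature."""
    sigs["hashes"][name] = hashlib.sha256(data).hexdigest()


# Constructed "files": harmless marker strings standing in for file contents.
FILES = {
    "a.bin": b"CONSTRUCTED-SAMPLE-A",                         # exactly the known sample
    "a2.bin": b"CONSTRUCTED-SAMPLE-A-v2",                     # variant: hash no longer matches
    "b.bin": b"header\x00CONSTRUCTED-PATTERN-B\x00tail",      # known pattern embedded in a file
    "c.bin": b"plain data",                                   # clean
}

if __name__ == "__main__":
    sigs = make_signature_db()
    print(scan_all(FILES, sigs))            # a2.bin is missed: []
    add_hash_signature(sigs, "Sample.A2", FILES["a2.bin"])
    print(scan(FILES["a2.bin"], sigs))      # after the update: ['Sample.A2']
```

Pattern signatures survive small changes elsewhere in the file, which is why vendors prefer them to whole-file hashes, but both depend on the sample having been seen first; that dependency is the reason the slide insists on continual updates.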

Securing Wireless Networks
- Extensible Authentication Protocol (EAP)

Encryption and Public Key Infrastructure


Encryption is the coding and scrambling of messages to prevent unauthorized access to, or understanding of, the data being transmitted.

[Diagram: public key encryption. The sender encrypts the message with the public key, producing a scrambled message; the recipient recovers it with the private key]
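The exchange in the public key diagram, as an added Python example that is not from the original slides: textbook RSA built from two small constructed primes, with the sender scrambling a message under the recipient's public key and only the holder of the private key able to undo it. The primes 61 and 53, the exponent 17 and the byte-by-byte encoding are constructed choices so the arithmetic is visible; real keys use a modulus of around 2048 bits.

```python
from math import gcd


def keygen(p, q, e=17):
    """Textbook RSA key pair from two primes (constructed small values for the example)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)        # private exponent: modular inverse of e (Python 3.8+)
    return (n, e), (n, d)      # (public key, private key)


def encrypt(public_key, m):
    """Sender: scramble an integer block with the recipient's public key."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("block must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(private_key, c):
    """Recipient: recover the block with the private key; nobody else holds d."""
    n, d = private_key
    return pow(c, d, n)


def encrypt_bytes(public_key, data):
    """Scramble a message one byte per block (each byte < 256 < n)."""
    return [encrypt(public_key, b) for b in data]


def decrypt_bytes(private_key, blocks):
    return bytes(decrypt(private_key, c) for c in blocks)


if __name__ == "__main__":
    public, private = keygen(61, 53)
    scrambled = encrypt_bytes(public, b"HELLO")
    print(public, private)                   # (3233, 17) (3233, 2753)
    print(scrambled)                         # the scrambled message on the wire
    print(decrypt_bytes(private, scrambled))  # b'HELLO'
```

The public key can be handed to anyone who wants to send to the recipient, which is the point of the scheme. Note that this bare form is deterministic: the two L's in HELLO produce identical blocks, so an observer learns where letters repeat. Deployed systems add randomized padding and use RSA only to protect a symmetric key rather than the message itself.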

Ensuring Software Reliability

DISASTER RECOVERY

a) Natural Disasters: tsunami, earthquakes, fires, floods
b) Man-Made Disasters: criminal and terrorist acts

NEED FOR SECURITY

- Confidentiality
- Integrity
- Availability
- Authenticity
- Non-repudiation
- Risk Management

METHODS OF MINIMIZING RISKS


The threats of accidents and malfunctions in the ISS are many, such as:
- Accidents
- Uncontrollable external events
- Attacks

Methods of minimizing these risks:
- Controlling software development and modifications
- Providing security training
- Maintaining physical security
- Controlling access to data, computers and networks
- Controlling traditional transaction processing: data preparation and authorization, data validation, error correction
- Maintaining security in web-based transactions: privacy, authentication, integrity
- Motivating efficient and effective operation
- Auditing IS

Risk Control Measures


Three types of controls:

- Administrative: corporate security policy, password policy, hiring policy and disciplinary policy
- Logical: passwords, network and host-based firewalls, network detection systems, access control lists
- Physical: doors, locks, heating, fencing, security guards, air conditioning, smoke and fire alarms, fire suppression systems, cameras, etc.

Information Security Audit


The Audit Process
- Audit planning and preparation
- Establishing audit objectives
- Performing the review: data centre personnel, equipment, policies and procedures, physical security/environmental controls, backup procedures
- Issuing the review report
- Encryption and IT audit

Ensuring System Quality


- Software quality assurance methodologies
- Resource allocation
- Software metrics, which should be:
  - Carefully designed
  - Formal
  - Objective
  - Measure significant aspects of the system
  - Used consistently
  - Agreed to by users in advance
- Quality tools
- Data quality audits