1.
Security and Control
Management Information Systems

2.
OBJECTIVES
• Explain why information systems need
special protection from destruction, error, and
abuse
• Assess the business value of security and
control
• Evaluate elements of an organizational and
managerial framework for security and control
Management Information Systems

3.
• Evaluate the most important tools
and technologies for safeguarding
information resources
• Identify the challenges posed by
information systems security and
control and management solutions
OBJECTIVES (Continued)
Management Information Systems

4.
Introductory Remarks:
Information security has become a high
priority for all organizations, big and
small, no matter the vertical. However,
there are still many challenges that
these businesses and associations
must overcome if they hope to truly
protect data from lone hackers as well
as major cybercriminal groups.

5.
Information Security Challenges
The challenges of information security can be divided into
the following areas:
Confidentiality and Privacy - Ensuring that only the
intended recipients can read certain information
Authentication - Ensuring that information is actually
sent by the stated sender
Integrity - Ensuring that the original information was not
altered and that no one tampered with it
Availability - Ensuring that important information can be
accessed at all times and places

6.
Introduction
Two Major Developments During the Past
Decade:
1. Widespread Computerization
2. Growing Networking and Internetworking
The Internet
• Need for Automated Tools for Protecting Files
and Other Information.
• Network and Internetwork Security refer to
measures needed to protect data during its
transmission from one computer to another in a
network or from one network to another in an
internetwork.

7.
Security is complex. Some reasons are:
• Requirements for security services are:
– Confidentiality
– Availability
– Integrity
– Non-repudiation
– Privacy
– Authenticity
…Continue

8.
Key Management is difficult.
Creation, Distribution, and
Protection of Key information
calls for the need for secure
services, the same services
that they are trying to provide.

9.
SYSTEM VULNERABILITY AND ABUSE
Management Information Systems
Contemporary Security Challenges and Vulnerabilities

10.
• Inadequate security and control may create serious
legal liability.
• Businesses must protect not only their own information
assets but also those of customers, employees, and
business partners. Failure to do so can lead to costly
litigation for data exposure or theft.
• A sound security and control framework that protects
business information assets can thus produce a high
return on investment.
Management Information Systems
BUSINESS VALUE OF SECURITY AND CONTROL

11.
• Use of fixed Internet addresses through use of
cable modems or DSL
• Lack of encryption with most Voice over IP (VoIP)
• Widespread use of e-mail and instant messaging
(IM)
Management Information Systems
SYSTEM VULNERABILITY AND ABUSE
Internet Vulnerabilities:
Why Systems Are Vulnerable (Continued)

12.
• Radio frequency bands are easy to scan
• The service set identifiers (SSID) identifying the
access points broadcast multiple times
Management Information Systems
SYSTEM VULNERABILITY AND ABUSE
Wireless Security Challenges:

13.
SYSTEM VULNERABILITY AND ABUSE
Wi-Fi Security Challenges
Management Information Systems

14.
• Computer viruses, worms, trojan horses
• Spyware
• Spoofing and Sniffers
• Denial of Service (DoS) Attacks
• Identity theft
• Cyberterrorism and Cyberwarfare
• Vulnerabilities from internal threats (employees);
software flaws
Management Information Systems
SYSTEM VULNERABILITY AND ABUSE
Malicious Software: Viruses, Worms, Trojan Horses, and
Spyware
Hackers and Cybervandalism

15.
i). Spyware: Is a type of malware that's hard to detect. It collects
information about surfing habits, browsing history, or personal
information (such as credit card numbers), and often uses the
Internet to pass this information along to third parties without you
knowing.
ii). Denial-of-service attack (DoS attack): Is a cyber-attack
where the perpetrator seeks to make a machine or network
resource unavailable to its intended users, such as to
temporarily or indefinitely interrupt or suspend services of a host
connected to the Internet.

16.
iii). Identity theft: is a crime in which an
imposter obtains key pieces of personal
information, such as Social Security or driver's
license numbers, in order to impersonate
someone else.
iv). Cyberterrorism: Is“a cyber attack using or
exploiting computer or communication networks
to cause sufficient destruction to generate fear
or intimidate a society into an ideological goal.”

17.
v). A spoof attack: is when a malicious
party impersonates another device or user
on a network in order to launch attacks
against network hosts, steal data, spread
malware or bypass access controls.
vi). Packet sniffing: Refers capture data
as it is transmitted over a network and is
used by network professionals to diagnose
network issues, and by malicious users to
capture unencrypted data, like passwords
and usernames.

18.
Computer Virus: a piece of code
that is capable of copying itself and
typically has a detrimental effect,
such as corrupting the system or
destroying data.
computer worm: is a self-
replicating virus that does not alter
files but resides in active memory
and duplicates itself.

19.
Management Information Systems
BUSINESS VALUE OF SECURITY AND CONTROL
Legal and Regulatory Requirements for Electronic
Records Management
• Electronic Records Management (ERM): Policies,
procedures and tools for managing the retention,
destruction, and storage of electronic records

20.
Management Information Systems
BUSINESS VALUE OF SECURITY AND CONTROL
Data Security and Control Laws:
• The Health Insurance Portability and Accountability
Act (HIPAA)
• Sarbanes-Oxley Act of 2002

21.
• Electronic Evidence: Computer data stored on disks
and drives, e-mail, instant messages, and e-
commerce transactions
• Computer Forensics: Scientific collection,
examination, authentication, preservation, and
analysis of computer data for use as evidence in a
court of law
Management Information Systems
BUSINESS VALUE OF SECURITY AND CONTROL
Electronic Evidence and Computer Forensics

22.
General controls:
• Software and hardware
• Computer operations
• Data security
• Systems implementation process
Management Information Systems
ESTABLISHING A MANAGEMENT FRAMEWORK FOR
SECURITY AND CONTROL
Types of Information Systems Controls

23.
• Input
• Processing
• Output
Management Information Systems
ESTABLISHING A MANAGEMENT FRAMEWORK FOR
SECURITY AND CONTROL
Application controls:

24.
• Determines the level of risk to the firm if a specific
activity or process is not properly controlled
Management Information Systems
ESTABLISHING A MANAGEMENT FRAMEWORK FOR
SECURITY AND CONTROL
Risk Assessment:

25.
• Acceptable Use Policy (AUP)
• Authorization policies
Management Information Systems
ESTABLISHING A MANAGEMENT FRAMEWORK FOR
SECURITY AND CONTROL
Security Policy:
Policy ranking information risks, identifying acceptable
security goals, and identifying the mechanisms for
achieving these goals

26.
• Downtime: Period of time in which a system is not
operational
• Fault-tolerant computer systems: Redundant
hardware, software, and power supply components to
provide continuous, uninterrupted service
• High-availability computing: Designing to maximize
application and system availability
Management Information Systems
ESTABLISHING A MANAGEMENT FRAMEWORK FOR
SECURITY AND CONTROL
Ensuring Business Continuity

27.
• Load balancing: Distributes access requests across
multiple servers
• Mirroring: Backup server that duplicates processes on
primary server
• Recovery-oriented computing: Designing computing
systems to recover more rapidly from mishaps
Management Information Systems
ESTABLISHING A MANAGEMENT FRAMEWORK FOR
SECURITY AND CONTROL
Ensuring Business Continuity (Continued)

28.
• Disaster recovery planning: Plans for restoration of
computing and communications disrupted by an
event such as an earthquake, flood, or terrorist
attack
• Business continuity planning: Plans for handling
mission-critical functions if systems go down
Management Information Systems
ESTABLISHING A MANAGEMENT FRAMEWORK FOR
SECURITY AND CONTROL
Ensuring Business Continuity (Continued)

29.
• MIS audit: Identifies all of the controls that govern
individual information systems and assesses their
effectiveness
• Security audits: Review technologies, procedures,
documentation, training, and personnel
Management Information Systems
ESTABLISHING A MANAGEMENT FRAMEWORK FOR
SECURITY AND CONTROL
Auditing:

30.
Management Information Systems
TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL
Access Control
• Passwords
Authentication:
Access control: Consists of all the policies and
procedures a company uses to prevent improper access
to systems by unauthorized insiders and outsiders
• Tokens, smart cards
• Biometric authentication

31.
• Firewalls: Hardware and software controlling flow of
incoming and outgoing network traffic
• Intrusion detection systems: Full-time monitoring
tools placed at the most vulnerable points of
corporate networks to detect and deter intruders
Management Information Systems
TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL
Firewalls, Intrusion Detection Systems, and
Antivirus Software

32.
• Antivirus software: Software that checks computer
systems and drives for the presence of computer
viruses and can eliminate the virus from the infected
area
• Wi-Fi Protected Access specification
Management Information Systems
TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL
Firewalls, Intrusion Detection Systems, and
Antivirus Software (Continued)

33.
Management Information Systems
TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL
A Corporate Firewall
Figure 10-7

34.
• Public key encryption: Uses two different keys, one
private and one public. The keys are mathematically
related so that data encrypted with one key can be
decrypted using only the other key
• Message integrity: The ability to be certain that the
message being sent arrives at the proper destination
without being copied or changed
Management Information Systems
Chapter 10 Security and Control
TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL
Encryption and Public Key Infrastructure

35.
• Digital signature: A digital code attached to an
electronically transmitted message that is used to
verify the origin and contents of a message
• Digital certificates: Data files used to establish the
identity of users and electronic assets for protection
of online transactions
• Public Key Infrastructure (PKI): Use of public key
cryptography working with a certificate authority
Management Information Systems
TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL
Encryption and Public Key Infrastructure
(Continued)

36.
• Secure Sockets Layer (SSL) and its successor
Transport Layer Security (TLS): protocols for secure
information transfer over the Internet; enable client
and server computer encryption and decryption
activities as they communicate during a secure Web
session.
• Secure Hypertext Transfer Protocol (S-HTTP): used for
encrypting data flowing over the Internet; limited to
Web documents, whereas SSL and TLS encrypt all
data being passed between client and server.
Management Information Systems
TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL
Encryption and Public Key Infrastructure
(Continued)

37.
Management Information Systems
TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL
Public Key Encryption
Figure 10-8

38.
Management Information Systems
TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL
Digital Certificates
Figure 10-9

39.
Management Information Systems
MANAGEMENT OPPORTUNITIES, CHALLENGES AND SOLUTIONS
Management Opportunities:
Creation of secure, reliable Web sites and
systems that can support e-commerce and
e-business strategies

40.
• Designing systems that are neither overcontrolled
nor undercontrolled
• Implementing an effective security policy
Management Information Systems
MANAGEMENT OPPORTUNITIES, CHALLENGES AND SOLUTIONS
Management Challenges:

41.
• Security and control must become a more visible
and explicit priority and area of information systems
investment.
• Support and commitment from top management is
required to show that security is indeed a corporate
priority and vital to all aspects of the business.
• Security and control should be the responsibility of
everyone in the organization.
Management Information Systems
MANAGEMENT OPPORTUNITIES, CHALLENGES AND SOLUTIONS
Solution Guidelines: