Management of information systems - security challenges
Presentation Transcript
  1. Management of information systems - security challenges MBA 501 WEEK 7

  2. This week: continuing our look at management issues
  • Last week we looked at the operational issue of outsourcing
  • This week we will look at another operational issue – that of managing security
  • Both of these areas reflect the change in focus of the IS function
    • From managing inwards to managing outwards
  • WHY? WHAT HAS HAPPENED?

  3. Why is security an important management issue?
  • Information is a key business asset
    • It needs to be accessible to all who need it
    • It needs to be protected
  • Managers need to develop and implement an overall strategy for security
    • Managers need to understand the threats
    • Managers need to understand specific techniques for protecting systems
  • Particularly important as organizations move into eBusiness and open up
  • Goal is to reduce business risk to an acceptable level
  Source: McNurlin & Sprague. Information Systems Management in Practice. 7th Ed. Pearson Prentice Hall

  4. Management issues re security
  • Business consequences of poor security can be very serious
    • damage to IT infrastructure through threats and attacks from outside
    • loss of data, exposure of customers’ private information, loss of profits, loss of opportunity, damaged reputation
  • Consumer impacts (credit cards exposed, viruses, malware, spyware etc.)
  • “Chill” effect on eBusiness – both buy side and sell side (B2C)
  • Security issues have a high profile in the media

  5. Identifying and managing risk
  • Airtight security is not possible
  • Risks must be identified and prioritized (in terms of the business context)
  • Then resources must be put into guarding against the most serious threats
  • What does “serious” mean? – most likely to happen / greatest business impact?

  6. Key security issues for both customers and managers
  • Organizations must guard their own data and their customers’ data, and create a secure and predictable environment for commercial exchange – they must create TRUST
  • Basic pillars of security: ‘PAIN’
    • Privacy (and confidentiality)
    • Authentication and Authorization (Identification)
    • Integrity
    • Non-repudiation

  7. PAIN: Privacy and Confidentiality
  • One of the major concerns that customers have about eBusiness – the Internet is a public space
  • Firms need to ensure that information that is private or sensitive is kept secure and not used for any purpose other than that agreed to
    • credit card numbers
    • trade secrets / proprietary information
    • business plans
    • health records etc.
  • Confidentiality during transactions is usually ensured by encryption

  8. PAIN: Authentication
  • When someone submits something to your website, how can you be sure that they are who they claim to be? e.g.
    • using credit cards
    • making a contract or application
    • registering for an email newsletter
  • Authentication is the process by which one entity verifies that another entity is who they claim to be
  • Authentication requires evidence in the form of credentials:
    • “something you have” plus “something you know” plus “something you are” (biometrics), e.g.
      • username and password
      • two-factor authentication (Gmail example)
      • credit card – match exact billing name and address
      • digital signatures and digital certificates

  9. PAIN: Authorization
  • Once a person has been authenticated, we need to be satisfied that she is authorized to access or do certain things on our site
  • Does the person (or program) have the right to access particular data, programs, or system resources? (particularly important when protecting a server from hackers)
  • Authorization is usually determined by comparing information about the person or program with access control information associated with the resource being accessed (permissions)
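An added example (not from the slides or from McNurlin & Sprague) of the comparison this slide describes: a deny-by-default check that matches what is known about an authenticated person or program against the permissions recorded on a resource. The principals, roles and resource are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed example data (not from the slides): an authenticated principal
# (a person or a program) and the access-control information on a resource.
OWNER_ACTIONS = {"read", "update"}   # what a customer may do with her own record

@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset                  # e.g. {"customer"}, {"support"}, {"batch-job"}
    authenticated: bool = True        # outcome of the authentication step

@dataclass
class Resource:
    path: str
    owner: str                        # the customer the record belongs to
    permissions: dict = field(default_factory=dict)   # role -> set of allowed actions

def is_authorized(principal: Principal, resource: Resource, action: str) -> bool:
    """Deny by default: compare what is known about the caller with the
    permissions attached to the resource, as slide 9 describes."""
    if not principal.authenticated:                       # authorization follows authentication
        return False
    if principal.name == resource.owner and action in OWNER_ACTIONS:
        return True                                       # owner acting on her own data
    for role in principal.roles:                          # role-based permissions
        if action in resource.permissions.get(role, ()):
            return True
    return False                                          # nothing matched: deny

# Constructed access-control entries for one customer's order history
ALICE_ORDERS = Resource(
    path="/orders/alice",
    owner="alice",
    permissions={
        "support":   {"read"},
        "batch-job": {"read"},
        "admin":     {"read", "update", "delete"},
    },
)

ALICE    = Principal("alice", frozenset({"customer"}))
BOB      = Principal("bob", frozenset({"customer"}))                # a different customer
HELPDESK = Principal("carol", frozenset({"support"}))
NIGHTLY  = Principal("report-generator", frozenset({"batch-job"}))  # a program, not a person
GUEST    = Principal("anonymous", frozenset(), authenticated=False)
```

Note that Bob, although authenticated as a customer, is refused Alice's record: authentication alone says nothing about what a caller may do.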

  10. PAIN: Integrity
  • Integrity is the ability to prevent data from being altered or destroyed in an unauthorized or accidental manner
  • This could include:
    • hacking to deface a website
    • altering data held on your website or database
    • intercepting data
  • The parties to a transaction must be assured that all data and documents connected with it cannot be altered without detection

  11. PAIN: Non-repudiation
  • The ability to ensure that neither side in a transaction can later claim that they, for instance:
    • didn’t order something using a credit card
    • or didn’t accept an order or offer for something
  • Non-repudiation ensures that neither side can back out of a transaction by claiming it never took place
  • Particular problem with credit cards
    • Verified by Visa
  • Non-repudiation is also achieved by using digital signatures that make it difficult to claim that you weren’t involved in an exchange
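An added example, not from the original slides, of the difference between integrity (slide 10) and non-repudiation (slide 11): a keyed MAC lets both parties detect alteration of an order but, because both hold the same key, it cannot prove which of them produced it; a signature made with a private key can. The order message and keys are constructed, and the RSA keys are toy-sized, unpadded textbook RSA for illustration only (assumption: a real system would use a vetted library).

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample order (not from the slides).
ORDER = b"customer=alice;item=laptop;qty=1;amount=1299.00"

# --- Integrity: a keyed MAC detects alteration in transit ------------------
SHARED_KEY = b"constructed-secret-shared-by-merchant-and-customer"

def mac_tag(message: bytes, key: bytes = SHARED_KEY) -> str:
    # Either party can compute this, since both know the key.
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def mac_verify(message: bytes, tag: str, key: bytes = SHARED_KEY) -> bool:
    # Constant-time comparison, so timing reveals nothing about the tag.
    return hmac.compare_digest(mac_tag(message, key), tag)

# --- Non-repudiation: only the private-key holder can sign -----------------
@dataclass(frozen=True)
class ToyKeyPair:
    n: int   # public modulus
    e: int   # public exponent: anyone can verify with (n, e)
    d: int   # private exponent: only the signer has this

def toy_keygen(p: int = 2**31 - 1, q: int = 2**61 - 1, e: int = 65537) -> ToyKeyPair:
    # Textbook RSA with two Mersenne primes: far too small and unpadded for
    # real use (assumption: production code uses a vetted library instead).
    phi = (p - 1) * (q - 1)
    return ToyKeyPair(n=p * q, e=e, d=pow(e, -1, phi))

def digest_mod_n(message: bytes, n: int) -> int:
    # Hash the order, then reduce into the RSA group of the toy key.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, key: ToyKeyPair) -> int:
    return pow(digest_mod_n(message, key.n), key.d, key.n)

def verify(message: bytes, signature: int, n: int, e: int) -> bool:
    # Uses only the public half: the merchant can check the customer's
    # signature but cannot create one, so the customer cannot later deny it.
    return pow(signature, e, n) == digest_mod_n(message, n)
```

With the MAC, a merchant who later disputes an order could have produced the tag itself; with the signature, verification succeeds using only the public key, which is what lets a third party settle the dispute.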

  12. Security for e-payments and other transactions: encryption
  • The cornerstone for secure online payments and other transactions is encryption
  • Messages moving across the network can be encrypted or scrambled in such a way that it is too difficult, expensive or time consuming for an unauthorized person to unscramble them
  • The protocol that ensures this is SSL/TLS (Transport Layer Security) – an explanation from Google
  • Simple explanation of digital encryption using the toolbox and key example

  13. Management problem?
  • “Airtight security is not possible because companies have to allow on-line commerce. They have to make trade-offs between absolute information security and efficient flow of information.” McNurlin & Sprague
  • The management challenge is that of finding the balance
  • What is the reality of the threat?
  • What do you think are the most serious and high risk threats to business?

  14. All threats are not equal for all organizations
  • “…the key components for managing a security program are the likelihood and the likely impact of an attack.”
  • CSI Computer Crime and Security Survey

  15. What are companies worried about? Canadian Cyber Crime research (2013) from International Cyber Security Protection Alliance

  16. What is the extent of the problem?
  • Half the respondents to the CSI survey didn’t experience a security incident over the course of the year – but that doesn’t mean that they weren’t threatened
  • 2010 CSI Computer Crime and Security Survey

  17. 2010 CSI Computer Crime and Security Survey

  18. 2010 CSI Computer Crime and Security Survey

  19. Types of direct threats and attacks: risks to infrastructure (particularly eBusiness)
  • Distributed Denial of Service (DDoS) attacks
    • Wikileaks (2010)
    • 4Chan attacks on anti-piracy websites (2011)
  • Hacking – web site defacement
    • New York Times – 1998
  • DNS hijack
    • Twitter – 2009
  • Malicious code: viruses, worms, trojans etc.
    • Skype’s network frozen by a trojan horse attack in 2007
    • Stuxnet – attacks on nuclear facilities and other industrial targets

  20. Types of threats and attacks: attacks on data
  • Intercepted transmissions (eavesdropping / sniffing)
  • Attacks related to insecure passwords – are “strong” passwords and frequent changes the answer?
  • Social engineering (and how to protect against it)
  • Phishing

  21. A new source of threat: BYOD
  • Security lax on the part of employees (not even having a lock screen is common)
  • Sensitive work files stored on personal devices
  • Devices on the corporate network without IT’s knowledge
  • Fragmentation of operating systems / support cost increases
  • Phone number as a piece of branding / customer connection (what happens when the employee leaves?)

  22. BYOD Policy: security, confidentiality and privacy
  • 69 % of companies permit some form of BYOD
  • 70 % have no policy to manage the practice
  • While 26 % of those with no policy plan to have one in place within one year, 44 % said they have no plans to enact one at all
  • IDC Canada Survey 2012
  • Software is being developed to create separate “spaces” on phones for work and personal use, e.g. BlackBerry Balance

  23. Creating a Security Policy (including BYOD)
  • The CSI Survey identified that only a very small percentage of those surveyed did not have some kind of information security policy
  • The policy is aimed at both educating employees and managing (and balancing) the “people risks” we have identified
  • What should it address, and why?

  24. Control strategies for managers to ensure the integrity of an IS
  • Containment
  • Deterrence
  • Obfuscation
  • Recovery
  • Firms must balance these strategies to suit their business requirements

  25. Containment
  • Make the target look as unattractive as possible
    • Heavily encrypted data is less attractive
  • Focus on controlling access to data resources by erecting barriers
    • Expensive and requires constant vigilance to keep ahead of attackers
  • Physically remove the target system from threats
    • Isolating systems from the network
    • Distributing data across an organization or geographic area

  26. Deterrence
  • Need to understand and anticipate the motives of those who would breach security
  • Use of threats of prosecution and dismissal (internal), and well publicized barriers
  • Monitoring patterns of data usage or access to resources
  • Implementation of defenses or countermeasures

  27. Obfuscation
  • Involves hiding and/or distributing assets so that any damage caused can be limited
  • Often entails monitoring of all an organization’s activities, not just those where security threats are perceived (a broader strategy than containment or deterrence)
  • Needs a good overview and frequent auditing of hardware, software and network resources
    • e.g. to identify illegal software loaded onto employees’ machines

  28. Recovery
  • Assumes a security breach will occur, and puts in place an action plan and strategy for business recovery
  • Requires extensive organizational planning
  • Backup systems, redundant systems needed (often outsourced)
  • Emergency planning and recovery in place

  29. Two questions to consider
  • Reporting a cybercrime occurs less than 50% of the time. Why is this? Is this a good thing or not? What might you do to encourage a higher percentage of companies to make formal reports?
  • What is your view about the assertion that “Security is as much a human problem as a technical problem”?