Lecturer: Mr. Michael Allotey Contact Information: mallotey@ug.edu.gh School of Information and Communication Studies Department of Information Studies Second Semester (2018-2019)
Lecture Overview As the use of information systems increase in organizations, the risks/threats associated with them also continue to increase. These risks can be categorized into two: 1. Risks to users 2. Risks to the systems. This lectures focusses on risks or threats to the information systems in organizations. Slide 2
Session Outline The key topics to be covered in the session are as follows: 1. Defining Information Systems Security 2. Information systems security Issues. Slide 3
Reading List • Laudon, C.K. Laudon, J.P. (2000) Management Information Systems (11th Ed.), NJ, Prentice-Hall in Honkong, Pearson. • Senn, J.A. (1982) Information Systems in Management, NY Wadsworth Publishing Company. • Stoner, J.A.F. (1999) Management, (1999) Prentice-Hall of India, New Delhi. • Lucey Terry, (1995) Management Information Systems, DP Publishing Ltd. Aldine Place, London. • Watson, H.J. et al (1991) Information System for Management: A Book of Reading. • Hutchinson, S.E. & Sawyer, S.C. (2000) Computers, Communications and Information: A User’s Introduction. • Liebenau, J., & Backhouse, J. (1990). Understanding Information. London: Macmillan. • Dhillon, G., & Backhouse, J. (2000). Information System Security Management in the New Millennium. Communications of the ACM, 43(7), 125 – 128. • Alter, S. (1999). Information systems: A management perspective. Reading, Mass. [u.a.: Addison Wesley. • O’Brien, J.A. (2009) Introduction to Information Systems, Boston, Pearson. • Long, P. et al (2016) Cambridge International AS and A Level IT Coursebook, University Printing House, Cambridge CB2 8BS, UK. Slide 4
Topic One DEFINING INFORMATION SYSTEMS SECURITY (ISS) Slide 5
What is ISS? Information systems security (ISS) involves precautions taken to keep all aspects of information systems away from unauthorized access and use. The components to be protected include: All hardware, all software, network equipment's, data and all gateways between networks. Slide 6
ISS In The Past In the past, information to a large extent was confined to a particular location and it was relatively easy to: • preserve its confidentiality , i.e. restricting access to those authorized • preserve its integrity , i.e. ensuring that its content and form were not subject to unauthorized modification, as well as • maintaining its availability and related resources , i.e. preventing their unauthorized withholding. Therefore, maintaining confidentiality, integrity, and availability were the three main goal of ISS. Slide 7
ISS Today • Today, considering the transformed nature of organizations and the expanded scope of information processing, managing information security is not just restricted to preserving confidentiality, integrity, and availability. • The emphasis has moved to establishing responsibility, integrity of people, trustworthiness, and ethicality (Dhillon and Backhouse 2000) Slide 8
Topic Two INFORMATION SYSTEMS SECURITY ISSUES Slide 9
ISS Issues • All information systems linked up in networks are prone to security violations. • These could be from within the organization or outside the organization. • They could also be exposed to virus infections and many other forms of computer crimes. Slide 10
Probable threats to information systems • Natural causes : such as fires and floods • Accidents: Deliberate or non-deliberate inappropriate behavior of individuals: Such as; human error, systems analysis and design faults, malfunctions, rough handling etc. Slide 11
Probable threats to information systems • Employee and Consultant : such as violations of safeguards by trusted personnel • Links to other organizations : Electronic information is always at risk in networked environments. • Outsiders : system intruders (Hackers, DOS attacks) and malwares. Slide 12
Impacts of information systems security breach • loss of vital information • Extra hours will be • Auditors and government wasted in attempts to agencies ask numerous replace or reconstruct questions lost data and paper • Senior managers become files. ornery • Law suits • People can be demoted, • Ruined Reputation sometimes fired • Revenue Lost Slide 13
Practices that increase Threat to Information systems • Employees keeping passwords/access codes in the open (on paper) • Absence of antivirus software or outdated antivirus software • Computer users in organizations continuing to use default passwords. Slide 14
Practices that increase Threat to Information systems • Failure to install effective fire walls or intrusion detection systems • Absence of proper background checks on new employees • Lack of proper monitoring of employees, particularly IT personnel. • Fired, dismissed or sacked employees become disgruntled and can cause mischief. Slide 15
Topic Three PREVENTION, DETECTION AND REACTION TO SECURITY THREATS Slide 16
Prevention, Detection And Reaction To Security Threats • Organizations may apply a set of measures usually know as security controls. • Security controls may be implemented at three main levels: • Technical This is based on how information is • Formal handled in the organization. • Informal (Liebenau and Backhouse 1990) Slide 17
Informal level Technical Level Formal Level Awareness security controls Security programs, such as anti-virus policies, adoption of good software, structures of management firewalls, practices, and responsibility intrusion development of a and detection security culture contingency that fosters the systems, access plans protection of control devices, information assets and cryptographic controls.
Topic Four FUNDAMENTAL PRINCIPLES TO FOLLOW WHEN IMPLEMENTING INFORMATION SYSTEMS SECURITY CONTROLS Slide 19
Introduction This is composed of six principles, which are classified into three classes, namely: • Principles for informal level IS security controls • Principles for formal level IS security controls • Principles for Technical level IS security controls Slide 20
Principles For Informal Level IS Security Controls Principle 1: Education, training and awareness, although important, are not sufficient for managing information security. A focus on developing a security culture goes a long way in developing and sustaining a secure environment. Principle 2: Responsibility, integrity, trust, and ethicality are the cornerstones for maintaining a secure environment. Slide 21
Principles For Formal Level IS Security Controls • Principle 1: Establishing a boundary between what can be formalized and what should be norm based is the basis for establishing appropriate control measures. • Principle 2: Rules for managing information security have little relevance unless they are contextualized. Slide 22
Principles For Technical Level IS Security Controls • Principle 1: In managing the security of technical systems a rationally planned grandiose strategy will fall short of achieving the purpose. • Principle 2: Formal models for maintaining the confidentiality, integrity and availability (CIA) of information cannot be applied to commercial organizations on a grand scale. Micro-management for achieving CIA is the way forward. Slide 23
Topic Five ISS CONTROLS/ SYSTEM PROTECTION PROGRAMS Slide 24
Introduction Information Protection Programs have 2 broad Components based on the nature of threats and/ or the levels at which information is handled in the organization. • Technology Protection (Technical Level) • Human – based Protection (Formal/ Informal Level) Slide 25
Technological Protection (Technical Level Security Controls) • Physical Protection • Audit control software • Firewalls • System monitoring and Incident response • Security Protocols • Performing system • Encryption backups • Authentication • Planning for disaster • Virus monitoring and recovery prevention • Other protection measures. Slide 26
Physical Protection This has to do with physically denying unauthorized people. They are: • Keeping information system resources under lock and key. • Physically securing computers to desks • Locking hard drives with key • Fixing intruder alarms • Closed – Circuit Television (CCTV) Slide 27
Firewalls • A firewall can be either software or hardware that sits between the user’s computer and an external network that filters information coming in and out of the users computer. Firewalls cannot do the following: • It cannot prevent individuals, on internal networks, using their own modems to bypassthe firewall. Slide 28
Firewalls • Employee misconduct or carelessness cannot be controlled by firewalls (e.g. Control of passwords or user accounts) • Users on stand alone computers can choose to disable the firewall, leaving their computer open to harmful intruders. Slide 29
Security Protocols These are set of rules used by computers to communicate with each other across a network- when using the internet. There are two forms: • Secure Sockets Layer (SSL) • Transport Layer Security (TLS) Slide 30
Recommend
More recommend
