Lecturer: Mr. Michael Allotey Contact Information: - - PowerPoint PPT Presentation

SLIDE 1

School of Information and Communication Studies Department of Information Studies

Second Semester (2018-2019)

Lecturer: Mr. Michael Allotey Contact Information: mallotey@ug.edu.gh

SLIDE 2

Lecture Overview

As the use of information systems in organizations increases, the risks and threats associated with them also continue to increase. These risks can be categorized into two:

  • 1. Risks to users
  • 2. Risks to the systems.

This lecture focuses on risks or threats to the information systems in organizations.

SLIDE 3

Session Outline

The key topics to be covered in the session are as follows:

  • 1. Defining Information Systems Security
  • 2. Information Systems Security Issues

SLIDE 4

Reading List

  • Laudon, K.C. & Laudon, J.P. (2000). Management Information Systems (11th ed.). NJ: Prentice-Hall; Hong Kong: Pearson.
  • Senn, J.A. (1982). Information Systems in Management. NY: Wadsworth Publishing Company.
  • Stoner, J.A.F. (1999). Management. New Delhi: Prentice-Hall of India.
  • Lucey, T. (1995). Management Information Systems. London: DP Publishing Ltd, Aldine Place.
  • Watson, H.J. et al. (1991). Information Systems for Management: A Book of Readings.
  • Hutchinson, S.E. & Sawyer, S.C. (2000). Computers, Communications and Information: A User's Introduction.
  • Liebenau, J. & Backhouse, J. (1990). Understanding Information. London: Macmillan.
  • Dhillon, G. & Backhouse, J. (2000). Information System Security Management in the New Millennium. Communications of the ACM, 43(7), 125-128.
  • Alter, S. (1999). Information Systems: A Management Perspective. Reading, Mass.: Addison Wesley.
  • O'Brien, J.A. (2009). Introduction to Information Systems. Boston: Pearson.
  • Long, P. et al. (2016). Cambridge International AS and A Level IT Coursebook. Cambridge: University Printing House, Cambridge CB2 8BS, UK.

SLIDE 5

DEFINING INFORMATION SYSTEMS SECURITY (ISS)

Topic One


SLIDE 6

What is ISS?

Information systems security (ISS) involves the precautions taken to protect all aspects of an information system from unauthorized access and use. The components to be protected include all hardware, all software, network equipment, data, and all gateways between networks.

SLIDE 7

ISS In The Past

In the past, information was to a large extent confined to a particular location and it was relatively easy to:

  • preserve its confidentiality, i.e. restrict access to those authorized;
  • preserve its integrity, i.e. ensure that its content and form were not subject to unauthorized modification; and
  • maintain its availability and that of related resources, i.e. prevent their unauthorized withholding.

Therefore, maintaining confidentiality, integrity, and availability were the three main goals of ISS.

SLIDE 8

ISS Today

  • Today, considering the transformed nature of organizations and the expanded scope of information processing, managing information security is not just restricted to preserving confidentiality, integrity, and availability.
  • The emphasis has moved to establishing responsibility, integrity of people, trustworthiness, and ethicality (Dhillon and Backhouse 2000).

SLIDE 9

INFORMATION SYSTEMS SECURITY ISSUES

Topic Two


SLIDE 10

ISS Issues

  • All information systems linked up in networks are prone to security violations.
  • These could come from within the organization or from outside the organization.
  • They could also be exposed to virus infections and many other forms of computer crime.

SLIDE 11

Probable threats to information systems

  • Natural causes: such as fires and floods
  • Accidents: deliberate or non-deliberate inappropriate behavior of individuals, such as human error, systems analysis and design faults, malfunctions, rough handling, etc.

SLIDE 12

Probable threats to information systems

  • Employees and consultants: such as violations of safeguards by trusted personnel
  • Links to other organizations: electronic information is always at risk in networked environments.
  • Outsiders: system intruders (hackers, DoS attacks) and malware.

SLIDE 13

Impacts of an information systems security breach

  • Loss of vital information
  • Auditors and government agencies ask numerous questions
  • Senior managers become ornery
  • People can be demoted, sometimes fired
  • Extra hours will be wasted in attempts to replace or reconstruct lost data and paper files
  • Lawsuits
  • Ruined reputation
  • Lost revenue

SLIDE 14

Practices that increase the threat to information systems

  • Employees keeping passwords/access codes in the open (on paper)
  • Absence of antivirus software, or outdated antivirus software
  • Computer users in organizations continuing to use default passwords

SLIDE 15

Practices that increase the threat to information systems

  • Failure to install effective firewalls or intrusion detection systems
  • Absence of proper background checks on new employees
  • Lack of proper monitoring of employees, particularly IT personnel
  • Fired, dismissed or sacked employees become disgruntled and can cause mischief

SLIDE 16

PREVENTION, DETECTION AND REACTION TO SECURITY THREATS

Topic Three


SLIDE 17

Prevention, Detection And Reaction To Security Threats

  • Organizations may apply a set of measures usually known as security controls.
  • Security controls may be implemented at three main levels:
  • Technical
  • Formal
  • Informal

This classification is based on how information is handled in the organization (Liebenau and Backhouse 1990).

SLIDE 18

Technical Level

Security controls such as anti-virus software, firewalls, intrusion detection systems, access control devices, and cryptographic controls.

Formal Level

Security policies, structures of responsibility and contingency plans.

Informal Level

Awareness programs, adoption of good management practices, and development of a security culture that fosters the protection of information assets.

SLIDE 19

FUNDAMENTAL PRINCIPLES TO FOLLOW WHEN IMPLEMENTING INFORMATION SYSTEMS SECURITY CONTROLS

Topic Four


SLIDE 20

Introduction

This is composed of six principles, which are classified into three classes, namely:

  • Principles for informal level IS security controls
  • Principles for formal level IS security controls
  • Principles for technical level IS security controls

SLIDE 21

Principles For Informal Level IS Security Controls

  • Principle 1: Education, training and awareness, although important, are not sufficient for managing information security. A focus on developing a security culture goes a long way in developing and sustaining a secure environment.
  • Principle 2: Responsibility, integrity, trust, and ethicality are the cornerstones for maintaining a secure environment.

SLIDE 22

Principles For Formal Level IS Security Controls

  • Principle 1: Establishing a boundary between what can be formalized and what should be norm based is the basis for establishing appropriate control measures.
  • Principle 2: Rules for managing information security have little relevance unless they are contextualized.

SLIDE 23

Principles For Technical Level IS Security Controls

  • Principle 1: In managing the security of technical systems, a rationally planned grandiose strategy will fall short of achieving the purpose.
  • Principle 2: Formal models for maintaining the confidentiality, integrity and availability (CIA) of information cannot be applied to commercial organizations on a grand scale. Micro-management for achieving CIA is the way forward.

SLIDE 24

ISS CONTROLS/ SYSTEM PROTECTION PROGRAMS

Topic Five


SLIDE 25

Introduction

Information protection programs have two broad components, based on the nature of the threats and/or the levels at which information is handled in the organization:

  • Technology protection (technical level)
  • Human-based protection (formal/informal level)

SLIDE 26

Technological Protection (Technical Level Security Controls)

  • Physical protection
  • Firewalls
  • Security protocols
  • Encryption
  • Authentication
  • Virus monitoring and prevention
  • Audit control software
  • System monitoring and incident response
  • Performing system backups
  • Planning for disaster recovery
  • Other protection measures

SLIDE 27

Physical Protection

This has to do with physically denying unauthorized people access to information system resources. Measures include:

  • Keeping information system resources under lock and key
  • Physically securing computers to desks
  • Locking hard drives with a key
  • Fitting intruder alarms
  • Closed-circuit television (CCTV)

SLIDE 28

Firewalls

  • A firewall is either software or hardware that sits between the user's computer (or internal network) and an external network and filters the traffic coming in and going out. Firewalls cannot do the following:
  • They cannot prevent individuals on internal networks from using their own modems (or any other unmanaged connection) to bypass the firewall: traffic that never passes through the firewall is never filtered by it.

SLIDE 29

Firewalls

  • Employee misconduct or carelessness cannot be controlled by firewalls (e.g. the handling of passwords or user accounts).
  • Users on stand-alone computers can choose to disable the firewall, leaving their computer open to harmful intruders.
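The filtering a firewall performs, as an added example that is not part of the original slides: a small first-match rule engine with a default-deny policy, applied to a constructed set of packets. The 10.0.0.0/24 office network, the web server at 10.0.0.5 and the sample packets are assumptions made for the illustration, not taken from the lecture. It also makes the first limitation above concrete: a packet that does not pass through `Firewall.decide` (say, one sent over an employee's own modem) is never examined at all.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    direction: str   # "in" or "out", relative to the protected network


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str               # "in", "out" or "any"
    src: str = "0.0.0.0/0"       # CIDR; the default matches every address
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None  # None matches every destination port

    def matches(self, p: Packet) -> bool:
        return (
            self.direction in ("any", p.direction)
            and ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and self.proto in ("any", p.proto)
            and (self.dport is None or self.dport == p.dport)
        )


class Firewall:
    """First-match evaluation: the first rule that matches decides.
    Anything no rule matches is dropped (default deny)."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return "deny"


# Constructed policy (assumption): inbound only HTTPS to the web server,
# outbound only web browsing from the office network.
POLICY = Firewall([
    Rule("allow", "in", dst="10.0.0.5/32", proto="tcp", dport=443),
    Rule("allow", "out", src="10.0.0.0/24", proto="tcp", dport=443),
    Rule("allow", "out", src="10.0.0.0/24", proto="tcp", dport=80),
    Rule("deny", "any"),   # explicit catch-all, same effect as the default
])

# Constructed sample packets, with the decision the policy should reach.
SAMPLE = [
    Packet("198.51.100.7", "10.0.0.5", "tcp", 443, "in"),    # allow
    Packet("198.51.100.7", "10.0.0.5", "tcp", 22, "in"),     # deny (SSH not exposed)
    Packet("10.0.0.12", "203.0.113.9", "tcp", 443, "out"),   # allow
    Packet("10.0.0.12", "203.0.113.9", "udp", 53, "out"),    # deny (not in policy)
]


def evaluate(fw: Firewall = POLICY, packets=SAMPLE):
    """Return the decision for each packet, in order."""
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, evaluate()):
        print(f"{verdict:5} {p.direction:3} {p.src} -> {p.dst} {p.proto}/{p.dport}")
```

Rule order matters: had the catch-all deny been listed first, nothing would ever be allowed, which is why real rulesets put the most specific rules at the top and a deny at the bottom.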

SLIDE 30

Security Protocols

These are sets of rules used by computers to communicate securely with each other across a network, for example when using the internet. Two related protocols are:

  • Secure Sockets Layer (SSL)
  • Transport Layer Security (TLS), the successor to SSL

SLIDE 31

Secure Sockets Layer (SSL)

This allowed data to be sent and received securely over the internet. When a user logs onto a website, SSL encrypts the data so that only the user's computer and the web server are able to make sense of what is transmitted. All versions of SSL (2.0 and 3.0) are now deprecated because of known weaknesses and have been replaced by TLS.

SLIDE 32

Transport Layer Security (TLS)

  • This is similar to SSL but is a more recent protocol, standardized by the IETF; the current version is TLS 1.3.
  • TLS is more secure than SSL and should be used in its place.
  • It is designed to provide encryption, authentication and data integrity between devices and users when communicating over the internet.
  • All current web browsers support TLS; the old SSL versions should be disabled on both servers and clients.

SLIDE 33

Encryption

  • Encryption is primarily used to protect data in case it is intercepted or accessed illegally: an attacker who obtains the stored or transmitted data still cannot read it without the key.
  • It uses a secret key that transforms the characters (bytes) of a message.
  • The key used to encrypt (encode) the message is known as the encryption key; the key used to decrypt (decipher) the message is known as the decryption key. In symmetric encryption these are the same key; in public-key encryption they differ. When a message undergoes encryption, the result is called ciphertext; the original is the plaintext.
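The relationship between plaintext, key and ciphertext, as an added example that is not part of the lecture: a symmetric scheme built only from the standard library, in which the encryption key and the decryption key are the same secret. It derives separate confidentiality and integrity keys from that secret, generates a keystream from HMAC-SHA256 in counter mode, XORs it with the plaintext, and appends an HMAC tag over the ciphertext (encrypt-then-MAC) so that tampering or a wrong key is detected before anything is decrypted. The construction is this example's own choice for teaching; in production one would use an established library cipher such as AES-GCM rather than this. The 16-byte nonce length and the sample message are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN = 16   # assumption for this example; never reuse a nonce under one key
TAG_LEN = 32     # HMAC-SHA256 output


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudo-random keystream: block i = HMAC-SHA256(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def derive_keys(master_key: bytes):
    """Separate keys for confidentiality and integrity from one shared secret."""
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt(master_key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Return nonce || ciphertext || tag. The tag binds nonce and ciphertext."""
    enc_key, mac_key = derive_keys(master_key)
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(master_key: bytes, message: bytes) -> bytes:
    """Verify the tag first; only then undo the XOR. Raises ValueError on failure."""
    enc_key, mac_key = derive_keys(master_key)
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, body, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


def decrypt_or_none(master_key: bytes, message: bytes) -> Optional[bytes]:
    try:
        return decrypt(master_key, message)
    except ValueError:
        return None


def tamper_is_detected(master_key: bytes, message: bytes) -> bool:
    """Flip one bit of the ciphertext and check that decryption refuses it."""
    flipped = bytearray(message)
    flipped[NONCE_LEN] ^= 0x01
    return decrypt_or_none(master_key, bytes(flipped)) is None


if __name__ == "__main__":
    key = os.urandom(32)                      # the shared secret (constructed)
    ct = encrypt(key, b"attack at dawn")      # constructed sample message
    print("ciphertext:", ct.hex())
    print("plaintext :", decrypt(key, ct))
    print("tamper detected:", tamper_is_detected(key, ct))
```

Note what the tag adds: XOR with a keystream alone gives confidentiality but not integrity, since flipping a ciphertext bit flips the same plaintext bit undetected. The lecture's later slides on audit trails and integrity rely on exactly this distinction.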

SLIDE 34

Authentication

Authentication is used to verify that a user, device or piece of data really is what or who it claims to be, i.e. that it comes from a trusted source. Authentication comes in the following forms:

  • Digital certificates
  • Passwords
  • Biometrics

SLIDE 35

Digital Certificates

  • A digital certificate is an electronic document that is used to identify an individual, a server, a company, or some other entity, and to associate that identity with a public key.
  • Like a driver's license, a passport, a student ID, a library card, or other commonly used personal IDs, a certificate provides generally recognized proof of an entity's identity; that proof rests on the signature of the issuing certificate authority (CA), which the verifier must already trust.
  • Digital certificates use public key cryptography to address the problem of impersonation.

SLIDE 36

Passwords

  • A password is a word or string of characters used for user authentication, to prove identity or access approval in order to gain access to an information system.
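How a system should store and check a password, as an added example that is not from the lecture. It also enforces the point made earlier about default passwords: values from a known default list are refused at enrolment. Passwords are never stored; a per-user random salt and PBKDF2-HMAC-SHA256 produce a verifier, and the check uses a constant-time comparison. The iteration count, the storage format and the short default-password list are this example's assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (assumption; tune to hardware)

# Constructed list of vendor-default / trivially guessable passwords to reject.
DEFAULT_PASSWORDS = {"admin", "password", "123456", "changeme", "default", "root"}


def is_default_password(password: str) -> bool:
    return password.strip().lower() in DEFAULT_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing verifier string: algorithm$iterations$salt$hash.
    Refuses passwords from the default list so they never reach storage."""
    if is_default_password(password):
        raise ValueError("rejected: default or trivially guessable password")
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported verifier format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison: timing must not reveal how many bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")   # constructed sample
    print(record)
    print("good password accepted:", verify_password("correct horse battery staple", record))
    print("wrong password rejected:", not verify_password("Tr0ub4dor&3", record))
```

Because the salt and iteration count travel with the verifier, the work factor can be raised later for new enrolments without breaking existing records.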

SLIDE 37

Biometrics

Biometrics relies on certain unique characteristics of human beings. Examples include:

  • Fingerprint scans
  • Signature recognition
  • Retina scans
  • Iris recognition
  • Face recognition
  • Voice recognition


SLIDE 38

Virus Monitoring and Prevention

This includes activities such as:

  • Installing antivirus software and updating it frequently
  • Not using external storage devices from untrusted sources
  • Deleting, without opening, all unknown emails and email attachments
  • Quickly cleaning up your system as soon as you contract a virus
  • Periodically scanning your system

SLIDE 39

Audit control software

This is software which enables organizations to keep track of all activities on computers within the information system. It ensures that every user of the system leaves footprints of their activities. For those footprints to be useful as evidence, the record itself must be protected from alteration by the users it describes, including administrators.
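One way to make an audit trail tamper-evident, as an added example that is not code from the lecture: each entry carries an HMAC over the previous entry's link value and its own content, keyed with a secret the audited users do not hold. Editing, reordering or deleting an earlier entry then breaks every later link, which a verifier can detect. The record layout, the key and the sample events are assumptions for the illustration.

```python
import hashlib
import hmac
import json
from typing import Optional

GENESIS = b"\x00" * 32   # link value "before" the first entry


class AuditLog:
    """Append-only log in which every entry commits to the one before it."""

    def __init__(self, key: bytes):
        self._key = key          # held by the log collector, not by audited users
        self.entries = []
        self._last = GENESIS

    def append(self, user: str, action: str, target: str) -> dict:
        record = {"seq": len(self.entries), "user": user,
                  "action": action, "target": target}
        payload = json.dumps(record, sort_keys=True).encode()
        link = hmac.new(self._key, self._last + payload, hashlib.sha256).digest()
        record["link"] = link.hex()
        self.entries.append(record)
        self._last = link
        return record

    @staticmethod
    def verify(key: bytes, entries) -> Optional[int]:
        """Return None if the chain is intact, else the index of the first bad entry."""
        last = GENESIS
        for i, entry in enumerate(entries):
            body = {k: v for k, v in entry.items() if k != "link"}
            payload = json.dumps(body, sort_keys=True).encode()
            expected = hmac.new(key, last + payload, hashlib.sha256).digest()
            if entry.get("seq") != i or not hmac.compare_digest(bytes.fromhex(entry["link"]), expected):
                return i
            last = expected
        return None


def build_sample_log(key: bytes) -> AuditLog:
    """Constructed events, not from any real system."""
    log = AuditLog(key)
    log.append("alice", "read", "/payroll/2019.xlsx")
    log.append("bob", "delete", "/payroll/2019.xlsx")
    log.append("carol", "login", "hr-server")
    return log


if __name__ == "__main__":
    key = b"collector-secret-key-for-example-only"
    log = build_sample_log(key)
    print("intact:", AuditLog.verify(key, log.entries))           # None
    forged = [dict(e) for e in log.entries]
    forged[1]["user"] = "alice"                                   # bob edits his own entry
    print("after forgery, first bad entry:", AuditLog.verify(key, forged))   # 1
```

The scheme detects changes inside the chain but not the removal of the newest entries, so the collector should also publish or forward the latest link value (for instance to a separate write-once log host) so that truncation is visible too.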

SLIDE 40

System monitoring and Incident Response

This involves setting up a help desk and/or an operations control center within the organization to carry out:

  • Incident monitoring: can be done manually or with the use of applications
  • Incident management
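What "incident monitoring with the use of applications" looks like in its simplest form, as an added example that is not from the lecture: detection logic run over constructed authentication-log lines. It flags a source address that produces five failed logins inside one minute and escalates if a successful login from that address follows the burst, which is the case an incident responder wants paged rather than filed. The log layout, the threshold and the window are assumptions for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth-log lines in a syslog-like layout (not from any real host).
SAMPLE_LOG = """\
2019-03-04T09:00:01 sshd[412]: Failed password for invalid user admin from 203.0.113.9 port 51022
2019-03-04T09:00:03 sshd[412]: Failed password for root from 203.0.113.9 port 51023
2019-03-04T09:00:04 sshd[412]: Failed password for root from 203.0.113.9 port 51024
2019-03-04T09:00:06 sshd[412]: Failed password for root from 203.0.113.9 port 51025
2019-03-04T09:00:07 sshd[412]: Failed password for root from 203.0.113.9 port 51026
2019-03-04T09:00:09 sshd[413]: Accepted password for root from 203.0.113.9 port 51027
2019-03-04T09:05:00 sshd[420]: Failed password for alice from 10.0.0.12 port 40001
2019-03-04T09:30:00 sshd[421]: Failed password for alice from 10.0.0.12 port 40002
"""

LINE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse(log_text: str):
    """Yield (timestamp, result, user, source_ip) for every line that matches."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def detect_bruteforce(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(minutes=1)):
    """Return (alert_type, source_ip, timestamp) tuples.

    'bruteforce' fires when a source reaches `threshold` failures within
    `window`; 'compromise_suspected' fires when a success from that source
    follows while the burst is still inside the window."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    alerts = []
    for ts, result, user, ip in parse(log_text):
        recent = [t for t in failures[ip] if ts - t <= window]
        if result == "Failed":
            recent.append(ts)
            failures[ip] = recent
            if len(recent) == threshold:
                alerts.append(("bruteforce", ip, ts))
        elif result == "Accepted" and len(recent) >= threshold:
            alerts.append(("compromise_suspected", ip, ts))
    return alerts


if __name__ == "__main__":
    for kind, ip, ts in detect_bruteforce(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:20} {ip}")
```

The two failures from 10.0.0.12 are 25 minutes apart and stay below the threshold, so they produce no alert; the window is what separates an employee mistyping a password from a dictionary attack.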

SLIDE 41

Performing System Backups

This entails saving a copy of the data stored on the system's hard drives to a different data storage facility, so that it can be restored after loss or corruption. A backup that has never been test-restored should not be counted on.

SLIDE 42

Planning For Disaster Recovery

Keeping backup sites to enable business continuity in time of a disaster. Examples of backup sites include:

  • Hot backup sites: where essential systems have been duplicated at the alternative facility and are fully configured to pick up operations should the primary site fail.
  • Warm backup sites: where essential systems have been duplicated but not fully configured.
  • Cold backup sites: essentially an empty facility in which an organization can reconstitute its systems.

SLIDE 43

Other Protection Measures

  • Uninterruptible Power Supply (UPS)
  • Redundant critical components (equipment, communications, etc.)

SLIDE 44

HUMAN BASED PROTECTION

Topic Six


SLIDE 45

Human Based Protection

The following are some of the basic human-based protections that need to be put in place:

Ethics: new and dynamic situations create difficulties, and in many situations there simply are no established rules for action. The way forward is to ensure members will act according to a set of working norms embedded in ethical standards. The difficulty is where new and existing members get the ethics needed to shape informal norms and behavior.

SLIDE 46

Human Based Protection

  • Laws: creation of policies, procedures, standards and training requirements directly relating to the improvement of information system confidentiality, integrity and availability.

SLIDE 47

Human Based Protection

Effective management: management of information system change, and performance of risk analyses to evaluate the risk potential of new information systems and re-evaluate the risks associated with existing business applications and IT infrastructure.

SLIDE 48

Human Based Protection

Education and awareness creation: education, training and awareness creation are essential in establishing effective policy compliance.

  • The effectiveness of policies, procedures and standards is seriously undermined if organizational users are able to claim ignorance of their existence. This is particularly true with respect to compliance with specific standards and procedures.

SLIDE 49

END

Thank You