Chapter 10
Information Security Management
“But How Do You Implement That Security?”
• Video conference with potential PRIDE promoter and advertiser, San Diego Sports
• PRIDE originally designed to store medical data.
• SDS wants to know if PRIDE systems provide acceptable level of security.
• Doesn’t want to be affiliated with company with major security problem.
• Criminals now focus attacks on inter-organizational systems.
Copyright © 2016 Pearson Education, Inc.
10-2
PRIDE Design for Security
Study Questions
Q1: What is the goal of information systems security?
Q2: How big is the computer security problem?
Q3: How should you respond to security threats?
Q4: How should organizations respond to security threats?
Q5: How can technical safeguards protect against security threats?
Q6: How can data safeguards protect against security threats?
Q7: How can human safeguards protect against security threats?
Q8: How should organizations respond to security incidents?
Q9: 2025?
Q1: What Is the Goal of Information Systems Security?
Examples of Threat/Loss
What Are the Sources of Threats?
What Types of Security Loss Exist?
• Unauthorized Data Disclosure
• Pretexting
• Phishing
• Spoofing
– IP spoofing
– Email spoofing
• Drive-by sniffers
– Wardrivers
• Hacking
Incorrect Data Modification
• Procedures incorrectly designed or not followed
• Increasing a customer’s discount or incorrectly modifying an employee’s salary
• Placing incorrect data on the company Web site
• Improper internal controls on systems
• System errors
• Faulty recovery actions after a disaster
Faulty Service
• Incorrect data modification
• Systems working incorrectly
• Procedural mistakes
• Programming errors
• IT installation errors
• Usurpation
• Denial of service (unintentional)
• Denial-of-service attacks (intentional)
Loss of Infrastructure
• Human accidents
• Theft and terrorist events
• Disgruntled or terminated employee
• Natural disasters
• Advanced Persistent Threat (APT)
– Sophisticated, possibly long-running computer hack perpetrated by large, well-funded organizations
Goal of Information Systems Security
• Find the appropriate trade-off between the risk of loss and the cost of implementing safeguards
• Use antivirus software
• Deleting browser cookies?
• Get in front of the security problem by making appropriate trade-offs for your life and your business
Q2: How Big Is the Computer Security Problem?
Computer Crime Costs per Organizational Respondent
Average Computer Crime Cost and Percent of Attacks by Type (5 Most Expensive Types)
Computer Crime Costs
Ponemon Study Findings (2013)
• No one knows exact cost of computer crime
• Cost of computer crime based on surveys
• Data loss was the single most expensive consequence of computer crime, accounting for 44% of costs in 2013
• 80% of respondents believe data on mobile devices poses significant risks.
Ponemon 2013 Studies Summary
• Median cost of computer crime increasing
• Malicious insiders increasingly serious security threat
• Data loss is principal cost of computer crime
• Survey respondents believe mobile device data a significant security threat
• Security safeguards work
• Ponemon Study 2014
Q3: How Should You Respond to Security Threats?
Personal Security Safeguards
So What? The Latest from Black Hat
• Annual security conference that caters to hackers, security professionals, corporations, and government entities
• Briefings on how things can be hacked
• Show how to exploit weaknesses in hardware, software, protocols, or systems, from smartphones to ATMs
• Encourage companies to fix product vulnerabilities and serve as an educational forum for hackers, developers, manufacturers, and government agencies
Q4: How Should Organizations Respond to Security Threats?
Security Policy Should Stipulate
• What sensitive data the organization will store
• How it will process that data
• Whether data will be shared with other organizations
• How employees and others can obtain copies of data stored about them
• How employees and others can request changes to inaccurate data
• What employees can do with their own mobile devices at work
As a new hire, seek out your employer’s security policy
Ethics Guide: Securing Privacy
“The best way to solve a problem is not to have it.”
– Resist providing sensitive data
– Don’t collect data you don’t need
• Gramm-Leach-Bliley (GLB) Act, 1999
• Privacy Act of 1974
• Health Insurance Portability and Accountability Act (HIPAA), 1996
• Australian Privacy Act of 1988
  – Covers government and healthcare data, and records maintained by businesses with revenues in excess of AU$3 million.
Ethics Guide: Securing Privacy: Wrap Up
• Business professionals have a responsibility to consider legality, ethics, and wisdom when they request, store, or disseminate data
• Think carefully about email you open over public wireless networks
• Use long, strong passwords
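The last bullet is easy to state and hard to act on. The following added example (not part of the slides or the textbook) makes "long, strong" measurable: it estimates the brute-force entropy of a password as length times log2 of the character pool it draws from, rejects entries found in a small constructed list of common passwords (a stand-in for the breach lists real checkers use), and shows that a long lowercase passphrase outscores a short password stuffed with symbols. The thresholds `min_len` and `min_bits` are assumptions chosen for illustration.

```python
import math
import string

# Constructed stand-in for a breached-password list (assumption, not from the slides).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def charset_size(pw: str) -> int:
    """Size of the smallest standard character pool that covers every character in pw."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII symbols
    if any(c not in string.printable for c in pw):
        size += 100  # rough allowance for non-ASCII characters (assumption)
    return size


def entropy_bits(pw: str) -> float:
    """Upper bound on guessing entropy: every position is a uniform draw from the pool."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def rate(pw: str, min_len: int = 12, min_bits: float = 60.0) -> str:
    """Classify a password; thresholds are illustrative assumptions."""
    if pw.lower() in COMMON_PASSWORDS:
        return "reject: common password"  # dictionary hit beats any entropy estimate
    if len(pw) < min_len:
        return "reject: too short"
    if entropy_bits(pw) < min_bits:
        return "weak"
    return "ok"


if __name__ == "__main__":
    for candidate in ["P@ss1", "Welcome1", "aaaaaaaaaaaa", "correct horse battery staple"]:
        print(f"{candidate!r}: {entropy_bits(candidate):.1f} bits -> {rate(candidate)}")
```

Note that "P@ss1" uses all four ASCII pools but is too short to matter, while the 28-character lowercase passphrase lands well above 100 bits; length dominates the estimate because it multiplies, whereas a bigger pool only adds a few bits per character. The common-password check runs first because an entry on a breach list is guessable regardless of its computed entropy.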
Q5: How Can Technical Safeguards Protect Against Security Threats?
Essence of https (SSL or TLS)