
Managing Information Technology 6th Edition


Presentation Transcript


  1. Managing Information Technology, 6th Edition
     CHAPTER 16: INFORMATION SECURITY
  2. Information Security
     - Background: organizations face security threats from both within and outside
     - Traditional security measures have addressed external threats
     - Understanding the managerial aspects of information security is important because of the changing regulatory environment and the potential risk exposure that some firms face
  3. E-Crime
     - Examples of credit card security breaches: TJX, CardSystems Inc.
  4. E-Crime
     - Many types of e-crime
     - All incur costs to organizations or individuals (Figure 16.2)
  5. E-Crime
     - Some common ways computers are attacked:
  6. E-Crime
     - Other techniques used in e-crime:
  7. E-Crime
     - Hacker vs. Cracker
  8. E-Crime
     - All managers responsible for security compliance should have an understanding of the basics of security technology
  9. Information Risk Management
     - Steps in risk management:
       - Determine the organization's information assets and their values
       - Decide how long the organization can function without specific information assets
       - Develop and implement security procedures (controls) to protect these information assets
  10. Information Risk Management
     - Steps in risk management: determine the organization's information assets and their values
     - Example: one organization determined that corporate information found on employee laptops is an important asset
     - The organization estimates that a loss of the information on a single laptop may cost $50,000 on average
  11. Information Risk Management
     - The expected losses due to a vulnerability can be calculated with the following formula:
  12. Information Risk Management
     - Quantitative example:
       - Losing the corporate data from a single laptop has an estimated value of $50,000
       - The corporation identified three occurrences in the last two years where a laptop had been lost
       - This is an Annual Occurrence Rate of 1.5
  13. Information Risk Management
     - Quantitative example: therefore, the Annualized Expected Losses (AEL) amount to $75,000
  14. Information Risk Management
     - After performing a quantitative risk analysis, the Annualized Expected Losses (AEL) are used to perform a security cost-benefit analysis
  15. Information Risk Management
     - Security cost-benefit analysis
       - Managers must estimate the costs of the actions performed to secure the information asset
       - The return benefit from the actions can be estimated with the following formula:
  16. Information Risk Management
     - Security cost-benefit analysis
       - From the laptop example, the company estimates that adding strong encryption to the corporate data on the laptops will cost $100 per year for each of the 200 laptops in the company
       - Overall, a $20,000 annualized cost for this intervention would be realized
  17. Information Risk Management
     - Security cost-benefit analysis
       - After performing the analysis, we find that this action has an estimated return benefit of $55,000 per year
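The quantitative risk analysis and cost-benefit analysis of slides 9 through 17, carried through in code. This is an added example, not code from the textbook or the slides. It reuses the slides' numbers ($50,000 per lost laptop, three losses in two years, 200 laptops encrypted at $100 per year each); the residual_fraction parameter and the two extra candidate controls (a tracking service and a courier arrangement) are constructed here as assumptions so that the same formulas can rank alternatives, and with residual_fraction = 0 the code reproduces the slides' $55,000 return benefit.

```python
"""Quantitative information risk analysis (added example, not the textbook's code).

AEL  = loss per incident x annual occurrence rate (ARO)
Return benefit = AEL avoided by a control - annualized cost of the control

The residual_fraction field is an assumption added here: the share of the AEL
that a control does NOT remove. The slides treat encryption as removing the
loss entirely, which is residual_fraction = 0.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    loss_per_incident: float    # estimated cost of one incident (Single Loss Expectancy)
    incidents_observed: int     # incidents counted in the observation window
    observation_years: float    # length of the observation window in years

    def annual_occurrence_rate(self) -> float:
        # ARO: incidents per year, e.g. 3 losses in 2 years -> 1.5
        return self.incidents_observed / self.observation_years

    def annualized_expected_loss(self) -> float:
        # AEL = SLE x ARO
        return self.loss_per_incident * self.annual_occurrence_rate()


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual_fraction: float = 0.0   # assumption: fraction of AEL left after the control


def return_benefit(asset: Asset, control: Control) -> float:
    """Annual return benefit of applying `control` to `asset`.

    A negative value means the control costs more per year than it is expected to save.
    """
    avoided_loss = asset.annualized_expected_loss() * (1.0 - control.residual_fraction)
    return avoided_loss - control.annual_cost


def rank_controls(asset: Asset, controls: list[Control]) -> list[tuple[str, float]]:
    """Candidate controls sorted by return benefit, best first."""
    scored = [(c.name, return_benefit(asset, c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Scenario from the slides.
LAPTOP_DATA = Asset("corporate data on employee laptops", loss_per_incident=50_000,
                    incidents_observed=3, observation_years=2)
LAPTOP_ENCRYPTION = Control("strong encryption on 200 laptops at $100/yr each",
                            annual_cost=200 * 100)

# Constructed alternatives (assumed costs and effectiveness, not from the slides).
CANDIDATE_CONTROLS = [
    LAPTOP_ENCRYPTION,
    Control("laptop tracking service (assumed)", annual_cost=30_000, residual_fraction=0.5),
    Control("courier transport for all laptops (assumed)", annual_cost=90_000),
]

if __name__ == "__main__":
    print(f"ARO  = {LAPTOP_DATA.annual_occurrence_rate():.2f} incidents/yr")
    print(f"AEL  = ${LAPTOP_DATA.annualized_expected_loss():,.0f}/yr")
    for name, benefit in rank_controls(LAPTOP_DATA, CANDIDATE_CONTROLS):
        print(f"{benefit:>10,.0f}  {name}")
```

Running the script prints the ARO of 1.50, the AEL of $75,000, and the ranked controls: encryption at $55,000 per year, the tracking service at $7,500, and the courier option at a loss of $15,000, which is the slides' point that a control is only justified when its annualized cost is below the loss it avoids. The ranking is only as good as the inputs; a two-year observation window with three incidents gives a coarse ARO, so the analyst should revisit the rate as more incident data accumulates.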
  18. Compliance with Current Security Laws
     - The legal and regulatory environment impacts information security practices (Figure 16.7)
  19. Compliance with Current Security Laws
     - Sarbanes-Oxley Act of 2002 (SOX)
       - Created as a response to the scandals at Enron, Tyco, WorldCom, and others
       - Applies to publicly traded US companies
  20. Compliance with Current Security Laws
     - SOX affects IS leaders in two major ways:
       - Records retention: the act states that companies must retain electronic communication such as email and instant messaging for a period of at least five years
       - IT audit controls: officers must certify that they are responsible for establishing and maintaining internal controls
  21. Compliance with Current Security Laws
     - Section 404 of SOX states that companies must use an internal control framework such as COSO
  22. Compliance with Current Security Laws
     - Internal controls are assurance processes
     - COSO defines internal controls:
  23. Compliance with Current Security Laws
     - The COSO framework contains five interrelated categories: Risk Assessment, Control Environment, Control Activities, Monitoring, and Information and Communication
  24. Compliance with Current Security Laws
     - Gramm-Leach-Bliley Act of 1999 (GLBA)
       - Mandates that all organizations maintain a high level of confidentiality of all financial information of their clients or customers
       - The act gives federal agencies and states the authority to enforce the following rules: Financial Privacy Rule, Safeguards Rule
  25. Compliance with Current Security Laws
     - Gramm-Leach-Bliley Act of 1999 (GLBA)
       - Financial Privacy Rule
         - Requires financial institutions to provide customers with privacy notices
         - Organizations must clearly state their privacy policies when establishing relationships with customers
         - Organizations cannot disclose nonpublic personal information to a third party
       - Safeguards Rule
  26. Compliance with Current Security Laws
     - Gramm-Leach-Bliley Act of 1999 (GLBA)
       - Safeguards Rule: organizations must have a written security plan in place to protect customers' nonpublic confidential information
  27. Compliance with Current Security Laws
     - Health Insurance Portability and Accountability Act (HIPAA)
       - HIPAA requires organizations to secure nonpublic confidential medical information
       - Noncompliance can lead to serious penalties and fines
  28. Compliance with Current Security Laws
     - Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT)
       - Commonly called the PATRIOT Act
       - Gives the US government greater ability to access information
       - Victims of computer hacking can now request law enforcement assistance
  29. Developing an Information Security Policy
     - Information security policies
       - Required by many regulations (e.g., SOX)
       - Required to obtain insurance
  30. Developing an Information Security Policy
     - Who should develop the security policy?
       - Representatives of all affected user groups and stakeholders
       - Must have the support of the managers who train and enforce the policy
       - The committee that develops the policy should meet regularly to ensure that the security policy meets the organization's needs and satisfies current regulations
  31. Developing an Information Security Policy
     - What should be in the policy?
       - Common topics: access control policies, external access policies, user and physical policies
       - Example policies: the SANS Institute provides templates for many policy types
  32. Developing an Information Security Policy
     - Policies should be appropriate to the estimated risks of the organization
     - They should be quickly modified when new situations arise that affect security
     - Organizations should make it easy for employees to access the most recent policy
  33. Planning for Business Continuity
     - This is more than simple disaster recovery
     - When an organization cannot resume operations in a reasonable time frame, it leads to business failure
  34. Planning for Business Continuity
     - McNurlin & Sprague identified the following components of BCP that were often overlooked before the 9/11 terrorist attacks:
       - Alternate workspaces for people, with working computers and phone lines
       - Backup IT sites that are not too close, but not too far away
       - Up-to-date evacuation plans that everyone knows and has practiced
  35. Planning for Business Continuity
     - McNurlin & Sprague identified the following components of BCP that were often overlooked before the 9/11 terrorist attacks:
       - Backed-up laptops and departmental servers, because a lot of corporate information is housed on these machines rather than in the data center
       - Helping people cope with a disaster by having easily accessible phone lists, e-mail lists, and even instant-messenger lists so that people can communicate with loved ones and colleagues
  36. Planning for Business Continuity
     - Creating a BCP begins with a business impact analysis with the following steps:
       - Define the critical business processes and departments
       - Identify interdependencies between them
       - Examine all possible disruptions to these systems
       - Gather quantitative and qualitative information on these threats
       - Provide remedies for restoring systems
  37. Planning for Business Continuity
     - Disruptions are usually ranked based on the following categories:
  38. Planning for Business Continuity
     - Electronic Records Management (ERM)
       - Covers the retention of important digital documents
       - Grew out of the need to satisfy regulations such as SOX and HIPAA
       - May require a centralized approach
       - eDiscovery amendments to the rules of civil procedure make ERM even more important
  39. Planning for Business Continuity
     - Electronic Records Management (ERM)
       - ERM managers are responsible for the following:
         - Defining what constitutes an electronic record
         - Analyzing the current business environment and developing appropriate ERM policies
         - Classifying specific records based upon their importance, regulatory requirements, and retention duration
         - Authenticating records by maintaining accurate logs and procedures to prove that these are the actual records and that they have not been altered
         - Managing policy compliance
  40. Planning for Business Continuity
     - Electronic Records Management (ERM)
       - Managers must realize that businesses may be digitally liable for actions their employees have taken when communicating electronically
       - Electronic corporate information may reside on computers external to the company (e.g., cached email)
  41. The Chief Information Security Officer Role
     - With increasing pressure to comply with laws and regulations, many companies have added a chief information security officer (CISO) to their organization
     - The CISO is responsible for monitoring information security risks and developing strategies to mitigate those risks
  42. The Chief Information Security Officer Role
     - As it is impossible to eliminate all risk, the CISO must balance the trade-offs between risks and the costs of eliminating them