Management of information systems - security challenges MBA 501 WEEK 7
This week: continuing our look at management issues • Last week we looked at the operational issue of outsourcing • This week we will look at another operational issue – that of managing security • Both of these areas reflect the change in focus of the IS function • From managing inwards, to managing outwards • WHY? WHAT HAS HAPPENED?
Why is security an important management issue? • Information is a key business asset • It needs to be accessible to all who need it • It needs to be protected • Managers need to develop and implement an overall strategy for security • Managers need to understand the threats • Managers need to understand specific techniques for protecting systems • Particularly important as organizations move into eBusiness and open up • Goal is to reduce business risk to an acceptable level McNurlin & Sprague. Information Systems Management in Practice. 7th Ed. Pearson Prentice Hall
Management issues re security • Business consequences of poor security can be very serious • damage to IT infrastructure through threats and attacks from outside • loss of data, exposure of customers’ private information, loss of profits, loss of opportunity, damaged reputation • Consumer impacts (credit cards exposed, viruses, malware, spyware etc) • “Chill” effect on eBusiness – both buy side and sell side (B2C) • Security issues have a high profile in the media
Identifying and managing risk • Airtight security is not possible • Risks must be identified and prioritized (in terms of the business context) • Then resources must be put into guarding against the most serious threats • What does “serious” mean? – most likely to happen / greatest business impact?
Key security issues for both customers and managers • Organizations must guard their own data and their customers’ data, and create a secure and predictable environment for commercial exchange – they must create TRUST • Basic pillars of security: ‘PAIN’ • Privacy (and confidentiality) • Authentication and Authorization (Identification) • Integrity • Non-repudiation
PAIN: Privacy and Confidentiality • One of the major concerns that customers have about eBusiness – the Internet is a public space • Firms need to ensure that information that is private or sensitive is kept secure and not used for any purpose other than that agreed to • credit card numbers • trade secrets / proprietary information • business plans • health records etc • Confidentiality during transactions is usually ensured by encryption
PAIN: Authentication • When someone submits something to your website, how can you be sure that they are who they claim to be? eg. • using credit cards • making a contract or application • registering for an email newsletter • Authentication is the process by which one entity verifies that another entity is who they claim to be • Authentication requires evidence in the form of credentials: • “something you have” plus “something you know” plus “something you are” (biometrics) eg. • username and password • Two-factor authentication (Gmail example) • credit card – match exact billing name and address • digital signatures and digital certificates
PAIN: Authorization • Once a person has been authenticated, we need to be satisfied that she is authorized to access or do certain things on our site • Does the person (or program) have the right to access particular data, programs, or system resources (particularly important when protecting a server from hackers) • Authorization is usually determined by comparing information about the person or program with access control information associated with the resource being accessed (permissions)
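The two steps described on the last two slides, authenticating a user with two factors and then checking what that user is permitted to do against the permissions attached to a resource, as an added worked example in Python. This is illustration code written for this page, not from the lecture or from McNurlin & Sprague. The salted password hash, the TOTP one-time code (the “something you have” factor behind the Gmail two-factor example), the Account and Resource records and the role-to-actions ACL format are all constructed for the example; the TOTP secret and timestamp are the sample values published in RFC 6238.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# ---------------------------------------------------------------------------
# Authentication: "something you know" (password) + "something you have"
# (a time-based one-time code from an app on the user's phone)
# ---------------------------------------------------------------------------

def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash; only this digest is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1, 30-second steps)."""
    counter = (unix_time // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

@dataclass
class Account:
    """Constructed user record: credentials plus the roles used for authorization."""
    name: str
    salt: bytes
    password_hash: bytes
    totp_secret: bytes
    roles: frozenset

def authenticate(acct: Account, password: str, code: str, now: int) -> bool:
    """Both factors must check out. The adjacent 30-second step on either side is
    accepted to tolerate clock drift; compare_digest keeps comparisons constant-time."""
    pw_ok = hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash)
    code_ok = any(hmac.compare_digest(totp(acct.totp_secret, now + d * 30), code)
                  for d in (-1, 0, 1))
    return pw_ok and code_ok

# ---------------------------------------------------------------------------
# Authorization: compare the authenticated subject with the resource's ACL
# ---------------------------------------------------------------------------

@dataclass
class Resource:
    """A protected object carrying its own access-control information (permissions)."""
    name: str
    acl: dict = field(default_factory=dict)   # role -> set of permitted actions

def is_authorized(acct: Account, action: str, resource: Resource) -> bool:
    """Grant only if some role of the subject is explicitly allowed the action.
    Anything not granted is denied (default deny)."""
    return any(action in resource.acl.get(role, ()) for role in acct.roles)

def demo() -> dict:
    """Constructed scenario: a shopper logs in, then tries two actions on the orders database."""
    salt = secrets.token_bytes(16)
    otp_secret = b"12345678901234567890"           # RFC 6238 sample key
    alice = Account("alice", salt, hash_password("correct horse", salt),
                    otp_secret, frozenset({"customer"}))
    orders = Resource("orders-db", {"customer": {"read_own"},
                                    "sales": {"read", "update"}})
    now = 59                                       # RFC 6238 sample timestamp
    good_code = totp(otp_secret, now)              # what the phone app would display
    return {
        "login_with_both_factors": authenticate(alice, "correct horse", good_code, now),
        "login_password_only_fails": not authenticate(alice, "correct horse", "000000", now),
        "login_code_only_fails": not authenticate(alice, "wrong password", good_code, now),
        "customer_reads_own_orders": is_authorized(alice, "read_own", orders),
        "customer_cannot_update_orders": not is_authorized(alice, "update", orders),
    }

if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'FAILED'}")
```

The point the slides make is visible in the last two entries of `demo()`: alice is fully authenticated, yet the authorization check still refuses an action her role has not been granted, because authentication establishes who the caller is and authorization separately decides what that identity may do.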
PAIN: Integrity • Integrity is the ability to prevent data from being altered or destroyed in an unauthorized or accidental manner • This could include hacking to deface a website • Altering data held on your website or database • Intercepting data • The parties to a transaction must be assured that all data and documents connected with it cannot be altered without detection
PAIN: Non-repudiation • The ability to ensure that neither side in a transaction can later claim that they, for instance • didn’t order something using a credit card • or didn’t accept an order or offer for something • Non-repudiation ensures that neither side can back out of a transaction by claiming it never took place • Particular problem with credit cards • Verified by Visa • Non-repudiation is also achieved by using digital signatures that make it difficult to claim that you weren’t involved in an exchange
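Integrity and non-repudiation side by side, as an added example covering both of the last two slides (illustration code written for this page, not the lecture’s or McNurlin & Sprague’s). An HMAC tag over a constructed order record detects any alteration, which is the integrity guarantee; but because customer and merchant hold the same key, either of them could have produced the tag, so it cannot settle a later dispute about who sent the message. A digital signature made with a private key that only the customer holds can, which is what the slide means by non-repudiation. The order record is constructed, and the RSA key uses two small primes chosen for readability, so the block demonstrates the property rather than offering real protection.

```python
import hashlib
import hmac
import secrets

# Constructed order record for the illustration (not from the lecture).
ORDER = b"order-id=1001;item=laptop;qty=1;amount=1299.00;card=****4242"

# --- Integrity: shared-key message authentication (HMAC-SHA256) -------------

def make_tag(key: bytes, message: bytes) -> bytes:
    """Tag that any holder of `key` can compute over the message."""
    return hmac.new(key, message, hashlib.sha256).digest()

def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time; any change to the
    message or the tag makes this return False."""
    return hmac.compare_digest(make_tag(key, message), tag)

# --- Non-repudiation: a signature only the private-key holder can produce ---
# Textbook RSA with small constructed primes. Real deployments use 2048-bit
# keys and a padding scheme, but the sign/verify relationship is the same.

def toy_rsa_keypair():
    p, q = 1000003, 1000033            # small primes, constructed for the example
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent (pow with -1 needs Python 3.8+)
    return (n, e), (n, d)              # (public key, private key)

def _digest_int(message: bytes, n: int) -> int:
    """Hash the message and reduce the digest into the signing modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private_key, message: bytes) -> int:
    n, d = private_key
    return pow(_digest_int(message, n), d, n)

def verify_signature(public_key, message: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest_int(message, n)

def demo() -> dict:
    """Run both mechanisms over the constructed order and a tampered copy."""
    shared_key = secrets.token_bytes(32)          # held by customer AND merchant
    tag = make_tag(shared_key, ORDER)
    tampered = ORDER.replace(b"qty=1", b"qty=10")

    public_key, private_key = toy_rsa_keypair()   # only the customer holds private_key
    signature = sign(private_key, ORDER)

    return {
        "hmac_accepts_original": verify_tag(shared_key, ORDER, tag),
        "hmac_detects_tampering": not verify_tag(shared_key, tampered, tag),
        # Integrity but not non-repudiation: whoever holds the shared key can
        # mint a valid tag for any message, so the tag alone cannot show which
        # party wrote it.
        "hmac_tag_reproducible_by_any_key_holder":
            verify_tag(shared_key, tampered, make_tag(shared_key, tampered)),
        "signature_accepts_original": verify_signature(public_key, ORDER, signature),
        "signature_detects_tampering": not verify_signature(public_key, tampered, signature),
    }

if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'FAILED'}")
```

Both mechanisms make alteration detectable, which is the integrity pillar. Only the signature binds the message to a specific party, because verification uses the public key while producing a valid signature requires the private key that the customer alone holds; that asymmetry is what lets a merchant show later that the order really came from that customer.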
Security for e-payments and other transactions: encryption • The cornerstone for secure online payments and other transactions is encryption • Messages moving across the network can be encrypted or scrambled in such a way that it is too difficult, expensive or time consuming for an unauthorized person to unscramble them • The protocol that ensures this is SSL/TLS (Transport Layer Security) – an explanation from Google • Simple explanation of digital encryption using the toolbox and key example
Management problem? • “Airtight security is not possible because companies have to allow on-line commerce. They have to make trade-offs between absolute information security and efficient flow of information.” McNurlin + Sprague • The management challenge is that of finding the balance • What is the reality of the threat? • What do you think are the most serious and high risk threats to business?
All threats are not equal for all organizations • “..the key components for managing a security program are the likelihood and the likely impact of an attack.” • CSI Computer Crime and Security Survey
What are companies worried about? Canadian Cyber Crime research (2013) from International Cyber Security Protection Alliance https://www.icspa.org/fileadmin/user_upload/Downloads/ICSPA_Canada_Cyber_Crime_Study_May_2013.pdf
What is the extent of the problem? • Half the respondents to the CSI survey didn’t experience a security incident over the course of the year – but that doesn’t mean that they weren’t threatened • 2010 CSI Computer Crime and Security Survey
Types of direct threats and attacks: Risks to infrastructure (particularly eBusiness) • Distributed Denial of Service attacks (DDoS) • Wikileaks (2010) • 4Chan attacks on Anti-Piracy Websites (2011) • Hacking – web site defacement • New York Times – 1998 • DNS Hijack • Twitter – 2009 • Malicious code: viruses, worms, trojans etc • Skype’s network frozen by a trojan horse attack in 2007 • Stuxnet – attacks on nuclear facilities and other industrial targets
Types of threats and attacks: Attacks on data • Intercepted transmissions (eavesdropping / sniffing) • Attacks related to insecure passwords – are “strong” passwords and frequent changes the answer? • Social engineering (and how to protect against it) • Phishing
A new source of threat: BYOD • Security lax on the part of employees (not even a lock screen is common) • Sensitive work files stored on personal devices • Devices on the corporate network without IT knowledge • Fragmentation of operating system / support cost increases • Phone number as piece of branding / customer connection (what happens when employee leaves?)
BYOD Policy: security, confidentiality and privacy • 69 % of companies permit some form of BYOD • 70 % have no policy to manage the practice • While 26 % of those with no policy plan to have one in place within one year, 44 % said they have no plans to enact one at all. • IDC Canada Survey 2012 • Software is being developed to create separate “spaces” on phones for work and personal use, eg BlackBerry Balance
Creating a Security Policy (including BYOD) • The CSI Survey identified that a very small percentage of those surveyed did not have some kind of information security policy • The policy is aimed at both educating employees and managing (and balancing) the “people risks” we have identified • What should it address, and why?
Control strategies for managers to ensure the integrity of an IS • Containment • Deterrence • Obfuscation • Recovery • Firms must balance these strategies to suit their business requirements
Containment • Make the target look as unattractive as possible • Heavily encrypted data is less attractive • Focus on controlling access to data resources by erecting barriers • Expensive and requires constant vigilance to keep ahead of attackers • Physically remove the target system from threats • Isolating systems from the network • Distributing data across an organization or geographic area
Deterrence • Need to understand and anticipate the motives of those who would breach security • Use of threats of prosecution and dismissal (internal), and well publicized barriers • Monitoring patterns of data usage or access to resources • Implementation of defenses or countermeasures
Obfuscation • Involves hiding and/or distributing assets so that any damage caused can be limited • Often entails monitoring of all an organization’s activities, not just those where security threats are perceived (a broader strategy than containment or deterrence) • Needs a good overview and frequent auditing of hardware, software and network resources • Eg. to identify illegal software loaded onto employees’ machines
Recovery • Assumes security breach will occur, and puts in place an action plan and strategy for business recovery • Requires extensive organizational planning • Backup systems, redundant systems needed (often outsourced) • Emergency planning and recovery in place
Two questions to consider • Reporting a cybercrime occurs less than 50% of the time. Why is this? Is this a good thing or not? What might you do to encourage a higher percentage of companies to make formal reports? • What is your view about the assertion that "Security is as much a human problem as a technical problem?"