
BUS 361: E-Business



  1. BUS 361: E-Business Chapter 5 Security & Controls

  2. Learning Objectives
  • Identify the security risks
  • Describe how e-business is made secure
  • Identify the major components of security systems
  • Identify and evaluate the major security strategies
  • Identify the major issues in implementing good security
  • Describe the significant types of security tools available

  3. Introduction
  Every information system (I.S.) is subject to risks:
  • Error
  • Fraud
  • Malicious acts
  • Disasters (natural ones)

  4. Some risks …
  • New Service – unknown processes and procedures
  • New Business Models – new, unique risks
  • Revenue leakage; no personal contact with the customer through which to repair a poor image
  • New Processes – extranet linkages with strict product specs; if we can't meet the specs …
  • New Technology
  • New Fulfillment Processes
  • Outsourcing of IT activities

  5. Malicious Acts
  • Infections – viruses, Trojan horses, worms
  • Unauthorized S/W – spyware, adware, keyloggers
  • Unauthorized uses of computers
  • Theft, sabotage, or destruction of hardware
  • Denial of service attacks
  • Password attacks (guessing and cracking; weak passwords lacking capitals and numbers)
  • Website/server attacks
  • Electronic theft or sabotage of electronic data
  • Financial fraud

  6. What to do?
  • Do not overlook the threats
  • What is a threat?
  • One potential source of problems: unhappy employees (insiders)
  • Firewalls
  • Anti-virus software
  • Spyware blockers

  7. Controls
  • Preventive, detective and corrective measures
  • 2 categories of controls: general and application
  • Guided by company strategy, policies and procedures

  8. General Controls
  Common across all applications
  • Security management
  • Physical & logical access controls …
  • System acquisition & development controls
  • System maintenance & change controls
  • Operations controls
  • Business continuity controls …

  9. Physical & Logical Access
  • Physical
  • Access to servers, tape storage, etc.
  • Security features like cameras, alarms, etc.
  • Logical
  • IDs, passwords, biometrics
  • CAPTCHA
  • Firewalls (double walls?)
  • Intrusion detection systems (false positives)

  10. Business Continuity Plan
  How do we handle a system problem? Includes a disaster recovery plan addressing …
  • Listing of potential disasters
  • Roles & responsibilities
  • Scripts, contact lists
  • Critical processing priorities
  • Backup plans, location and access
  • Power requirements, backups
  • Rebuilding procedures, timelines

  11. Application Controls
  Needed for the 4 basic areas:
  • Input – check digits (SIN, student #)
  • Processing – logs, control totals, hash totals, time stamping
  • Output – distribution, access, printer use
  • Storage – logical access to databases etc.; access requests
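The two controls named on this slide, as an added example in Python that is not part of the original deck: a Luhn (mod-10) check-digit test of the kind used for a Canadian SIN and for payment-card numbers, and batch control totals (record count, financial total and hash total) computed at data entry and re-computed after processing so that a lost or altered record shows up as a mismatch. The SIN, account numbers and amounts are constructed for the example.

```python
# Added example: input and processing controls. Not from the BUS 361 deck;
# the identifiers and the batch records below are constructed.


def luhn_valid(identifier: str) -> bool:
    """Luhn (mod-10) check-digit test, the scheme used for Canadian SINs and
    payment-card numbers.  Spaces and dashes are accepted as separators;
    any other non-digit character makes the identifier invalid."""
    stripped = identifier.replace(" ", "").replace("-", "")
    if len(stripped) < 2 or not stripped.isdigit():
        return False
    total = 0
    # Walk from the rightmost digit: double every second digit, subtract 9
    # when the doubled value exceeds 9, then sum all digits.
    for i, ch in enumerate(reversed(stripped)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def batch_control_totals(records):
    """Compute (record count, financial total, hash total) for a batch.

    records: iterable of dicts with 'account' (digit string) and 'amount'
    (integer cents).  The hash total is the sum of a non-financial field
    (the account numbers); the sum has no business meaning and exists only
    so that a missing or altered account number changes it."""
    count = financial = hash_total = 0
    for r in records:
        count += 1
        financial += r["amount"]
        hash_total += int(r["account"])
    return count, financial, hash_total


def reconcile(expected, actual):
    """Return the names of the control totals that do not agree."""
    names = ("record count", "financial total", "hash total")
    return [n for n, a, b in zip(names, expected, actual) if a != b]


# Constructed input batch, as keyed at data entry (amounts in cents).
INPUT_BATCH = [
    {"account": "1001", "amount": 12550},   # $125.50
    {"account": "1002", "amount": 500},     # $5.00
    {"account": "1003", "amount": 9900},    # $99.00
]


def demo():
    """Worked run: a SIN that passes the check digit, the same SIN with two
    adjacent digits transposed, and a processing run in which the second
    record was lost and the third amount was altered."""
    sin_ok = luhn_valid("046 454 286")       # constructed; passes Luhn
    sin_transposed = luhn_valid("046 454 826")
    expected = batch_control_totals(INPUT_BATCH)
    processed = [INPUT_BATCH[0], {"account": "1003", "amount": 99000}]
    mismatches = reconcile(expected, batch_control_totals(processed))
    return sin_ok, sin_transposed, mismatches


if __name__ == "__main__":
    print(demo())
```

A check digit only catches keying errors (a wrong digit or an adjacent transposition); it says nothing about whether the identifier belongs to the person entering it, which is an authentication question handled by the logical access controls on the earlier slides. Control totals likewise detect that a batch changed between input and processing, not which control failed or who changed it; the logs and time stamps listed alongside them supply that.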

  12. Communications Control
  • Authenticity of sender & receiver
  • Message integrity
  • Encryption – 128-bit symmetric keys commonly used
  • Public and private keys
  • https
  • Message digests (a message "check total", computed with a cryptographic hash function)
  • Digital signatures – a message digest transformed with the sender's private key and checked with the sender's public key

  13. Public Key Infrastructure
  • Public keys need to be stored and be accessible to everyone
  • Must be managed … hence PKI
  • Stores & delivers public keys as needed, binding each key to its owner's identity (typically through a certificate signed by a certification authority)
  • Provides privacy, security, authentication & support
  • Manages the generation & distribution of public/private key pairs and publishes the public ones

  14. Terminology
  • Sniffing
  • Drive-by hacking
  • …

  15. Security Policies
  • Establish the accepted transactions
  • Clearly defined
  • Standards that must be met (or surpassed)
  • Require regular updating

  16. Common security goals
  • Complying with service agreements
  • Complying with laws
  • Protecting data confidentiality
  • Protecting data from unauthorized modification
  • Logging transactions and data exchanges
  • Must be documented and implemented

  17. Major Components …
  • Security administration – in-house or outsourced, budgets, S.O.P.s (standard operating procedures)
  • Information management – ownership, custodians, security levels
  • Privilege management – access, read/write, principle of least privilege

  18. And …
  • Physical security
  • Logical access control
  • End-user computing policy
  • Software acquisition
  • Impact of data mobility
  • Personnel management
  • Security monitoring
