Managing Information Systems
Information Systems Security and Control, Part 2
Dr. Stephania Loizidou Himona, ACSC 345
Objectives
• Demonstrate that Information System vulnerabilities can be controlled
• Demonstrate the ways in which Information Systems can be controlled in an organisation
• Demonstrate some of the technologies that can be used to control Information Systems vulnerabilities
Dr. S. Loizidou - ACSC345
Controlling Information Systems
• Recall there are numerous threats to Information Systems
  • Hardware failures
  • Software failures
  • Upgrade issues
  • Disasters
  • Malicious intent
Controlling Information Systems
• To minimise the likelihood of threats, we must control the environment in which Information Systems are developed and deployed
• Controls are put in place to:
  • Manually control the environment of Information Systems
  • Automatically add controls to Information Systems
Controlling Information Systems
• Implemented through
  • Policies
  • Procedures
  • Standards
• Control must be thought about through all stages of Information Systems analysis, construction, deployment, operations and maintenance
Controlling Information Systems
• What sort of controls can be put in place?
Controls
• General controls
  • Controls for the design, security and use of Information Systems throughout the organisation
• Application controls
  • Specific controls for each application
  • Specific to that application's user functionality
General Controls
• Implementation controls
  • Audit system development
  • Ensure it is properly managed and controlled
  • Ensure user involvement
  • Ensure procedures and standards are in use
• Software controls
  • Authorised access to systems
General Controls
• Hardware controls
  • Physically secure hardware
  • Monitor for and fix malfunction
  • Environmental systems and protection
  • Backup of disk-based data
General Controls
• Computer operations controls
  • Day-to-day operations of Information Systems
  • Procedures
  • System set-up
  • Job processing
  • Backup and recovery procedures
General Controls
• Data security controls
  • Prevent unauthorised access, change or destruction
  • When data is in use or being stored
  • Physical access to terminals
  • Password protection
  • Data-level access controls
General Controls
• Administrative controls
  • Ensure organisational policies, procedures and standards are enforced
  • Segregation of functions to reduce errors and fraud
  • Supervision of personnel to ensure policies and procedures are being adhered to
Application Controls
• Input controls
  • Data is accurate and consistent on entry
  • Direct keying of data, double entry or automated input
  • Data conversion, editing and error handling
  • Field validation on entry
  • Input authorisation and auditing
  • Checks on totals to catch errors
Application Controls
• Processing controls
  • Data is accurate and complete on processing
  • Checks on totals to catch errors
  • Compare to master records to catch errors
  • Field validation on update
Application Controls
• Output controls
  • Data is accurate, complete and properly distributed on output
  • Checks on totals to catch errors
  • Review processing logs
  • Track recipients of data
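The three application-control stages on these slides (input, processing, output) run over one constructed batch of payment records. This is an added example for the lecture, not code from the author or the course; the master file, the batch, the field rules and the batch-slip totals are all hypothetical. It shows why input controls use more than one kind of total: a transposed account number leaves the financial total unchanged and is caught only by the hash total.

```python
"""Application controls over a constructed batch of payment records.
Added illustration; data, names and field rules are hypothetical."""
from dataclasses import dataclass


@dataclass
class Payment:
    account: str
    amount_cents: int
    reference: str


# Constructed master file: account number -> account holder.
MASTER_ACCOUNTS = {"1001": "Alice", "1002": "Bob", "1003": "Carol"}


def validate_record(rec: dict) -> list:
    """Input control: field validation at the point of entry."""
    errors = []
    acct = str(rec.get("account", ""))
    if not (acct.isdigit() and len(acct) == 4):
        errors.append(f"account {acct!r} must be 4 digits")
    amt = rec.get("amount_cents")
    if not isinstance(amt, int) or amt <= 0:
        errors.append(f"amount {amt!r} must be a positive number of cents")
    ref = str(rec.get("reference", ""))
    if not (1 <= len(ref) <= 16 and ref.isalnum()):
        errors.append(f"reference {ref!r} must be 1-16 alphanumeric characters")
    return errors


def control_totals(records: list) -> dict:
    """Batch control totals: record count, financial total and a hash total.
    The hash total (sum of the account numbers) has no business meaning; it is
    there to catch dropped, duplicated or mis-keyed records that leave the
    financial total unchanged."""
    return {
        "count": len(records),
        "financial": sum(r["amount_cents"] for r in records
                         if isinstance(r.get("amount_cents"), int)),
        "hash": sum(int(r["account"]) for r in records
                    if str(r.get("account", "")).isdigit()),
    }


def process_batch(raw_records: list, batch_header: dict, recipient: str) -> dict:
    """Run input, processing and output controls over one batch.
    batch_header holds the totals keyed independently from the batch slip
    (double entry); recipient is who the output report is distributed to."""
    log, rejected = [], []
    # Input control: keyed totals must match the independently keyed header.
    actual = control_totals(raw_records)
    mismatched = [k for k in ("count", "financial", "hash")
                  if actual[k] != batch_header[k]]
    if mismatched:
        reason = f"control total mismatch on {mismatched}"
        log.append(f"batch rejected: {reason}; keyed {actual}, header {batch_header}")
        return {"posted": [], "rejected": [("batch", reason)], "log": log,
                "output_totals": None, "recipient": None}
    # Input control: field validation on each record.
    accepted = []
    for n, rec in enumerate(raw_records, 1):
        errs = validate_record(rec)
        if errs:
            rejected.append((str(rec.get("reference", f"record {n}")), "input: " + "; ".join(errs)))
            log.append(f"record {n} rejected at input: " + "; ".join(errs))
        else:
            accepted.append(Payment(str(rec["account"]), rec["amount_cents"], rec["reference"]))
    # Processing control: compare each record to the master file before posting.
    posted = []
    for p in accepted:
        if p.account in MASTER_ACCOUNTS:
            posted.append(p)
            log.append(f"{p.reference} posted to {p.account} ({MASTER_ACCOUNTS[p.account]})")
        else:
            rejected.append((p.reference, f"processing: account {p.account} not on master file"))
            log.append(f"{p.reference} rejected in processing: account {p.account} not on master file")
    # Output controls: totals over what was actually posted, and who received it.
    output_totals = {"count": len(posted), "financial": sum(p.amount_cents for p in posted)}
    log.append(f"output report {output_totals} distributed to {recipient}")
    return {"posted": posted, "rejected": rejected, "log": log,
            "output_totals": output_totals, "recipient": recipient}


# Constructed batch as keyed by the clerk, plus the totals from the batch slip.
BATCH = [
    {"account": "1001", "amount_cents": 12500, "reference": "INV100"},
    {"account": "1002", "amount_cents": 9900, "reference": "INV101"},
    {"account": "1003", "amount_cents": 500, "reference": "INV 102"},   # bad reference field
    {"account": "1009", "amount_cents": 4200, "reference": "INV103"},   # account not on master file
]
HEADER = {"count": 4, "financial": 27100, "hash": 4015}
# Same batch with one account number transposed (1020 for 1002): the financial
# total still agrees with the slip, only the hash total catches it.
MISKEYED = [dict(r) for r in BATCH]
MISKEYED[1]["account"] = "1020"

if __name__ == "__main__":
    for batch in (MISKEYED, BATCH):
        print("\n".join(process_batch(batch, HEADER, "accounts-payable")["log"]))
```

The processing log returned by `process_batch` is the record an output control reviews, and the `recipient` field is the "track recipients of data" item from the output slide; in a real system both would be written to durable storage rather than returned.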
Protecting Information Systems
• What sorts of technology can we use to implement Information Systems controls?
Protecting Information Systems
• Information Systems, especially TPS (transaction processing systems), require high degrees of availability
• Technology is available to ensure systems are available and contain accurate information
High Availability Computing
• Systems available for most of the time (some downtime allowed)
• Recover quickly from crash / downtime
• Redundant servers and clustering
• Mirroring of data and networked storage
• Load balancing
• Scalable and robust infrastructure
• Disaster recovery planning
Fault Tolerant Computing
• Systems available all the time (no downtime allowed)
• Specialist hardware
  • HP NonStop (Tandem), Stratus
• Detect and correct faults in hardware and software to keep processing
Network Security
• Permanent (open) network connectivity: Internet, Extranet, wireless
• Firewall: proxy or stateful inspection
• Firewalls must be managed and be part of the security policy
• Encryption: public key, SSL or S-HTTP
• Authentication and integrity
  • Digital signatures and certificates
Developing Control
• Lots of threats to Information Systems
• Lots of controls required
• Decision on which controls to use is based upon likelihood of threat and cost
• Risk assessment
  • Likely frequency of threat
  • Cost of damage
  • Cost of implementation
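The risk-assessment step on this slide, carried through as a small calculation: expected annual loss is the likely frequency of a threat times the cost of the damage, and a control is justified when the loss it avoids exceeds its cost of implementation. This is an added example, not part of the lecture; the threat register, the candidate controls and every figure in it are constructed, and the single "reduction" fraction per control is a simplifying assumption.

```python
"""Risk assessment for choosing controls: expected annual loss = likely
frequency x cost of damage, weighed against the cost of implementation.
Added illustration; all figures are constructed."""
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    annual_frequency: float   # expected occurrences per year (0.02 = once in 50 years)
    cost_per_incident: float  # damage caused by one occurrence


@dataclass
class Control:
    name: str
    threat: str               # name of the Threat it mitigates
    annual_cost: float        # cost of implementation, spread per year
    reduction: float          # fraction of the expected loss it removes (0..1), assumed


def expected_annual_loss(t: Threat) -> float:
    """Likely frequency of the threat times the cost of the damage."""
    return t.annual_frequency * t.cost_per_incident


def net_benefit(c: Control, threats: dict) -> float:
    """Loss avoided per year minus the yearly cost of the control."""
    return expected_annual_loss(threats[c.threat]) * c.reduction - c.annual_cost


def select_controls(threats: list, controls: list) -> tuple:
    """Split controls into those worth implementing (loss avoided exceeds
    cost), ranked by net benefit, and those that are not justified."""
    by_name = {t.name: t for t in threats}
    scored = sorted(((net_benefit(c, by_name), c) for c in controls),
                    key=lambda s: s[0], reverse=True)
    keep = [c.name for b, c in scored if b > 0]
    drop = [c.name for b, c in scored if b <= 0]
    return keep, drop


# Constructed threat register and candidate controls.
THREATS = [
    Threat("disk failure", 2.0, 5_000.0),       # expected loss 10,000 / year
    Threat("fire", 0.02, 1_000_000.0),          # expected loss 20,000 / year
    Threat("malware", 12.0, 800.0),             # expected loss  9,600 / year
]
CONTROLS = [
    Control("nightly backup", "disk failure", 1_500.0, 0.9),   # avoids 9,000, net +7,500
    Control("fire suppression", "fire", 25_000.0, 0.8),        # avoids 16,000, net -9,000
    Control("hot site", "fire", 12_000.0, 0.9),                # avoids 18,000, net +6,000
    Control("anti-malware", "malware", 2_000.0, 0.7),          # avoids 6,720, net +4,720
]

if __name__ == "__main__":
    keep, drop = select_controls(THREATS, CONTROLS)
    print("implement:", keep)
    print("not justified:", drop)
```

The ranking is only as good as the frequency and cost estimates fed into it, which is why the slide lists risk assessment as the basis for the decision rather than the decision itself; re-running it when those estimates change is the cheap part.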
HOMEWORK