
Managing Information Systems



  1. Managing Information Systems
  Information Systems Security and Control, Part 2
  Dr. Stephania Loizidou Himona, ACSC 345

  2. Objectives
  • Demonstrate that Information System vulnerabilities can be controlled
  • Demonstrate the ways in which Information Systems can be controlled in an organisation
  • Demonstrate some of the technologies that can be used to control Information Systems vulnerabilities
  Dr. S. Loizidou - ACSC345

  3. Controlling Information Systems
  • Recall there are numerous threats to Information Systems:
    • Hardware failures
    • Software failures
    • Upgrade issues
    • Disasters
    • Malicious intent

  4. Controlling Information Systems
  • To minimise the likelihood of threats, we must control the environment in which Information Systems are developed and deployed
  • Controls are put in place to:
    • Manually control the environment of Information Systems
    • Automatically add controls to Information Systems

  5. Controlling Information Systems
  • Implemented through:
    • Policies
    • Procedures
    • Standards
  • Control must be thought about through all stages of Information Systems analysis, construction, deployment, operations and maintenance

  6. Controlling Information Systems
  • What sort of controls can be put in place?

  7. Controls
  • General controls
    • Controls for the design, security and use of Information Systems throughout the organisation
  • Application controls
    • Specific controls for each application
    • User-functionality specific

  8. General Controls
  • Implementation controls
    • Audit system development
    • Ensure it is properly managed and controlled
    • Ensure user involvement
    • Ensure procedures and standards are in use
  • Software controls
    • Authorised access to systems

  9. General Controls
  • Hardware controls
    • Physically secure hardware
    • Monitor for and fix malfunctions
    • Environmental systems and protection
    • Backup of disk-based data

  10. General Controls
  • Computer operations controls
    • Day-to-day operations of Information Systems
    • Procedures
    • System set-up
    • Job processing
    • Backup and recovery procedures

  11. General Controls
  • Data security controls
    • Prevent unauthorised access, change or destruction of data, whether the data is in use or being stored
    • Physical access to terminals
    • Password protection
    • Data-level access controls

  12. General Controls
  • Administrative controls
    • Ensure organisational policies, procedures and standards are enforced
    • Segregation of functions to reduce errors and fraud
    • Supervision of personnel to ensure policies and procedures are being adhered to

  13. Application Controls
  • Input controls
    • Data is accurate and consistent on entry
    • Direct keying of data, double entry or automated input
    • Data conversion, editing and error handling
    • Field validation on entry
    • Input authorisation and auditing
    • Checks on totals to catch errors

  14. Application Controls
  • Processing controls
    • Data is accurate and complete on processing
    • Checks on totals to catch errors
    • Compare to master records to catch errors
    • Field validation on update

  15. Application Controls
  • Output controls
    • Data is accurate, complete and properly distributed on output
    • Checks on totals to catch errors
    • Review processing logs
    • Track recipients of data
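As an added worked example (not part of the lecture slides), the input, processing and output controls of slides 13 to 15 applied to one constructed batch of payment records: field validation on entry, control totals (record count, amount total and a hash total) declared with the batch and recomputed to catch dropped or altered records, a comparison with a master file before update, and a processing log for output reconciliation. The master file, record layout and figures are assumptions made for the example.

```python
import re
from decimal import Decimal, InvalidOperation

# Constructed master file (an assumption of this example): account -> holder
MASTER_ACCOUNTS = {"10001": "alice", "10002": "bob", "10003": "carol"}

def validate_record(rec):
    """Input control: field validation on entry; returns a list of error strings."""
    errors = []
    if not re.fullmatch(r"\d{5}", rec.get("account", "")):
        errors.append("account must be 5 digits")
    try:
        amount = Decimal(rec.get("amount", ""))
        if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
            errors.append("amount must be positive with at most 2 decimals")
    except InvalidOperation:
        errors.append("amount is not a number")
    return errors

def control_totals(records):
    """Totals the batch header must declare: record count, amount total and a hash
    total (sum of account numbers: meaningless as a value, but it changes when a
    record is dropped, duplicated or has its account altered)."""
    return {"count": len(records),
            "amount": sum(Decimal(r["amount"]) for r in records),
            "hash": sum(int(r["account"]) for r in records)}

def process_batch(header, records, master=MASTER_ACCOUNTS):
    """Apply input, processing and output controls to one batch; returns a dict."""
    result = {"accepted": [], "rejected": [], "log": []}
    # Input control: every field is validated before anything is posted
    result["rejected"] += [(rec, err) for rec in records for err in validate_record(rec)]
    if result["rejected"]:
        result["log"].append("batch held: field validation errors")
        return result
    # Input control: recomputed totals must equal the totals declared on entry
    declared = {"count": int(header["count"]), "amount": Decimal(header["amount"]), "hash": int(header["hash"])}
    mismatch = {k: v for k, v in control_totals(records).items() if v != declared[k]}
    if mismatch:
        result["log"].append(f"batch held: control totals differ on {sorted(mismatch)}")
        return result
    # Processing control: compare each record with the master file before update
    for rec in records:
        if rec["account"] in master:
            result["accepted"].append(rec)
        else:
            result["rejected"].append((rec, "account not in master file"))
    # Output control: log what was posted so the output can be reconciled
    result["log"].append(f"posted {len(result['accepted'])} of {len(records)} records")
    return result
```

A batch whose recomputed totals differ from the header is held as a whole rather than partially posted, which is what makes the totals check catch a single altered amount.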

  16. Protecting Information Systems
  • What sorts of technology can we use to implement Information Systems controls?

  17. Protecting Information Systems
  • Information Systems, especially TPS (transaction processing systems), require high degrees of availability
  • Technology is available to ensure systems are available and contain accurate information

  18. High Availability Computing
  • Systems available for most of the time (some downtime allowed)
  • Recover quickly from crash / downtime
  • Redundant servers and clustering
  • Mirroring of data and networked storage
  • Load balancing
  • Scalable and robust infrastructure
  • Disaster recovery planning

  19. Fault Tolerant Computing
  • Systems available all the time (no downtime allowed)
  • Specialist hardware, e.g. HP NonStop (Tandem), Stratus
  • Detect and correct faults in hardware and software to keep processing

  20. Network Security
  • Permanent (open) network connectivity: Internet, extranet, wireless
  • Firewall: proxy or stateful inspection
  • Firewalls must be managed and part of the security policy
  • Encryption: public key, SSL or S-HTTP
  • Authentication and integrity
  • Digital signatures and certificates

  21. Developing Control
  • Lots of threats to Information Systems
  • Lots of controls required
  • The decision on which controls to use is based upon the likelihood of the threat and the cost
  • Risk assessment:
    • Likely frequency of the threat
    • Cost of damage
    • Cost of implementation
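As an added worked example (not from the lecture), one common way to turn the three risk assessment factors on slide 21 into a decision: expected annual loss is the likely frequency of a threat multiplied by the cost of damage per occurrence, a control is justified when the loss it prevents exceeds its implementation cost, and with a limited budget the justified controls are taken in order of net benefit. The threats, controls and figures are constructed for the example and the "reduction" fraction is an assumption about each control's effect.

```python
# Added example: expected-loss based control selection. All figures are constructed.

def expected_annual_loss(frequency_per_year, cost_of_damage):
    """Likely frequency of the threat times the cost of damage per occurrence."""
    return frequency_per_year * cost_of_damage

def rank_threats(threats):
    """threats: {name: (frequency_per_year, cost_of_damage)} -> [(name, loss)], highest first."""
    losses = [(name, expected_annual_loss(freq, cost)) for name, (freq, cost) in threats.items()]
    return sorted(losses, key=lambda item: item[1], reverse=True)

def evaluate_control(threats, control):
    """control: {name, threat, annual_cost, reduction}; reduction is the assumed fraction
    of the threat's expected loss that the control removes. Returns the control extended
    with its prevented loss, net benefit and an implement / reject decision."""
    freq, cost = threats[control["threat"]]
    prevented = expected_annual_loss(freq, cost) * control["reduction"]
    net = prevented - control["annual_cost"]
    return dict(control, prevented_loss=prevented, net_benefit=net, implement=net > 0)

def select_controls(threats, controls, budget):
    """Take justified controls in order of net benefit while they still fit the budget."""
    evaluated = sorted((evaluate_control(threats, c) for c in controls),
                       key=lambda e: e["net_benefit"], reverse=True)
    chosen, remaining = [], budget
    for e in evaluated:
        if e["implement"] and e["annual_cost"] <= remaining:
            chosen.append(e["name"])
            remaining -= e["annual_cost"]
    return chosen

# Constructed figures for a small organisation (frequency per year, cost per occurrence)
THREATS = {"disk failure": (2.0, 5000), "fire": (0.03, 500000), "malware": (12.0, 800)}
CONTROLS = [
    {"name": "nightly backup", "threat": "disk failure", "annual_cost": 3000, "reduction": 0.9},
    {"name": "fire suppression", "threat": "fire", "annual_cost": 20000, "reduction": 0.8},
    {"name": "endpoint anti-malware", "threat": "malware", "annual_cost": 4000, "reduction": 0.7},
]

if __name__ == "__main__":
    for name, loss in rank_threats(THREATS):
        print(f"{name:22s} expected annual loss {loss:10.2f}")
    for e in (evaluate_control(THREATS, c) for c in CONTROLS):
        print(f"{e['name']:22s} prevents {e['prevented_loss']:9.2f} costs {e['annual_cost']:6d} -> {'implement' if e['implement'] else 'reject'}")
    print("within budget 5000:", select_controls(THREATS, CONTROLS, 5000))
```

With these figures fire ranks as the largest expected loss, yet fire suppression is rejected because its annual cost exceeds the loss it would prevent; the cheaper backup and anti-malware controls are the ones justified.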

  22. HOMEWORK

  23. HOMEWORK
