f5aa7ebf1efcb96f21690349b421ce86.ppt
- Number of slides: 23
Managing Information Systems Security and Control, Part 2
Dr. Stephania Loizidou Himona, ACSC 345
Dr. S. Loizidou - ACSC 345
Objectives
§ Demonstrate that Information System vulnerabilities can be controlled
§ Demonstrate the ways in which Information Systems can be controlled in an organisation
§ Demonstrate some of the technologies that can be used to control Information Systems vulnerabilities
Controlling Information Systems
§ Recall there are numerous threats to Information Systems
  – Hardware failures
  – Software failures
  – Upgrade issues
  – Disasters
  – Malicious intent
Controlling Information Systems
§ To minimise the likelihood of threats, must control the environment in which Information Systems are developed and deployed
§ Controls put in place to:
  – Manually control the environment of Information Systems
  – Automatically add controls to Information Systems
Controlling Information Systems
§ Implemented through
  – Policies
  – Procedures
  – Standards
§ Control must be thought about through all stages of Information Systems analysis, construction, deployment, operations and maintenance
Controlling Information Systems
§ What sort of controls can be put in place?
Controls
§ General controls
  – Controls for design, security and use of Information Systems throughout the organisation
§ Application controls
  – Specific controls for each application
  – User functionality specific
General Controls
§ Implementation controls
  – Audit system development
  – Ensure properly managed and controlled
  – Ensure user involvement
  – Ensure procedures and standards are in use
§ Software controls
  – Authorised access to systems
General Controls
§ Hardware controls
  – Physically secure hardware
  – Monitor for and fix malfunction
  – Environmental systems and protection
  – Backup of disk-based data
General Controls
§ Computer operations controls
  – Day-to-day operations of Information Systems
  – Procedures
  – System set-up
  – Job processing
  – Backup and recovery procedures
General Controls
§ Data security controls
  – Prevent unauthorised access, change or destruction
  – When data is in use or being stored
  – Physical access to terminals
  – Password protection
  – Data level access controls
General Controls
§ Administrative controls
  – Ensure organisational policies, procedures and standards are enforced
  – Segregation of functions to reduce errors and fraud
  – Supervision of personnel to ensure policies and procedures are being adhered to
Application Controls
§ Input controls
  – Data is accurate and consistent on entry
  – Direct keying of data, double entry or automated input
  – Data conversion, editing and error handling
  – Field validation on entry
  – Input authorisation and auditing
  – Checks on totals to catch errors
Application Controls
§ Processing controls
  – Data is accurate and complete on processing
  – Checks on totals to catch errors
  – Compare to master records to catch errors
  – Field validation on update
Application Controls
§ Output controls
  – Data is accurate, complete and properly distributed on output
  – Checks on totals to catch errors
  – Review processing logs
  – Track recipients of data
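The input and processing controls on the last three slides (field validation on entry, checks on totals, comparison against master records) in working form. This is an added example, not code from the slides; the batch layout, the employee master file and the idea of a hash total over the employee ids are assumptions made for the illustration.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample batch: the header carries the control totals the data-entry
# clerk computed before keying, so the system can detect dropped or mistyped records.
BATCH_HEADER = {"record_count": 3, "amount_total": Decimal("1250.00"), "hash_total": 3006}
BATCH_RECORDS = [
    {"emp_id": "1001", "amount": "500.00"},
    {"emp_id": "1002", "amount": "250.00"},
    {"emp_id": "1003", "amount": "500.00"},
]
# Constructed master file that the processing control compares each record against.
MASTER_EMPLOYEES = {"1001", "1002", "1003", "1004"}


def validate_fields(record):
    """Input control: field validation on entry. Returns a list of error strings."""
    errors = []
    if not (record["emp_id"].isdigit() and len(record["emp_id"]) == 4):
        errors.append(f"bad emp_id {record['emp_id']!r}")
    try:
        amount = Decimal(record["amount"])
        if amount <= 0 or amount.as_tuple().exponent < -2:   # positive, at most 2 decimals
            errors.append(f"bad amount {record['amount']!r}")
    except InvalidOperation:
        errors.append(f"non-numeric amount {record['amount']!r}")
    return errors


def check_batch(header, records, master):
    """Input + processing controls: field validation, master-record match, control totals."""
    errors = []
    for i, rec in enumerate(records):
        errors += [f"record {i}: {e}" for e in validate_fields(rec)]
        if rec["emp_id"] not in master:
            errors.append(f"record {i}: emp_id {rec['emp_id']} not in master file")
    if errors:
        return errors   # totals computed over invalid fields would be meaningless
    # Control totals: record count, financial total, and a hash total (sum of the
    # emp_id values; meaningless as a number, but it catches a wrong-but-valid id).
    if len(records) != header["record_count"]:
        errors.append(f"record count {len(records)} != {header['record_count']}")
    amount_total = sum(Decimal(r["amount"]) for r in records)
    if amount_total != header["amount_total"]:
        errors.append(f"amount total {amount_total} != {header['amount_total']}")
    hash_total = sum(int(r["emp_id"]) for r in records)
    if hash_total != header["hash_total"]:
        errors.append(f"hash total {hash_total} != {header['hash_total']}")
    return errors
```

A batch that returns no errors can be posted; any error list is held for the input-authorisation step to review, which is where the audit trail on the slide comes from.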
Protecting Information Systems
§ What sorts of technology can we use to implement Information Systems controls?
Protecting Information Systems
§ Information Systems, especially TPS (transaction processing systems), require high degrees of availability
§ Technology is available to ensure systems are available and contain accurate information
High Availability Computing
§ Systems available for most of the time (some downtime allowed)
  – Recover quickly from crash / downtime
  – Redundant servers and clustering
  – Mirroring of data and networked storage
  – Load balancing
  – Scalable and robust infrastructure
  – Disaster recovery planning
Fault Tolerant Computing
§ Systems available all the time (no downtime allowed)
  – Specialist hardware
    § HP NonStop (Tandem), Stratus
  – Detect and correct faults in hardware and software to keep processing
Network Security
§ Permanent (open) network connectivity: Internet, Extranet, wireless
  – Firewall: proxy or stateful inspection
  – Firewalls must be managed and part of security policy
  – Encryption: public key, SSL or S-HTTP
  – Authentication and integrity
  – Digital signatures and certificates
Developing Control
§ Lots of threats to Information Systems
§ Lots of controls required
§ Decision on which controls to use based upon likelihood of threat and cost
§ Risk assessment
  – Likely frequency of threat
  – Cost of damage
  – Cost of implementation
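The three risk-assessment inputs on this slide (likely frequency, cost of damage, cost of implementation) turned into a control-selection rule: expected annual loss is frequency times damage, a control is justified when the loss it avoids exceeds its cost, and controls are ranked by net benefit. This is an added example, not from the slides; the threat and control figures are constructed, and treating each control independently (ignoring overlap between controls) is a simplifying assumption.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    annual_frequency: float   # expected occurrences per year
    damage_cost: float        # cost per occurrence


@dataclass
class Control:
    name: str
    annual_cost: float        # cost of implementation, annualised
    reduction: dict           # threat name -> fraction of that threat's loss removed (0..1)


def annual_loss(threats):
    """Expected yearly loss with no controls: sum of frequency x damage over all threats."""
    return sum(t.annual_frequency * t.damage_cost for t in threats)


def evaluate_controls(threats, controls):
    """(control name, expected loss avoided, net benefit) per control, best first.
    Each control is scored on its own; overlapping controls are not combined."""
    by_name = {t.name: t for t in threats}
    rows = []
    for c in controls:
        avoided = sum(by_name[n].annual_frequency * by_name[n].damage_cost * frac
                      for n, frac in c.reduction.items() if n in by_name)
        rows.append((c.name, avoided, avoided - c.annual_cost))
    return sorted(rows, key=lambda r: r[2], reverse=True)


def justified_controls(threats, controls):
    """Names of the controls whose avoided loss exceeds their implementation cost."""
    return [name for name, _, net in evaluate_controls(threats, controls) if net > 0]


# Constructed figures for the illustration, not from the slides.
THREATS = [
    Threat("disk failure", 0.5, 20_000.0),
    Threat("malware", 2.0, 5_000.0),
    Threat("flood", 0.02, 500_000.0),
]
CONTROLS = [
    Control("nightly backup", 3_000.0, {"disk failure": 0.9, "flood": 0.5}),
    Control("antivirus", 4_000.0, {"malware": 0.8}),
    Control("off-site hot standby", 60_000.0, {"flood": 0.95, "disk failure": 0.5}),
]
```

With these figures the hot standby avoids the most loss but is rejected on cost, which is the point of the slide: the cheapest control against a threat is not always the one that avoids the most damage, and the decision rests on all three inputs together.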
HOMEWORK