
Lecture 12

Control and Information Security (IS342)

Abdisalam Issa-Salwe
Taibah University
Information Systems
College of Computer Science & Engineering

Topic list

- About control
- Security/threats and risk
- Intrusion prevention
- Contingency planning
- Building control into an information system
- Privacy and data protection
- Internal vs external threat


Abdisalam Issa-Salwe, Taibah University , College of Computer Science & Engineering

About control

Control is the process through which standards for the performance of people and processes are set, communicated and applied. Effective control systems use mechanisms to monitor activities and take corrective action if necessary.


About control (cont)

The control process is a continuous flow between measuring, comparing and acting. The steps in the control process are:

- Establishing performance standards
- Measuring actual performance
- Comparing measured performance against the established standards
- Taking corrective action


About control (cont)

Security controls are the set of organisational structures, policies, standards, procedures and technologies which support the business functions of the enterprise while reducing risk exposure and protecting information.

Controls are classified by what they do:

- Preventive: designed to keep errors or irregularities from occurring
- Detective: designed to detect errors and irregularities which have already occurred and to report them to the appropriate personnel
- Responsive (also called corrective): designed to respond to errors or irregularities, restore operations and prevent recurrence

and by how they are implemented:

- Administrative: processes and procedures
- Technical: software and hardware technologies
- Physical: facility and environmental security


Why information security? (cont)

Security in an information management context means:

- the protection of data from accidental or deliberate threats which might cause unauthorised modification, disclosure or destruction of data, and
- the protection of the information system from the degradation or non-availability of services.


Control/Security

Information security is the protection of information to prevent loss, unauthorised access or misuse. It is also the process of assessing threats and risks to information, and the procedures and controls needed to preserve:

- Confidentiality: access to data is limited to authorised entities
- Integrity: assurance that the data is accurate and complete
- Availability: data is accessible, when required, by those who are authorised to access it

Data management (cont)

Security protection of personal information starts with strong data management practices:

- Database management
- User access controls
- Database administrator access controls
- Restrictions on viewing, updating, modifying or deleting data
- Appropriate usage guidelines for data
- Controls on the use of real personal information in development and test environments (it should be masked or replaced wherever possible)
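As an added example (not from the original lecture) of the last point above: a keyed pseudonymisation routine that turns a production extract into a test dataset. The same real value always maps to the same token, so joins and duplicate detection still work in test, but the tokens cannot be reversed without the key. The records, field names and masking key are constructed for illustration; a real deployment would keep the key in a secrets store outside the test environment.

```python
import copy
import hashlib
import hmac

# Constructed sample of production records containing personal data.
# Names, e-mail addresses and national IDs are fictitious.
PRODUCTION_ROWS = [
    {"customer_id": 1001, "name": "Amina Yusuf", "email": "amina@example.com",
     "national_id": "1034567890", "balance": 250.0},
    {"customer_id": 1002, "name": "Omar Ali", "email": "omar@example.com",
     "national_id": "1098765432", "balance": 1200.5},
    {"customer_id": 1003, "name": "Amina Yusuf", "email": "amina@example.com",
     "national_id": "1034567890", "balance": 75.25},
]

# Fields that identify a living individual and must not reach dev/test as-is.
IDENTIFYING_FIELDS = ("name", "email", "national_id")


def pseudonymise(value: str, key: bytes, length: int = 12) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256, truncated).
    Same input and key -> same token; without the key the token
    cannot be mapped back to the real value."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:length]


def make_test_dataset(rows, key: bytes):
    """Return a deep copy of rows with identifying fields replaced by
    pseudonyms. Non-identifying fields (balances, surrogate IDs) are kept
    so the test data stays realistic."""
    out = []
    for row in rows:
        masked = copy.deepcopy(row)
        for field in IDENTIFYING_FIELDS:
            if field in masked:
                masked[field] = f"{field}_{pseudonymise(str(masked[field]), key)}"
        out.append(masked)
    return out


def leaks_real_values(test_rows, production_rows) -> bool:
    """Control check run before a dataset is released to a test
    environment: does any real identifying value survive in it?"""
    real = {str(r[f]) for r in production_rows for f in IDENTIFYING_FIELDS if f in r}
    for row in test_rows:
        for field in IDENTIFYING_FIELDS:
            if str(row.get(field)) in real:
                return True
    return False


if __name__ == "__main__":
    key = b"test-env-masking-key-keep-out-of-git"  # assumed; hold in a secrets store
    test_rows = make_test_dataset(PRODUCTION_ROWS, key)
    for r in test_rows:
        print(r)
    print("real values leaked:", leaks_real_values(test_rows, PRODUCTION_ROWS))
```

Rows 1 and 3 belong to the same person and receive the same pseudonym, which is what lets the test team reproduce a duplicate-customer bug without seeing who the customer is.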


Data management (cont)

A disaster recovery plan allows an organisation to respond to an interruption in services by restoring critical business functions and data.

Backups

- Backup media should be kept secure
- Backups should be reliable for recovery purposes
- Backup and restore processes should be controlled to avoid errors and unauthorised access
- Backup media should be tested regularly to ensure integrity

Recovery

- Recovery plans should be documented and tested
- Data recovery is usually integrated with disaster recovery and business continuity plans


Intrusion prevention

Prevention is the best possible cure:

- Firewalls
- Anti-virus
- Content scanning
- Security patches
- Emerging intrusion prevention systems
- User awareness


Contingency planning

Risk is a function of the likelihood of a threat exploiting a security vulnerability, with a resulting impact.

Potential threats

- Emergency situations or natural events
- Organised or deliberate malicious actions
- Internal accidents, carelessness or ignorance
- Malicious code (viruses, worms, spyware, malware)
- Loss of utilities or services
- Equipment or system failure
- Serious information security events

Security vulnerabilities

- Unsecured accounts
- Unpatched systems
- Insecure configurations
- Network perimeter weaknesses
- Inappropriate trust models
- Untrained users and administrators




Why information security?

- IT and computers have brought the Information Age
- The spread of the Internet and the relative ease of access have made information breaches easier:
  - Unauthorised reading of data
  - Unauthorised modification of data
  - Unauthorised destruction of data


Why information security? (cont)

- Your future is not secure if your information is not secure
- Information resources need to be guarded, protected and controlled


Internal vs external threat

The external threats

- The organisation's connection to the Internet


Phishing: a high-tech scam that uses e-mail or web sites to deceive you into disclosing your credit card numbers, bank account information, Social Security number, passwords or other sensitive information.

Mobile code: code delivered by a web site that automatically runs hostile programs on your computer, without your knowledge, simply because you visited the site.


To ensure your system does not get infected by viruses you should perform all of the following:

- Scan all e-mail attachments
- Ensure your anti-virus software scans your system daily
- Turn off the option for your e-mail client to automatically download attachments

Physical access control

- Personal identification numbers (PINs)
- Door locks
- Card entry systems
- Protection against computer theft


Building control into an information system

Control can be classified into:

- Security control: the protection of data from accidental or deliberate threats
- Integrity control: in the security context, integrity is preserved when data is the same as in the source documents and has not been accidentally or intentionally altered, destroyed or disclosed
- System integrity: the system operates in conformance with its design specification despite attempts (deliberate or accidental) to make it behave incorrectly
- Contingency controls: measures for dealing with a contingency, i.e. an unscheduled interruption of computing services that requires action outside the day-to-day routine operating procedures

Building control into an information system (cont)

Data will maintain its integrity if it is complete and not corrupt. This means that:

- The original input of the data must be controlled
- Any processing and storage should be set up so that they are complete and correct


Building control into an information system (cont)

Input controls should ensure the accuracy, completeness and validity of data:

- Data verification involves ensuring that the data entered matches the source documents
- Data validation involves ensuring that the data entered is not incomplete or unreasonable. Various checks are used:
  - Check digits
  - Control totals
  - Hash totals
  - Range checks
  - Limit checks
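The validation checks listed above, as an added worked example that is not part of the original slides: a batch of constructed transaction records is checked record by record (check digit, range check, limit check) and then as a whole batch (record count, control total, hash total) against the totals declared in a constructed batch header. The check-digit scheme (Luhn / mod 10), the amount limit and the account numbers are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class Record:
    account: str    # account number whose last digit is a check digit (Luhn, assumed)
    amount: float   # transaction amount
    month: int      # accounting month, must lie in 1..12


def luhn_valid(number: str) -> bool:
    """Check digit test (mod-10 / Luhn, assumed for this example). Catches
    every single mis-keyed digit and most adjacent transpositions."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_batch(records, declared_count, declared_control_total,
                   declared_hash_total, amount_limit=10_000.0):
    """Input controls over one batch. Returns a list of error messages;
    an empty list means the batch passed every check."""
    errors = []
    for n, r in enumerate(records, start=1):
        if not luhn_valid(r.account):                       # check digit
            errors.append(f"record {n}: check digit failed for account {r.account}")
        if not 1 <= r.month <= 12:                          # range check
            errors.append(f"record {n}: month {r.month} outside range 1-12")
        if r.amount < 0 or r.amount > amount_limit:         # limit check
            errors.append(f"record {n}: amount {r.amount} outside limit 0-{amount_limit}")
    # Batch-level checks compare what arrived with what the sender declared.
    if len(records) != declared_count:                      # record count
        errors.append(f"batch: {len(records)} records received, header declares {declared_count}")
    control_total = round(sum(r.amount for r in records), 2)   # meaningful sum (money)
    if control_total != declared_control_total:
        errors.append(f"batch: control total {control_total} != declared {declared_control_total}")
    hash_total = sum(int(r.account) for r in records)       # meaningless sum, catches lost/altered records
    if hash_total != declared_hash_total:
        errors.append(f"batch: hash total {hash_total} != declared {declared_hash_total}")
    return errors


# Constructed batch: three records arrive, but the header claims four were sent.
SAMPLE_BATCH = [
    Record("12345674", 250.00, 3),       # valid check digit
    Record("79927398713", 12500.00, 5),  # valid, but over the amount limit
    Record("12345678", 40.00, 13),       # bad check digit and bad month
]
SAMPLE_HEADER = {"count": 4, "control_total": 12790.00, "hash_total": 79952090065}


def run_demo():
    return validate_batch(SAMPLE_BATCH, SAMPLE_HEADER["count"],
                          SAMPLE_HEADER["control_total"], SAMPLE_HEADER["hash_total"])


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The control total and hash total in the sample header happen to match, so the only batch-level error is the record count; change one account number and the hash total check fires even though the control total (a sum of amounts) stays the same, which is exactly why both totals are carried.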



Privacy and data protection

Privacy: the right of the individual to control the use of information about him or her, including information on financial status, health and lifestyle (i.e. to prevent unauthorised disclosure).


Data protection principles

- Personal data is information about a living individual, including expressions of opinion about him or her. Data about an organisation is not personal data.
- Data users are the organisations or individuals who control personal data and its use.
- A data subject is an individual who is the subject of personal data.

Internet security issue

Establishing organisational links to the Internet brings numerous security dangers:

- Corruptions such as viruses on a single computer can spread through the network to all of the organisation's computers
- Hacking involves attempting to gain unauthorised access to a computer system


About viruses

A virus is a program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes. Viruses can also replicate themselves. All computer viruses are man-made.

A simple virus that can make a copy of itself over and over again is relatively easy to produce. Even such a simple virus is dangerous because it will quickly use all available memory and bring the system to a halt.

An even more dangerous type of virus is one capable of transmitting itself across networks and bypassing security systems.

Types of virus/program

- File virus: infects program files
- Boot sector virus: infects the boot sector, the part of every hard disk or diskette that is read at start-up
- Stealth virus: hides from virus detection programs, for example by concealing its presence in boot records or files
- Trojan: a small program that performs an unexpected function while hiding inside what appears to be a valid program
- Logic bomb: a program that is executed when a specific act is performed


Types of virus/program (cont)

- Time bomb: a program that is activated at a certain time or date, such as Friday the 13th or April 1st
- Worm: a self-replicating program that copies itself and uses up memory, but does not attach itself to other programs; it spreads on its own, typically across networks
- Dropper: a program that installs a virus while performing another function

Types of virus/program (cont)

- Macro virus: a piece of self-replicating code written in an application's macro language. Melissa, for example, was a well publicised macro virus.


Tutorial question

Information system management and security on the Internet. Discuss.


References

- Barbara C. McNurlin and Ralph H. Sprague (2003): Information Systems Management in Practice, 6th edition, Prentice Hall.
- Kioskea, IT Security - Introduction to IT Security, http://en.kioskea.net/contents/secu/secuintro.php3, accessed on 15/03/2010.
- Abdisalam Issa-Salwe, Taibah University Lecture Notes, 2010.
- Rackspace, Securing an IT Infrastructure: A Decision Maker's Guide to Securing an IT Infrastructure, A Rackspace White Paper, 2010.