Chapter 12. Information Security Management


We Have to Design It for Privacy... and Security
Tension between Maggie and Ajit regarding terminology to use with Dr. Flores. Overly technical communication is a common problem for techies when talking with business professionals. Maggie and Ajit discuss security design later.
Copyright 2015 Pearson Education, Inc.

PRIDE Design for Security

Study Questions
Q1: What is the goal of information systems security?
Q2: How big is the computer security problem?
Q3: How should you respond to security threats?
Q4: How should organizations respond to security threats?
Q5: How can technical safeguards protect against security threats?
Q6: How can data safeguards protect against security threats?
Q7: How can human safeguards protect against security threats?
Q8: How should organizations respond to security incidents?
Q9: 2024?

Q1: What Is the Goal of Information Systems Security?

Examples of Threat/Loss

What Are the Sources of Threats?

What Types of Security Loss Exist?
Unauthorized Data Disclosure
Pretexting
Phishing
Spoofing
  IP spoofing
  Email spoofing
Drive-by sniffers
Hacking
Natural disasters

Incorrect Data Modification
Procedures incorrectly designed or not followed.
Increasing a customer's discount or incorrectly modifying an employee's salary.
Placing incorrect data on the company Web site.
Improper internal controls on systems.
System errors.
Faulty recovery actions after a disaster.

Faulty Service
Incorrect data modification
Systems working incorrectly
Procedural mistakes
Programming errors
IT installation errors
Usurpation
Denial of service (unintentional)
Denial-of-service attacks (intentional)

Loss of Infrastructure
Human accidents.
Theft and terrorist events.
Disgruntled or terminated employee.
Natural disasters.
Advanced Persistent Threat (APT): sophisticated, possibly long-running computer hack perpetrated by large, well-funded organizations.

Goal of Information Systems Security
Find an appropriate trade-off between the risk of loss and the cost of implementing safeguards.
Use good antivirus software.
Delete browser cookies.
Get in front of the security problem by making appropriate trade-offs for your life and your business.

Q2: How Big Is the Computer Security Problem?
Computer Crime Costs per Organizational Respondent

Average Computer Crime Cost and Percent of Attacks by Type (5 Most Expensive Types)

Ponemon Study Findings (2012)
It is difficult to estimate the exact cost of a computer crime.
Cost of computer crime is usually based on surveys.
Data loss is the single most expensive consequence of computer crime, accounting for 44% of costs in 2012.
80% of respondents believe data on mobile devices poses significant risks.

Ponemon 2012 Studies Summary
Median cost of computer crime increasing.
Malicious insiders increasingly serious security threat.
Data loss is principal cost of computer crime.
Survey respondents believe mobile device data a significant security threat.
Security safeguards work.

Q3: How Should You Respond to Security Threats?
Personal Security Safeguards

Using MIS InClass Exercise 12: Phishing for Credit Cards, Identifying Numbers, Bank Accounts
Assume you and a group of other students will investigate phishing attacks.
Search the Web for phishing; be aware that your search may bring the attention of an active phisher.
Do not give any data to any site you visit as part of this exercise!

Q4: How Should Organizations Respond to Security Threats?

Security Policy Should Stipulate
What sensitive data the organization will store.
How it will process that data.
Whether data will be shared with other organizations.
How employees and others can obtain copies of data stored about them.
How employees and others can request changes to inaccurate data.
What employees can do with their own mobile devices at work.
As a new hire, seek out your employer's security policy.

Ethics Guide: Securing Privacy
The best way to solve a problem is not to have it.
Resist providing sensitive data.
Don't collect data you don't need.
Gramm-Leach-Bliley (GLB) Act, 1999
Privacy Act of 1974
Health Insurance Portability and Accountability Act (HIPAA), 1996
Australian Privacy Act of 1988: government, healthcare data, records maintained by businesses with revenues in excess of AU$3 million.

Ethics Guide: Securing Privacy: Wrap Up
As a business professional, you have the responsibility to consider legality, ethics, and wisdom when you request, store, or disseminate data.
Think carefully about emails that you open over public wireless networks.
Use long and strong passwords.

Q5: How Can Technical Safeguards Protect Against Security Threats?

Essence of https (SSL or TLS)

Use of Multiple Firewalls

Malware Protection
1. Antivirus and antispyware programs.
2. Scan frequently.
3. Update malware definitions.
4. Open email attachments only from known sources.
5. Install software updates.
6. Browse only reputable Internet neighborhoods.

Malware Types and Spyware and Adware Symptoms
Viruses
Payload
Trojan horses
Worms
Beacons

Design for Secure Applications
SQL injection attack
User enters a SQL statement into a form instead of a name or other data.
Accepted code becomes part of the database commands issued.
Improper data disclosure, data damage, and loss possible.
Well-designed applications make injections ineffective.
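As an added example (not from the textbook or this slide deck), the defect described above beside the parameterised form that makes it ineffective, using Python's sqlite3 module against a constructed in-memory customers table:

```python
import sqlite3

# Constructed sample data (not from the textbook) so the demo runs offline.
CUSTOMERS = [("alice", 5), ("bob", 10)]


def make_db():
    """Build an in-memory customers table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, discount INTEGER)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, name):
    """The defect the slide describes: form input is pasted into the SQL
    text, so whatever the user typed becomes part of the command."""
    sql = "SELECT name, discount FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened form: a parameterised query. The driver passes the input as
    a value, so it can never change the structure of the statement."""
    sql = "SELECT name, discount FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed input that is a SQL fragment rather than a name.
    injected = "' OR '1'='1"
    # Vulnerable: the WHERE clause is now always true, disclosing every row.
    print(lookup_vulnerable(db, injected))   # both customers
    # Safe: no customer is literally named "' OR '1'='1", so nothing matches.
    print(lookup_safe(db, injected))         # []
    print(lookup_safe(db, "alice"))          # [('alice', 5)]
```

The same input yields every row from the vulnerable lookup and no rows from the parameterised one; the data-disclosure risk on the slide is the difference between those two results.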

Q6: How Can Data Safeguards Protect Against Security Threats?

Q7: How Can Human Safeguards Protect Against Security Threats?

Account Administration
Account Management: standards for new user accounts, modification of account permissions, and removal of accounts that are not needed.
Password Management: users should change passwords frequently.
Help Desk Policies

Sample Account Acknowledgment Form

Systems Procedures

Q8: How Should Organizations Respond to Security Incidents?

Security Wrap Up
Be aware of threats to computer security as an individual, business professional, or an employee.
Know trade-offs of loss risks and the cost of safeguards.
Ways to protect your computing devices and data.
Understand technical, data, and human safeguards.
Understand how organizations should respond to security incidents.

Q9: 2024
APTs more common, inflicting serious damage.
Continued concern about balance of national security and data privacy.
Computer crimes targeting mobile devices lead to improved operating system security.
Improved security procedures and employee training.
Criminals focus on less protected mid-sized and smaller organizations, and individuals.
Electronic lawlessness by organized gangs.
Strong local electronic sheriffs, an electronic border, and enforcement of existing laws?

Guide: Metasecurity
What are the security problems?
What are the managers' responsibilities for controls over the security system?
All major software vendors are obvious targets for security attacks against their networks. What do these companies do to prevent this?
What extra precautions can you take when you hire and manage employees such as white-hat hackers?

Guide: The Final, Final Word
Routine work will migrate to countries with lower labor costs.
Be a symbolic-analytic worker:
  Abstract thinking
  How to experiment
  Systems thinking
  Collaboration
The best is yet to come! What you do with it is up to you.

Active Review
Q1: What is the goal of information systems security?
Q2: How big is the computer security problem?
Q3: How should you respond to security threats?
Q4: How should organizations respond to security threats?
Q5: How can technical safeguards protect against security threats?
Q6: How can data safeguards protect against security threats?
Q7: How can human safeguards protect against security threats?
Q8: How should organizations respond to security incidents?
Q9: 2024

Case 12: Will You Trust FIDO?
One-third of all people record passwords somewhere, whether on a sticky note or in a computer file.
Malicious code searches for files that include "password" or some variant.
Many web sites offer to authenticate you using your Facebook or other common credentials.
Use credentials only at the site where they were created.

Alternatives to Passwords
Biometric: fingerprints, retinal scans, keystroke rhythm.
Picture password in Windows 8: user makes three gestures over a photo.
Asking user to name people in a group photo or provide facts about people in the photo.
One defect: if a user's authentication is compromised once, it is compromised for all sites where that authentication method is used.

Fast Identity OnLine (FIDO)

Will You Trust FIDO? Probably
FIDO does not eliminate the need to send private data over the Internet, but substantially reduces it.
Password or PIN never sent over a network.
Forming open standards and asking the community to find holes and problems long before the standard is implemented.
Support of major, well-funded organizations.
