Lecture 25

Uploaded by Ratish Kakkad, May 2020 (PDF, 23 slides)
Managing Information Systems
Information Systems Security and Control, Part 2 (Section 14.2)

Objectives
• Demonstrate that Information System vulnerabilities can be controlled
• Demonstrate the ways in which Information Systems can be controlled in an organisation
• Demonstrate some of the technologies that can be used to control Information Systems vulnerabilities

Controlling Information Systems
• Recall there are numerous threats to Information Systems
  – Hardware failures
  – Software failures
  – Upgrade issues
  – Disasters
  – Malicious intent

Controlling Information Systems
• To minimise the likelihood of threats, we must control the environment in which Information Systems are developed and deployed
• Controls are put in place to:
  – Manually control the environment of Information Systems
  – Automatically add controls to Information Systems

Controlling Information Systems
• Implemented through
  – Policies
  – Procedures
  – Standards
• Control must be considered through all stages of Information Systems analysis, construction, deployment, operations and maintenance

Controlling Information Systems
• What sort of controls can be put in place?

Controls
• General controls
  – Controls for the design, security and use of Information Systems throughout the organisation
• Application controls
  – Specific controls for each application
  – Specific to the user functionality of that application

General Controls
• Implementation controls
  – Audit system development
  – Ensure development is properly managed and controlled
  – Ensure user involvement
  – Ensure procedures and standards are in use
• Software controls
  – Authorised access to systems

General Controls
• Hardware controls
  – Physically secure hardware
  – Monitor for and fix malfunctions
  – Environmental systems and protection
  – Backup of disk-based data

General Controls
• Computer operations controls
  – Day-to-day operations of Information Systems
  – Procedures
  – System set-up
  – Job processing
  – Backup and recovery procedures

General Controls
• Data security controls
  – Prevent unauthorised access, change or destruction
  – Apply both when data is in use and when it is being stored
  – Physical access to terminals
  – Password protection
  – Data-level access controls
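The software controls ("authorised access to systems") and the data-level access controls above come down to one decision, made on every access and recorded whether it is granted or refused. The following is an added example, not part of the lecture slides: a small role-based, data-level access check with an audit trail. The roles, permission table, users and records are constructed sample data, and the class and function names are the example's own.

```python
# Added example (not from the lecture slides): data-level access control with an
# audit trail. Roles, permissions, users and records are constructed sample data.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Which actions each role may perform on data of each classification level.
# Anything not listed is denied (deny by default).
ROLE_PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "clerk":   {"public": {"read"}, "internal": {"read", "write"}},
    "manager": {"public": {"read"}, "internal": {"read", "write"},
                "confidential": {"read"}},
    "auditor": {"public": {"read"}, "internal": {"read"},
                "confidential": {"read"}},
}

# Constructed user-to-role assignment; a real system would take this from the
# directory or HR system and review it periodically.
USER_ROLES: Dict[str, str] = {"alice": "clerk", "bob": "manager", "carol": "auditor"}


@dataclass(frozen=True)
class Record:
    record_id: str
    classification: str   # "public", "internal" or "confidential"
    content: str


@dataclass
class AccessControl:
    user_roles: Dict[str, str]
    # (user, action, record_id, allowed) for every attempt, granted or not
    audit_log: List[Tuple[str, str, str, bool]] = field(default_factory=list)

    def is_allowed(self, user: str, action: str, record: Record) -> bool:
        """Pure decision: does this user's role permit this action on this record?"""
        role = self.user_roles.get(user)
        if role is None:
            return False                      # unknown user: deny
        level_perms = ROLE_PERMISSIONS.get(role, {})
        return action in level_perms.get(record.classification, set())

    def access(self, user: str, action: str, record: Record) -> str:
        """Enforce the decision and log the attempt either way."""
        allowed = self.is_allowed(user, action, record)
        self.audit_log.append((user, action, record.record_id, allowed))
        if not allowed:
            raise PermissionError(f"{user} may not {action} {record.record_id}")
        return record.content

    def denied_attempts(self) -> List[Tuple[str, str, str, bool]]:
        """What a supervisor would review: every refused access."""
        return [entry for entry in self.audit_log if not entry[3]]


def demo() -> AccessControl:
    """Run a few constructed accesses and return the controller with its audit log."""
    ac = AccessControl(USER_ROLES)
    salary = Record("REC-7", "confidential", "salary data")
    memo = Record("REC-8", "internal", "team memo")
    for user, action, rec in [("alice", "read", salary), ("bob", "read", salary),
                              ("carol", "write", memo), ("mallory", "read", memo)]:
        try:
            ac.access(user, action, rec)
        except PermissionError:
            pass                              # refused; already recorded in the log
    return ac


if __name__ == "__main__":
    controller = demo()
    for entry in controller.audit_log:
        print(entry)
```

Two design points carry the control: the decision is deny-by-default (an unknown user, an unknown role or an unlisted classification all fail closed), and the log records refused attempts as well as granted ones, since the refusals are what supervision and auditing need to see.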

General Controls
• Administrative controls
  – Ensure organisational policies, procedures and standards are enforced
  – Segregation of functions to reduce errors and fraud
  – Supervision of personnel to ensure policies and procedures are being adhered to

Application Controls
• Input controls
  – Data is accurate and consistent on entry
  – Direct keying of data, double entry or automated input
  – Data conversion, editing and error handling
  – Field validation on entry
  – Input authorisation and auditing
  – Checks on totals to catch errors

Application Controls
• Processing controls
  – Data is accurate and complete on processing
  – Checks on totals to catch errors
  – Compare to master records to catch errors
  – Field validation on update

Application Controls
• Output controls
  – Data is accurate, complete and properly distributed on output
  – Checks on totals to catch errors
  – Review processing logs
  – Track recipients of data
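The input and processing controls on the preceding slides (field validation, checks on totals, comparison to master records) are easiest to see working together on one batch. The following is an added example, not part of the lecture slides: a constructed batch of account transactions is checked against the control totals from its batch slip, each record is field-validated, and the accepted records are posted against a constructed master file with a run-to-run total proving nothing was lost in processing. The account format, the master file and all amounts are constructed, and the function names are the example's own.

```python
# Added example (not from the lecture slides): input and processing controls applied
# to a constructed batch of account transactions and a constructed master file.
import re
from decimal import Decimal, InvalidOperation
from typing import Dict, List, Tuple

ACCOUNT_RE = re.compile(r"^ACC-\d{6}$")          # constructed account number format

# Constructed master file: account number -> current balance.
MASTER: Dict[str, Decimal] = {
    "ACC-000101": Decimal("500.00"),
    "ACC-000102": Decimal("120.00"),
}

# Constructed input batch as keyed by an operator from a paper batch slip.
BATCH: List[Dict[str, str]] = [
    {"account": "ACC-000101", "type": "debit",  "amount": "200.00"},
    {"account": "ACC-000102", "type": "credit", "amount": "80.00"},
    {"account": "ACC-999999", "type": "credit", "amount": "10.00"},   # no master record
    {"account": "ACC-000102", "type": "debit",  "amount": "250.00"},  # exceeds balance
    {"account": "BAD",        "type": "credit", "amount": "5.00"},    # fails field validation
]
# Control totals written on the batch slip before keying (constructed).
SLIP_COUNT = 5
SLIP_HASH_TOTAL = Decimal("545.00")   # 200 + 80 + 10 + 250 + 5


def _amount(txn: Dict[str, str]):
    try:
        return Decimal(txn.get("amount", ""))
    except InvalidOperation:
        return None


def validate_fields(txn: Dict[str, str]) -> List[str]:
    """Field validation on entry: format, allowed values, and a sensible amount."""
    errors = []
    if not ACCOUNT_RE.match(txn.get("account", "")):
        errors.append("account format")
    if txn.get("type") not in ("credit", "debit"):
        errors.append("type")
    amount = _amount(txn)
    if amount is None:
        errors.append("amount not numeric")
    elif amount <= 0:
        errors.append("amount not positive")
    return errors


def control_totals(batch: List[Dict[str, str]]) -> Tuple[int, Decimal]:
    """Record count and hash total of amounts, as an operator computes them by hand."""
    amounts = [a for a in (_amount(t) for t in batch) if a is not None]
    return len(batch), sum(amounts, Decimal("0"))


def input_control(batch, slip_count: int, slip_hash_total: Decimal):
    """Input controls: the keyed batch must match the slip totals (catches lost or
    mis-keyed records), then each record must pass field validation."""
    count, hash_total = control_totals(batch)
    if (count, hash_total) != (slip_count, slip_hash_total):
        raise ValueError(f"batch totals mismatch: keyed {count}/{hash_total}, "
                         f"slip {slip_count}/{slip_hash_total}")
    accepted, rejected = [], []
    for txn in batch:
        errors = validate_fields(txn)
        if errors:
            rejected.append((txn, errors))
        else:
            accepted.append(txn)
    return accepted, rejected


def process(accepted, master: Dict[str, Decimal]):
    """Processing controls: compare each transaction to its master record and prove
    completeness with a run-to-run total (opening balance + net postings == closing)."""
    master = dict(master)                     # never update the master file in place
    opening_total = sum(master.values(), Decimal("0"))
    posted, rejected, net = [], [], Decimal("0")
    for txn in accepted:
        account, amount = txn["account"], Decimal(txn["amount"])
        if account not in master:
            rejected.append((txn, "no master record"))
            continue
        if txn["type"] == "debit" and amount > master[account]:
            rejected.append((txn, "debit exceeds balance"))
            continue
        delta = amount if txn["type"] == "credit" else -amount
        master[account] += delta
        net += delta
        posted.append(txn)
    closing_total = sum(master.values(), Decimal("0"))
    if closing_total != opening_total + net:  # would indicate a processing fault
        raise RuntimeError("run-to-run total mismatch")
    return master, posted, rejected


def run_batch():
    accepted, input_rejects = input_control(BATCH, SLIP_COUNT, SLIP_HASH_TOTAL)
    master, posted, process_rejects = process(accepted, MASTER)
    return master, posted, input_rejects, process_rejects


if __name__ == "__main__":
    new_master, ok, bad_input, bad_process = run_batch()
    print("posted:", len(ok), "input rejects:", bad_input, "processing rejects:", bad_process)
    print("closing balances:", new_master)
```

Note what each control catches and what it does not: the hash total in this batch matches the slip even though two records are bad, because control totals detect lost or mis-keyed records, not wrong content; field validation catches the malformed account number, and only the comparison with the master file catches the unknown account and the overdrawing debit. The run-to-run total at the end is the processing-side check on totals.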

Protecting Information Systems
• What sorts of technology can we use to implement Information Systems controls?

Protecting Information Systems
• Information Systems, especially TPS (transaction processing systems), require high degrees of availability
• Technology is available to ensure systems are available and contain accurate information

High Availability Computing
• Systems available for most of the time (some downtime allowed)
  – Recover quickly from crash / downtime
  – Redundant servers and clustering
  – Mirroring of data and networked storage
  – Load balancing
  – Scalable and robust infrastructure
  – Disaster recovery planning
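Redundant servers, load balancing and quick recovery from a crash are one mechanism seen from three sides. The following is an added example, not part of the lecture slides: a small dispatcher that spreads requests round-robin over redundant servers, retries on another server when one fails, takes a repeatedly failing server out of rotation, and lets a health check put it back. The backends are constructed stand-ins (plain functions) for real servers, and the class and function names are the example's own.

```python
# Added example (not from the lecture slides): a small dispatcher that spreads requests
# across redundant servers and fails over when one of them crashes. The backends and
# their behaviour are constructed stand-ins for real servers.
import itertools
from typing import Callable, List, Tuple


class Backend:
    def __init__(self, name: str, handler: Callable[[str], str]) -> None:
        self.name = name
        self.handler = handler      # simulates sending the request to this server
        self.healthy = True
        self.failures = 0


class LoadBalancer:
    """Round-robin over healthy backends; a backend that fails max_failures times in a
    row is taken out of rotation until a health check puts it back."""

    def __init__(self, backends: List[Backend], max_failures: int = 2) -> None:
        self.backends = backends
        self.max_failures = max_failures
        self._rotation = itertools.cycle(range(len(backends)))

    def _next_healthy(self) -> Backend:
        for _ in range(len(self.backends)):
            candidate = self.backends[next(self._rotation)]
            if candidate.healthy:
                return candidate
        raise RuntimeError("no healthy backends")     # total outage: redundancy exhausted

    def dispatch(self, request: str) -> Tuple[str, str]:
        """Return (backend name, response); retry on another backend after a failure."""
        for _ in range(len(self.backends)):
            backend = self._next_healthy()
            try:
                response = backend.handler(request)
                backend.failures = 0
                return backend.name, response
            except Exception:
                backend.failures += 1
                if backend.failures >= self.max_failures:
                    backend.healthy = False         # stop sending traffic to it
        raise RuntimeError(f"request {request!r} failed on every backend")

    def health_check(self, probe: Callable[[Backend], bool]) -> None:
        """Periodic check that returns recovered backends to rotation."""
        for backend in self.backends:
            if not backend.healthy and probe(backend):
                backend.healthy, backend.failures = True, 0


def crashing(request: str) -> str:
    raise ConnectionError("server down")            # constructed failure


def simulate(n_requests: int = 7):
    """Serve n requests across A (up), B (crashed) and C (up); return which backend
    served each request and which backends ended up out of rotation."""
    lb = LoadBalancer([Backend("A", lambda r: f"A:{r}"),
                       Backend("B", crashing),
                       Backend("C", lambda r: f"C:{r}")])
    served = [lb.dispatch(f"req{i}")[0] for i in range(n_requests)]
    out = [b.name for b in lb.backends if not b.healthy]
    return served, out


if __name__ == "__main__":
    print(simulate())
```

Every request in the simulation is answered even though one of the three servers is down for the whole run: the first two failures cost a retry each, after which B is skipped entirely. This is the "some downtime allowed" side of high availability; the fault-tolerant hardware on the next slide aims to hide even those retries.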

Fault Tolerant Computing
• Systems available all the time (no downtime allowed)
  – Specialist hardware
    • HP NonStop (Tandem), Stratus
  – Detect and correct faults in hardware and software to keep processing

Network Security
• Permanent (open) network connectivity: Internet, Extranet, wireless
  – Firewall: proxy or stateful inspection
  – Firewalls must be managed and be part of the security policy
  – Encryption: public key, SSL or S-HTTP
  – Authentication and integrity
  – Digital signatures and certificates
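The slide distinguishes stateful inspection from simpler filtering without saying what the state buys. The following is an added example, not part of the lecture slides: a toy stateful-inspection packet filter run over a constructed packet trace, next to the decision a filter with no connection memory would make for the same packets. The addresses, ports and the policy (one exposed web server, everything else inbound denied unless the inside started the flow) are constructed, and the class and function names are the example's own.

```python
# Added example (not from the lecture slides): a toy stateful-inspection packet filter,
# shown next to the decision a stateless packet filter would make for the same packets.
# Addresses, ports and the policy are constructed.
from dataclasses import dataclass
from typing import Set, Tuple

ACCEPT, DROP = "ACCEPT", "DROP"
INTERNAL_PREFIX = "10.0.0."                          # constructed internal network
# Services the policy exposes to the outside: (address, port).
ALLOWED_INBOUND: Set[Tuple[str, int]] = {("10.0.0.5", 443)}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag: set on the first packet of a connection
    ack: bool = False   # TCP ACK flag: set on every packet after the first


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def stateless_decision(pkt: Packet) -> str:
    """A filter with no memory can only look at the packet in front of it. To let
    replies to outbound connections back in, it has to trust the ACK flag."""
    if is_internal(pkt.src):
        return ACCEPT
    if (pkt.dst, pkt.dport) in ALLOWED_INBOUND:
        return ACCEPT
    return ACCEPT if pkt.ack else DROP        # any ACK-flagged packet is waved through


class StatefulFirewall:
    """Keeps a table of connections it has seen start, so an inbound packet is only
    accepted when it belongs to a flow the inside initiated or to an exposed service."""

    def __init__(self) -> None:
        self.connections: Set[Tuple[str, int, str, int]] = set()

    def _known(self, pkt: Packet) -> bool:
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return forward in self.connections or reverse in self.connections

    def decide(self, pkt: Packet) -> str:
        if self._known(pkt):
            return ACCEPT                             # part of an established flow
        new_connection = pkt.syn and not pkt.ack
        if not new_connection:
            return DROP                               # no state for it: unsolicited
        if is_internal(pkt.src) or (pkt.dst, pkt.dport) in ALLOWED_INBOUND:
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return ACCEPT
        return DROP


# Constructed packet trace: an outbound HTTPS connection and its reply, an unsolicited
# inbound ACK, a connection to the exposed web server and one to an unexposed port.
TRACE = [
    Packet("10.0.0.7", 40001, "203.0.113.9", 443, syn=True),
    Packet("203.0.113.9", 443, "10.0.0.7", 40001, syn=True, ack=True),
    Packet("203.0.113.9", 443, "10.0.0.7", 40002, ack=True),
    Packet("198.51.100.4", 51000, "10.0.0.5", 443, syn=True),
    Packet("198.51.100.4", 51001, "10.0.0.5", 22, syn=True),
]


def compare(trace=TRACE):
    """Return (stateful decisions, stateless decisions) for the trace, in order."""
    fw = StatefulFirewall()
    return [fw.decide(p) for p in trace], [stateless_decision(p) for p in trace]


if __name__ == "__main__":
    for pkt, stateful, stateless in zip(TRACE, *compare()):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
              f"  stateful={stateful}  stateless={stateless}")
```

The two filters agree on four of the five packets and differ on the third: the stateless rule has to accept any inbound packet carrying the ACK flag, because that is the only evidence it has that the packet is a reply, whereas the stateful filter drops it because no inside host ever opened that connection. A production filter would also remove table entries on connection close and after an idle timeout, which this toy omits.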

Developing Control
• Lots of threats to Information Systems
• Lots of controls required
• The decision on which controls to use is based upon the likelihood of the threat and the cost
• Risk assessment
  – Likely frequency of threat
  – Cost of damage
  – Cost of implementation
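The three risk-assessment inputs on the slide combine into one decision rule: likely frequency times cost of damage gives the expected annual loss from a threat, and a control is worth its cost of implementation if the loss it avoids exceeds that cost. The following is an added example, not part of the lecture slides, that applies this rule to constructed figures for several threats and candidate controls and ranks the controls by net benefit; the threat names, frequencies, damage costs, control costs and reduction fractions are all constructed, and the function names are the example's own.

```python
# Added example (not from the lecture slides): the risk-assessment decision rule from
# the slide, expected loss versus control cost, applied to constructed figures.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    frequency_per_year: float   # likely frequency of the threat
    damage_cost: float          # cost of damage per occurrence


@dataclass(frozen=True)
class Control:
    name: str
    threat: str                 # which threat it addresses
    annual_cost: float          # cost of implementation, per year
    reduction: float            # fraction of the expected loss the control removes (0..1)


def expected_annual_loss(threat: Threat) -> float:
    """Likely frequency x cost of damage."""
    return threat.frequency_per_year * threat.damage_cost


def evaluate(threats: List[Threat], controls: List[Control]) -> List[Tuple[str, float]]:
    """Net annual benefit (loss avoided minus implementation cost), best first."""
    by_name: Dict[str, Threat] = {t.name: t for t in threats}
    scored = []
    for control in controls:
        avoided = expected_annual_loss(by_name[control.threat]) * control.reduction
        scored.append((control.name, round(avoided - control.annual_cost, 2)))
    return sorted(scored, key=lambda item: item[1], reverse=True)


def recommend(threats: List[Threat], controls: List[Control]) -> List[str]:
    """Controls worth implementing: those whose avoided loss exceeds their cost."""
    return [name for name, net in evaluate(threats, controls) if net > 0]


# Constructed figures; every threat below has the same expected annual loss (10,000),
# yet the decisions differ because the controls cost different amounts.
THREATS = [
    Threat("disk failure", frequency_per_year=2.0, damage_cost=5_000),
    Threat("fire", frequency_per_year=0.02, damage_cost=500_000),
    Threat("insider fraud", frequency_per_year=0.5, damage_cost=20_000),
]
CONTROLS = [
    Control("mirrored disks and backups", "disk failure", annual_cost=3_000, reduction=0.9),
    Control("hot standby site", "fire", annual_cost=40_000, reduction=0.95),
    Control("off-site backups", "fire", annual_cost=2_000, reduction=0.6),
    Control("segregation of duties", "insider fraud", annual_cost=1_500, reduction=0.5),
]

if __name__ == "__main__":
    for name, net in evaluate(THREATS, CONTROLS):
        print(f"{name:30s} net benefit per year: {net:>10,.2f}")
    print("recommended:", recommend(THREATS, CONTROLS))
```

The point of giving every threat the same expected loss is that the ranking is then decided entirely by the controls: the expensive hot standby site avoids more loss than the off-site backups but costs far more than the fire risk justifies, so the cheaper control wins for the same threat.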

HOMEWORK
