Managing and Securing the Information System (Chapter 5)

“Over 60% of the people who have a security breach, have a breach on systems that they aren't actively managing. If we would just take the time to understand where our critical information is, and then manage those systems properly, the risk reduction would be enormous.”
Dorian Cougias, Network Frontiers
Computer Dependence
How important are computers to hospitality organizations? Turn the computer system off during a rush period and observe the consequences. Keeping computer downtime to a minimum in guest-related areas (e.g., reservations and front desk) is critical.

Mission-Critical Systems
Mission-critical systems are systems whose reliable performance is crucial to the successful performance of the organization in which they are used. For a hotel, the mission-critical systems are the central reservation system (CRS) and the property management system (PMS). For a restaurant, the mission-critical system is the point-of-sale (POS) system.

Maintaining the Systems
To make sure that these systems stay up and running, there needs to be a systematic approach to maintaining them at each level:
- Enterprise level
- Unit level (restaurant or hotel)
- User level (remote access by guests or staff)

All businesses are subject to business disruptions
The causes vary and include:
- Fire
- Flood
- Earthquakes
- Vandalism
- Theft
- Human error
- Utility disruptions (such as power outages)
- Malicious threats from outsiders, or misuse of systems

Disaster Contingency Recovery Plan
Although a DCRP is vital, it is primarily a reactive approach (i.e., a corrective control) and not a comprehensive plan for risk management. In contrast, a business continuity plan (BCP) seeks to eliminate or reduce the impact of a disaster condition before the condition occurs.

Business Continuity Plan
Business continuity planning (BCP) is an interdisciplinary concept used to create and validate a practiced logistical plan for how an organization will recover and restore partially or completely interrupted critical function(s) within a predetermined time after a disaster or extended disruption.

Common Causes of System Failure
- Operator error
- Hardware failure
- Power problems
- Software bugs
- System overload
- Viruses
- Spyware
(Slide image: keylogger hardware)

Operator Error
Various operator errors can cause system failure. Common errors include improper handling of lengthy processing routines (e.g., the end-of-day audit), database maintenance (e.g., changing and deleting data), and hardware (e.g., moving a hard disk without parking the read/write head). Thorough training and carefully established procedures reduce operator mistakes.
Hardware Failure
Five basic measures reduce hardware malfunctions:
- Keep the temperature and relative humidity at the appropriate levels
- Keep equipment clean
- Keep magnets away from computers
- Keep water and corrosive agents away from computers
- Establish a preventive maintenance program

Fault-Tolerant
A fault-tolerant computer is equipped with a backup system enabling it to function despite the failure of certain internal hardware components, such as a hard drive or disk controller card.

Storage Area Network
A storage area network (SAN) is an architecture for attaching remote computer storage devices, such as disk arrays, to servers in such a way that, to the operating system, the devices appear as locally attached.

Redundant Array of Independent Disks (RAID)
Internet Security Challenges
Power Problems
Power line trouble causes 70 percent of hardware and software failures. Symptoms include burned components, garbled transactions, memory loss, corrupted data, lost data, and unexplained intermittent problems.

Power Problems
To avoid power disturbances, implement the following measures:
- Surge protection
- Proper wiring and grounding
- Uninterruptible power supply (UPS)

UPS
A user-level surge protection.

Software Bug
A bug is a logic error in a program that prevents it from working properly. For example, one hospitality accounting program aborts if the user forgets to turn on the printer before printing a financial statement.

System Overload
Placing too many demands on a computer can greatly diminish its performance and may cause system failure. Causes of system overload include:
- Insufficient central processing unit (CPU) clock speed
- Inadequate random access memory (RAM)
- Slow mechanical components
- File fragmentation
- Inadequate disk storage

External hard drive that can be connected to a computer by USB or FireWire

Virus
A virus spreads by copying itself from one program to the next, changing or destroying each program it infects without the user knowing it. The carrier of a virus, a program that appears legitimate, is called a Trojan horse.

What to do in a Virus Attack
- Isolate and disconnect
- Remove the virus
- Restore your data
- Reinstall programs
- Scan for viruses
- Restore files
- Document the process
- Prevent future infection
- Learn from your mistakes

Restaurant Network Security
A computer security study was conducted among restaurant managers: 24% of the restaurant networks had a computer network attack within the last 12 months. On average, the restaurants received 1-5 network attacks within the last 12 months.

Attack Types
- Virus attack (71.4%)
- Insider abuse of net access (57.1%)
- Laptop theft (42.9%)
- Spoofing (39.3%) (using someone else's resources for spam or illegal activity)
Protection from Attacks
The most used protection tools are anti-virus software (86.2%), hardware firewalls (79.3%) and physical security (75.9%). The least used network security tools are honeypots (7.7%) and biometrics (14.8%).

Spyware
Spyware is computer software that is installed secretly on a computer to intercept or take partial control over the user's interaction with the computer, without the user's informed consent.

Backup Strategies
- Backup frequency
- Backup method
- Rotation of secondary storage media
- Hardcopy

Computer Security
Security violation examples include:
- Salespeople copying the hotel client list onto a USB drive and selling it to a competitor
- Front-desk clerks receiving cash to settle guest folios, but instead pocketing the cash and transferring the outstanding balance to a bogus city ledger account or “black hole” account
- Employees gaining access to payroll records and changing wage rates
- Servers voiding entrée items off guest checks after collecting cash

Security Problems
- The keyboard: using obvious passwords; not regularly changing passwords
- Hackers
- Communication line
- Internet
- Physical access

Most Common Passwords

Encryption
When transmitting data over the Internet, using a secure, encrypted form of communication is also key to secure data transmission. Computer encryption is based on the science of cryptography, which has been used throughout history.
Video: Encryption of Credit Card Data
Phishing
Phishing is a technique used by strangers to "fish" for information about you, information that you would not normally disclose to a stranger, such as your bank account number, PIN, and other personal identifiers such as your National Insurance number. These messages often contain company/bank logos that look legitimate and use flowery or legalistic language about improving security by confirming your identity details.

Phishing example

IT Compliance
Keeping IT systems in line with local, state, national and international laws, regulations, standards, and policies. The Payment Card Industry Council is a consortium of credit-card-issuing brands: Visa, Incorporated; American Express; MasterCard Worldwide; Discover Financial Services; and JCB International.

PCI DSS
The PCI Council formed this consortium to improve the security of the global payment system by protecting consumers, merchants and banks from fraud and hacking. The consortium has created a set of Data Security Standards governing the protection of all sensitive cardholder data stored electronically or on paper.
Video: PCI DSS Explained
Website: PCI DSS
PCI DSS
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Requirement 12: Maintain a policy that addresses information security
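One concrete way a POS or PMS can satisfy Requirement 3 (protect stored cardholder data), as an added example that is not part of the chapter: validate the card number as typed, keep only a masked form for display and a keyed hash for linking transactions, and never store the full PAN. The display rule (first six and last four digits) and the HMAC token are assumptions about common practice, not something the slides state.

```python
"""PAN handling for PCI DSS Requirement 3 (protect stored cardholder data).

Added example, not from the chapter. The display rule (first six and last
four digits) and the keyed-hash token are assumptions about common practice.
"""
import hashlib
import hmac
import re

# Constructed secret for the example; a real system loads it from a key
# store and rotates it, and never hard-codes it.
_EXAMPLE_KEY = b"example-secret-not-for-production"


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    digits = [int(c) for c in pan]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip spaces and dashes as typed at a terminal; reject anything else."""
    pan = re.sub(r"[ -]", "", raw)
    if not pan.isdigit() or not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return pan


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits, the rest replaced by '*'."""
    pan = normalize_pan(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes = _EXAMPLE_KEY) -> str:
    """Keyed hash that links transactions to a card without storing the PAN.
    An unkeyed hash would be brute-forceable over the small space of PANs."""
    pan = normalize_pan(pan)
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def store_record(raw_pan: str, amount_cents: int) -> dict:
    """What a folio or POS record keeps: masked PAN, token, amount; never the PAN."""
    return {"pan_masked": mask_pan(raw_pan), "pan_token": pan_token(raw_pan),
            "amount_cents": amount_cents}
```

The same token value comes back for every transaction on the same card, so reports can group by card while the stored record cannot be turned back into a PAN without the key.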