SlideShare a Scribd company logo

Management Information Systems

M
msd11

this ppt deals with the Information security, threats and control, digital signature,hierarchy of Information baseline. Risk assessment process and security process to handle threats

Related slideshows

Cyber Security Awareness Month 2017-Nugget 3
Cyber Security Awareness Month 2017-Nugget 3Cyber Security Awareness Month 2017-Nugget 3
Cyber Security Awareness Month 2017-Nugget 3
 
Security and management
Security and managementSecurity and management
Security and management
 
Cyber Security Awareness Month 2017- Nugget2
Cyber Security Awareness Month 2017- Nugget2Cyber Security Awareness Month 2017- Nugget2
Cyber Security Awareness Month 2017- Nugget2
 
1 of 32
Download to read offline
Dr. Manjunath VS Director Nitte School of Management Management Information Systems
For Information Assurance Information Security
▪ Confidentiality Non disclosure to unauthorized persons ▪ Integrity Ensuring accuracy, relevancy,& completeness and internal consistency ▪ Availability Providing timely, reliable access to authorized users ▪ Authorization & Authentication Ensures validity of transmission by confirming the validity of sender & Receiver ▪ Non- repudiation of origin Provision of a process to ensure that no party can deny sending & receiving To protect from security threats let us know which are they Five Common Pillars of Security What needs to be taken care about information?
▪ Destruction ▪ Deletion ▪ Bugs infection ▪ Theft ▪ Corruption ▪ Misuse Each of these threats have a character Security Threats
▪ Information is not a tangible thing. ▪ Information cannot be accounted But it is a valuable “Asset” and needs to be protected from the threats. ▪ Organization has large data ,information & IT infrastructure but then Which of it should be secured? The issue is how to search this asset for security response. What is the Problem?
What we need, therefore, is a Process to select, assess, & choose security control measure for each asset, which assures its security. We begin with Baseline information. Solution
Baseline: Beyond which security control is not required ▪ Identify useful information that organization owns. ▪ Label and code it, and put it in a catalogue. ▪ Assign a value to each information entity. ▪ Order it in descending order for deciding security control response. Baseline Information
Baseline Information Asset IT Equipment Personal Software & Applications Data & Information Is made of Hardware With specifications Information Possessed By individuals In paper & Electronic media Software Solutions, Packages, Tools Information Records on paper And in Electronic Media Ledgers, Journals, Registers, Documents Electronic Files , Folders, Databases, E- documents Hierarchy of Information Baseline
The factor of choice is “Risk”. i.e. Risk of not protecting the asset. A risk is the possibility that a threat is capable of exploiting a known weakness ▪ A process which measures this risk is called Risk Assessment. ▪ Risk on assessment is measured in terms of Risk exposure. ▪ Risk Exposure = Probability of Threat occurrence x value of damage due to threat impact. ▪ Security response is directly linked to Risk Exposure. ▪ Higher risk exposure requires higher and tighter security control. This is best handled by a Security management Process. Basic for Choice of Information Security Response
▪ Establish Information asset baseline ▪ Identify threats: Active, Passive & Circumstances ▪ Estimate the asset value assessing criticality ▪ Determine the threats which may occur ▪ Estimate the probability of threat occurrence ▪ Estimate the impact of the threat (damage) ▪ Measure for each information asset a “Risk exposure” ▪ Prioritize the assets by risk exposure Take up each asset for evolving a security response Risk Assessment Process
Criticality Pyramid Level 2 Level 1 Level 4 Level 3 Important for Mission Success Affects Mission achievement No effect on Mission Critical Inf.asset Classified Sensitive Not Sensitive Mission critical Asset could be: Hardware, software, packages, network, database, servers, records, E-manuals Level 1 is least critical and level 4 is most critical Critically of Information Asset
Threats & causes ▪ Destruction: Human error & Natural calamity ▪ Deletion: Human error, System error ▪ Bugs infection: Not protected by anti virus ▪ Theft: By employees or visitors as access to information is not supervised or protected ▪ Corruption: Technical reasons or power failure or malicious attempt to corrupt What are the different threats to Information Asset?
1. Prevention: Focus on Preventing internal, external sources threatening the security 2. Detection: Focus on detection of possible threats and dealing with them by other policy measures 3. Containment: Restricting focus on containing the damage to sensitive information 4. Deterrence: Focus on discouraging possible actions which may be a threat to information security 5. Recovery: Focus on actions which would help to recover the lost information or damage thereof in spite of security controls Security Policies to Handle Threats
For effective security control implementation you need a SMS Objectives of SMS: ▪ Identify information asset in terms of criticality ▪ Select appropriate security control ▪ Implement the control measure ▪ Review & audit the measures to- ▪ Minimize the loss and damage ▪ Recover fast from any threat impact ▪ Prevent, detect, deter the effect of security threat Security Management System [SMS]
1. Information System failure: Hardware, software, Network, communication, Technology. 2. Human actions: Illegal access, Theft, Erroneous operations, and program changes. 3. Natural calamities: Fire, earthquake, Floods, and such other acts. Causes of Threats
Manual Controls 1. Premises: Restricting access control. Recording entry & exits and time spent in the premise jobs done etc. 2. Hardware & software: Checking authenticity, authority, usage rights & recording their operations. 3 System Operations: Setting up authority to initiate operations, putting responsibility for backup & recovery. 4 Data & Information: Access control to databases & servers. Control on changes. Security Controls: Manual & Automated
Input & Output 1. Input data & documents:Control Totals, Document count Source check, & process error stops. Field specifications & checks for validity. Checking Digital signature. 2. Input processing: Introduce data integrity checks Check application of process rules. 3. Output Processing: Confirm correctness, Ensure updates and create backups. Automated Controls
1. Control Access to location 2. Personnel Security 3. Physical security 4. Disaster Recovery plan 5. Laws & Regulations 6. Network security 7. Ensuring software integrity 8. Use of cryptology 9. Secure use of software 10. Controlling human factors 11. Information User Ethics Choice of control is on case to case basis. An asset may be secured by more than one control. Information Security Controls
Hardware, Facilities & IT Infrastructure Threats: Natural calamities, Power failures, Theft, Unauthorized use ▪ Controls: ▪ Design buildings suitably ▪ Separate critical assets from main locations ▪ Store a back up of sensitive asset in different location ▪ Install close circuit camera ▪ Screen employees & visitors ▪ Use biometric access controls Threats & Controls- I
Software & Packages Threats; Theft, Corruption, Unauthorized use & changes ▪ Controls: ▪ Physical Access Controls ▪ Authority & usage rights ▪ Separate change management system ▪ Biometric access controls ▪ Store Duplicates/backups (Mirror image) in other location Threats & Controls- II
Data & Information Threats; Corruption, Unauthorized access & use, Theft ▪ Controls: ▪ Backups ▪ Access controls ▪ Antivirus software ▪ Entry controls ▪ Biometric controls ▪ Authority & Rights structure ▪ Signing privacy & confidentiality contracts Threats & Controls- III
Network Security Threats: Unauthorized entry & usage ▪ Controls: ▪ Fire wall, Proxy servers ▪ Redundant lines for as alternative route ▪ Access controls ▪ Encryption/ Decryption ▪ Biometric controls Threats & Controls- IV
▪ General controls: ▪ Audit of security systems ▪ Maintaining logs and taking reviews ▪ Designing fault tolerant systems ▪ Signing of privacy/confidentiality bonds ▪ Appoint DB administrator ▪ Appoint System administrator ▪ Exposing employees to threats & controls, its impact and their role & responsibilities Threats & Controls- V
E- Business Environment: ▪ Use of Internet/Intranet/Extranet ▪ Web based application development Security controls: ▪ Firewall/Proxy servers: Prevention of unauthorized access ▪ Use of Cryptology: Prevent exposure to unauthorized recipient ▪ Authentication: Use of Public/ Private keys for authenticity ▪ Message Integrity: Ensuring that message is not corrupted ▪ Digital signature: Confirmation of sender’s authenticity Information Security in E-Business
Order value is Rs.20 million. Message Encrypt By code Order value is Rs.20 million. Redro V Rs 0.02 noillim. Cipher Text Decrypt By code Order value is Rs.20 million. Order Value Is Rs 20 Milion Sender Receiver Encrypt code: One example Code rewrite in reverse order Encryption/Decryption Process
▪ Purpose: To ensure trust in electronic transaction, digital signature is used so that parties involved cannot deny its authenticity. ▪ Why Digital signature: Because it cannot be faked. It uses cryptography. They are legally accepted in a court. ▪ Use of Public KEY & Private key. Example: Bank locker has two keys One is of the banker (Public Key) Other is of locker owner (Private Key) Public keys are known to both parties while Private are secret to the holder Digital Signature
Internet Firewall Organization Network Firewall
Firewall: 1. It is essentially a filter dedicated to secure network from unauthorized entry or exit. 2. It is a set of software utilities which hold information security policy of the organization. 3. When entry to network is sought, it checks through the utilities the validity and authority of sender & receiver and the rights, and bars the access to network, if so required. 4. Firewall sits on the router of the network. Firewall for Network Security Internet/Intranet/Extranet
1. Malicious code ▪ Viruses : Attached to the program. ▪ Logic bombs: Installed in the system to execute when certain parameters are met. ▪ Trojan horses: Installed through freeware. 2. Nature of attacks ▪ Password attacks ▪ Insider attacks ▪ Sniffers: Network management tools ▪ Denial of service ▪ IP spoofing: Attacks on IP Address ▪ Hacking: Theft of information Threats to Network
Types of disasters: ▪ Natural: Floods, Tornadoes, Hurricanes, Earthquakes ▪ Man made: Fire, leaks, Telephone/ cable interruptions, Explosions, Building collapse, Crashes, Civil disturbances Disaster Recovery Planning
Disaster Analysis Impacts, Classification, Consequences, Probability Determining Response Specifications Time, Resources, Roles, Responsibilities Escalation steps Personnel Contact Information Response Procedures DRP system Display DRP System Model
Recognition • Expresses the need • Has a concern for security. Awareness • Awareness Training • Informal procedures Understanding • Security planned • SMS in place Control Managed, Measured, Tracked, Improved. Adaptation • Continuous Evolution/Improvement • Threats anticipated & countered Level 1 Level 2 Level 3 Level 4 Level 5 Hierarchy of Secure Practices

More Related Content

Management Information Systems

  • 1. Dr. Manjunath VS Director Nitte School of Management Management Information Systems
  • 3. ▪ Confidentiality Non disclosure to unauthorized persons ▪ Integrity Ensuring accuracy, relevancy,& completeness and internal consistency ▪ Availability Providing timely, reliable access to authorized users ▪ Authorization & Authentication Ensures validity of transmission by confirming the validity of sender & Receiver ▪ Non- repudiation of origin Provision of a process to ensure that no party can deny sending & receiving To protect from security threats let us know which are they Five Common Pillars of Security What needs to be taken care about information?
  • 4. ▪ Destruction ▪ Deletion ▪ Bugs infection ▪ Theft ▪ Corruption ▪ Misuse Each of these threats have a character Security Threats
  • 5. ▪ Information is not a tangible thing. ▪ Information cannot be accounted But it is a valuable “Asset” and needs to be protected from the threats. ▪ Organization has large data ,information & IT infrastructure but then Which of it should be secured? The issue is how to search this asset for security response. What is the Problem?
  • 6. What we need, therefore, is a Process to select, assess, & choose security control measure for each asset, which assures its security. We begin with Baseline information. Solution
  • 7. Baseline: Beyond which security control is not required ▪ Identify useful information that organization owns. ▪ Label and code it, and put it in a catalogue. ▪ Assign a value to each information entity. ▪ Order it in descending order for deciding security control response. Baseline Information
  • 8. Baseline Information Asset IT Equipment Personal Software & Applications Data & Information Is made of Hardware With specifications Information Possessed By individuals In paper & Electronic media Software Solutions, Packages, Tools Information Records on paper And in Electronic Media Ledgers, Journals, Registers, Documents Electronic Files , Folders, Databases, E- documents Hierarchy of Information Baseline
  • 9. The factor of choice is “Risk”. i.e. Risk of not protecting the asset. A risk is the possibility that a threat is capable of exploiting a known weakness ▪ A process which measures this risk is called Risk Assessment. ▪ Risk on assessment is measured in terms of Risk exposure. ▪ Risk Exposure = Probability of Threat occurrence x value of damage due to threat impact. ▪ Security response is directly linked to Risk Exposure. ▪ Higher risk exposure requires higher and tighter security control. This is best handled by a Security management Process. Basic for Choice of Information Security Response
  • 10. ▪ Establish Information asset baseline ▪ Identify threats: Active, Passive & Circumstances ▪ Estimate the asset value assessing criticality ▪ Determine the threats which may occur ▪ Estimate the probability of threat occurrence ▪ Estimate the impact of the threat (damage) ▪ Measure for each information asset a “Risk exposure” ▪ Prioritize the assets by risk exposure Take up each asset for evolving a security response Risk Assessment Process
  • 11. Criticality Pyramid Level 2 Level 1 Level 4 Level 3 Important for Mission Success Affects Mission achievement No effect on Mission Critical Inf.asset Classified Sensitive Not Sensitive Mission critical Asset could be: Hardware, software, packages, network, database, servers, records, E-manuals Level 1 is least critical and level 4 is most critical Critically of Information Asset
  • 12. Threats & causes ▪ Destruction: Human error & Natural calamity ▪ Deletion: Human error, System error ▪ Bugs infection: Not protected by anti virus ▪ Theft: By employees or visitors as access to information is not supervised or protected ▪ Corruption: Technical reasons or power failure or malicious attempt to corrupt What are the different threats to Information Asset?
  • 13. 1. Prevention: Focus on Preventing internal, external sources threatening the security 2. Detection: Focus on detection of possible threats and dealing with them by other policy measures 3. Containment: Restricting focus on containing the damage to sensitive information 4. Deterrence: Focus on discouraging possible actions which may be a threat to information security 5. Recovery: Focus on actions which would help to recover the lost information or damage thereof in spite of security controls Security Policies to Handle Threats
  • 14. For effective security control implementation you need a SMS Objectives of SMS: ▪ Identify information asset in terms of criticality ▪ Select appropriate security control ▪ Implement the control measure ▪ Review & audit the measures to- ▪ Minimize the loss and damage ▪ Recover fast from any threat impact ▪ Prevent, detect, deter the effect of security threat Security Management System [SMS]
  • 15. 1. Information System failure: Hardware, software, Network, communication, Technology. 2. Human actions: Illegal access, Theft, Erroneous operations, and program changes. 3. Natural calamities: Fire, earthquake, Floods, and such other acts. Causes of Threats
  • 16. Manual Controls 1. Premises: Restricting access control. Recording entry & exits and time spent in the premise jobs done etc. 2. Hardware & software: Checking authenticity, authority, usage rights & recording their operations. 3 System Operations: Setting up authority to initiate operations, putting responsibility for backup & recovery. 4 Data & Information: Access control to databases & servers. Control on changes. Security Controls: Manual & Automated
  • 17. Input & Output 1. Input data & documents:Control Totals, Document count Source check, & process error stops. Field specifications & checks for validity. Checking Digital signature. 2. Input processing: Introduce data integrity checks Check application of process rules. 3. Output Processing: Confirm correctness, Ensure updates and create backups. Automated Controls
  • 18. 1. Control Access to location 2. Personnel Security 3. Physical security 4. Disaster Recovery plan 5. Laws & Regulations 6. Network security 7. Ensuring software integrity 8. Use of cryptology 9. Secure use of software 10. Controlling human factors 11. Information User Ethics Choice of control is on case to case basis. An asset may be secured by more than one control. Information Security Controls
  • 19. Hardware, Facilities & IT Infrastructure Threats: Natural calamities, Power failures, Theft, Unauthorized use ▪ Controls: ▪ Design buildings suitably ▪ Separate critical assets from main locations ▪ Store a back up of sensitive asset in different location ▪ Install close circuit camera ▪ Screen employees & visitors ▪ Use biometric access controls Threats & Controls- I
  • 20. Software & Packages Threats; Theft, Corruption, Unauthorized use & changes ▪ Controls: ▪ Physical Access Controls ▪ Authority & usage rights ▪ Separate change management system ▪ Biometric access controls ▪ Store Duplicates/backups (Mirror image) in other location Threats & Controls- II
  • 21. Data & Information Threats; Corruption, Unauthorized access & use, Theft ▪ Controls: ▪ Backups ▪ Access controls ▪ Antivirus software ▪ Entry controls ▪ Biometric controls ▪ Authority & Rights structure ▪ Signing privacy & confidentiality contracts Threats & Controls- III
  • 22. Network Security Threats: Unauthorized entry & usage ▪ Controls: ▪ Fire wall, Proxy servers ▪ Redundant lines for as alternative route ▪ Access controls ▪ Encryption/ Decryption ▪ Biometric controls Threats & Controls- IV
  • 23. ▪ General controls: ▪ Audit of security systems ▪ Maintaining logs and taking reviews ▪ Designing fault tolerant systems ▪ Signing of privacy/confidentiality bonds ▪ Appoint DB administrator ▪ Appoint System administrator ▪ Exposing employees to threats & controls, its impact and their role & responsibilities Threats & Controls- V
  • 24. E- Business Environment: ▪ Use of Internet/Intranet/Extranet ▪ Web based application development Security controls: ▪ Firewall/Proxy servers: Prevention of unauthorized access ▪ Use of Cryptology: Prevent exposure to unauthorized recipient ▪ Authentication: Use of Public/ Private keys for authenticity ▪ Message Integrity: Ensuring that message is not corrupted ▪ Digital signature: Confirmation of sender’s authenticity Information Security in E-Business
  • 25. Order value is Rs.20 million. Message Encrypt By code Order value is Rs.20 million. Redro V Rs 0.02 noillim. Cipher Text Decrypt By code Order value is Rs.20 million. Order Value Is Rs 20 Milion Sender Receiver Encrypt code: One example Code rewrite in reverse order Encryption/Decryption Process
  • 26. ▪ Purpose: To ensure trust in electronic transaction, digital signature is used so that parties involved cannot deny its authenticity. ▪ Why Digital signature: Because it cannot be faked. It uses cryptography. They are legally accepted in a court. ▪ Use of Public KEY & Private key. Example: Bank locker has two keys One is of the banker (Public Key) Other is of locker owner (Private Key) Public keys are known to both parties while Private are secret to the holder Digital Signature
  • 28. Firewall: 1. It is essentially a filter dedicated to secure network from unauthorized entry or exit. 2. It is a set of software utilities which hold information security policy of the organization. 3. When entry to network is sought, it checks through the utilities the validity and authority of sender & receiver and the rights, and bars the access to network, if so required. 4. Firewall sits on the router of the network. Firewall for Network Security Internet/Intranet/Extranet
  • 29. 1. Malicious code ▪ Viruses : Attached to the program. ▪ Logic bombs: Installed in the system to execute when certain parameters are met. ▪ Trojan horses: Installed through freeware. 2. Nature of attacks ▪ Password attacks ▪ Insider attacks ▪ Sniffers: Network management tools ▪ Denial of service ▪ IP spoofing: Attacks on IP Address ▪ Hacking: Theft of information Threats to Network
  • 30. Types of disasters: ▪ Natural: Floods, Tornadoes, Hurricanes, Earthquakes ▪ Man made: Fire, leaks, Telephone/ cable interruptions, Explosions, Building collapse, Crashes, Civil disturbances Disaster Recovery Planning
  • 32. Recognition • Expresses the need • Has a concern for security. Awareness • Awareness Training • Informal procedures Understanding • Security planned • SMS in place Control Managed, Measured, Tracked, Improved. Adaptation • Continuous Evolution/Improvement • Threats anticipated & countered Level 1 Level 2 Level 3 Level 4 Level 5 Hierarchy of Secure Practices