Ron Briggs UT-Dallas
Ethics and Security in Information Management
• You run the Dallas County office of DHS. It's Monday morning of the week before you take off on a two-week vacation. You are reading your mail. There is a letter from the Information Systems division of the Office of the State Auditor. They will be visiting you three weeks from today to:
“review policies and procedures with respect to information security and ethics”
• Do you break into a cold sweat, or say ‘no sweat, we are in good shape’?
• What needs to be in place in order for you to enjoy a carefree vacation?

The Ethical Issues in IT
• responsibility, accountability, and liability
– snow storm, roof collapses, people lose money
• privacy and open records
– is gov. e-mail private or a public record?
• intellectual property: trade secrets, copyright, patents
– more than controlling software copying
• appropriate use and ethical behavior
– avoid even the appearance of impropriety
• equity, access, and social impact
– the digital divide: is IT widening social and economic divisions?
• personal protection and health
– safety hazards in the workplace
Security is central to at least the first three.
Ethics is fundamental to the second three.

Security Problem Areas
It's not a question of if, but of when!
– disasters strike (17%--includes equipment)
» external natural/manmade disasters
– disks, etc. fail
» internal equipment failures
– staff screw-up (50%)
– employees abuse (14%)
– hackers/viruses attack (5%)
– criminals conspire (14%--mostly internal)
– somebody sues
(Numbers refer to one estimate of losses, by source)

The Response
• prevention, prevention, prevention
• detection
• prosecution/suing
The majority of problems are internal, not external!
Your biggest problem is trusted staff messing up!
Prosecution & suing are after the fact. They won't prevent the problem (or save your job)!
It's not luck, it's planning!

Basic Concepts: responsibility, accountability, liability
Responsibility: the personal issue
– accepting the inherent costs and obligations of the decisions you make
Accountability: the institutional issue
– the ability to determine who took the responsible (or irresponsible!) action
Liability: the legal issue
– the ability to recover for the damage done to individuals or organizations through a system of due process

The Three Dimensions of Security
• Confidentiality
– assuring that legally protected data is not disclosed to the public
• Integrity
– assuring that info. is correct and protected from unauthorized alteration
• Availability
– assuring that data is available to support the agency's mission and operations
» information recoverable
» operations continuable

Strategies for Security
• security policy/procedures
– physical security:
» people: locks, cameras, exit/entry monitoring
» water: basement, pipes
» electricity: surge, UPS
» structures: no prefabs!
– system access control: logon
– database security systems and record/attribute level control
– data management policies (which must be known and followed)
» data ownership and responsibility assignment
» data classification: confidential, sensitive, public
• error control
– program development: independent user testing
– data entry
» one-time input/automated source capture
» validation rules
» duplicate data entry for verification
– journalling: tracking all accesses and changes by userID, date, time, etc. (audit trail)
– hardware/network/database monitoring: spotting trouble ahead of time (alarm)
– data audits
• disaster recovery
– back-ups: on-site & off-site
– mirroring/fault-tolerant systems
– hot sites/cold sites
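As an added illustration (not from the slides) of three of the bullets above, record-level access control, data classification and journalling as an audit trail, here is a small Python record store; the clearance ordering, the user names and the record names are assumptions made for the example.

```python
from datetime import datetime, timezone
# Classification labels from the slide, ordered low to high; a user's clearance
# must be at least the record's label (an assumed ordering for this example).
LEVELS = {"public": 0, "sensitive": 1, "confidential": 2}

class Journal:
    """Append-only audit trail: who did what to which record, when, with what outcome."""
    def __init__(self):
        self.entries = []
    def log(self, user, action, record_id, outcome):
        self.entries.append({"user": user, "action": action, "record": record_id,
                             "outcome": outcome,
                             "at": datetime.now(timezone.utc).isoformat(timespec="seconds")})

class RecordStore:
    """Records carry a classification label; every access attempt is journaled."""
    def __init__(self, journal):
        self.journal = journal
        self.records = {}  # record_id -> {"label": ..., "data": ...}

    def add(self, user, record_id, label, data):
        if label not in LEVELS:
            raise ValueError(f"unknown classification: {label}")
        self.records[record_id] = {"label": label, "data": data}
        self.journal.log(user, "create", record_id, "ok")

    def _access(self, user, clearance, record_id, action):
        """Record-level control: clearance must dominate the record's label."""
        ok = LEVELS[clearance] >= LEVELS[self.records[record_id]["label"]]
        self.journal.log(user, action, record_id, "ok" if ok else "denied")
        return ok

    def read(self, user, clearance, record_id):
        if not self._access(user, clearance, record_id, "read"):
            return None
        return self.records[record_id]["data"]

    def update(self, user, clearance, record_id, new_data):
        if not self._access(user, clearance, record_id, "update"):
            return False
        self.records[record_id]["data"] = new_data
        return True

def denied_by_user(journal):
    """Data audit over the journal: denied attempts per userID (what a reviewer checks first)."""
    counts = {}
    for e in journal.entries:
        if e["outcome"] == "denied":
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return counts
```

Denied attempts are journaled just like successful ones, which is what makes the later data audit possible.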

Computer Systems v. Manual Systems
Is vulnerability increased?
• information is more highly concentrated, easier to gather and more difficult to control
• potentially accessed by many more people
• tools simplify and speed up copying/deletion of large quantities
• no paper back-up; cannot be replicated manually
• complex and invisible: difficult to test, audit or detect change
• more processing steps, therefore more error possibilities

Trade-offs
• security versus information access
» internal v. external
» need-to-know
» data as power
• security versus convenience
» diminishing returns
• security versus service: risk assessment
» probability of occurrence
» institutional impact/cost of failure
Decisions for upper management, not IT folks!

Ethics and Appropriate Use
Dealing with personal business (e-mail, phones, etc.)
• no financial gain or commercial purpose
• direct costs reimbursed (e.g. long-distance charges)
• does not impede agency operations (e.g. tie up scarce dial-in ports or slow response time)
• consumes incidental amounts of employee time (the coffee break test)
Dealing with vendors
• no personal gain, incl. family and friends (the tee shirt test)
• all have the opportunity to be included
• follow required procedures, e.g. open bidding
For the public sector, it's a matter of law. For the private sector, it's determined by policy.

Network Security: Needs
applications
– e-mail
– e-forms (internal business)
– EDI (electronic data interchange: external business)
management needs
– minimum manual intervention
– audit trails
– status and alarms
– immediate and comprehensive revocation
user needs
– access control
– user transparency
data needs
– confidentiality (secret)
– integrity (secure: no change)
– authenticity (sender known)
– non-repudiation (delivery confirmed)
Security concerns intensify.

Network Security: Methods
Network
– closed network
– perimeter security (firewalls)
– object protection
User Access
– passwords (n times)
– smart cards (one time)
– user identification (fingerprint; eyeballs)
User exchange
– encryption (for confidentiality and integrity)
» clipper chip / back door
– public/private keys (for authenticity)

The Special Case of Telecom Security
Telephone fraud: $2 billion plus per year
Examples:
• card sharps
• shoulder surfing
• dumpster diving
• sweet talk codes/lines
• hacking
• internal trouble
Do you even know it?
Personal use:
• illegal for gov.
• costly for private sector
Watch out for:
• international
• 1-900
