Lesson Information security management


Document information

The lesson Information security management presents the following content: threats to information security; senior management’s security role; the data safeguards that are available; and how organizations should respond to security incidents.

Lecture 11: Information Security Management
Nga.lethiquynh@ueh.edu.vn
http://mis.ueh.edu.vn/blog/

Study questions
Q1: What are the threats to information security?
Q2: What is senior management’s security role?
Q3: What technical safeguards are available?
Q4: What data safeguards are available?
Q5: What human safeguards are available?
Q6: How should organizations respond to security incidents?

BUSINESS INFORMATION SYSTEMS

Q1: What are the threats to information security?

Threats to information security
► Sources of Threats?
► human error and mistakes:
    ► accidental problems caused by both employees and nonemployees
    ► poorly written application programs and poorly designed procedures
    ► physical accidents
► malicious human activity
    ► employees and former employees who intentionally destroy data
    ► hackers
► natural events and disasters
    ► fires, floods, hurricanes, earthquakes, tsunamis, avalanches, and other acts of nature

Threats to information security
► Types of Security Problems?
Source: Textbook [1], page 409

Threats to information security
► Unauthorized Data Disclosure
► Pretexting: when someone deceives by pretending to be someone else
► Phishing: uses pretexting via email
► Spoofing: another term for someone pretending to be someone else
    ► IP spoofing: occurs when an intruder uses another site’s IP address as if it were that other site
    ► Email spoofing: a synonym for phishing
► Sniffing: intercepting computer communications
    ► Drive-by sniffers: take computers with wireless connections through an area and search for unprotected wireless networks

Threats to information security
► Incorrect Data Modification
► Procedures incorrectly designed or not followed
► Increasing a customer’s discount or incorrectly modifying employee’s salary
► Placing incorrect data on the company Web site
► Improper internal controls on systems
► System errors
► Faulty recovery actions after a disaster

Threats to information security - Faulty Service
• Incorrect data modification
• Systems working incorrectly
• Procedural mistakes
• Programming errors
• IT installation errors
• Usurpation
• Denial of service (unintentional)
• Denial-of-service attacks (intentional)

Threats to information security - Loss of Infrastructure
• Human accidents
• Theft and terrorist events
• Disgruntled or terminated employee
• Natural disasters
• Advanced Persistent Threat (APT)
    ► Sophisticated, possibly long-running computer hack perpetrated by large, well-funded organizations

What Are the Components of an Organization’s Security Program?
► components
    ► senior-management involvement
        ► establish the security policy
        ► manage risk by balancing the costs and benefits of the security program
    ► Safeguards: protections against security threats
    ► organization’s planned response to security incidents

Digital Signatures
Source: Textbook [1], page 423

Malware Protection
► A virus is a computer program that replicates itself
► Trojan horses are viruses that masquerade as useful programs or files
► A worm is a virus that propagates using the Internet or other computer network
► Spyware programs are installed on the user’s computer without the user’s knowledge or permission
► Adware:
    ► similar to spyware
    ► watch user activity and produce pop-up ads

Malware Protection
► Antivirus and antispyware programs
► Scan frequently
► Update malware definitions
► Open email attachments only from known sources
► Install software updates
► Browse only reputable Internet neighborhoods

Q4: What data safeguards are available?

Data safeguards
Source: Textbook [1], page 427

Q5: What human safeguards are available?

Human safeguards
Source: Textbook [1], page 429

Account Administration
► Account Management: standards for new user accounts, modification of account permissions, and removal of accounts that are not needed
► Password Management: users should change passwords frequently
► Help Desk Policies

Sample Account Acknowledgment Form
Source: Textbook [1], page 431

Systems Procedures
Source: Textbook [1], page 432

Q6: How should organizations respond to security incidents?

How should organizations respond to security incidents?
Source: Textbook [1], page 435

Summary
Q1: What are the threats to information security?
Q2: What is senior management’s security role?
Q3: What technical safeguards are available?
Q4: What data safeguards are available?
Q5: What human safeguards are available?
Q6: How should organizations respond to security incidents?

Additional Resources
► 2017-Ransomware ‘WannaCry’ attack explained
► 2017-Impact of WannaCry

... [1], page 411

Q2: What is senior management’s security role?

Senior management’s security role
► establish the security policy
► What

Date posted: 04/11/2020, 23:59
