SlideShare una empresa de Scribd logo

Mis

M
misecho
EmpresarialesTecnología
1 de 21
TECHNOLOGICAL SAFEGUARDS •There are six commonly used methods in which technology is employed to safeguard information systems
PHYSICAL ACCESS RESTRICTIONS • Organizations can prevent unauthorized access to information systems by keeping stored information safe and allowing access only to those employees who need it to do their jobs. • The most common form of authentication is the use of passwords, which are effective only if chosen carefully and changed frequently. • Access is usually limited by making it dependent on one of the following: – Something You Have: Keys, picture identification cards, smart cards – Something You Know: passwords, PINs, answers to secret questions – Something You Are: fingerprints, voice patterns, biometrics
PHYSICAL ACCESS RESTRICTIONS • Biometrics is a form of authentication used to govern access to systems, data, and/or facilities. With biometrics, employees may be identified by fingerprints, retinal patterns, or other bodily characteristics. • A virtual private network (VPN) is a network connection that is constructed dynamically within an existing network—often called a secure tunnel—in order to connect users or nodes. For example, a number of companies and software solutions enable you to create VPNs within the Internet as the medium for transporting data. These systems use authentication and encryption and other security mechanisms to ensure that only authorized users can access the VPN and that the data cannot be intercepted and compromised; this practice of creating an encrypted “tunnel” to send secure (private) data over the (public) Internet is known as tunneling. For example, Washington State University requires VPN software to be used when connecting remotely to the campus network or e-mail system or when using the on-campus wireless LAN.
FIREWALLS
ENCRYPTION • When you do not have access to a secure channel for sending information over a wired or wireless network, encryption is the best bet for keeping snoopers out. Encryption is the process of encoding messages before they enter the network or airwaves, then decoding them at the receiving end of the transfer so that the intended recipients can read or hear them. The process works because if you scramble messages before you send them, eavesdroppers who might intercept them cannot decipher them without the decoding key. Implementing encryption on a large scale, such as on a busy Web site, requires a third
VIRUS MONITORING AND PREVENTION • Purchase and install antivirus software, then update frequently to be sure you are protected against new viruses. • Do not use flash drives, disks, or shareware from unknown or suspect sources and be equally careful when downloading material from the Internet, making sure that the source is reputable. • Delete without opening any e-mail message received from an unknown source. Be especially wary of opening attachments. • Do not blindly open e-mail attachments, even if they come from a known source. Many viruses are spread without the sender’s knowledge, so it is better to check with the sender before opening a potentially unsafe attachment. • If your computer system contracts a virus, report the infection to your school or company’s IT department so that appropriate measures can be taken.
AUDIT-CONTROL SOFTWARE • Audit-control software is used to keep track of computer activity so that auditors can spot suspicious activity and take action. Any user leaves electronic footprints that auditors can trace. Audit- control software helps creating an audit trail, a record showing who has used a computer system and how it was used.
SECURE DATA CENTERS
SECURE DATA CENTERS: SECURING THE FACILITIES • INFRASTRUCTURE Backup Sites – duplication. A cold backup site is nothing more than an empty warehouse with all necessary connections for power and communication but nothing else. In the case of a disaster, a company has to first set up all necessary equipment, ranging from office furniture to Web servers. A hot backup site is a fully equipped backup facility, having everything from office chairs to a one-to-one replication of the most current data. Further, hot backup sites also have a redundant backup of the data so that the business processes are interrupted as little as possible. To achieve this redundancy, all data are mirrored on separate servers. • Redundant Data Centers – separation. Often, companies choose to replicate their data centers in multiple locations. Events such as a hurricane can damage systems that are located across town from each other. Thus, even if the primary infrastructure is located in-house, it pays to have a backup located in a different geographic area to minimize the risk of a disaster happening to both systems.
HUMAN SAFEGUARDS
HUMAN SAFEGUARDS • In addition to the technological safeguards, there are various human safeguards that can help to safeguard information systems, specifically ethics, laws, and effective management. Educating potential users at an early age as to what constitutes appropriate behavior can help, but unethical users will undoubtedly always remain a problem for those wanting to maintain IS security. Additionally, there are numerous federal and state laws against unauthorized use of networks and computer systems. Unfortunately, individuals who want unauthorized access to networks and computer systems usually find a way to exploit them; often, after the fact, laws are enacted to prohibit that activity in the future.
COMPUTER FORENSICS • As computer crime has gone mainstream, law enforcement has had to become much more sophisticated in their computer crime investigations. Computer forensics is the use of formal investigative techniques to evaluate digital information for judicial review. Most often, computer forensics experts evaluate various types of storage devices to find traces of illegal activity or to gain evidence in related but non-computer crimes. In fact, in most missing- person or murder cases today, investigators immediately want to examine the victim’s computer for clues or evidence. Organizations and governments are increasingly utilizing honeypots to proactively gather intelligence to improve their defenses or to catch cybercriminals. A honeypot is a computer, data, or network site that is designed to be enticing to hackers so as to detect, deflect, or counteract illegal activity. Some criminals, for example, have special “booby-trap” programs running on computers to destroy evidence if someone other than the criminal uses the machine. Using special software tools, computer forensics experts can often restore data that have been deleted from a computer’s hard drive. Additionally, beyond human and technological safeguards, the quality of information security in any organization depends on effective management. Managers must continuously check for security problems, recognize that holes in security exist, and take appropriate action.
MANAGING IS SECURITY
DEVELOPING AN IS SECURITY PLAN • Risk Analysis. – Determine the value of electronic information – Assess threats to confidentiality, integrity, and availability of information – Determine which computer operations are most vulnerable to security breaches – Assess current security policies – Recommend changes to existing practices and/or policies that will improve computer security • Policies and Procedures. Once risks are assessed, a plan should be formulated that details what action will be taken if security is breached. – Information Policy. Outlines how sensitive information will be handled, stored, trans- mitted, and destroyed. – Security Policy. Explains technical controls on all organizational computer systems, such as access limitations, audit-control software, and firewalls. – Use Policy. Outlines the organization’s policy regarding appropriate use of in-house computer systems. – Backup Policy. Explains requirements for backing up information. – Account Management Policy. Lists procedures for adding new users to systems and removing users who have left the organization. – Incident Handling Procedures. Lists procedures to follow when handling a security breach. – Disaster Recovery Plan. Lists all the steps an organization will take to restore computer operations in case of a natural or deliberate disaster.
DISASTER PLANNING
DESIGNING THE RECOVERY PLAN • When planning for disaster, two objectives should be considered by an organization: recovery time and recovery point objectives. – Recovery time objectives specify the maximum time allowed to recover from a catastrophic event. Having completely redundant systems minimizes the recovery time and are best suited for mission-critical applications, such as e- commerce transaction servers. For other applications, such as data mining, while important, the recovery time can be longer without disrupting primary business processes. – Recovery point objectives specify how current the backup data should be. Imagine that your computer’s hard drive crashes while you are working on a term paper. Luckily, you recently backed up your data. Would you prefer the last backup to be a few days old, or would you rather have the last backup include your most recent changes to the term paper? Having completely redundant systems that mirror the data helps to minimize (or even avoid) data loss in the event of a catastrophic failure.
RESPONDING TO A SECURITY BREACH • Organizations that have developed a comprehensive IS security plan have the ability to rapidly respond to any type of security breach to their IS resources or to a natural disaster. In addition to restoring lost data using backups, common responses to a security breach include performing a new risk audit and implementing a combination of additional (more secure) safeguards. Additionally, when intruders are discovered, organizations can contact local law enforcement agencies and the FBI for assistance in locating and prosecuting them. Several online organizations issue bulletins to alert organizations and individuals to possible software vulnerabilities or attacks based on reports from organizations when security breaches occur.
THE STATE OF SYSTEMS SECURITY MANAGEMENT • Financial fraud attacks result in the greatest financial losses for organizations; other significant costs were due to viruses, data theft, unauthorized access, and denial-of-service attacks. • Relatively few organizations (about 29 percent) report computer intrusions to law enforcement because of various fears, such as how negative publicity would hurt stock values or how competitors might gain an advantage over news of a security incident. • Most organizations do not outsource security activities. • Nearly all organizations conduct routine and ongoing security audits. • The majority of organizations believed security training of employees is important, but most respondents said their organization did not spend enough on security training.
INFORMATION SYSTEMS CONTROLS, AUDITING, AND THE SARBANES- OXLEY ACT • Preventive controls • Detective controls • Corrective controls
IS AUDITING • Analyzing the IS controls should be an ongoing process for organizations. However, often it can be beneficial for organizations to periodically have an external entity review the controls so as to uncover any potential problems. An information systems audit, often performed by external auditors, can help organizations assess the state of their IS controls to determine necessary changes and to help ensure the information systems’ availability, confidentiality, and integrity. The response to the strengths and weaknesses identified in the IS audit is often determined by the potential risks an organization faces. Testing all controls under all possible conditions is very inefficient and often infeasible. Thus, auditors frequently rely on computer-assisted auditing tools, or specific software that tests applications and data using test data or simulations. In addition to using specific auditing tools, auditors use audit sampling procedures to assess the controls, enabling the audit to be conducted in the most cost-effective manner. Once the audit has been performed and sufficient evidence has been gathered, reports are issued to the organization.
THE SARBANES-OXLEY ACT • Another major factor that has contributed to a high demand for IS auditors is the need to comply with government regulations, most notably the Sarbanes-Oxley Act of 2002 (S-OX). Formed as a reaction to large-scale accounting scandals that led to the downfall of corporations such as WorldCom and Enron, S- OX addresses primarily the accounting side of organizations. According to S-OX, companies have to demonstrate that there are controls in place to prevent misuse or fraud, controls to detect any potential problems, and effective measures to correct any problems. The IS architecture plays a key role in S-OX compliance, given that many controls are IS based, providing capabilities to detect information exceptions and to provide a management trail for tracing exceptions. However, S-OX itself barely addresses IS controls specifically; rather, it addresses general processes and practices, leaving companies wondering how to comply with the guidelines put forth in the act. Further, it is often cumbersome and time consuming for organizations to identify the relevant systems to be audited for S-OX compliance. Thus, many organizations find it easier to review their entire IS infrastructure, following objectives set forth in guidelines such as the control objectives for information and related technology (COBIT)—a set of best practices that helps organizations both maximize the benefits from their IS infrastructure and establish appropriate controls. Another issue faced by organizations because of S-OX is the requirement to preserve evidence to document compliance and for potential lawsuits. Failure to present such documents in the case of litigious activity can lead to severe fines being imposed on companies and their executives, and courts usually will not accept the argument that a message could not be located.

Recomendados

Mis
MisMis
Mismisecho
 
Chapter 10, part 1
Chapter 10, part 1Chapter 10, part 1
Chapter 10, part 1misecho
 
2.5 safety and security of data in ict systems 13 12-11
2.5 safety and security of data in ict systems 13 12-112.5 safety and security of data in ict systems 13 12-11
2.5 safety and security of data in ict systems 13 12-11mrmwood
 
Insider threats - Lessons from Snowden (ISF UK Chapter)
Insider threats - Lessons from Snowden (ISF UK Chapter)Insider threats - Lessons from Snowden (ISF UK Chapter)
Insider threats - Lessons from Snowden (ISF UK Chapter)Huntsman Security
 
MIS: Information Security Management
MIS: Information Security ManagementMIS: Information Security Management
MIS: Information Security ManagementJonathan Coleman
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness TrainingDaniel P Wallace
 
SECURITY AND CONTROL
SECURITY AND CONTROLSECURITY AND CONTROL
SECURITY AND CONTROLshinydey
 
cyber forensics
cyber forensicscyber forensics
cyber forensicsAmbuj Kumar
 

Recomendados

Mis
MisMis
Mismisecho
 
Chapter 10, part 1
Chapter 10, part 1Chapter 10, part 1
Chapter 10, part 1misecho
 
2.5 safety and security of data in ict systems 13 12-11
2.5 safety and security of data in ict systems 13 12-112.5 safety and security of data in ict systems 13 12-11
2.5 safety and security of data in ict systems 13 12-11mrmwood
 
Insider threats - Lessons from Snowden (ISF UK Chapter)
Insider threats - Lessons from Snowden (ISF UK Chapter)Insider threats - Lessons from Snowden (ISF UK Chapter)
Insider threats - Lessons from Snowden (ISF UK Chapter)Huntsman Security
 
MIS: Information Security Management
MIS: Information Security ManagementMIS: Information Security Management
MIS: Information Security ManagementJonathan Coleman
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness TrainingDaniel P Wallace
 
SECURITY AND CONTROL
SECURITY AND CONTROLSECURITY AND CONTROL
SECURITY AND CONTROLshinydey
 
cyber forensics
cyber forensicscyber forensics
cyber forensicsAmbuj Kumar
 
4.content (computer forensic)
4.content (computer forensic)4.content (computer forensic)
4.content (computer forensic)JIEMS Akkalkuwa
 
12 security policies
12 security policies12 security policies
12 security policiesSaqib Raza
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsdeaneal
 
Computer forensic
Computer forensicComputer forensic
Computer forensicibraheem ogundele
 
How to Build a Successful Incident Response Program
How to Build a Successful Incident Response ProgramHow to Build a Successful Incident Response Program
How to Build a Successful Incident Response ProgramResilient Systems
 
Incident response process
Incident response processIncident response process
Incident response processBhupeshkumar Nanhe
 
The Adam - A process model for digital forensic practice
The Adam - A process model for digital forensic practiceThe Adam - A process model for digital forensic practice
The Adam - A process model for digital forensic practiceDr. Richard Adams
 
Information security
Information security Information security
Information security razendar79
 
SEC440: Incident Response Plan
SEC440: Incident Response PlanSEC440: Incident Response Plan
SEC440: Incident Response PlanThomas Christopher Ty
 
Fusing digital forensics, electronic discovery and incident response
Fusing digital forensics, electronic discovery and incident responseFusing digital forensics, electronic discovery and incident response
Fusing digital forensics, electronic discovery and incident responseDr. Richard Adams
 
Računalna forenzika i automatizirani odgovor na mrežne incidente
Računalna forenzika i automatizirani odgovor na mrežne incidenteRačunalna forenzika i automatizirani odgovor na mrežne incidente
Računalna forenzika i automatizirani odgovor na mrežne incidenteDamir Delija
 
Computer Security Policy D
Computer Security Policy DComputer Security Policy D
Computer Security Policy Dguest34b014
 
Lecture 4,5, 6 comp forensics 19 9-2018 basic security
Lecture 4,5, 6 comp forensics 19 9-2018 basic securityLecture 4,5, 6 comp forensics 19 9-2018 basic security
Lecture 4,5, 6 comp forensics 19 9-2018 basic securityAlchemist095
 
Computer Security Policy
Computer Security PolicyComputer Security Policy
Computer Security Policyeverestsky66
 
Case study on Physical devices used in Computer forensics.
Case study on Physical devices used in Computer forensics.Case study on Physical devices used in Computer forensics.
Case study on Physical devices used in Computer forensics.Vishal Tandel
 
Information management
Information managementInformation management
Information managementDeepak John
 
GRRCON 2013: Imparting security awareness to all levels of users
GRRCON 2013: Imparting security awareness to all levels of usersGRRCON 2013: Imparting security awareness to all levels of users
GRRCON 2013: Imparting security awareness to all levels of usersJoel Cardella
 
Healthcare Cyber Security Webinar
Healthcare Cyber Security WebinarHealthcare Cyber Security Webinar
Healthcare Cyber Security WebinarHealthCareManagement
 
Network Security: Physical security
Network Security: Physical security Network Security: Physical security
Network Security: Physical security lalithambiga kamaraj
 
13.02 Network Security
13.02 Network Security13.02 Network Security
13.02 Network SecurityAnjan Mahanta
 
security and system mainatance
security and system mainatancesecurity and system mainatance
security and system mainatanceKudzi Chikwatu
 
Ch15 power point
Ch15 power pointCh15 power point
Ch15 power pointbodo-con
 

Más contenido relacionado

La actualidad más candente

4.content (computer forensic)
4.content (computer forensic)4.content (computer forensic)
4.content (computer forensic)JIEMS Akkalkuwa
 
12 security policies
12 security policies12 security policies
12 security policiesSaqib Raza
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsdeaneal
 
How to Build a Successful Incident Response Program
How to Build a Successful Incident Response ProgramHow to Build a Successful Incident Response Program
How to Build a Successful Incident Response ProgramResilient Systems
 
The Adam - A process model for digital forensic practice
The Adam - A process model for digital forensic practiceThe Adam - A process model for digital forensic practice
The Adam - A process model for digital forensic practiceDr. Richard Adams
 
Information security
Information security Information security
Information security razendar79
 
Fusing digital forensics, electronic discovery and incident response
Fusing digital forensics, electronic discovery and incident responseFusing digital forensics, electronic discovery and incident response
Fusing digital forensics, electronic discovery and incident responseDr. Richard Adams
 
Računalna forenzika i automatizirani odgovor na mrežne incidente
Računalna forenzika i automatizirani odgovor na mrežne incidenteRačunalna forenzika i automatizirani odgovor na mrežne incidente
Računalna forenzika i automatizirani odgovor na mrežne incidenteDamir Delija
 
Computer Security Policy D
Computer Security Policy DComputer Security Policy D
Computer Security Policy Dguest34b014
 
Lecture 4,5, 6 comp forensics 19 9-2018 basic security
Lecture 4,5, 6 comp forensics 19 9-2018 basic securityLecture 4,5, 6 comp forensics 19 9-2018 basic security
Lecture 4,5, 6 comp forensics 19 9-2018 basic securityAlchemist095
 
Computer Security Policy
Computer Security PolicyComputer Security Policy
Computer Security Policyeverestsky66
 
Case study on Physical devices used in Computer forensics.
Case study on Physical devices used in Computer forensics.Case study on Physical devices used in Computer forensics.
Case study on Physical devices used in Computer forensics.Vishal Tandel
 
Information management
Information managementInformation management
Information managementDeepak John
 
GRRCON 2013: Imparting security awareness to all levels of users
GRRCON 2013: Imparting security awareness to all levels of usersGRRCON 2013: Imparting security awareness to all levels of users
GRRCON 2013: Imparting security awareness to all levels of usersJoel Cardella
 
Network Security: Physical security
Network Security: Physical security Network Security: Physical security
Network Security: Physical security lalithambiga kamaraj
 
13.02 Network Security
13.02 Network Security13.02 Network Security
13.02 Network SecurityAnjan Mahanta
 

La actualidad más candente (20)

4.content (computer forensic)
4.content (computer forensic)4.content (computer forensic)
4.content (computer forensic)
 
12 security policies
12 security policies12 security policies
12 security policies
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
Computer forensic
Computer forensicComputer forensic
Computer forensic
 
How to Build a Successful Incident Response Program
How to Build a Successful Incident Response ProgramHow to Build a Successful Incident Response Program
How to Build a Successful Incident Response Program
 
Incident response process
Incident response processIncident response process
Incident response process
 
The Adam - A process model for digital forensic practice
The Adam - A process model for digital forensic practiceThe Adam - A process model for digital forensic practice
The Adam - A process model for digital forensic practice
 
Information security
Information security Information security
Information security
 
SEC440: Incident Response Plan
SEC440: Incident Response PlanSEC440: Incident Response Plan
SEC440: Incident Response Plan
 
Fusing digital forensics, electronic discovery and incident response
Fusing digital forensics, electronic discovery and incident responseFusing digital forensics, electronic discovery and incident response
Fusing digital forensics, electronic discovery and incident response
 
Računalna forenzika i automatizirani odgovor na mrežne incidente
Računalna forenzika i automatizirani odgovor na mrežne incidenteRačunalna forenzika i automatizirani odgovor na mrežne incidente
Računalna forenzika i automatizirani odgovor na mrežne incidente
 
Computer Security Policy D
Computer Security Policy DComputer Security Policy D
Computer Security Policy D
 
Lecture 4,5, 6 comp forensics 19 9-2018 basic security
Lecture 4,5, 6 comp forensics 19 9-2018 basic securityLecture 4,5, 6 comp forensics 19 9-2018 basic security
Lecture 4,5, 6 comp forensics 19 9-2018 basic security
 
Computer Security Policy
Computer Security PolicyComputer Security Policy
Computer Security Policy
 
Case study on Physical devices used in Computer forensics.
Case study on Physical devices used in Computer forensics.Case study on Physical devices used in Computer forensics.
Case study on Physical devices used in Computer forensics.
 
Information management
Information managementInformation management
Information management
 
GRRCON 2013: Imparting security awareness to all levels of users
GRRCON 2013: Imparting security awareness to all levels of usersGRRCON 2013: Imparting security awareness to all levels of users
GRRCON 2013: Imparting security awareness to all levels of users
 
Healthcare Cyber Security Webinar
Healthcare Cyber Security WebinarHealthcare Cyber Security Webinar
Healthcare Cyber Security Webinar
 
Network Security: Physical security
Network Security: Physical security Network Security: Physical security
Network Security: Physical security
 
13.02 Network Security
13.02 Network Security13.02 Network Security
13.02 Network Security
 

Similar a Mis

security and system mainatance
security and system mainatancesecurity and system mainatance
security and system mainatanceKudzi Chikwatu
 
Ch15 power point
Ch15 power pointCh15 power point
Ch15 power pointbodo-con
 
Chapter 13
Chapter 13Chapter 13
Chapter 13bodo-con
 
In computer security, a vulnerability is a weakness which allows an .pdf
In computer security, a vulnerability is a weakness which allows an .pdfIn computer security, a vulnerability is a weakness which allows an .pdf
In computer security, a vulnerability is a weakness which allows an .pdfanandanand521251
 
How Medical Devices Risk Patient Safety and Security
How Medical Devices Risk Patient Safety and SecurityHow Medical Devices Risk Patient Safety and Security
How Medical Devices Risk Patient Safety and SecurityGreat Bay Software
 
LESSON_3_Maintain_Computer_Equipment_and_Systems.pptx
LESSON_3_Maintain_Computer_Equipment_and_Systems.pptxLESSON_3_Maintain_Computer_Equipment_and_Systems.pptx
LESSON_3_Maintain_Computer_Equipment_and_Systems.pptxmahaliacaraan
 
Seguridad web -articulo completo- ingles
Seguridad web -articulo completo- inglesSeguridad web -articulo completo- ingles
Seguridad web -articulo completo- inglesisidro luna beltran
 
Computer security concepts
Computer security conceptsComputer security concepts
Computer security conceptsG Prachi
 
Policy and procedure of hospitals
Policy and procedure of hospitalsPolicy and procedure of hospitals
Policy and procedure of hospitalsMohammed Alabdali
 
Cyber security awareness training by cyber security infotech(csi)
Cyber security awareness training by cyber security infotech(csi)Cyber security awareness training by cyber security infotech(csi)
Cyber security awareness training by cyber security infotech(csi)Cyber Security Infotech
 
Fundamentals of-information-security
Fundamentals of-information-security Fundamentals of-information-security
Fundamentals of-information-security madunix
 
FBI Memo on How to Protect Yourself from Ransomware
FBI Memo on How to Protect Yourself from RansomwareFBI Memo on How to Protect Yourself from Ransomware
FBI Memo on How to Protect Yourself from RansomwareDavid Sweigert
 
Cb12e basic ppt ch15
Cb12e basic ppt ch15Cb12e basic ppt ch15
Cb12e basic ppt ch15Eric
 
Chapter_5_Security_CC.pptx
Chapter_5_Security_CC.pptxChapter_5_Security_CC.pptx
Chapter_5_Security_CC.pptxLokNathRegmi1
 
3 ways to secure your law firm’s information and reputation
3 ways to secure your law firm’s information and reputation3 ways to secure your law firm’s information and reputation
3 ways to secure your law firm’s information and reputationNikec Solutions
 

Similar a Mis (20)

security and system mainatance
security and system mainatancesecurity and system mainatance
security and system mainatance
 
Ch15 power point
Ch15 power pointCh15 power point
Ch15 power point
 
Chapter 13
Chapter 13Chapter 13
Chapter 13
 
Presentation 10.pptx
Presentation 10.pptxPresentation 10.pptx
Presentation 10.pptx
 
In computer security, a vulnerability is a weakness which allows an .pdf
In computer security, a vulnerability is a weakness which allows an .pdfIn computer security, a vulnerability is a weakness which allows an .pdf
In computer security, a vulnerability is a weakness which allows an .pdf
 
Unit v
Unit vUnit v
Unit v
 
How Medical Devices Risk Patient Safety and Security
How Medical Devices Risk Patient Safety and SecurityHow Medical Devices Risk Patient Safety and Security
How Medical Devices Risk Patient Safety and Security
 
LESSON_3_Maintain_Computer_Equipment_and_Systems.pptx
LESSON_3_Maintain_Computer_Equipment_and_Systems.pptxLESSON_3_Maintain_Computer_Equipment_and_Systems.pptx
LESSON_3_Maintain_Computer_Equipment_and_Systems.pptx
 
Computer security
Computer securityComputer security
Computer security
 
Seguridad web -articulo completo- ingles
Seguridad web -articulo completo- inglesSeguridad web -articulo completo- ingles
Seguridad web -articulo completo- ingles
 
Computer security concepts
Computer security conceptsComputer security concepts
Computer security concepts
 
Policy and procedure of hospitals
Policy and procedure of hospitalsPolicy and procedure of hospitals
Policy and procedure of hospitals
 
Cyber security awareness training by cyber security infotech(csi)
Cyber security awareness training by cyber security infotech(csi)Cyber security awareness training by cyber security infotech(csi)
Cyber security awareness training by cyber security infotech(csi)
 
Fundamentals of-information-security
Fundamentals of-information-security Fundamentals of-information-security
Fundamentals of-information-security
 
security in is.pptx
security in is.pptxsecurity in is.pptx
security in is.pptx
 
Cyber Forensics Module 1
Cyber Forensics Module 1Cyber Forensics Module 1
Cyber Forensics Module 1
 
FBI Memo on How to Protect Yourself from Ransomware
FBI Memo on How to Protect Yourself from RansomwareFBI Memo on How to Protect Yourself from Ransomware
FBI Memo on How to Protect Yourself from Ransomware
 
Cb12e basic ppt ch15
Cb12e basic ppt ch15Cb12e basic ppt ch15
Cb12e basic ppt ch15
 
Chapter_5_Security_CC.pptx
Chapter_5_Security_CC.pptxChapter_5_Security_CC.pptx
Chapter_5_Security_CC.pptx
 
3 ways to secure your law firm’s information and reputation
3 ways to secure your law firm’s information and reputation3 ways to secure your law firm’s information and reputation
3 ways to secure your law firm’s information and reputation
 

Último

Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03DallasHaselhorst
 
Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessSeta Wicaksana
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfRbc Rbcua
 
Innovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfInnovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfrichard876048
 
Investment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy CheruiyotInvestment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy Cheruiyotictsugar
 
8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCRashishs7044
 
Market Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMarket Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMintel Group
 
8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCR8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCRashishs7044
 
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckPitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckHajeJanKamps
 
MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?Olivia Kresic
 
India Consumer 2024 Redacted Sample Report
India Consumer 2024 Redacted Sample ReportIndia Consumer 2024 Redacted Sample Report
India Consumer 2024 Redacted Sample ReportMintel Group
 
Digital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfDigital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfJos Voskuil
 
Future Of Sample Report 2024 | Redacted Version
Future Of Sample Report 2024 | Redacted VersionFuture Of Sample Report 2024 | Redacted Version
Future Of Sample Report 2024 | Redacted VersionMintel Group
 
Kenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby AfricaKenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby Africaictsugar
 
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City GurgaonCall Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaoncallgirls2057
 
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCRashishs7044
 
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfIntro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfpollardmorgan
 
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCRashishs7044
 
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCRashishs7044
 
Case study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detailCase study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detailAriel592675
 

Último (20)

Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03
 
Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful Business
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdf
 
Innovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfInnovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdf
 
Investment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy CheruiyotInvestment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy Cheruiyot
 
8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR
 
Market Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMarket Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 Edition
 
8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCR8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCR
 
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckPitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
 
MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?
 
India Consumer 2024 Redacted Sample Report
India Consumer 2024 Redacted Sample ReportIndia Consumer 2024 Redacted Sample Report
India Consumer 2024 Redacted Sample Report
 
Digital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfDigital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdf
 
Future Of Sample Report 2024 | Redacted Version
Future Of Sample Report 2024 | Redacted VersionFuture Of Sample Report 2024 | Redacted Version
Future Of Sample Report 2024 | Redacted Version
 
Kenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby AfricaKenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby Africa
 
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City GurgaonCall Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaon
 
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
 
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfIntro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
 
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
 
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
 
Case study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detailCase study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detail
 

Mis

  • 1. TECHNOLOGICAL SAFEGUARDS •There are six commonly used methods in which technology is employed to safeguard information systems
  • 2. PHYSICAL ACCESS RESTRICTIONS • Organizations can prevent unauthorized access to information systems by keeping stored information safe and allowing access only to those employees who need it to do their jobs. • The most common form of authentication is the use of passwords, which are effective only if chosen carefully and changed frequently. • Access is usually limited by making it dependent on one of the following: – Something You Have: Keys, picture identification cards, smart cards – Something You Know: passwords, PINs, answers to secret questions – Something You Are: fingerprints, voice patterns, biometrics
  • 3. PHYSICAL ACCESS RESTRICTIONS • Biometrics is a form of authentication used to govern access to systems, data, and/or facilities. With biometrics, employees may be identified by fingerprints, retinal patterns, or other bodily characteristics. • A virtual private network (VPN) is a network connection that is constructed dynamically within an existing network—often called a secure tunnel—in order to connect users or nodes. For example, a number of companies and software solutions enable you to create VPNs within the Internet as the medium for transporting data. These systems use authentication and encryption and other security mechanisms to ensure that only authorized users can access the VPN and that the data cannot be intercepted and compromised; this practice of creating an encrypted “tunnel” to send secure (private) data over the (public) Internet is known as tunneling. For example, Washington State University requires VPN software to be used when connecting remotely to the campus network or e-mail system or when using the on-campus wireless LAN.
  • 5. ENCRYPTION • When you do not have access to a secure channel for sending information over a wired or wireless network, encryption is the best bet for keeping snoopers out. Encryption is the process of encoding messages before they enter the network or airwaves, then decoding them at the receiving end of the transfer so that the intended recipients can read or hear them. The process works because if you scramble messages before you send them, eavesdroppers who might intercept them cannot decipher them without the decoding key. Implementing encryption on a large scale, such as on a busy Web site, requires a third
  • 6. VIRUS MONITORING AND PREVENTION • Purchase and install antivirus software, then update frequently to be sure you are protected against new viruses. • Do not use flash drives, disks, or shareware from unknown or suspect sources and be equally careful when downloading material from the Internet, making sure that the source is reputable. • Delete without opening any e-mail message received from an unknown source. Be especially wary of opening attachments. • Do not blindly open e-mail attachments, even if they come from a known source. Many viruses are spread without the sender’s knowledge, so it is better to check with the sender before opening a potentially unsafe attachment. • If your computer system contracts a virus, report the infection to your school or company’s IT department so that appropriate measures can be taken.
  • 7. AUDIT-CONTROL SOFTWARE • Audit-control software is used to keep track of computer activity so that auditors can spot suspicious activity and take action. Any user leaves electronic footprints that auditors can trace. Audit- control software helps creating an audit trail, a record showing who has used a computer system and how it was used.
  • 9. SECURE DATA CENTERS: SECURING THE FACILITIES • INFRASTRUCTURE Backup Sites – duplication. A cold backup site is nothing more than an empty warehouse with all necessary connections for power and communication but nothing else. In the case of a disaster, a company has to first set up all necessary equipment, ranging from office furniture to Web servers. A hot backup site is a fully equipped backup facility, having everything from office chairs to a one-to-one replication of the most current data. Further, hot backup sites also have a redundant backup of the data so that the business processes are interrupted as little as possible. To achieve this redundancy, all data are mirrored on separate servers. • Redundant Data Centers – separation. Often, companies choose to replicate their data centers in multiple locations. Events such as a hurricane can damage systems that are located across town from each other. Thus, even if the primary infrastructure is located in-house, it pays to have a backup located in a different geographic area to minimize the risk of a disaster happening to both systems.
  • 11. HUMAN SAFEGUARDS • In addition to the technological safeguards, there are various human safeguards that can help to safeguard information systems, specifically ethics, laws, and effective management. Educating potential users at an early age as to what constitutes appropriate behavior can help, but unethical users will undoubtedly always remain a problem for those wanting to maintain IS security. Additionally, there are numerous federal and state laws against unauthorized use of networks and computer systems. Unfortunately, individuals who want unauthorized access to networks and computer systems usually find a way to exploit them; often, after the fact, laws are enacted to prohibit that activity in the future.
  • 12. COMPUTER FORENSICS • As computer crime has gone mainstream, law enforcement has had to become much more sophisticated in their computer crime investigations. Computer forensics is the use of formal investigative techniques to evaluate digital information for judicial review. Most often, computer forensics experts evaluate various types of storage devices to find traces of illegal activity or to gain evidence in related but non-computer crimes. In fact, in most missing- person or murder cases today, investigators immediately want to examine the victim’s computer for clues or evidence. Organizations and governments are increasingly utilizing honeypots to proactively gather intelligence to improve their defenses or to catch cybercriminals. A honeypot is a computer, data, or network site that is designed to be enticing to hackers so as to detect, deflect, or counteract illegal activity. Some criminals, for example, have special “booby-trap” programs running on computers to destroy evidence if someone other than the criminal uses the machine. Using special software tools, computer forensics experts can often restore data that have been deleted from a computer’s hard drive. Additionally, beyond human and technological safeguards, the quality of information security in any organization depends on effective management. Managers must continuously check for security problems, recognize that holes in security exist, and take appropriate action.
  • 14. DEVELOPING AN IS SECURITY PLAN • Risk Analysis. – Determine the value of electronic information – Assess threats to confidentiality, integrity, and availability of information – Determine which computer operations are most vulnerable to security breaches – Assess current security policies – Recommend changes to existing practices and/or policies that will improve computer security • Policies and Procedures. Once risks are assessed, a plan should be formulated that details what action will be taken if security is breached. – Information Policy. Outlines how sensitive information will be handled, stored, trans- mitted, and destroyed. – Security Policy. Explains technical controls on all organizational computer systems, such as access limitations, audit-control software, and firewalls. – Use Policy. Outlines the organization’s policy regarding appropriate use of in-house computer systems. – Backup Policy. Explains requirements for backing up information. – Account Management Policy. Lists procedures for adding new users to systems and removing users who have left the organization. – Incident Handling Procedures. Lists procedures to follow when handling a security breach. – Disaster Recovery Plan. Lists all the steps an organization will take to restore computer operations in case of a natural or deliberate disaster.
  • 16. DESIGNING THE RECOVERY PLAN • When planning for disaster, two objectives should be considered by an organization: recovery time and recovery point objectives. – Recovery time objectives specify the maximum time allowed to recover from a catastrophic event. Having completely redundant systems minimizes the recovery time and are best suited for mission-critical applications, such as e- commerce transaction servers. For other applications, such as data mining, while important, the recovery time can be longer without disrupting primary business processes. – Recovery point objectives specify how current the backup data should be. Imagine that your computer’s hard drive crashes while you are working on a term paper. Luckily, you recently backed up your data. Would you prefer the last backup to be a few days old, or would you rather have the last backup include your most recent changes to the term paper? Having completely redundant systems that mirror the data helps to minimize (or even avoid) data loss in the event of a catastrophic failure.
  • 17. RESPONDING TO A SECURITY BREACH • Organizations that have developed a comprehensive IS security plan have the ability to rapidly respond to any type of security breach to their IS resources or to a natural disaster. In addition to restoring lost data using backups, common responses to a security breach include performing a new risk audit and implementing a combination of additional (more secure) safeguards. Additionally, when intruders are discovered, organizations can contact local law enforcement agencies and the FBI for assistance in locating and prosecuting them. Several online organizations issue bulletins to alert organizations and individuals to possible software vulnerabilities or attacks based on reports from organizations when security breaches occur.
  • 18. THE STATE OF SYSTEMS SECURITY MANAGEMENT • Financial fraud attacks result in the greatest financial losses for organizations; other significant costs were due to viruses, data theft, unauthorized access, and denial-of-service attacks. • Relatively few organizations (about 29 percent) report computer intrusions to law enforcement because of various fears, such as how negative publicity would hurt stock values or how competitors might gain an advantage over news of a security incident. • Most organizations do not outsource security activities. • Nearly all organizations conduct routine and ongoing security audits. • The majority of organizations believed security training of employees is important, but most respondents said their organization did not spend enough on security training.
  • 19. INFORMATION SYSTEMS CONTROLS, AUDITING, AND THE SARBANES- OXLEY ACT • Preventive controls • Detective controls • Corrective controls
  • 20. IS AUDITING • Analyzing the IS controls should be an ongoing process for organizations. However, often it can be beneficial for organizations to periodically have an external entity review the controls so as to uncover any potential problems. An information systems audit, often performed by external auditors, can help organizations assess the state of their IS controls to determine necessary changes and to help ensure the information systems’ availability, confidentiality, and integrity. The response to the strengths and weaknesses identified in the IS audit is often determined by the potential risks an organization faces. Testing all controls under all possible conditions is very inefficient and often infeasible. Thus, auditors frequently rely on computer-assisted auditing tools, or specific software that tests applications and data using test data or simulations. In addition to using specific auditing tools, auditors use audit sampling procedures to assess the controls, enabling the audit to be conducted in the most cost-effective manner. Once the audit has been performed and sufficient evidence has been gathered, reports are issued to the organization.
  • 21. THE SARBANES-OXLEY ACT • Another major factor that has contributed to a high demand for IS auditors is the need to comply with government regulations, most notably the Sarbanes-Oxley Act of 2002 (S-OX). Formed as a reaction to large-scale accounting scandals that led to the downfall of corporations such as WorldCom and Enron, S- OX addresses primarily the accounting side of organizations. According to S-OX, companies have to demonstrate that there are controls in place to prevent misuse or fraud, controls to detect any potential problems, and effective measures to correct any problems. The IS architecture plays a key role in S-OX compliance, given that many controls are IS based, providing capabilities to detect information exceptions and to provide a management trail for tracing exceptions. However, S-OX itself barely addresses IS controls specifically; rather, it addresses general processes and practices, leaving companies wondering how to comply with the guidelines put forth in the act. Further, it is often cumbersome and time consuming for organizations to identify the relevant systems to be audited for S-OX compliance. Thus, many organizations find it easier to review their entire IS infrastructure, following objectives set forth in guidelines such as the control objectives for information and related technology (COBIT)—a set of best practices that helps organizations both maximize the benefits from their IS infrastructure and establish appropriate controls. Another issue faced by organizations because of S-OX is the requirement to preserve evidence to document compliance and for potential lawsuits. Failure to present such documents in the case of litigious activity can lead to severe fines being imposed on companies and their executives, and courts usually will not accept the argument that a message could not be located.

Notas del editor

  1. \n
  2. \n
  3. \n
  4. \n
  5. \n
  6. \n
  7. \n
  8. \n
  9. \n
  10. \n
  11. \n
  12. \n
  13. \n
  14. \n
  15. \n
  16. \n
  17. \n
  18. \n
  19. \n
  20. \n
  21. \n