1. TECHNOLOGICAL
SAFEGUARDS
•There are six commonly used methods in which
technology is employed to safeguard information
systems
2. PHYSICAL ACCESS
RESTRICTIONS
• Organizations can prevent unauthorized
access to information systems by keeping
stored information safe and allowing access
only to those employees who need it to do
their jobs.
• The most common form of authentication is
the use of passwords, which are effective only
if chosen carefully and changed frequently.
• Access is usually limited by making it
dependent on one of the following:
– Something You Have: Keys, picture identification
cards, smart cards
– Something You Know: passwords, PINs, answers
to secret questions
– Something You Are: fingerprints, voice patterns,
biometrics
3. PHYSICAL ACCESS
RESTRICTIONS
• Biometrics is a form of authentication used to govern access to systems, data, and/or facilities. With biometrics, employees
may be identified by fingerprints, retinal patterns, or other bodily characteristics.
• A virtual private network (VPN) is a network connection that is constructed dynamically within an existing network—often
called a secure tunnel—in order to connect users or nodes. For example, a number of companies and software solutions
enable you to create VPNs within the Internet as the medium for transporting data. These systems use authentication and
encryption and other security mechanisms to ensure that only authorized users can access the VPN and that the data
cannot be intercepted and compromised; this practice of creating an encrypted “tunnel” to send secure (private) data over
the (public) Internet is known as tunneling. For example, Washington State University requires VPN software to be used
when connecting remotely to the campus network or e-mail system or when using the on-campus wireless LAN.
5. ENCRYPTION
• When you do not have access to a secure channel for sending information over a wired or
wireless network, encryption is the best bet for keeping snoopers out. Encryption is the
process of encoding messages before they enter the network or airwaves, then decoding
them at the receiving end of the transfer so that the intended recipients can read or hear
them. The process works because if you scramble messages before you send them,
eavesdroppers who might intercept them cannot decipher them without the decoding key.
Implementing encryption on a large scale, such as on a busy Web site, requires a third
6. VIRUS MONITORING AND
PREVENTION
• Purchase and install antivirus software, then update frequently to be sure
you are protected against new viruses.
• Do not use flash drives, disks, or shareware from unknown or suspect
sources and be equally careful when downloading material from the
Internet, making sure that the source is reputable.
• Delete without opening any e-mail message received from an unknown
source. Be especially wary of opening attachments.
• Do not blindly open e-mail attachments, even if they come from a known
source. Many viruses are spread without the sender’s knowledge, so it is
better to check with the sender before opening a potentially unsafe
attachment.
• If your computer system contracts a virus, report the infection to your
school or company’s IT department so that appropriate measures can be
taken.
7. AUDIT-CONTROL SOFTWARE
• Audit-control software is used to keep track of
computer activity so that auditors can spot
suspicious activity and take action. Any user leaves
electronic footprints that auditors can trace. Audit-
control software helps creating an audit trail, a
record showing who has used a computer system
and how it was used.
9. SECURE DATA CENTERS:
SECURING THE FACILITIES
• INFRASTRUCTURE
Backup Sites – duplication. A cold backup site is nothing
more than an empty warehouse with all necessary
connections for power and communication but nothing
else. In the case of a disaster, a company has to first set
up all necessary equipment, ranging from office
furniture to Web servers. A hot backup site is a fully
equipped backup facility, having everything from office
chairs to a one-to-one replication of the most current
data. Further, hot backup sites also have a redundant
backup of the data so that the business processes are
interrupted as little as possible. To achieve this
redundancy, all data are mirrored on separate servers.
• Redundant Data Centers – separation. Often,
companies choose to replicate their data centers in
multiple locations. Events such as a hurricane can
damage systems that are located across town from
each other. Thus, even if the primary infrastructure is
located in-house, it pays to have a backup located in a
different geographic area to minimize the risk of a
disaster happening to both systems.
11. HUMAN SAFEGUARDS
• In addition to the technological safeguards, there are various
human safeguards that can help to safeguard information systems,
specifically ethics, laws, and effective management. Educating
potential users at an early age as to what constitutes appropriate
behavior can help, but unethical users will undoubtedly always
remain a problem for those wanting to maintain IS security.
Additionally, there are numerous federal and state laws against
unauthorized use of networks and computer systems.
Unfortunately, individuals who want unauthorized access to
networks and computer systems usually find a way to exploit
them; often, after the fact, laws are enacted to prohibit that activity
in the future.
12. COMPUTER FORENSICS
• As computer crime has gone mainstream, law enforcement has had to become much more
sophisticated in their computer crime investigations. Computer forensics is the use of formal
investigative techniques to evaluate digital information for judicial review. Most often,
computer forensics experts evaluate various types of storage devices to find traces of illegal
activity or to gain evidence in related but non-computer crimes. In fact, in most missing-
person or murder cases today, investigators immediately want to examine the victim’s
computer for clues or evidence. Organizations and governments are increasingly utilizing
honeypots to proactively gather intelligence to improve their defenses or to catch
cybercriminals. A honeypot is a computer, data, or network site that is designed to be enticing
to hackers so as to detect, deflect, or counteract illegal activity. Some criminals, for example,
have special “booby-trap” programs running on computers to destroy evidence if someone
other than the criminal uses the machine. Using special software tools, computer forensics
experts can often restore data that have been deleted from a computer’s hard drive.
Additionally, beyond human and technological safeguards, the quality of information security in
any organization depends on effective management. Managers must continuously check for
security problems, recognize that holes in security exist, and take appropriate action.
14. DEVELOPING AN IS SECURITY
PLAN
• Risk Analysis.
– Determine the value of electronic information
– Assess threats to confidentiality, integrity, and availability of information
– Determine which computer operations are most vulnerable to security breaches
– Assess current security policies
– Recommend changes to existing practices and/or policies that will improve computer security
• Policies and Procedures. Once risks are assessed, a plan should be formulated that details what action will be taken if
security is breached.
– Information Policy. Outlines how sensitive information will be handled, stored, trans- mitted, and destroyed.
– Security Policy. Explains technical controls on all organizational computer systems, such as access limitations, audit-control software, and
firewalls.
– Use Policy. Outlines the organization’s policy regarding appropriate use of in-house computer systems.
– Backup Policy. Explains requirements for backing up information.
– Account Management Policy. Lists procedures for adding new users to systems and removing users who have left the organization.
– Incident Handling Procedures. Lists procedures to follow when handling a security breach.
– Disaster Recovery Plan. Lists all the steps an organization will take to restore computer operations in case of a natural or deliberate
disaster.
16. DESIGNING THE RECOVERY
PLAN
• When planning for disaster, two objectives should be considered by an
organization: recovery time and recovery point objectives.
– Recovery time objectives specify the maximum time allowed to recover from a
catastrophic event. Having completely redundant systems minimizes the
recovery time and are best suited for mission-critical applications, such as e-
commerce transaction servers. For other applications, such as data mining, while
important, the recovery time can be longer without disrupting primary business
processes.
– Recovery point objectives specify how current the backup data should be.
Imagine that your computer’s hard drive crashes while you are working on a
term paper. Luckily, you recently backed up your data. Would you prefer the last
backup to be a few days old, or would you rather have the last backup include
your most recent changes to the term paper? Having completely redundant
systems that mirror the data helps to minimize (or even avoid) data loss in the
event of a catastrophic failure.
17. RESPONDING TO A SECURITY
BREACH
• Organizations that have developed a comprehensive IS security
plan have the ability to rapidly respond to any type of security
breach to their IS resources or to a natural disaster. In addition to
restoring lost data using backups, common responses to a security
breach include performing a new risk audit and implementing a
combination of additional (more secure) safeguards. Additionally,
when intruders are discovered, organizations can contact local law
enforcement agencies and the FBI for assistance in locating and
prosecuting them. Several online organizations issue bulletins to
alert organizations and individuals to possible software
vulnerabilities or attacks based on reports from organizations
when security breaches occur.
18. THE STATE OF SYSTEMS SECURITY
MANAGEMENT
• Financial fraud attacks result in the greatest financial losses for organizations; other significant costs were
due to viruses, data theft, unauthorized access, and denial-of-service attacks.
• Relatively few organizations (about 29 percent) report computer intrusions to law enforcement because
of various fears, such as how negative publicity would hurt stock values or how competitors might gain an
advantage over news of a security incident.
• Most organizations do not outsource security activities.
• Nearly all organizations conduct routine and ongoing security audits.
• The majority of organizations believed security training of employees is important, but most respondents
said their organization did not spend enough on security training.
19. INFORMATION SYSTEMS CONTROLS,
AUDITING, AND THE SARBANES-
OXLEY ACT
• Preventive controls
• Detective controls
• Corrective controls
20. IS AUDITING
• Analyzing the IS controls should be an ongoing process for organizations.
However, often it can be beneficial for organizations to periodically have an
external entity review the controls so as to uncover any potential problems. An
information systems audit, often performed by external auditors, can help
organizations assess the state of their IS controls to determine necessary changes
and to help ensure the information systems’ availability, confidentiality, and
integrity. The response to the strengths and weaknesses identified in the IS audit is
often determined by the potential risks an organization faces. Testing all controls
under all possible conditions is very inefficient and often infeasible. Thus, auditors
frequently rely on computer-assisted auditing tools, or specific software that tests
applications and data using test data or simulations. In addition to using specific
auditing tools, auditors use audit sampling procedures to assess the controls,
enabling the audit to be conducted in the most cost-effective manner. Once the
audit has been performed and sufficient evidence has been gathered, reports are
issued to the organization.
21. THE SARBANES-OXLEY ACT
• Another major factor that has contributed to a high demand for IS auditors is the need to comply with
government regulations, most notably the Sarbanes-Oxley Act of 2002 (S-OX). Formed as a reaction to
large-scale accounting scandals that led to the downfall of corporations such as WorldCom and Enron, S-
OX addresses primarily the accounting side of organizations. According to S-OX, companies have to
demonstrate that there are controls in place to prevent misuse or fraud, controls to detect any potential
problems, and effective measures to correct any problems. The IS architecture plays a key role in S-OX
compliance, given that many controls are IS based, providing capabilities to detect information exceptions
and to provide a management trail for tracing exceptions. However, S-OX itself barely addresses IS controls
specifically; rather, it addresses general processes and practices, leaving companies wondering how to comply
with the guidelines put forth in the act. Further, it is often cumbersome and time consuming for
organizations to identify the relevant systems to be audited for S-OX compliance. Thus, many organizations
find it easier to review their entire IS infrastructure, following objectives set forth in guidelines such as the
control objectives for information and related technology (COBIT)—a set of best practices that helps
organizations both maximize the benefits from their IS infrastructure and establish appropriate controls.
Another issue faced by organizations because of S-OX is the requirement to preserve evidence to
document compliance and for potential lawsuits. Failure to present such documents in the case of litigious
activity can lead to severe fines being imposed on companies and their executives, and courts usually will
not accept the argument that a message could not be located.