Management Information Systems


Management Information Systems
The Islamia University of Bahawalpur
Delivered by:
Tasawar Javed
Lecture 16
Information Security

Today’s talk

- Information security
  - Objectives of information security
- Information security management
  - Management of information security
- Threats
  - Internal and external threats
  - Accidental and deliberate acts
  - Types of threats
- Risks
Information security

System security
When firms first sought to secure their information resources, attention was focused almost exclusively on protecting hardware and data.
Information security
This term came to be used to describe the protection of both computer and non-computer equipment, facilities, data, and information from misuse by unauthorized parties. This broad definition covers equipment such as copiers and fax machines, all types of media, and paper documents.
Objectives of information security

Confidentiality
- The firm seeks to protect its data and information from disclosure to unauthorized persons.
- Executive information systems, HRIS, and such transaction processing systems as payroll, accounts receivable, purchasing, and accounts payable are especially critical in this regard.

Availability
- The purpose of the firm’s information infrastructure is to make its data and information available to those who are authorized to use it. This objective is especially important to information-oriented systems such as human resource information systems and executive information systems.
Integrity
- All information systems should provide an accurate representation of the physical systems that they represent.

Taken together, the firm’s information systems must protect data and information from misuse, yet ensure their availability to authorized users, who can then have confidence in their accuracy.
Management of information security

Management is not only expected to keep the information resources secure; it is also expected to keep the firm functioning after a disaster or security breach.

Information security management (ISM): the activity of keeping information resources secure.

Business continuity management: the activity of keeping the firm and its information resources functioning after a catastrophe.
CISSO
The title corporate information systems security officer (CISSO) has been used for the person in the organization, typically a member of the information systems unit, who is responsible for the firm’s information systems security.

CIAO
Firms trying to achieve an even higher level of security have designated a corporate information assurance officer (CIAO), who reports to the CEO and manages an information assurance unit. The CIAO should possess the full range of security certifications and have a minimum of 10 years’ experience in managing an information security facility.
Information security management

It consists of four steps:

- Identify the threats
- Define the risks
- Establish an information security policy
- Implement the controls

The term risk management has been coined to describe this approach of basing the security of the firm’s information resources on the risks that it faces.
[Figure: risk management flow: identify the threats -> define the risks -> establish an IS policy -> implement the controls]
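The four steps above carried out on a small constructed risk register, as an added example written for this page and not taken from the lecture. The threat names, the 1 to 5 scores, the risk appetite threshold and the control catalogue are all assumptions; the risk categories are the four listed at the end of the lecture.

```python
"""Added example, not from the lecture: a minimal risk register that walks
the four risk-management steps. Threats, scores, the risk appetite and the
control catalogue below are constructed assumptions for illustration."""
from dataclasses import dataclass


# Step 1: identify the threats. Each threat is rated for likelihood and for
# the impact it would have on an information resource (1 = low, 5 = high).
@dataclass
class Threat:
    name: str
    source: str        # "internal" or "external", per the lecture's split
    deliberate: bool   # deliberate act or accident
    likelihood: int    # 1..5
    impact: int        # 1..5
    risk_type: str     # one of the four risk categories from the lecture


# Step 2: define the risks. Scoring risk as likelihood x impact is a common
# qualitative convention (an assumption here, not the lecture's formula).
def risk_score(t: Threat) -> int:
    return t.likelihood * t.impact


# Step 3: establish the policy. The policy fixes the score above which a risk
# must be treated and which controls apply to each risk category.
RISK_APPETITE = 6  # assumption: scores above this are unacceptable

CONTROLS = {  # assumption: illustrative control catalogue
    "unauthorized disclosure and theft": ["encrypt data at rest", "DLP monitoring"],
    "unauthorized use": ["multi-factor authentication", "least-privilege access review"],
    "unauthorized destruction and denial of service": ["offline backups", "rate limiting"],
    "unauthorized modification": ["integrity checksums", "change control"],
}


# Step 4: implement the controls. Here that means selecting the controls for
# every threat whose risk exceeds the appetite, highest risk first.
def treatment_plan(threats):
    plan = []
    for t in sorted(threats, key=risk_score, reverse=True):
        score = risk_score(t)
        if score > RISK_APPETITE:
            plan.append((t.name, score, CONTROLS[t.risk_type]))
    return plan


SAMPLE_THREATS = [  # constructed sample register
    Threat("payroll clerk exports salary data", "internal", True, 3, 5,
           "unauthorized disclosure and theft"),
    Threat("ransomware delivered by phishing e-mail", "external", True, 4, 5,
           "unauthorized destruction and denial of service"),
    Threat("operator mistypes an account balance", "internal", False, 2, 3,
           "unauthorized modification"),
    Threat("contractor reuses a shared admin password", "internal", True, 3, 2,
           "unauthorized use"),
]

if __name__ == "__main__":
    for name, score, controls in treatment_plan(SAMPLE_THREATS):
        print(f"{score:2d}  {name}: {', '.join(controls)}")
```

The point of the register is the ordering: the policy (threshold plus control catalogue) is written once, and the treatment plan follows from the scores rather than from whichever threat was mentioned last. The two threats scoring exactly 6 fall inside the appetite and get no treatment, which is the decision a risk-based approach is meant to make explicit.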
Information security benchmark

A benchmark is a recommended level of performance. A security benchmark is a recommended level of security that, in normal circumstances, should offer reasonable protection against unauthorized intrusion. Benchmarks are defined by government and industry associations and reflect what those authorities believe to be the components of a good information security program.
When a firm follows this approach, which we call benchmark compliance, it is assumed that government and industry authorities have done a good job of considering the threats and risks and that the benchmarks offer good protection.

[Figure: benchmark compliance flow: benchmarks -> establish an ISP -> implement the controls]
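What benchmark compliance looks like at the level of a single system, as an added example written for this page rather than taken from the lecture: a checker that compares a constructed sshd_config fragment against a small assumed benchmark and then produces the hardened file. The option names are real OpenSSH options, but the rules and rationales are illustrative assumptions, not the text of any published benchmark.

```python
"""Added example, not from the lecture: checking a configuration against a
security benchmark, then applying the benchmark's settings. The benchmark
rules are assumptions in the spirit of published hardening guides, not the
text of any real one; the config below is a constructed sample."""
import re

# Constructed sample: a fragment in the format of an OpenSSH sshd_config file.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 6
"""

# Assumed benchmark: option -> (required value, rationale).
BENCHMARK = {
    "PermitRootLogin": ("no", "log in as a named user and escalate with sudo"),
    "PasswordAuthentication": ("no", "require key-based authentication"),
    "X11Forwarding": ("no", "reduce attack surface"),
    "MaxAuthTries": ("4", "limit password brute-forcing"),
    "ClientAliveInterval": ("300", "time out idle sessions"),
}

OPTION_LINE = re.compile(r"\s*(\S+)\s+(.+?)\s*$")


def parse_config(text):
    """Return {option_lower: value}; comments and blank lines are skipped.
    OpenSSH option names are case-insensitive, so keys are lower-cased."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        m = OPTION_LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def check_compliance(text, benchmark=BENCHMARK):
    """Return one (option, expected, actual, rationale) tuple per deviation.
    An option absent from the file is a deviation too, reported with actual=None,
    because the daemon's compiled-in default may not match the benchmark."""
    settings = parse_config(text)
    findings = []
    for option, (expected, why) in benchmark.items():
        actual = settings.get(option.lower())
        if actual is None or actual.lower() != expected.lower():
            findings.append((option, expected, actual, why))
    return findings


def remediated_config(text, benchmark=BENCHMARK):
    """Implement the controls: rewrite lines that set a benchmarked option to
    the required value, keep everything else, and append any option missing."""
    wanted = {k.lower(): (k, v[0]) for k, v in benchmark.items()}
    seen, out = set(), []
    for line in text.splitlines():
        m = OPTION_LINE.match(line.split("#", 1)[0])
        key = m.group(1).lower() if m else None
        if key in wanted:
            name, value = wanted[key]
            out.append(f"{name} {value}")
            seen.add(key)
        else:
            out.append(line)
    for key, (name, value) in wanted.items():
        if key not in seen:
            out.append(f"{name} {value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for option, expected, actual, why in check_compliance(SAMPLE_SSHD_CONFIG):
        print(f"FAIL {option}: expected {expected!r}, found {actual!r} ({why})")
    print(remediated_config(SAMPLE_SSHD_CONFIG))
```

Two details matter in practice. Missing options are reported as failures rather than silently passed, since a benchmark that assumes a setting is present is only met when the file states it. And the check re-run on the remediated output returns no findings, which is the verification step a benchmark compliance program needs before it can claim the control is implemented.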
Threats

An information security threat is a person, organization, mechanism, or event that has the potential to inflict harm on the firm’s information resources.

Internal and external threats
Internal threats include not only employees but also temporary workers, consultants, contractors, and even business partners. Internal threats are expected to be more serious than external threats because of the more intimate knowledge of the system that insiders have.
Accidental and deliberate acts

Some threats are accidental and may be caused by persons inside or outside the firm; others are deliberate. While information security should be aimed at preventing deliberate threats, it should also eliminate or reduce the opportunity for accidental damage.
Types of threats

Virus
- A computer program that can replicate itself without being observable to the user and embed copies of itself in other programs and boot sectors.

Trojan horse
- Can neither replicate nor distribute itself; it is passed along by users as a utility program, but when the utility is used it produces unwanted changes in the system’s functionality.

Adware
- Generates intrusive advertising messages.

Spyware
- Gathers data from the user’s machine.
Risks

- Unauthorized disclosure and theft
- Unauthorized use
- Unauthorized destruction and denial of service
- Unauthorized modification

Thank you!
Q&A