Ch.5 It Security, Crime, Compliance, and Continuity Lecture 4.
5.1 Protecting Data and Business Operations
IT security: the protection of data, systems, networks, and operations.
Technology defenses are necessary, but they’re not sufficient, because protecting data and business operations also involves:
• Implementing and enforcing acceptable use policies (AUPs).
• Complying with government regulations and laws.
• Making data available 24x7 while restricting access.
• Promoting secure and legal sharing of information.
IT Security Principles
Know Your Enemy and Your Risks
• IT security risks are business risks
• Threats range from high-tech exploits to gain access to a company’s networks to non-tech tactics such as stealing laptops or items of value. Common examples:
– Malware (malicious software): viruses, worms, trojan horses, spyware, and disruptive or destructive programs
– Insider error or action, either intentional or unintentional
– Fraud
– Fire, flood, or other natural disasters
IT at Work 5.1 $100 Million Data Breach
• May 2006: a laptop and external hard drive belonging to the U.S. Dept of Veterans Affairs (VA) were stolen during a home burglary.
• Data on 26.5 million veterans and spouses had been stored in plaintext.
• VA Secretary Jim Nicholson testified before Congress that it would cost at least $10 million just to inform veterans of the security breach.
• Total cost of data breach: $100 million
Risks
• Cloud computing
• Social networks
• Phishing
• Search engine manipulation
• Money laundering
• Organized crime
• Terrorist financing
IT Security Defense-in-Depth Model
5.2 IS Vulnerabilities and Threats
• Unintentional
– human error
– environmental hazards
– computer system failure
• Intentional
– hacking
– malware
– manipulation
Figure 5.4 How a computer virus can spread
Malware and Botnet Defenses
• Anti-virus software
• Firewalls
• Intrusion detection systems (IDS)
• Intrusion prevention systems (IPS)
5.4 IT and Network Security
Objectives of a defense strategy
1. Prevention and deterrence
2. Detection
3. Containment (minimize losses, damage control)
4. Recovery
5. Correction
6. Awareness and compliance
Major categories of general controls
• physical controls
• access controls
• biometric controls
• communication network controls
• administrative controls
• application controls
• endpoint security and control
Figure 5.7 Intelligent agents
5.5 Network Security
Figure 5.8 Three layers of network security measures
Ethical issues
• Implementing security programs raises many ethical issues.
• Handling the privacy versus security dilemma is tough.
• Ethical and legal obligations may require companies to “invade the privacy” of employees and monitor their actions.
• Under the doctrine of duty of care, senior managers and directors have an obligation to use reasonable care to protect the company’s business operations.