http://www.csun.edu/~dn58412/IS531/IS531_SP15.html
Lecture 12: Information Security and Confidentiality (Chapter 12)
Learning Objectives
1. Privacy, confidentiality, information privacy, and information security and the relationships among them.
2. How information system security affects privacy, confidentiality, and security.
3. The significance of security for information integrity.
4. Potential threats to system security and information.
5. Security measures to protect information.
IS 531 : Lecture 12
Security Concern
• Information security and confidentiality of personal information represent major concerns in today’s society amidst growing reports of stolen and compromised information.
• Globalization and increased use of internet
• Evolving technology and intrusion techniques
• Information must be protected through a combination of electronic and manual methods
Information Security
• The protection of information against threats to its integrity, inadvertent disclosure, or availability determines the survivability of a system
Privacy
• Freedom from intrusion, or control over the exposure of self or of personal information
• The right to determine what information is collected, how it is used, and the ability to review collected information for accuracy and security
Confidentiality
• The protection of healthcare information is mandated by the Health Insurance Portability and Accountability Act (HIPAA) and the Joint Commission requirements.
• Must not disclose patient-related information without consent
• Share info only with the parties requiring it for client treatment
• Breaches are mostly due to careless communication in a public area or with an inappropriate person
Information/Data Privacy
• The storage and disclosure/dissemination of personally identifiable information
• The right to choose the conditions and extent to which information and beliefs are shared
• The right to ensure accuracy of information collected
Consent
• The process by which an individual authorizes healthcare personnel to process his or her information based on an informed understanding of how this information will be used
• Entails making the individual aware of risks to privacy and measures to protect it
Information System Security
• Ongoing protection of both information stored in the system and the system itself from threats or disruption
• Primary goals:
  – Protection of client confidentiality
  – Protection of information integrity
  – Timely availability of information when needed
Security Planning
• Safeguard against:
  – Downtime
  – Breaches in confidentiality
  – Loss of consumer confidence
  – Cybercrime
  – Liability
  – Lost productivity
• Ensure compliance with HIPAA
Steps to Security
• Assessment of risks and assets
• An organizational plan
• A “culture” of security
• The establishment and enforcement of policies
Threats to System Security and Information
• Human threats
  – Thieves
  – Hackers and crackers
  – Denial of service attacks
  – Terrorists
  – Viruses, worms
  – Revenge attacks
  – Pirated Web sites
Threats to System Security and Information …
• On-site threats
  – Poor password management
  – Compromised device
  – Human error
  – Unauthorized insider access
  – Flooding site
  – Power fluctuations
• Fires and natural disasters
Security Measures
• Firewalls: barrier created from software and hardware
• Antivirus and spyware detection
• User sign-on and passwords or other means of identity management
• Access on a need-to-know basis
• Automatic sign-off
• Physical restrictions to system access
Authentication
• Process of determining whether someone is who he or she claims to be
• Methods:
  – access codes,
  – logon passwords,
  – digital certificates,
  – public or private keys used for encryption
  – biometric measures
Password
• String of alphanumeric characters to type in for system access
• Inexpensive but not the most effective means of authentication
• Do:
  – Choose 8-12 character passwords
  – Avoid obvious passwords
  – Use the first characters of your favorite verses / sayings.
  – Include special characters, lower and upper cases, numbers.
Password …
• Don’t:
  – Post or write down passwords.
  – Leave computers or applications running when not in use.
  – Re-use the same password for different systems.
  – Use the browser “save password” feature.
• Never share passwords.
• Change password frequently
Biometrics
• Identification based on a unique biological trait
  – fingerprint
  – voice
  – iris pattern / retinal scan
  – hand geometry / palmprint
  – face recognition
  – etc…
Antivirus Software
• Computer programs that can locate and eradicate viruses and other malicious programs from memory sticks, storage devices, individual computers, and networks
• Detect and eliminate malware / spyware that installs itself without the user’s permission to collect passwords, PIN numbers, and account numbers, then sends them to another party
Antivirus Software
Source : http://anti-virus-software-review.toptenreviews.com/
Proper Handling and Disposal
• Acceptable uses
• Audit trails to monitor access
• Encourage review for accuracy
• Establish controls for information use after-hours and off-site
• Shred or use locked receptacles for the disposal of items containing personal health information
Implications for Mobile Computing
• Shared responsibility for information and information system security
• Devices are easily stolen.
• Devices should require authentication and encryption to safeguard information security.
• Devices should never be left where information may be seen by unauthorized viewers.
• Verify wireless networks before use.
Firewall
Physical vs. Logical Access / Controls
Encryption
I        S        5        3        1
01001001 01010011 00110101 00110011 00110001
10010101 00110011 01010011 00110011 00010100
01101010 11001100 10101100 11001100 11101011
Binary Codes
ASCII (American Standard Code for Information Interchange) : 8 bits
EBCDIC (Extended Binary-Coded Decimal Interchange Code) : 16 bits
Unicode : 32 bits and more
Encoding
Normal sequence : A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Encoded sequence : F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
Message : DROPBOX TONIGHT
Encoded message : IWTUGTC YTSNLMY
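The bit rows on the Encryption slide and the shifted alphabet on the Encoding slide, reproduced as an added Python example that is not part of the lecture. The function names are this example's own, and reading the second and third bit rows as a 4-bit left rotation followed by a bit inversion is inferred from the slide's values; both transforms are undone with no secret beyond the shift amount, of which the letter scheme has only 26 choices.

```python
# Added example: reproduces the two slide figures. All names are this
# example's own; the rotate-then-invert reading of the bit rows is an
# assumption inferred from the values printed on the slide.
import string

def to_bits(text: str) -> str:
    """8-bit ASCII code of each character, concatenated."""
    return "".join(f"{ord(c):08b}" for c in text)

def from_bits(bits: str) -> str:
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits), 8))

def rotate_left(bits: str, n: int) -> str:
    """Rotate the whole bit string; a negative n rotates right."""
    n %= len(bits)
    return bits[n:] + bits[:n]

def invert(bits: str) -> str:
    """Flip every bit (0 <-> 1)."""
    return bits.translate(str.maketrans("01", "10"))

def grouped(bits: str) -> str:
    """Space the bit string into bytes, as the slide prints it."""
    return " ".join(bits[i:i + 8] for i in range(0, len(bits), 8))

def shift_letters(message: str, shift: int) -> str:
    """Map A-Z through the alphabet rotated by `shift`; other characters pass through."""
    normal = string.ascii_uppercase
    k = shift % 26
    encoded = normal[k:] + normal[:k]
    return message.translate(str.maketrans(normal, encoded))

def demo() -> dict:
    plain = to_bits("IS531")                 # first bit row on the slide
    rotated = rotate_left(plain, 4)          # second row
    flipped = invert(rotated)                # third row
    recovered = from_bits(rotate_left(invert(flipped), -4))
    secret = shift_letters("DROPBOX TONIGHT", 5)   # A->F is a shift of 5
    return {
        "plain": grouped(plain), "rotated": grouped(rotated),
        "inverted": grouped(flipped), "recovered": recovered,
        "encoded": secret, "decoded": shift_letters(secret, -5),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>9}: {value}")
```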
Public Keys