Corporate Security Physical Security Information Security Business Continuity Emergency Management


ESTABLISHING A MANAGEMENT FRAMEWORK FOR SECURITY AND CONTROL

Technology is not the key issue in information systems security and control. The technology provides a foundation, but in the absence of intelligent management policies, even the best technology can be easily defeated. For instance, experts believe that over 90 percent of successful cyberattacks could have been prevented by technology available at the time. Inadequate human attention made these attacks so prevalent.

           Protection of information resources requires a sound security policy and set of controls. ISO 17799, an international set of standards for security and control, provides helpful guidelines. It specifies best practices in information systems security and control, including security policy, business continuity planning, physical security, access control, compliance, and creating a security function within the organization.

Types of Information Systems Controls

Protection of information resources requires a well-designed set of controls. Computer systems are controlled by a combination of general controls and application controls. General controls govern the design, security, and use of computer programs and the security of data files in general throughout the organization's information technology infrastructure. On the whole, general controls apply to all computerized applications and consist of a combination of hardware, software, and manual procedures that create an overall control environment. Application controls are specific controls unique to each computerized application, such as payroll or order processing. They consist of controls applied from the business functional area of a particular system and from programmed procedures.

GENERAL CONTROLS

General controls include software controls, physical hardware controls, computer operations controls, data security controls, controls over the systems implementation process, and administrative controls. Table 10-3 describes the functions of each type of control.

TABLE 10-3 General Controls

APPLICATION CONTROLS

Application controls include both automated and manual procedures that ensure that only authorized data are completely and accurately processed by that application. Application controls can be classified as (1) input controls, (2) processing controls, and (3) output controls.

           Input controls check data for accuracy and completeness when they enter the system. There are specific input controls for input authorization, data conversion, data editing, and error handling. Processing controls establish that data are complete and accurate during updating. Run control totals, computer matching, and programmed edit checks are used as processing controls. Output controls ensure that the results of computer processing are accurate, complete, and properly distributed. Table 10-4 provides more detailed examples of each type of application control.

TABLE 10-4 Application Controls

           Not all of the application controls discussed here are used in every information system. Some systems require more of these controls than others, depending on the importance of the data and the nature of the application.

Risk Assessment

Before an organization commits resources to controls, it must know which assets require protection and the extent to which these assets are vulnerable. A risk assessment helps answer these questions and also helps the firm determine the most cost-effective set of controls for protecting assets.

           A risk assessment determines the level of risk to the firm if a specific activity or process is not properly controlled. Business managers working with information systems specialists can determine the value of information assets, points of vulnerability, the likely frequency of a problem, and the potential for damage. For example, if an event is likely to occur no more than once a year, with a maximum of a $1,000 loss to the organization, it would not be feasible to spend $20,000 on the design and maintenance of a control to protect against that event. However, if that same event could occur at least once a day, with a potential loss of more than $300,000 a year, $100,000 spent on a control might be entirely appropriate.

           Table 10-5 illustrates sample results of a risk assessment for an online order processing system that processes 30,000 orders per day. The likelihood of each exposure occurring over a one-year period is expressed as a percentage. The next column shows the highest and lowest possible loss that could be expected each time the exposure occurred and an average loss calculated by adding the highest and lowest figures together and dividing by 2. The expected annual loss for each exposure can be determined by multiplying the average loss by its probability of occurrence.

TABLE 10-5 Online Order Processing Risk Assessment

This risk assessment shows that the probability of a power failure occurring in a one-year period is 30 percent. Loss of order transactions while power is down could range from $5,000 to $200,000 (averaging $102,500) for each occurrence, depending on how long processing is halted. The probability of embezzlement occurring over a yearly period is about 5 percent, with potential losses ranging from $1,000 to $50,000 (and averaging $25,500) for each occurrence. User errors have a 98 percent chance of occurring over a yearly period, with losses ranging from $200 to $40,000 (and averaging $20,100) for each occurrence. Once the risks have been assessed, system builders can concentrate on the control points with the greatest vulnerability and potential for loss. In this case, controls should focus on ways to minimize the risk of power failures and user errors because anticipated annual losses are highest for these areas.
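The expected-annual-loss arithmetic described for Table 10-5, carried through for the three exposures discussed above and combined with the control-cost comparison from the earlier paragraph. This is an added illustration, not part of the textbook; the exposure names and dollar figures are restated from the text, and the `control_is_justified` rule is an assumed formalization of the text's cost-effectiveness reasoning.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Exposure:
    name: str
    probability: float  # chance of occurring over a one-year period (0.30 = 30 percent)
    loss_low: float     # lowest loss per occurrence, in dollars
    loss_high: float    # highest loss per occurrence, in dollars

    @property
    def average_loss(self) -> float:
        # Convention from the text: add highest and lowest, divide by 2.
        return (self.loss_high + self.loss_low) / 2

    @property
    def expected_annual_loss(self) -> float:
        # Expected annual loss = average loss per occurrence * yearly probability.
        return self.average_loss * self.probability


# Figures restated from the discussion of Table 10-5 (online order processing system).
EXPOSURES: List[Exposure] = [
    Exposure("Power failure", 0.30, 5_000, 200_000),
    Exposure("Embezzlement", 0.05, 1_000, 50_000),
    Exposure("User error", 0.98, 200, 40_000),
]


def rank_exposures(exposures: List[Exposure]) -> List[Tuple[str, float]]:
    """Return (name, expected annual loss) pairs, highest expected loss first.

    The top entries are the control points to concentrate on.
    """
    ranked = [(e.name, e.expected_annual_loss) for e in exposures]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


def control_is_justified(annual_control_cost: float, exposure: Exposure) -> bool:
    """Assumed rule: a control is cost-effective only if its yearly cost is below
    the expected annual loss it guards against (the text's $20,000 control for a
    $1,000-a-year event would fail this test)."""
    return annual_control_cost < exposure.expected_annual_loss


if __name__ == "__main__":
    for name, loss in rank_exposures(EXPOSURES):
        print(f"{name:14s} expected annual loss: ${loss:,.0f}")
```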

           One problem with risk assessment and other methods for quantifying security costs and benefits is that organizations do not always know the precise probability of threats occurring to their information systems, and they may not be able to quantify the impact of such events accurately. Nevertheless, some effort to anticipate, budget for, and control direct and indirect security costs will be appreciated by management (Mercuri, 2003).

The end product of risk assessment is a plan to minimize overall cost and maximize defenses. To decide which controls to use, information systems builders must examine various control techniques in relation to each other and to their relative cost-effectiveness. A control weakness at one point may be offset by a strong control at another. It may not be cost-effective to build tight controls at every point in the processing cycle if the areas of greatest risk are secure or if compensating controls exist elsewhere. The combination of all of the controls developed for a particular application determines the application's overall level of control.

Security Policy

Firms must develop a coherent corporate policy that takes into account the nature of the risks, the information assets that need protecting, and the procedures and technologies required to address the risks, as well as implementation and auditing mechanisms.

A growing number of firms have established a formal corporate security function headed by a chief security officer (CSO). The security group educates and trains users, keeps management aware of security threats and breakdowns, and maintains the tools chosen to implement security. The chief security officer is responsible for enforcing the firm's security policy.

A security policy consists of statements ranking information risks, identifying acceptable security goals, and identifying the mechanisms for achieving these goals. What are the firm's most important information assets? Who generates and controls this information in the firm? What existing security policies are in place to protect the information? What level of risk is management willing to accept for each of these assets? Is it willing, for instance, to lose customer credit data once every 10 years? Or will it build a security edifice for credit card data that can withstand the once-in-a-hundred-year disaster? Management must estimate how much it will cost to achieve this level of acceptable risk.

The security organization typically administers acceptable use policies and authorization policies. An acceptable use policy (AUP) defines acceptable uses of the firm's information resources and computing equipment, including desktop and laptop computers, wireless devices, telephones, and the Internet. The policy should clarify company policy regarding privacy, user responsibility, and personal use of company equipment and networks. A good AUP defines unacceptable and acceptable actions for every user and specifies consequences for noncompliance.

           Authorization policies determine differing levels of access to information assets for different levels of users. Authorization management systems establish where and when a user is permitted to access certain parts of a Web site or a corporate database. Such systems allow each user access only to those portions of a system that person is permitted to enter, based on information established by a set of access rules.

The authorization management system knows exactly what information each user is permitted to access, as shown in Figure 10-5. This figure illustrates the security allowed for two sets of users of an online personnel database containing sensitive information, such as employees' salaries, benefits, and medical histories. One set of users consists of all employees who perform clerical functions, such as inputting employee data into the system. All individuals with this type of profile can update the system but can neither read nor update sensitive fields, such as salary, medical history, or earnings data. Another profile applies to a divisional manager, who cannot update the system but who can read all employee data fields for his or her division, including medical history and salary. These profiles are based on access rules supplied by business groups. The system illustrated in Figure 10-5 provides very fine-grained security restrictions, such as allowing authorized personnel users to inquire about all employee information except that in confidential fields, such as salary or medical history.


FIGURE 10-5 Security profiles for a personnel system

These two examples represent two security profiles or data security patterns that might be found in a personnel system. Depending on the security profile, a user would have certain restrictions on access to various systems, locations, or data in an organization.
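The two security profiles from Figure 10-5 expressed as field-level, division-scoped access rules with a deny-by-default check. This is an added example, not the textbook's own system; the profile names, the field names, the division "East", and the sample employee records are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Confidential fields named in the text; anything else is treated as non-sensitive.
SENSITIVE_FIELDS = frozenset({"salary", "medical_history", "earnings"})


@dataclass(frozen=True)
class Profile:
    name: str
    read_sensitive: bool      # may read confidential fields
    update_nonsensitive: bool  # may update ordinary fields
    update_sensitive: bool    # may update confidential fields
    division: Optional[str]   # None = not restricted to one division


@dataclass(frozen=True)
class EmployeeRecord:
    employee_id: str
    division: str
    fields: Dict[str, object]


# Clerical staff: update the system, but neither read nor update sensitive fields.
CLERICAL = Profile("clerical", False, True, False, None)
# Divisional manager: read every field, but only within his or her division; no updates.
EAST_MANAGER = Profile("division manager", True, False, False, "East")  # division constructed


def is_allowed(profile: Profile, action: str, record: EmployeeRecord, field_name: str) -> bool:
    """Deny by default; permit only when an access rule explicitly allows it."""
    if profile.division is not None and record.division != profile.division:
        return False  # outside the manager's division: nothing is visible
    sensitive = field_name in SENSITIVE_FIELDS
    if action == "read":
        return profile.read_sensitive or not sensitive
    if action == "update":
        return profile.update_sensitive if sensitive else profile.update_nonsensitive
    return False  # unknown action


def visible_fields(profile: Profile, record: EmployeeRecord) -> Dict[str, object]:
    """Project a record down to the fields this profile may inquire about."""
    return {name: value for name, value in record.fields.items()
            if is_allowed(profile, "read", record, name)}
```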


Ensuring Business Continuity

As companies increasingly rely on digital networks for their revenue and operations, they need to take additional steps to ensure that their systems and applications are always available. Many factors can disrupt the performance of a Web site, including denial of service attacks, network failure, heavy Internet traffic, and exhausted server resources. Computer failures, interruptions, and downtime translate into disgruntled customers, millions of dollars in lost sales, and the inability to perform critical internal transactions. Downtime refers to periods of time in which a system is not operational.

Firms such as those in the airline and financial services industries with critical applications requiring online transaction processing have traditionally used fault-tolerant computer systems to ensure 100 percent availability. In online transaction processing, transactions entered online are immediately processed by the computer. Multitudinous changes to databases, reporting, and requests for information occur each instant.

           Fault-tolerant computer systems contain redundant hardware, software, and power supply components that create an environment that provides continuous, uninterrupted service. Fault-tolerant computers contain extra memory chips, processors, and disk storage devices to back up a system and keep it running to prevent failure. They use special software routines or self-checking logic built into their circuitry to detect hardware failures and automatically switch to a backup device. Parts from these computers can be removed and repaired without disruption to the computer system.

           Fault tolerance should be distinguished from high-availability computing. Both fault tolerance and high-availability computing are designed to maximize application and system availability. Both use backup hardware resources. However, high-availability computing helps firms recover quickly from a crash, whereas fault tolerance promises continuous availability and the elimination of recovery time altogether. High-availability computing environments are a minimum requirement for firms with heavy electronic commerce processing or for firms that depend on digital networks for their internal operations.

High-availability computing requires an assortment of tools and technologies to ensure maximum performance of computer systems and networks, including redundant servers, mirroring, load balancing, clustering, high-capacity storage, and good disaster recovery and business continuity plans. The firm's computing platform must be extremely robust with scalable processing power, storage, and bandwidth.

           Load balancing distributes large numbers of access requests across multiple servers. The requests are directed to the most available server so that no single device is overwhelmed. If one server starts to get swamped, requests are forwarded to another server with more capacity.

           Mirroring uses a backup server that duplicates all the processes and transactions of the primary server. If the primary server fails, the backup server can immediately take its place without any interruption in service. However, server mirroring is very expensive because each server must be mirrored by an identical server whose only purpose is to be available in the event of a failure.

           High-availability clustering links two computers together so that the second computer can act as a backup to the primary computer. If the primary computer fails, the second computer picks up its processing without any pause in the system. (Computers can also be clustered together as a single computing resource to speed up processing.)

           Researchers are exploring ways to make computing systems recover even more rapidly when mishaps occur, an approach called recovery-oriented computing. This work includes designing systems that can recover quickly and implementing capabilities and tools to help operators pinpoint the sources of faults in multicomponent systems and easily correct their mistakes (Fox and Patterson, 2003).

BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING

Disaster recovery planning devises plans for the restoration of computing and communications services after they have been disrupted by an event such as an earthquake, flood, or terrorist attack. Disaster recovery plans focus primarily on the technical issues involved in keeping systems up and running, such as which files to back up and the maintenance of backup computer systems or disaster recovery services.

           For example, MasterCard maintains a duplicate computer center in Kansas City, Missouri, to serve as an emergency backup to its primary computer center in St. Louis. Rather than build their own backup facilities, many firms contract with disaster recovery firms, such as Comdisco Disaster Recovery Services in Rosemont, Illinois, and SunGard Recovery Services, headquartered in Wayne, Pennsylvania. These disaster recovery firms provide hot sites housing spare computers at locations around the country where subscribing firms can run their critical applications in an emergency.

           Business continuity planning focuses on how the company can restore business operations after a disaster strikes. The business continuity plan identifies critical business processes and determines action plans for handling mission-critical functions if systems go down.

Business managers and information technology specialists need to work together on both types of plans to determine which systems and business processes are most critical to the company. They must conduct a business impact analysis to identify the firm's most critical systems and the impact a systems outage would have on the business. Management must determine the maximum amount of time the business can survive with its systems down and which parts of the business must be restored first.

           The Window on Management describes how business continuity planning is conducted at Deutsche Bank. This global financial institution cannot afford to have critical operations disrupted by computer failures. It has both disaster recovery facilities and a business continuity plan in place and prepares employees for its execution.

SECURITY OUTSOURCING

Many companies such as Wesfarmers, described in the chapter-opening case, lack the resources or expertise to provide a secure high-availability computing environment on their own. They can outsource many security functions to managed security service providers (MSSPs) that monitor network activity and perform vulnerability testing and intrusion detection. Guardent, Counterpane, VeriSign, and Symantec are leading providers of MSSP services.


The Role of Auditing in the Control Process

How does management know that information systems security and controls are effective? To answer this question, organizations must conduct comprehensive and systematic audits. An MIS audit identifies all of the controls that govern individual information systems and assesses their effectiveness. To accomplish this, the auditor must acquire a thorough understanding of operations, physical facilities, telecommunications, security systems, security objectives, organizational structure, personnel, manual procedures, and individual applications.

           The auditor usually interviews key individuals who use and operate a specific information system concerning their activities and procedures. Security, application controls, overall integrity controls, and control disciplines are examined. The auditor should trace the flow of sample transactions through the system and perform tests, using, if appropriate, automated audit software.

           Security audits should review technologies, procedures, documentation, training, and personnel. A very thorough audit will even simulate an attack or disaster to test the response of the technology, information systems staff, and business employees.

The audit lists and ranks all control weaknesses and estimates the probability of their occurrence. It then assesses the financial and organizational impact of each threat. Figure 10-6 is a sample auditor's listing of control weaknesses for a loan system. It includes a section for notifying management of such weaknesses and for management's response. Management is expected to devise a plan for countering significant weaknesses in controls.


FIGURE 10-6 Sample auditor's list of control weaknesses

This chart is a sample page from a list of control weaknesses that an auditor might find in a loan system in a local commercial bank. This form helps auditors record and evaluate control weaknesses and shows the results of discussing those weaknesses with management, as well as any corrective actions taken by management.

Source: https://paginas.fe.up.pt/~acbrito/laudon/ch10/chpt10-3fulltext.htm