
Control Adjustment: cost effective Security, Roles & Responsibility, Report Preparation

VU
Information System (CS507)
LESSON 31
Control Adjustment
This phase determines which controls can be designed, implemented and operated. The cost of devising a
control should not exceed the expected benefit gained and the potential loss avoided. The decision takes
into account factors such as personal judgment of the situation, any information gained during the
previous phases on desired or non-existent controls, and the demands of users for an ideal control
environment.
Existing controls should not be discarded wholesale while controls are adjusted. An existing control may
be retired where the threat it addressed no longer exists or a better control has replaced it, or it may
be modified to improve it. This phase should ensure that security is both cost effective and integrated.
31.1 Security to be cost effective
IT Guideline on security issued by IFAC states:
"Different levels and types of security may be required to address the risks to information. Security levels
and associated costs must be compatible with the value of the information."
An organization should consider several factors in making security cost effective: the criticality of its
information assets, the safeguards available, the cost of implementing those safeguards, and the optimum
balance between the harm arising from a security breach and the cost of the safeguards that would prevent it.
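The balance described above is normally made concrete by costing each candidate safeguard against the loss it avoids. The following is an added worked example, not part of the course notes: it assumes the standard quantitative risk model in which annualized loss expectancy (ALE) is the loss per incident (SLE) times the expected incidents per year (ARO), and it treats a safeguard as cost effective only when the ALE it removes exceeds its own annual cost. The assets, threats, costs and reduction fractions are constructed for the illustration.

```python
"""Cost/benefit screen for candidate safeguards (added illustration).

Assumed model (not stated in the notes): ALE = SLE x ARO. A safeguard that
cuts the ARO of an exposure by a fraction f removes f x ALE per year; it is
cost effective when the loss it removes exceeds its annual cost.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    asset: str
    threat: str
    sle: float  # single loss expectancy: loss per incident
    aro: float  # annual rate of occurrence: incidents per year

    def ale(self) -> float:
        """Annualized loss expectancy for this asset/threat pair."""
        return self.sle * self.aro


@dataclass
class Safeguard:
    name: str
    annual_cost: float
    # fraction by which ARO is cut for each (asset, threat) the safeguard covers
    aro_reduction: dict[tuple[str, str], float]

    def __post_init__(self) -> None:
        # A reduction outside [0, 1] is a data-entry error, not a stronger control.
        for key, frac in self.aro_reduction.items():
            if not 0.0 <= frac <= 1.0:
                raise ValueError(f"{self.name}: reduction for {key} must be in [0, 1]")


def annual_benefit(safeguard: Safeguard, exposures: list[Exposure]) -> float:
    """Loss avoided per year: ALE removed, summed over the exposures covered."""
    return sum(
        e.ale() * safeguard.aro_reduction.get((e.asset, e.threat), 0.0)
        for e in exposures
    )


def evaluate(safeguards: list[Safeguard], exposures: list[Exposure]) -> list[dict]:
    """One row per safeguard, ranked by net annual benefit (best first)."""
    rows = []
    for s in safeguards:
        benefit = annual_benefit(s, exposures)
        rows.append({
            "safeguard": s.name,
            "annual_cost": s.annual_cost,
            "annual_benefit": benefit,
            "net": benefit - s.annual_cost,
            "cost_effective": benefit > s.annual_cost,
        })
    return sorted(rows, key=lambda r: r["net"], reverse=True)


# Constructed sample data for a small payroll environment (hypothetical figures).
EXPOSURES = [
    Exposure("payroll database", "flood", sle=200_000, aro=0.05),      # ALE 10,000
    Exposure("payroll database", "power outage", sle=5_000, aro=4),    # ALE 20,000
    Exposure("web server", "virus or worm", sle=15_000, aro=2),        # ALE 30,000
]
SAFEGUARDS = [
    Safeguard("UPS for server room", 6_000, {("payroll database", "power outage"): 0.9}),
    Safeguard("Flood barrier", 25_000, {("payroll database", "flood"): 0.8}),
    Safeguard("Antivirus on web server", 4_000, {("web server", "virus or worm"): 0.7}),
]

if __name__ == "__main__":
    for row in evaluate(SAFEGUARDS, EXPOSURES):
        verdict = "adopt" if row["cost_effective"] else "reject"
        print(f"{row['safeguard']:<24} cost {row['annual_cost']:>8,.0f}  "
              f"benefit {row['annual_benefit']:>8,.0f}  net {row['net']:>9,.0f}  {verdict}")
```

With these figures the flood barrier is rejected even though flooding is the most damaging single event: its annual cost exceeds the loss it avoids, which is exactly the situation the IFAC guideline warns against. The screen evaluates each safeguard independently; where two safeguards cover the same exposure, their combined effect must be assessed separately rather than summed.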
Level of integration of security
Security systems should be harmonized with the information systems they protect; this gives consistency
across the security framework. Where information systems are integrated to some degree, the security
system should be integrated to a corresponding degree, permitting the communication and interaction
that the information systems themselves allow.
31.2 Roles & Responsibility
For security to be effective, individual roles and responsibilities must be clearly communicated and
understood by all. Organizations must assign security-related functions appropriately to nominated
employees. Responsibilities to consider include:
1. Executive Management -- assigned overall responsibility for the security of information;
2. Information Systems Security Professionals -- responsible for the design, implementation,
management, and review of the organization's security policy, standards, measures, practices,
and procedures;
3. Data Owners -- responsible for determining sensitivity or classification levels of the data as
well as maintaining accuracy and integrity of the data resident on the information system;
4. Process Owners -- responsible for ensuring that appropriate security, consistent with the
organization's security policy, is embedded in their information systems;
5. Technology providers -- responsible for assisting with the implementation of information
security;
6. Users -- responsible for following the procedures set out in the organization's security policy;
and
7. Information Systems Auditors -- responsible for providing independent assurance to
management on the appropriateness of the security objectives.
31.3 Report Preparation
This is the final phase. The report documents the findings of the review and makes recommendations. The
critical part is getting management to accept the importance of the exposures identified. It is the
responsibility of the security administrator to demonstrate the feasibility and benefits of the safeguards
being recommended.
Meaning of threat
In literal terms, a threat is an expression of an intention to inflict pain, injury, evil, or punishment, or an
indication of impending danger or harm. In information security, a threat is an unwanted (deliberate or
accidental) event that may result in harm to an asset. A threat is often realized by exploiting one or more
known vulnerabilities.
Identification of threats
Threats can be identified on the basis of their nature, either accidental (natural occurrences, force majeure)
or deliberate (an intentional act of harm), or on the basis of their source, either internal (a threat caused
from within the organization) or external (a threat from someone outside the organization).
31.4  Types of Threat
Threats can be divided into two broad categories:
1. Physical threat
This refers to damage caused to the physical infrastructure of the information system.
Examples are natural disasters (fire, earthquake, flood), pollution, energy variations and physical
intrusion.
2. Logical threat
This refers to damage caused to software and data without physical presence. Examples are
viruses and worms, and logical intrusion, commonly referred to as hacking.
Physical threats
The risk of physical damage is that computer hardware is rendered useless by natural disasters (fire,
earthquake, flood), pollution such as dust, or energy variations. Reasonable measures should be taken
to avoid these consequences. The frequency and probability of such occurrences in the past should be
established so that suitable remedial measures can be taken.
Energy Variations
Energy variations can disrupt not only the hardware but also the operating systems and application
systems. The total power needs of an organization must be carefully assessed and provided for. The
power supply must be monitored to ascertain the range of voltage fluctuations, and suitable steps taken
to upgrade voltage control equipment.
Energy variations can be of various types:
Surges or spikes - a sudden increase in supply voltage
Sags or brownouts - a sudden decrease in supply voltage
Blackouts - total loss of power, whether scheduled or unscheduled
There are various remedies for the damage caused by power variations. An uninterruptible power supply
(UPS) bridges short interruptions and allows an orderly shutdown during longer ones, so that equipment is
not abruptly switched off and on. Voltage regulators and circuit breakers can also be used to avoid
undesirable results.
The design of the security system must also provide for total loss of power. Certain systems must not fail
and should keep working when all power is lost. Powered doors must be operable manually so that staff
can exit. Alarms and fire extinguishing systems must not fail in the event of total power loss.
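Monitoring the supply, as the text requires, means turning a stream of voltage readings into the surge, sag and blackout events defined above and into the figures needed to specify voltage regulation and UPS runtime. The following is an added example, not part of the course notes: it assumes one RMS voltage reading per second from a power monitor on a nominal 230 V supply, a +/-10% tolerance band, and treats anything under 50 V as no supply. The thresholds and the sample log are constructed for the illustration.

```python
"""Classify voltage samples into surge, sag and blackout events (added illustration).

Assumptions (not from the notes): nominal 230 V, +/-10% tolerance band,
readings below 50 V count as loss of supply, samples are (second, volts).
"""
from dataclasses import dataclass

NOMINAL_V = 230.0
SURGE_V = NOMINAL_V * 1.10   # above +10%: surge or spike
SAG_V = NOMINAL_V * 0.90     # below -10%: sag or brownout
BLACKOUT_V = 50.0            # below this the supply is effectively gone


@dataclass
class PowerEvent:
    kind: str        # "surge", "sag" or "blackout"
    start: int       # first second of the event
    end: int         # last second of the event (inclusive)
    extreme_v: float # highest reading for a surge, lowest for a sag/blackout

    @property
    def duration(self) -> int:
        return self.end - self.start + 1


def classify(volts: float) -> str:
    """Map a single reading onto the categories used in the notes."""
    if volts < BLACKOUT_V:
        return "blackout"
    if volts < SAG_V:
        return "sag"
    if volts > SURGE_V:
        return "surge"
    return "normal"


def detect_events(samples: list[tuple[int, float]]) -> list[PowerEvent]:
    """Group consecutive abnormal readings of the same kind into one event.

    A missing second in the log ends the current event rather than silently
    bridging it, so a gap in monitoring never stretches an outage.
    """
    events: list[PowerEvent] = []
    current: PowerEvent | None = None
    for t, v in samples:
        kind = classify(v)
        if current is not None and kind == current.kind and t == current.end + 1:
            current.end = t
            current.extreme_v = (max if kind == "surge" else min)(current.extreme_v, v)
            continue
        if current is not None:
            events.append(current)
            current = None
        if kind != "normal":
            current = PowerEvent(kind, t, t, v)
    if current is not None:
        events.append(current)
    return events


def summarize(samples: list[tuple[int, float]]) -> dict:
    """Range of fluctuation, event counts and longest outage for equipment sizing."""
    events = detect_events(samples)
    live = [v for _, v in samples if v >= BLACKOUT_V]   # exclude blackouts from the range
    counts = {"surge": 0, "sag": 0, "blackout": 0}
    for e in events:
        counts[e.kind] += 1
    outages = [e.duration for e in events if e.kind == "blackout"]
    return {
        "min_v": min(live) if live else None,
        "max_v": max(live) if live else None,
        "events": counts,
        "longest_blackout_s": max(outages, default=0),  # minimum UPS bridging time
        "regulator_needed": counts["surge"] + counts["sag"] > 0,
    }


# Constructed one-second log: a surge, two sags separated by a missing sample,
# and a five-second blackout.
SAMPLES = [
    (0, 230.0), (1, 231.4), (2, 229.2),
    (3, 262.0), (4, 270.5),                              # surge
    (5, 233.0), (6, 228.1),
    (7, 198.0), (8, 195.5),                              # sag
    (10, 190.0),                                         # sag; second 9 is missing from the log
    (11, 225.0),
    (12, 0.0), (13, 0.0), (14, 0.0), (15, 0.0), (16, 0.0),  # blackout, 5 s
    (17, 229.0), (18, 230.2),
]

if __name__ == "__main__":
    for e in detect_events(SAMPLES):
        print(f"{e.kind:<9} {e.start:>3}-{e.end:<3} {e.duration:>2}s  extreme {e.extreme_v:.1f} V")
    print(summarize(SAMPLES))
```

The summary's longest blackout is the minimum time a UPS must bridge for this site, and the presence of any surge or sag event is the case for a voltage regulator; the min/max readings give the range the regulator must handle.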