2. Content
• Security
• Testing
• Error detection
• Controls
• IS vulnerability
• Disaster management
• Computer crimes
• Securing the web
• Intranet and wireless networks
• Software audit
• Ethics in IT
• User interface and reporting
MSM-MBA Even Semester 2020
3. Introduction
• Information systems have become ubiquitous in the organizational world
• Information systems often contain data that are sensitive, personal and private about people, and that data must be protected from inquiring and unauthorized eyes
• Providing security is a major concern for managers
4. Objectives of information security
1. To control the loss of assets
2. To ensure the integrity and reliability of data
3. To improve the efficiency or effectiveness of IS applications
5. What is risk? (Information management)
• The various dangers to information systems and to the people, hardware, software, data and other assets they depend on
• Dangers include natural disasters, thieves, industrial spies, disgruntled employees, computer viruses, accidents, and poorly trained or naive employees
6. Risks, threats and vulnerabilities
• Risk refers to potential losses, whether those losses are direct (e.g. a destroyed server) or indirect (e.g. business lost while it is down)
• EDP auditors use the term "threat" for the people, actions, events or other situations that could trigger such losses
• Vulnerabilities are the flaws, weaknesses or other conditions that leave a system open to threats
• In short: a threat exploits a vulnerability to cause a loss; risk is the likelihood and size of that loss
7. Assessing risks
• Risk involves uncertainty about whether an event will occur; EDP auditors estimate the potential loss in several ways
• Method: estimate the probability that a loss occurs and the size of the loss (risk assessment)
• Two basic questions are asked: 1. If the loss happens, how would the organization respond? 2. What would that response cost?
• The manager should assess the potential loss from the unavailability or destruction of each information systems asset: data files, key information, systems, people, in-house developed software and other assets
8. Control measures
• Controls are countermeasures to threats
• They are the tools used to counter risks from the people, actions, events or situations that can threaten an IS
• Example: controls that prevent the threat of unauthorized access to sensitive data
• Controls are used to identify, prevent and reduce risk, and to recover from actual losses
9. Controls are classified in many ways, for example:
1. Physical controls: controls that use physical protection measures, e.g. locking the door of the computer facility
2. Electronic controls: electronic measures that identify or prevent threats, e.g. intruder detection, user IDs, passwords, biometric protection
10. 3. Software controls: program code used in IS applications to identify, prevent or recover from errors, unauthorized access and other threats, e.g. code that encrypts and decrypts data
4. Management controls: controls that result from setting, implementing and enforcing policies and procedures, e.g. requiring staff to back up or archive their data at regular intervals
11. Common threats to information management
• A number of threats are common to computer systems and need special attention from managers
1. Natural disasters: fire, floods, water damage, earthquakes, landslides, hurricanes, wind and storm damage
Security plans address these in three stages: 1. disaster prevention, 2. disaster containment, 3. disaster recovery
12. 2. Employee errors: carelessness or poor employee training may threaten the information system, e.g. incorrect entry of data, accidentally formatting the hard disk instead of the pen drive, or not checking output for logical errors
3. Computer crime, fraud and abuse: computer crime is hard to detect at the time it occurs
13. People or employees working inside the organization may be malicious
- They can cause damage by using their access to computer facilities, systems, software and data to commit a variety of computer crimes
- Computer crimes include stealing data, damaging or vandalizing systems illegally, and committing fraud
14. 4. Industrial espionage: the theft of an organization's data by competitors, also called "economic espionage"
5. Hacking: unauthorized entry by a person into a computer system or network. It is sometimes called "cracking" because the intruder cracks the log-in codes and sequences of the system
Hackers: people who gain access to computer systems illegally
15. 6. Toll fraud: telephone or network toll charges are fraudulently run up on the organization's account
7. Computer viruses: a real threat to computer systems. A computer virus is a hidden program that inserts itself into a computer system (typically by attaching to other programs) and starts attacking it
Programs that detect viruses are called "antivirus programs"
8. Hardware theft and vandalism: theft of hardware (hard disks, CDs and other storage devices) or damage caused by vandalism
16. 9. Software piracy: the Software Publishers Association (SPA) holds that "any reproduction of a copyrighted program is theft"
Software piracy levies a much higher toll on software publishers than is commonly realized
17. 10. Privacy violations: privacy is defined as the capacity of individuals or organizations to control information about themselves
Privacy rights mean that individuals or organizations have the ability to access, examine and correct the data held about them
- Privacy violations cause huge damage when unauthorized people gain access to sensitive data or information
18. 11. Program bugs: defects in programming code. Vendors provide "patches" to fix bugs in software programs
- Bugs can cause serious problems for the system, including sudden, irreversible crashes; unpatched bugs are also a common entry point for attackers, so patches should be applied promptly
19. Protecting information systems
• "Prevention is better than cure"
- Identify the potential risks and consider the use of controls for the information systems
1. Securing information system facilities:
Facilities for information systems include the buildings and rooms, and the furniture, hardware, software and documents in them
20. - Consider employing controls to prevent, reduce or eliminate the threats, or to reduce the loss
- Physical security measures should be maintained even in crisis situations
2. Disaster recovery plan: the set of alternative backups and storage arrangements that is activated in the event of an unexpected disaster
21. 3. Securing communication systems:
Communication systems provide many benefits for users, such as the ability to share data and printers, but they also expose the systems to everyone on the network
Encryption is a major tool for protecting information systems: the process of encoding data so that only the holder of the correct key can read it
E-commerce safety: customers' sensitive financial information, such as credit and debit card numbers, is at risk of theft and misuse by criminals, so encryption is needed both while the data is in transit and while it is stored
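The following is an added example, not code from the original slides: it shows encryption of a customer card record together with an integrity tag (encrypt-then-MAC), so that a stored or transmitted record that has been tampered with is rejected rather than silently decrypted to garbage. To run on the Python standard library alone, the cipher is a keystream derived from HMAC-SHA256 in counter mode; that construction, the key labels and the sample record are this example's own choices. In production, use an AEAD such as AES-GCM or ChaCha20-Poly1305 from a vetted library.

```python
# Added example (not from the slides): encrypt-then-MAC for a customer record.
# The keystream cipher is built from HMAC-SHA256 in counter mode only so that
# the example needs no third-party library; use a vetted AEAD in real systems.
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32  # SHA-256 output length


def _subkeys(master_key):
    """Derive independent encryption and MAC keys from one master key."""
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    """PRF(nonce || counter) blocks, concatenated and cut to the needed length."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(master_key, plaintext):
    """Return nonce || ciphertext || tag, with a fresh random nonce per message."""
    enc_key, mac_key = _subkeys(master_key)
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    # The tag covers the nonce too, so nonces cannot be swapped between messages.
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(master_key, blob):
    """Verify the tag first and only then decrypt; raises ValueError on tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    enc_key, mac_key = _subkeys(master_key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("authentication failed: message altered or forged")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo():
    """Round-trip a constructed card record; show that a one-bit change is caught."""
    master_key = os.urandom(32)
    record = b"card=4111111111111111;exp=12/24;name=A. Customer"  # constructed test data
    blob = encrypt(master_key, record)
    roundtrip_ok = decrypt(master_key, blob) == record
    tampered = bytearray(blob)
    tampered[NONCE_LEN] ^= 0x01  # flip one bit of the first ciphertext byte
    try:
        decrypt(master_key, bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return roundtrip_ok, tamper_detected


if __name__ == "__main__":
    print(demo())
```

The order of operations in decrypt is the point: the tag is checked over the ciphertext before any decryption happens, and the comparison is constant-time, so an attacker who alters a stored card record or a message in transit gets a rejection, not a partially decrypted result.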
22. Firewalls: when an organization connects to external networks, the connectivity increases the risk that the organization's internal information systems will be accessed by intruders or invaders. "Firewalls" are used to reduce these risks from external sources by enforcing an access control policy on the traffic that crosses the boundary between the two networks
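As an added illustration, not part of the original slides, the block below implements the decision logic at the heart of a packet-filtering firewall: an ordered rule list evaluated with "first match wins" and an implicit default deny for anything the policy does not mention. The network ranges, the policy and the sample packets are constructed for this example (they use the RFC 5737 documentation address ranges).

```python
# Added example (not from the slides): packet-filter rule evaluation with
# first-match-wins and default deny.  Policy and addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str       # "allow" or "deny"
    src: str          # CIDR
    dst: str          # CIDR
    proto: str        # "tcp", "udp" or "any"
    dports: tuple     # allowed destination ports; empty tuple means any port

    def matches(self, pkt):
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and (not self.dports or pkt.dport in self.dports))


ANY = "0.0.0.0/0"
INTERNAL = "10.0.0.0/8"          # the organization's internal network
DMZ_WEB = "192.0.2.10/32"        # public web server in the DMZ
BLOCKED = "198.51.100.0/24"      # a range that abuse reports have flagged (constructed)

# Ordered policy: the explicit deny comes first so no later allow can shadow it.
POLICY = [
    Rule("deny", BLOCKED, ANY, "any", ()),
    Rule("allow", ANY, DMZ_WEB, "tcp", (80, 443)),   # the public may reach the web server
    Rule("allow", INTERNAL, DMZ_WEB, "tcp", (22,)),  # admins may SSH to it from inside
]


def decide(policy, pkt):
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def evaluate(policy, packets):
    return [decide(policy, p) for p in packets]


SAMPLE_PACKETS = [  # constructed traffic
    Packet("203.0.113.5", "192.0.2.10", "tcp", 443),   # public HTTPS to the web server: allow
    Packet("203.0.113.5", "192.0.2.10", "tcp", 22),    # public SSH attempt: no rule, default deny
    Packet("10.1.2.3", "192.0.2.10", "tcp", 22),       # admin SSH from inside: allow
    Packet("198.51.100.7", "192.0.2.10", "tcp", 443),  # blocked range, even to an allowed port: deny
    Packet("203.0.113.5", "10.0.0.5", "tcp", 445),     # public to internal SMB: default deny
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, evaluate(POLICY, SAMPLE_PACKETS)):
        print(verdict, pkt)
```

Two properties are worth checking in any real firewall configuration the same way: nothing is reachable unless a rule explicitly allows it, and rule order matters, so a broad allow placed above a specific deny silently disables the deny.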
23. • Network auditing software can identify and prevent many types of problems in local or wide area networks
• The software is usually of two types: activity logs, which record all log-in attempts, failed or successful, and network scanning software, which looks for flaws or holes in network security
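An activity log is only useful if someone, or something, reads it. The block below is an added example, not from the original slides: it parses a log of log-in attempts and flags any source address that produces a burst of failures inside a sliding time window, which is what password guessing looks like, and marks the urgent case where a success follows the burst. The log format and the sample lines are constructed for this example and do not follow any particular product's format.

```python
# Added example (not from the slides): detecting password guessing in an
# activity log of log-in attempts.  Log format and sample lines are constructed.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<result>FAIL|OK)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$")

SAMPLE_LOG = [  # constructed sample: one guessing burst from 203.0.113.9
    "2020-03-02T09:00:00 FAIL user=admin src=203.0.113.9",
    "2020-03-02T09:00:02 FAIL user=admin src=203.0.113.9",
    "2020-03-02T09:00:04 FAIL user=root src=203.0.113.9",
    "2020-03-02T09:00:05 OK user=bob src=10.0.0.8",
    "2020-03-02T09:00:06 FAIL user=admin src=203.0.113.9",
    "2020-03-02T09:00:09 FAIL user=alice src=10.0.0.4",
    "2020-03-02T09:00:10 FAIL user=admin src=203.0.113.9",
    "2020-03-02T09:00:12 FAIL user=admin src=203.0.113.9",
    "2020-03-02T09:01:00 OK user=admin src=203.0.113.9",
    "2020-03-02T09:01:30 OK user=alice src=10.0.0.4",
    "this line is garbage and must not crash the parser",
    # slow failures from 198.51.100.2 are spread over hours: never 5 in one window
    "2020-03-02T10:00:00 FAIL user=admin src=198.51.100.2",
    "2020-03-02T10:30:00 FAIL user=admin src=198.51.100.2",
    "2020-03-02T11:00:00 FAIL user=admin src=198.51.100.2",
    "2020-03-02T11:30:00 FAIL user=admin src=198.51.100.2",
    "2020-03-02T12:00:00 FAIL user=admin src=198.51.100.2",
]


def parse(lines):
    """Parse lines into (timestamp, result, user, src), skipping malformed ones."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    events.sort(key=lambda e: e[0])
    return events


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Flag sources with >= threshold failures inside a sliding window.

    Returns {src: {"failures": peak count in window, "users": set of tried
    accounts, "success_after": True if a login from that source later succeeded}}.
    """
    recent = defaultdict(deque)   # src -> failure timestamps still inside the window
    tried = defaultdict(set)      # src -> user names attempted
    alerts = {}
    for ts, result, user, src in parse(lines):
        if result == "FAIL":
            tried[src].add(user)
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(src, {"failures": 0, "users": set(), "success_after": False})
                a["failures"] = max(a["failures"], len(q))
                a["users"] = set(tried[src])
        elif result == "OK" and src in alerts:
            alerts[src]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for src, alert in find_bruteforce(SAMPLE_LOG).items():
        print(src, alert)
```

The slow guesser at 198.51.100.2 is deliberately below the threshold; catching low-and-slow guessing needs a longer window or a per-account view, which is why thresholds should be tuned against the organization's own log volume rather than copied.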
24. Securing database information systems
• Massive amounts of organizational data are stored today in electronic databases on computer systems
• Consider the importance of the financial accounting database: the information it stores is very sensitive
• Systems in which access to database data is strictly restricted and enforced are called "trusted systems"
25. Securing information system applications
• An important method of preventing security problems is to acquire secure applications or to build them securely from the ground up
The make-or-buy decision: design options to consider
• Pros and cons for decision making
• The decision can be made by taking the following factors into consideration:
26. 1. Testing software: evaluate it before making the purchase
2. Appropriateness: is it necessary to carry on the business processes?
3. Stability: it should not contain bugs or crash
4. Security features: the features should satisfy the company's requirements
5. Access and update security: the vendor should provide frequent security updates as well as new features
27. 6. Input controls: ensure the accuracy and validity of data entering the system
7. Process controls: ensure the proper functioning of processing
8. Output controls: protect and store the data that is output
Securing the information is important to prevent potential harm
28. Disaster management
• Disaster management planning (DMP): a plan of action to recover from the impact of a disaster on the information systems
• When systems collapse or become dysfunctional, they need to be recovered
• The plan specifies the procedure for recovery action when a disaster occurs
29. DMP process
Step 1: Identify critical business processes
Step 2: Assess the business risk (probability, risk exposure)
Step 3: Assess the impact of damage to the target entity
Step 4: Identify the life-saving data, files, software, applications, packages, hardware, servers and databases
Step 5: Segregate the needs into two classes
Step 6: Prepare a bridging plan
Step 7: Ensure all risks are suitably covered by appropriate insurance policies
Step 8: Define authority and rights of decision and action in the event of a disaster
Step 9: Test the DMP at least once a year
30. Advantages:
1. Forecasting
2. Provides response measures
3. Provides recovery measures
4. Provides a sense of ownership
5. Empowers people
Disadvantages:
1. Reluctance to expose vulnerabilities
2. Unavailability of resources
3. Improper public awareness
31. Testing
• A successful test is one that finds an error
• The output of the test run should be compared with the expected results
Objectives of testing:
1. To ensure the proper functioning of systems
2. To ensure the system meets the user's requirements
3. To verify the proper use of controls
4. To verify that inputs and outputs are correct
5. To make sure that errors have not crept in
32. Types of testing
1. Unit testing: the method by which individual units of source code are tested
2. Integration testing: a systematic technique for constructing the program structure, to ensure that the modules combine together correctly to achieve a product that meets its specification
33. 3. Validation testing: validation succeeds when the software functions as expected. Two types:
Alpha testing: software tested by the customer under the supervision of the developer
Beta testing: software tested by the customer without the supervision of the developer
34. 4. System testing: the behaviour of the whole system or product is tested, as developed for the project or product
5. Acceptance testing: to establish confidence in the system; most often focused on validation-type testing
35. Error detection
- Software errors are unavoidable and they easily find their way into programs
- Error detection techniques are the techniques of software development, software quality assurance (SQA), software verification, validation and testing
- Their purpose is to locate anomalies in software products
36. Classes of error detection techniques
1. Static analysis: examining the code without running it
- code walkthrough
- code inspection
- automated source scanning
2. Dynamic analysis: examining the program while it is executing
3. Formal analysis: mathematical techniques
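Code inspection can be partly automated. The block below is an added example, not from the original slides: a small static-analysis check built on Python's own ast module that walks the syntax tree of a source file without executing it and reports calls that commonly lead to injection bugs. The list of flagged calls and the sample source it scans are constructed for this example.

```python
# Added example (not from the slides): automated static analysis with the ast
# module.  The flagged-call list is a constructed policy for this example.
import ast

DANGEROUS_CALLS = {
    "eval": "evaluates arbitrary expressions",
    "exec": "executes arbitrary code",
    "os.system": "passes a string to the shell",
    "pickle.loads": "deserializes untrusted data into objects",
}
SUBPROCESS_CALLS = {"subprocess.run", "subprocess.call", "subprocess.Popen", "subprocess.check_output"}

SAMPLE_SOURCE = """import os, subprocess
def handle(req):
    value = eval(req["expr"])
    name = req["file"]
    subprocess.run("ls " + name, shell=True)
    safe = subprocess.run(["ls", name])
    os.system("rm " + name)
    return value
"""  # constructed input: a request handler with three risky calls


def _call_name(node):
    """Return 'name' or 'module.attr' for a Call node, else None."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return None


def find_issues(source):
    """Return sorted (line, message) tuples for risky calls found in `source`."""
    issues = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in DANGEROUS_CALLS:
            issues.append((node.lineno, f"call to {name}: {DANGEROUS_CALLS[name]}"))
        elif name in SUBPROCESS_CALLS:
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    issues.append((node.lineno, f"{name} with shell=True: command injection if input is untrusted"))
    return sorted(issues)


if __name__ == "__main__":
    for line, msg in find_issues(SAMPLE_SOURCE):
        print(f"line {line}: {msg}")
```

Note what the check does not do: it cannot tell whether the argument to eval is really attacker-controlled, which is why static findings go to a human reviewer (the walkthrough or inspection above) rather than straight to a bug list.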
37. Error detection in phases of the life cycle
1. Requirements: analysis of what is needed
2. Design: a sound design for the requirements specified
3. Implementation: the design is realized in code
4. Test: involves different types of testing to ensure proper functioning
5. Installation and checkout: placing the system in the right environment and validating it
6. Operation and maintenance: keeping the system working and checking it for the future too
38. Securing the web, intranets and wireless networks
• The need to protect the Internet
Internet security standards:
TCP/IP (Transmission Control Protocol/Internet Protocol) standards
The open nature of the Internet means that security must be addressed deliberately and aggressively in Internet standards
1. Point-to-Point Tunneling Protocol (PPTP); note that PPTP's authentication and encryption are now considered broken, so it should not be relied on for confidentiality
2. The core four standards (IP, TCP, User Datagram Protocol and Internet Control Message Protocol)
39. Types of Internet security
• 1st layer: network layer security (border security)
1. Virus scanning
2. Firewalls
3. Intrusion detection
4. Virtual private networks (VPN)
5. Denial of service protection
40. 2nd layer: proof of identity (authentication)
1. Username/password
2. Password synchronization
3. Public key
4. Tokens
5. Biometrics
6. Single sign-on
41. • 3rd layer: permission based on identity (authorization)
1. User/group permissions
2. Enterprise directories
3. Enterprise user administration
4. Rule-based access control
42. Border security tools
1. Firewall: a system or group of systems that enforces an access control policy between two networks
2. Virus control: the penetration of harmful and malicious viruses can be prevented by an "anti-virus program" or "antivirus software"
3. Intrusion detection: an intrusion is an illegal act of entering, seizing or taking possession of another's property; in computing, unauthorized access to a system
43. • An intrusion detection system (IDS) is software and/or hardware designed to detect unwanted attempts at accessing, manipulating and/or disabling computer systems, mainly through a network
44. Functions of intrusion detection
1. Network intrusion detection system (NIDS): an independent platform that identifies intrusions by examining network traffic and monitors multiple hosts
2. Protocol-based intrusion detection system (PIDS): a system or agent that typically sits at the front end of a server, monitoring and analyzing the communication protocol between the connected devices and the server
45. 3. Application protocol-based intrusion detection system (APIDS): a system or agent that typically sits within a group of servers, monitoring and analyzing the communication on application-specific protocols
4. Host-based intrusion detection system (HIDS): an agent on a host that identifies intrusions by analyzing system calls, application logs and file system modifications
5. Hybrid intrusion detection system: combines two or more of the above approaches
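The "file system modifications" part of a HIDS is simple enough to show in full. The block below is an added example, not from the original slides: it hashes every file under a directory to build a baseline, re-hashes later, and reports what was modified, added or deleted. The directory tree, its contents and the simulated intrusion are constructed inside a temporary folder so the example runs anywhere.

```python
# Added example (not from the slides): file-integrity monitoring as done by a
# host-based IDS.  Files, contents and the "attack" are constructed in a
# temporary directory.
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, streamed so large files are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map of relative path -> hash for every regular file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = hash_file(path)
    return baseline


def compare(baseline, current):
    """Differences between a stored baseline and a fresh scan."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
    }


def _write(root, rel, text, mode="w"):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as f:
        f.write(text)


def demo():
    """Build a baseline, simulate an intruder's changes, and return the report."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/sh\n")   # constructed content
        _write(root, "etc/hosts", "127.0.0.1 localhost\n")
        _write(root, "bin/ls", "#!/bin/sh\nexec /usr/bin/ls \"$@\"\n")
        baseline = build_baseline(root)

        # Simulated intrusion: a second uid-0 account, a preload library, a deleted file
        _write(root, "etc/passwd", "eve:x:0:0::/:/bin/sh\n", mode="a")
        _write(root, "etc/ld.so.preload", "/tmp/evil.so\n")
        os.remove(os.path.join(root, "etc", "hosts"))

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The baseline is the trust anchor, so in a real deployment it is stored off the monitored host or signed; an intruder with root who can also rewrite the baseline turns the report blank.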
46. • Denial of service (DoS) protection: preventing denial of service attacks on the Internet-facing network
• Virtual private network (VPN): uses a public network to connect remote sites or users together over an encrypted tunnel
• Authentication: the process by which the identity of an entity is established
• Authorization: the process of determining the user's level of access, i.e. whether a user has the right to perform certain actions
47. Authentication methods
1. Passwords: login credentials created by and known to the user
General guidelines for passwords:
1. Should not be a name, place or anything easily guessed
2. Should be at least 8 characters; longer passphrases are stronger, and length matters more than complexity
3. Should contain a mixture of letters, numbers and special characters
4. Change the password whenever compromise is suspected (forcing frequent routine changes is no longer recommended, as it leads to weaker, predictable passwords)
5. Do not use the same password for all accounts
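The guidelines above apply at the moment a password is chosen; what the server does with it afterwards matters just as much. The block below is an added example, not from the original slides: it checks a candidate password against the guidelines (length, character mix, not a common breached password, not containing the user's own name) and then stores it as a salted, iterated hash using PBKDF2-HMAC-SHA256 from the standard library rather than in clear text. The breached-password list is a constructed excerpt; the minimum length and iteration count are this example's choices.

```python
# Added example (not from the slides): password policy check plus salted,
# iterated hashing for storage.  The breached-password list is a constructed
# excerpt; MIN_LENGTH and ITERATIONS are this example's choices.
import hashlib
import hmac
import os
import re

COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin123"}
MIN_LENGTH = 12
ITERATIONS = 600_000  # OWASP's current recommendation for PBKDF2-HMAC-SHA256


def check_policy(password, forbidden_words=()):
    """Return a list of problems; an empty list means the password is acceptable.

    forbidden_words: names tied to the user (user name, company, ...), as in guideline 1.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in breached-password list")
    lowered = password.lower()
    for word in forbidden_words:
        if word.lower() in lowered:
            problems.append(f"contains '{word}'")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        problems.append("uses fewer than 3 character classes")
    return problems


def hash_password(password, iterations=ITERATIONS):
    """Salted PBKDF2 hash in a self-describing 'algo$iters$salt$hash' string."""
    salt = os.urandom(16)   # unique per password, so equal passwords hash differently
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    print(check_policy("password"))
    print(check_policy("Tr0ub4dor&3xample!"))
    stored = hash_password("Tr0ub4dor&3xample!")
    print(verify_password("Tr0ub4dor&3xample!", stored), verify_password("wrong", stored))
```

Storing the iteration count alongside the hash lets the cost be raised later as hardware gets faster: old records still verify, and can be re-hashed at the next successful login.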
48. 2. Tokens: can be software or hardware
- They protect against passive attacks (eavesdropping on a reusable password) and replay attacks, because each response is tied to a fresh challenge or time step and is valid only once
3. Single sign-on: single sign-on programs allow a user to authenticate one time and thereafter access additional network resources and systems
4. Encryption: a way to protect data and other computer network resources, especially on the Internet, intranets and extranets
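To make concrete why a token defeats replay where a password does not, the block below is an added example, not from the original slides: a challenge-response exchange in which the server issues a random one-time challenge, the token answers with an HMAC over it, and the server consumes the challenge whether or not the answer is correct. An eavesdropper who records the exchange gains nothing, because the same answer is never accepted twice. The protocol, message labels and sizes are this example's own choices.

```python
# Added example (not from the slides): challenge-response token authentication
# with one-time challenges.  Protocol and message labels are constructed.
import hashlib
import hmac
import secrets


def token_response(token_secret, nonce):
    """What the token (hardware or software) computes: an HMAC over the challenge."""
    return hmac.new(token_secret, b"auth:" + nonce, hashlib.sha256).digest()


class AuthServer:
    def __init__(self, token_secrets):
        self._secrets = dict(token_secrets)   # user -> token secret, held server side
        self._pending = {}                    # nonce -> user, outstanding challenges

    def challenge(self, user):
        """Issue a fresh random challenge; it can be answered at most once."""
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = user
        return nonce

    def verify(self, user, nonce, response):
        """Consume the challenge whether or not the response is right."""
        owner = self._pending.pop(nonce, None)
        if owner != user:
            return False   # unknown, already used, or someone else's challenge
        expected = token_response(self._secrets[user], nonce)
        return hmac.compare_digest(response, expected)


def demo():
    """Return (genuine login accepted, replay rejected, old answer on new challenge rejected)."""
    secret = secrets.token_bytes(32)
    server = AuthServer({"alice": secret})
    nonce = server.challenge("alice")
    response = token_response(secret, nonce)            # an eavesdropper sees nonce and response
    genuine = server.verify("alice", nonce, response)
    replayed = server.verify("alice", nonce, response)   # attacker replays the captured pair
    nonce2 = server.challenge("alice")
    reused = server.verify("alice", nonce2, response)    # captured answer, fresh challenge
    return genuine, not replayed, not reused


if __name__ == "__main__":
    print(demo())
```

Two things a production server adds: outstanding challenges expire after a short time so the pending table cannot grow without bound, and the token secret is stored in a hardware element or at least encrypted at rest, since whoever holds it can answer any challenge.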
49. Software audit
• A software audit is the process of checking each computer in the organization and listing the software packages installed
• It is an investigation of the software installed on the computers in an organization with the purpose of ensuring that it is all legal and authorized
51. Objectives of software audit
1. To confirm that the organization's standards, processes, systems and/or plans are adequate to enable the organization to meet its policies, requirements and objectives
2. To confirm compliance with standards
3. To review the organization's standards, processes and systems
4. To review the resources, which include people and non-human resources
52. Audit roles and responsibilities
1. Client
2. Auditor Management
3. Auditors
4. Auditee management
5. Lead auditor
6. Escort
53. Types of software audit
1. Classification by participant – Internal
audit and External audit
2. Classification by action – System audit,
process audit and product audit
3. Special purpose audit – follow up and
desk audits
54. Software audit process
Step 1: Initiation
Step 2: Planning
Step 3: Preparation
Step 4: Execution
Step 5: Reporting
Step 6: Corrective action and follow-up
55. Ethics in IT
• Ethics is the study of the principles and practices that guide the decision whether an action taken is morally right or wrong
• It is about values and human behaviour
Ethical frameworks for business professionals:
1. Natural law
2. Utilitarianism
3. Respect for persons
4. Ethical values
56. Ethical guidelines
1. Obligations to management:
• Keep personal knowledge up to date and ensure that proper expertise is available when needed
• Share knowledge with others
• Do not misuse the authority entrusted to you
• Do not take advantage of others' lack of knowledge
• Do not misrepresent or withhold information
57. 2. Obligations to members:
• Be honest in all professional relationships
• Take appropriate action in regard to any illegal or unethical practices
• Attempt to share special knowledge
• Cooperate with others in achieving understanding
• Do not use the ignorance of others to your own advantage
58. Ethics to overcome vulnerability
1. Vulnerability assessment:
A periodic process applied to a system to identify, track and manage the repair of vulnerabilities on that system
A vulnerability assessment is a health check of the system
It is an essential security process and a best practice for the well-being of the system
59. • Vulnerability scanning:
System and network scanning for vulnerabilities is an automated process in which a scanning program sends network traffic to all or selected computers in the network and examines the return traffic (open ports, service banners, responses to probes) to determine whether those computers have known vulnerabilities
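The block below is an added example, not from the original slides, showing the smallest useful form of such a scan: connect to a port, read the service banner, parse the product and version out of it, and compare against a minimum-version policy. So that it runs offline, it starts two throw-away listeners on the local machine that send constructed banners, and probes one closed port; the product names, version policy and banners are all constructed for this example and do not describe any real vulnerability.

```python
# Added example (not from the slides): a banner-grabbing scanner checked
# against a minimum-version policy.  Policy, product names and the local
# listeners it scans are all constructed.
import re
import socket
import threading

MIN_VERSIONS = {"openssh": (8, 0), "demoftpd": (2, 1)}   # constructed policy
BANNER_RE = re.compile(r"(OpenSSH|DemoFTPd)[_/ ](\d+)\.(\d+)")


def serve_banner(banner):
    """Start a throw-away listener on 127.0.0.1 that sends `banner` once; return its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def grab_banner(host, port, timeout=2.0):
    """Return the first bytes the service sends, or None if the port is closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(256).decode("ascii", "replace").strip()
    except OSError:
        return None


def assess(banner):
    """Classify a banner as closed / unknown / outdated / ok against MIN_VERSIONS."""
    if banner is None:
        return ("closed", None)
    m = BANNER_RE.search(banner)
    if not m:
        return ("unknown", banner)
    product = m.group(1).lower()
    version = (int(m.group(2)), int(m.group(3)))
    minimum = MIN_VERSIONS.get(product)
    if minimum and version < minimum:
        return ("outdated", f"{product} {version[0]}.{version[1]} < required {minimum[0]}.{minimum[1]}")
    return ("ok", f"{product} {version[0]}.{version[1]}")


def scan(host, ports):
    return [(port,) + assess(grab_banner(host, port)) for port in ports]


def demo():
    """Scan two constructed local services and one closed port; return the statuses."""
    old_ssh = serve_banner(b"SSH-2.0-OpenSSH_7.2\r\n")
    ftp = serve_banner(b"220 DemoFTPd/2.4 ready\r\n")
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed = probe.getsockname()[1]
    probe.close()   # nothing listens here now, so the connection is refused
    return [status for _, status, _ in scan("127.0.0.1", [old_ssh, ftp, closed])]


if __name__ == "__main__":
    print(demo())
```

Banner matching is the cheapest and least reliable evidence a scanner has: banners can be edited, and distributions backport fixes without changing the version string, so a finding from this kind of check is a lead to confirm, not a conclusion. Only scan systems you are authorized to scan.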
60. User interface
• An interface is the common boundary between the user and the computer system application
• User interface design covers (1) input, (2) processing and control, (3) output and maintenance, (4) testing
61. Types of Interface
1. Natural Language Interfaces
2. Question Answer Interfaces
3. Menu driven Interfaces
4. Form-fill interfaces
5. Command Language Interfaces
6. Graphical user Interface
62. Reporting
• A report is a business document that contains only predefined data
• It is a passive document for reading or viewing data
• Good report design takes effort and attention to detail
• Reporting tools enable large numbers of people to easily access real-time enterprise information and transform it into richly formatted reports
63. Reporting (Characteristics)
1. Reports should be attractive and easy to understand
2. Managers sometimes judge an entire project by the quality of
reports received
3. Reports must include information that user needs
4. Report with too little information is of no value
5. Too much information can make a report confusing and difficult
to understand
6. The essential goal when designing reports is to match the report
to the user’s specific information needs
64. Types of Reporting
1. Detail reports
2.Exception reports
3. Summary reports