ZeePedia buy college essays online


Information Systems

<<< Previous Control Adjustment: cost effective Security, Roles & Responsibility, Report Preparation Next >>>
 
img
VU
Information System (CS507)
LESSON 31
Control Adjustment
This phase involves determining whether any controls can be designed, implemented, operated. The cost
of devising controls should not exceed the expected potential benefit being enchased and the potential
loss being avoided. The above decision takes into account consideration of various factors like personal
judgment of the situation, any information gained on desired/non-existing controls during the previous
phases, seeking demands of users for an ideal control environment.
Existing controls should not be totally discarded while adjusting controls. They can either be terminated
totally due to the threats not being there any more and existence of better controls either modified for
betterment. This phase should consider the security to be cost effective, and integrated.
31.1
Security to be cost effective
IT Guideline on security issued by IFAC states:
"Different levels and types of security may be required to address the risks to information. Security levels
and associated costs must be compatible with the value of the information."
An organization should consider various factors to make security cost effective. These factors include
criticality of information assets, devising safeguards, cost of implementation of safe guards, an optimum
balance between the harm arising from a security breach and the costs associated with the safeguards.
Level of integration of security
There should be harmonization of security systems with information systems. This would help achieving
consistency in the security framework. Where information systems have some level of integration, the
security system should have a corresponding level of integration by accepting the level of
communication and interaction which is allowable in the IS itself.
31.2
Roles & Responsibility
For security to be effective, it is imperative that individual roles, responsibilities are clearly communicated
and understood by all. Organizations must assign security related functions in the appropriate manner to
nominated employees. Responsibilities to consider include:
1. Executive Management -- assigned overall responsibility for the security of information;
2. Information Systems Security Professionals --  responsible  for  the  design,
implementation, management, and review of the organization's security policy,
standards, measures, practices, and procedures;
3. Data Owners -- responsible for determining sensitivity or classification levels of the data as
well as maintaining accuracy and integrity of the data resident on the information system;
Process Owners -- responsible for ensuring that appropriate security, consistent with the
4.
organization's security policy, is embedded in their information systems;
Technology providers -- responsible for assisting with the implementation of information
5.
security;
Users -- responsible for following the procedures set out in the organization's security policy;
6.
and
7.
Information Systems Auditors -- responsible for providing independent assurance to
management on the appropriateness of the security objectives.
137
img
VU
Information System (CS507)
31.3
Report Preparation
It is the final phase. The report documents the findings of the review and makes recommendations. The
critical part is to get the management accepted the importance of exposures identified. It is the
responsibility of the security administrator to prove the possibility and benefits of the safeguards being
recommended.
Meaning of threat
In literal terms, an expression of an intention to inflict pain, injury, evil, or punishment, and an indication
of impending danger or harm. Threat in day to day life is defined as an unwanted (deliberate or accidental)
event that may result in harm to an asset. Often, a threat is exploiting one or more known vulnerabilities.
Identification of threats
Threats can be identified on the basis of nature of Threat which can either be accidental-natural
occurrences/force major, or deliberate-intentional act of harm or on the basis of sources of threat which
can either be internal-threat caused within the organization, or external-threat from some one outside the
organization.
31.4  Types of Threat
Threats can be divided in to two broad categories
1. Physical threat
This refers to the damage caused to the physical infrastructure of the information systems.
Examples are natural disasters (Fire, earth quake, flood), pollution, energy variations and physical
Intrusion.
2. Logical
This refers to damage caused to the software and data without physical presence. Examples are
viruses and worms, logical intrusion commonly referred to as hacking.
Physical threats
The risks of physical damage render the computer hardware becomes useless due to the damage
caused to it by natural disasters (Fire, earth quake, flood), pollution-Dust, energy Variations.
Reasonable measures should be taken to avoid undesirable consequences. Frequency/Probability of
such past occurrences should be established for suitable remedial measures to be taken.
Energy Variations
They can disrupt not only the hardware but also the operational systems and applications systems.
The total power needs of an organization need to be carefully assessed and provided for. Power
supply must be monitored to ascertain the range of voltage fluctuations and take suitable steps to
upgrade voltage control equipment.
Energy variations can be of various types.
Surges or spikes ­ sudden increase in power supply
Sags or brown outs ­ sudden decrease in power supply
Black outs ­ Total Loss of power or power failure whether scheduled or un-scheduled
There can be various remedies to avoid the damages caused by the power variations. Un-interruptible
power supplies (UPS) can be used to help avoid the turning on and off of electrical equipment.
Voltage regulators and circuit breakers can also be used to avoid undesirable results.
The design of security system must also provide for the total loss of power. Certain systems
should not fail and should keep working in case of total loss. Power doors can be deactivated
manually, should the staff want to exit manually. Alarms and fire extinguisher systems should not fail
in the even of total power loss.
138
Table of Contents:
  1. Need for information, Sources of Information: Primary, Secondary, Tertiary Sources
  2. Data vs. Information, Information Quality Checklist
  3. Size of the Organization and Information Requirements
  4. Hierarchical organization, Organizational Structure, Culture of the Organization
  5. Elements of Environment: Legal, Economic, Social, Technological, Corporate social responsibility, Ethics
  6. Manual Vs Computerised Information Systems, Emerging Digital Firms
  7. Open-Loop System, Closed Loop System, Open Systems, Closed Systems, Level of Planning
  8. Components of a system, Types of Systems, Attributes of an IS/CBIS
  9. Infrastructure: Transaction Processing System, Management Information System
  10. Support Systems: Office Automation Systems, Decision Support Systems, Types of DSS
  11. Data Mart: Online Analytical Processing (OLAP), Types of Models Used in DSS
  12. Organizational Information Systems, Marketing Information Systems, Key CRM Tasks
  13. Manufacturing Information System, Inventory Sub System, Production Sub System, Quality Sub system
  14. Accounting & Financial Information Systems, Human Resource Information Systems
  15. Decision Making: Types of Problems, Type of Decisions
  16. Phases of decision-making: Intelligence Phase, Design Phase, Choice Phase, Implementation Phase
  17. Planning for System Development: Models Used for and Types of System Development Life-Cycle
  18. Project lifecycle vs. SDLC, Costs of Proposed System, Classic lifecycle Model
  19. Entity Relationship Diagram (ERD), Design of the information flow, data base, User Interface
  20. Incremental Model: Evaluation, Incremental vs. Iterative
  21. Spiral Model: Determine Objectives, Alternatives and Constraints, Prototyping
  22. System Analysis: Systems Analyst, System Design, Designing user interface
  23. System Analysis & Design Methods, Structured Analysis and Design, Flow Chart
  24. Symbols used for flow charts: Good Practices, Data Flow Diagram
  25. Rules for DFDs: Entity Relationship Diagram
  26. Symbols: Object-Orientation, Object Oriented Analysis
  27. Object Oriented Analysis and Design: Object, Classes, Inheritance, Encapsulation, Polymorphism
  28. Critical Success Factors (CSF): CSF vs. Key Performance Indicator, Centralized vs. Distributed Processing
  29. Security of Information System: Security Issues, Objective, Scope, Policy, Program
  30. Threat Identification: Types of Threats, Control Analysis, Impact analysis, Occurrence of threat
  31. Control Adjustment: cost effective Security, Roles & Responsibility, Report Preparation
  32. Physical vs. Logical access, Viruses, Sources of Transmissions, Technical controls
  33. Antivirus software: Scanners, Active monitors, Behavior blockers, Logical intrusion, Best Password practices, Firewall
  34. Types of Controls: Access Controls, Cryptography, Biometrics
  35. Audit trails and logs: Audit trails and types of errors, IS audit, Parameters of IS audit
  36. Risk Management: Phases, focal Point, System Characterization, Vulnerability Assessment
  37. Control Analysis: Likelihood Determination, Impact Analysis, Risk Determination, Results Documentation
  38. Risk Management: Business Continuity Planning, Components, Phases of BCP, Business Impact Analysis (BIA)
  39. Web Security: Passive attacks, Active Attacks, Methods to avoid internet attacks
  40. Internet Security Controls, Firewall Security SystemsIntrusion Detection Systems, Components of IDS, Digital Certificates
  41. Commerce vs. E-Business, Business to Consumer (B2C), Electronic Data Interchange (EDI), E-Government
  42. Supply Chain Management: Integrating systems, Methods, Using SCM Software
  43. Using ERP Software, Evolution of ERP, Business Objectives and IT
  44. ERP & E-commerce, ERP & CRM, ERP Ownership and sponsor ship
  45. Ethics in IS: Threats to Privacy, Electronic Surveillance, Data Profiling, TRIPS, Workplace Monitoring