C. ORGANISATIONAL AND MANAGERIAL FRAMEWORK FOR SECURITY AND CONTROL

Risk Assessment

A risk assessment determines the level of risk to the firm if a specific activity or process is not properly protected or controlled. It involves determining the value of information resources, their points of vulnerability, the likely occurrence of a problem and the potential for damage.

Security risk analysis involves determining what needs to be protected, what it needs to be protected from, how to protect it, and the level of protection that is justified. The aim is to make cost-effective decisions about what needs to be protected. There are two important elements of a risk analysis:

1. Identify the assets.
2. Identify the threats.

The risk analysis process prioritises those assets that need to be protected based on the value of the asset, the probability of the threat, the likely impact of the threat in terms of potential loss and the estimated cost of protection. Once the risks have been prioritised the system builders can concentrate on the control point with the greatest vulnerability and potential for loss.

The following is a list of categories of assets that may need to be assessed:

• Hardware: keyboards, terminals, workstations, personal computers, laptops, printers, disk drives, communication lines, servers, routers, hubs etc.

• Software: source programs, object programs, utilities, diagnostic programs, operating systems, communication programs.

• Data: during execution, stored online, archived off-line, backups, audit logs, databases, and in transit over communication links.

• People: users, internal IT professionals, external support organisations.

• Documentation: on programs, hardware, systems and local administrative procedures.

• Supplies: paper and digital storage media.

The end result of risk assessment is a plan to implement controls that minimise overall cost while maximising defences.

RISK MITIGATION

Risk mitigation is where the organisation takes specific steps against the risk. It can implement controls that are likely to reduce or eliminate the risk, or it can develop some way of recovering the asset if a breach occurs.

The following are three risk mitigation strategies that an organisation could adopt:

• Risk acceptance - continuing without controls and accepting any loss that occurs.

• Risk limitation - implementing some controls to reduce the risk.

• Risk transference - using other means to compensate for a possible loss, such as purchasing insurance.
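The prioritisation described under Risk Assessment and the choice between the three mitigation strategies above can be carried through as a small worked calculation. The Python below is an added illustration, not part of the textbook: it scores each threat as asset value × impact × probability, ranks the threats by that expected loss, and then picks limitation, transference or acceptance by comparing the expected loss against the cost of a control (with an assumed residual-loss factor) or an insurance premium. The assets, threats and all figures are constructed for the example, and the decision rule is one simple reading of the text, not a prescribed method.

```python
"""Risk assessment and mitigation worked example (added illustration, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    category: str          # one of the textbook's asset categories
    value: float           # value of the asset to the firm (constructed currency units)


@dataclass(frozen=True)
class Threat:
    asset: str             # name of the asset the threat applies to
    description: str
    probability: float     # estimated chance the threat occurs in one year (0..1)
    impact: float          # fraction of the asset's value lost if it does (0..1)
    control_cost: float    # yearly cost of the control that would limit this threat
    residual: float        # fraction of the loss that remains even with the control (assumption)
    premium: Optional[float] = None  # yearly cost of insuring the loss, if insurance exists


def expected_loss(asset: Asset, threat: Threat) -> float:
    """Value x impact x probability: the loss the firm should expect per year."""
    if not (0.0 <= threat.probability <= 1.0 and 0.0 <= threat.impact <= 1.0):
        raise ValueError(f"probability and impact must lie in [0, 1]: {threat.description}")
    return asset.value * threat.impact * threat.probability


def prioritise(assets: List[Asset], threats: List[Threat]) -> List[Tuple[Threat, float]]:
    """Rank threats by expected loss, highest first, so the worst control point is handled first."""
    by_name: Dict[str, Asset] = {a.name: a for a in assets}
    ranked = [(t, expected_loss(by_name[t.asset], t)) for t in threats]
    ranked.sort(key=lambda pair: pair[1], reverse=True)
    return ranked


def recommend(threat: Threat, loss: float) -> str:
    """Pick the cheapest of the three mitigation strategies for one threat."""
    # Limitation pays off when the loss the control avoids exceeds what the control costs.
    avoided = loss * (1.0 - threat.residual)
    if avoided > threat.control_cost:
        return "limit"
    # Transference pays off when insuring the loss is cheaper than simply expecting it.
    if threat.premium is not None and threat.premium < loss:
        return "transfer"
    # Otherwise the cheapest course is to accept the risk and carry any loss.
    return "accept"


def mitigation_plan(assets: List[Asset], threats: List[Threat]) -> List[Tuple[str, float, str]]:
    """(description, expected loss, strategy) for every threat, in priority order."""
    return [(t.description, loss, recommend(t, loss)) for t, loss in prioritise(assets, threats)]


# Constructed inventory: one asset from each of three textbook categories.
ASSETS = [
    Asset("customer database", "data", 500_000.0),
    Asset("web server", "hardware", 20_000.0),
    Asset("office printer", "hardware", 800.0),
]

# Constructed threats with made-up probabilities, impacts and costs.
THREATS = [
    Threat("customer database", "ransomware encrypts the customer database",
           probability=0.10, impact=0.6, control_cost=15_000.0, residual=0.2, premium=25_000.0),
    Threat("web server", "disk failure on the web server",
           probability=0.30, impact=1.0, control_cost=8_000.0, residual=0.05, premium=5_000.0),
    Threat("office printer", "theft of the office printer",
           probability=0.05, impact=1.0, control_cost=300.0, residual=0.5),
]

if __name__ == "__main__":
    for description, loss, strategy in mitigation_plan(ASSETS, THREATS):
        print(f"{loss:10.0f}  {strategy:8s}  {description}")
```

With the constructed figures the database ransomware threat ranks first (expected loss 30,000) and is worth limiting because the control avoids 24,000 of loss for 15,000; the web server failure is cheaper to insure than to control; and the printer theft, with an expected loss of 40, is simply accepted. Changing any probability or cost re-ranks the plan, which is the point of the prioritisation step.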

Security Policy, Acceptable Use Policy and Authorisation Policy

Larger firms typically have a formal corporate security function headed by a chief security officer (CSO). The security group educates and trains users, keeps management aware of security threats and breakdowns and maintains the tools chosen to implement security. The chief security officer is responsible for enforcing the firm's security policy.

A security policy contains a set of statements that rank information risks to a company. The policy will also specify what the acceptable security goals are and the level of risk that management are willing to accept. It should also identify how these goals will be achieved.

An acceptable use policy (AUP; also sometimes referred to as an acceptable usage policy) defines what is considered to be acceptable use of the firm's information resources. These resources would typically include computers, telephones, e-mail and the Internet. The policy should set out the company's position on privacy, user responsibility and personal use of company equipment.

New staff members will generally be expected to sign an AUP document before they are given access to the information systems. The AUP should also specify what sanctions will be applied if a user does not comply with the AUP.

Authorisation policy determines differing levels of access to information assets for different levels of users. Authorisation management systems establish where and when a user is permitted to access certain parts of a Web site or a corporate database.

Identity management is a much broader concept that includes the business processes and tools used to identify valid users of a system and to control their access to it. It specifies the level of access that the different categories of users have.

Ensuring Business Continuity

As companies increasingly rely on digital networks and systems for their business, they need to take added steps to ensure that their systems and applications are always available.

Downtime refers to periods of time in which a system is not operational. Several techniques can be used by companies to reduce downtime.

Fault Tolerant Systems

Fault Tolerant Systems are important in environments where an interruption to processing has highly undesirable effects, such as in hospital information systems or in securities trading, i.e. where interruption to processing is not acceptable. These systems continue to operate after some of their processing components fail. Fault Tolerant Systems are built with redundant components; they generally include several processors in a multiprocessing configuration. If one of the processors fails, the other (or others) can provide degraded, yet effective, service.

High-Availability Computing

High-availability computing, although also designed to maximise application and system availability, helps firms recover quickly from a crash rather than avoid it; fault tolerance, by contrast, promises continuous availability and the elimination of recovery time altogether. High-availability computing environments are a minimum requirement for firms with heavy electronic commerce requirements.

Load Balancing

This involves distributing large numbers of access requests across multiple servers. The requests are directed to the most available server so that no single device is overwhelmed. If any server starts to get swamped, access requests are forwarded to another server with more capacity.

Mirroring

Mirroring involves the use of a backup server that duplicates all the processes and transactions of the primary server. If, for any reason, the primary server fails, the backup server can take its place without any interruption to service. This approach is quite expensive, because every server must be mirrored by an identical server whose only purpose is to take its place in the event of a failure.

Recovery-Oriented Computing

Researchers are looking at ways to make computer systems recover more rapidly when mishaps occur. This approach, which is called recovery-oriented computing, involves designing computing systems to recover quickly from mishaps and putting in place capabilities and tools to help operators identify the source of the fault to allow the problem to be easily corrected.

Disaster Recovery Planning

Disaster recovery planning involves specifying plans for the restoration of computing and communications services after they have been disrupted by a natural event such as an earthquake or flood, or by some human activity. Disaster recovery plans focus primarily on the technical issues involved in getting the systems up and running, such as which files to back up, the maintenance of backup computer systems and having backup telecommunications links in place.

With the increasing importance of information technology for the continuation of business-critical functions, combined with the increasing need to have systems operational 24/7, protecting an organisation's data and IT infrastructure in the event of a disruption has become an ever-increasing business priority in recent years.

It is estimated that most large companies spend between 2% and 4% of their IT budget on disaster recovery planning, with the aim of avoiding larger losses in the event that the business cannot continue to function due to loss of IT infrastructure and data. Of companies that suffer a major loss of business data, up to half don't reopen, and a high percentage close within two years.

Business Continuity Planning

Business continuity planning focuses on how the company can restore business operations after a disaster occurs. The business continuity plan identifies critical business processes and sets out the actions to be taken to enable mission-critical functions to continue to operate after a disaster occurs and systems stop working.

MIS Audit

To check that its security and controls are effective, an organisation must conduct regular systematic audits. An MIS audit identifies all of the controls that govern individual information systems and assesses their effectiveness.

The auditor must acquire a thorough understanding of the operations, physical facilities, telecommunications, control systems, data security objectives, organisational structure, personnel, manual procedures and individual applications of the company.

The auditor usually interviews key individuals who use and operate the specific information system being audited about their normal activities and procedures. The audit examines the various controls that are in place, and the auditor will typically trace the flow of sample transactions through the system. The output of the audit lists and ranks all control weaknesses, estimates the probability of each threat occurring, and estimates the financial and organisational impact of each threat. Management is expected to draw up a plan to address any major threats or weaknesses highlighted in the audit.
