Course Code: 19MBA511B
Course Title: Management Information Systems

Session 7_8_9: Ethical and Social issues in the Digital Firm, Goals of information security, Risks to information systems, Security measures, Authentication and Encryption, Digital Signatures and Digital Certificates

Course Leader: Ms. Shilpa R.G.
Email: shilparg.ms.mc@msruas.ac.in

Faculty of Management and Commerce © Ramaiah University of Applied Sciences

Session Objectives

At the end of this session, the student will be able to:

• Discuss the primary goals of information security
• Discuss the information security challenges in E-Enterprises
• Illustrate the various types of cyber attacks on networked systems
• Design an organisational framework for security and control

Session Contents

• Goals of information security
• Risks to information systems
• Risks to online operations
• Controls, Security measures
• Authentication and Encryption
• Digital Signatures and Digital Certificates
• Business recovery plan
• MIS and security challenges
• Security and control procedures for information systems

Challenges of Technology and Management

• Rapid technological change
• Exploding applications and data
• Growth in business management understanding of technology
• Frequent external shocks

Contemporary Security Challenges and Vulnerabilities (figure)

Internet Vulnerabilities

• Use of fixed Internet addresses through use of cable modems or DSL
• Lack of encryption with most Voice over IP (VoIP)
• Widespread use of e-mail and instant messaging (IM)

Wireless Security Challenges

• Radio frequency bands are easy to scan
• The service set identifiers (SSID) identifying the access points are broadcast multiple times

Malicious Software: Viruses, Worms, and Spyware
Hackers and Cybervandalism

• Computer viruses, worms
• Spyware
• Identity theft, phishing
• Cyber terrorism and Cyber warfare
• Vulnerabilities from internal threats (employees); software flaws

Goals of Information Security

• Reduce the risk of systems and organisations ceasing operations
• Maintain information confidentiality
• Ensure the integrity and reliability of data resources
• Ensure the uninterrupted availability of data resources and online operations
• Ensure compliance with national security laws and privacy policies and laws

Risks to Information Systems

Risks to Hardware
• Natural disasters (Fire, Earthquake, Floods)
• Vandalism (Damage, Failure of System)

Risks to Applications and Data
• Theft of information, Identity theft
• Data alteration, data destruction, and Web defacement (damage)

Computer viruses, worms, and logic bombs
• Virus: A program that replicates by attaching itself to other programs.
• Worm: A program that spreads copies of itself throughout a network or the internet without a host program.
• Logic bomb: Dormant (hidden) code added to software and triggered at a predetermined time or predetermined event (e.g. an employee might put code in a program to destroy important files if his or her name is ever removed from the payroll file)

Threats to Information Security

• Human errors
• Damage by employees
• Misuse of computer systems
• Computer-based fraud
• Hackers

Components of Information Security

• Confidentiality
• Integrity
• Availability

Security Issues
• Destruction
• Deletion
• Bugs Infection
• Theft
• Corruption

The security challenges need to be met on three fronts:
  - Prevention
  - Limitation
  - Protection

Business value of Security and Control

• Inadequate security and control may create serious legal liability
• Businesses must protect not only their own information assets but also those of customers, employees, and business partners. Failure to do so can lead to costly litigation for data exposure or theft
• A sound security and control framework that protects business information assets can thus produce a high return on investment

Establishing a Management Framework for Security and Control

Types of Information Systems Controls

General controls:
• Software and hardware
• Computer operations
• Data security
• Systems implementation process

Application controls:
• Input
• Processing
• Output

Security Profiles for a Personnel System (figure)

Ensuring Business Continuity

• Disaster recovery planning: Plans for restoration of computing and communications disrupted by an event such as an earthquake, flood, or terrorist attack
• Business continuity planning: Plans for handling mission-critical functions if systems go down

Security Measures

Firewalls
• Defense against unauthorized access to systems over the Internet
• Controls communication between a trusted network and the “untrusted” Internet
• Its role is to control access to the internal network sought by the user
• Proxy Server: Represents another server for all information requests and acts as a buffer

A Corporate Firewall (figure)

Authentication and Encryption

• Keeps communications secret
• Authentication: the process of ensuring the identity of the person sending the message
• Encryption: coding a message into a form unreadable to an interceptor. An algorithm converts normal text into cipher text.
• Uses a pair of public and private keys unique to the sender and receiver to secure the communication
• Decryption converts cipher text back to normal text

Public Key Encryption (figure)

Digital Signatures and Digital Certificates

• Digital Signatures: Digital code attached to the communication; helps to verify the origin and sender
• Digital Certificates: Data files constructed specifically to establish the identity of the user before the user is allowed to proceed in the transaction processing

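The digital-signature mechanism described above, as an added worked example that is not part of the original slides: a toy RSA key pair (constructed from two known Mersenne primes so it runs offline without a key generator, and far too weak for real use) signs a SHA-256 hash of the message with the private key, and the receiver checks it with the public key, so any alteration of the message in transit is detected.

```python
import hashlib

# Constructed toy RSA key pair for illustration only. The factors are two
# known Mersenne primes (2^127-1 and 2^521-1) so the example runs offline
# without a key generator; real keys use random primes of 1024+ bits each.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q                              # public modulus, shared with everyone
E = 65537                              # public exponent (coprime with (P-1)(Q-1))
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+), kept secret

PUBLIC_KEY = (N, E)    # published: lets any receiver verify the sender's signatures
PRIVATE_KEY = (N, D)   # held only by the sender


def digest(message: bytes) -> int:
    """Hash the message so the signature covers its whole content."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key: tuple) -> int:
    """Sender side: the 'digital code attached to the communication'."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public_key: tuple) -> bool:
    """Receiver side: undo the signature with the public key and compare
    the recovered hash with the hash of the message actually received."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)


if __name__ == "__main__":
    order = b"Transfer INR 10,000 to account 1234"   # constructed sample message
    sig = sign(order, PRIVATE_KEY)
    print("genuine message verifies:", verify(order, sig, PUBLIC_KEY))   # True
    # One changed digit: the hashes differ, so the receiver rejects the message
    altered = b"Transfer INR 90,000 to account 1234"
    print("altered message verifies:", verify(altered, sig, PUBLIC_KEY))  # False
```

A digital certificate in the sense of the slide is the next step up: a trusted authority signs, in the same way, a data file binding the sender's name to PUBLIC_KEY, so the receiver can trust whose key it is checking.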
Role of Manager in Information Security
• To have effective information security in place, managers need to align information security with management objectives
• Managers should eliminate the hierarchical layers between the functional managers who have historically viewed information security as a technological issue and not a management issue
• The best practices for handling information in MIS include:
  - Adoption of a comprehensive information security and privacy policy
  - Storing of sensitive personal data in a secure MIS and providing appropriate encryption

  - Building of document destruction capabilities into the office infrastructure
  - Conducting regular information security practice training for all employees
  - Conducting privacy walkthroughs and making spot checks on proper information handling
  - Raising information security awareness among staff and ensuring that employees are aware of the company's security policies

Information Security program for MIS
To moderate risk, the following control strategies are recommended when designing an MIS:
• Administrative
• Logical
• Physical
• Security classification for information
• Access control
• Cryptography
• Defense in depth

Controls
• Effective controls provide information system security, i.e. accuracy, integrity and safety of information system activities and resources
• Controls can minimize errors, fraud, and destruction in the internetworked information systems that interconnect today’s end users and organisations
• Effective controls provide quality assurance for information systems
• Three major types of controls must be developed to ensure the quality and security of information systems:
  - Information system controls
  - Procedural controls
  - Facility controls

Facility Controls
• Facility controls are methods that protect an organisation’s computing and network facilities and their contents from loss or destruction
• Computer networks and computer centers are subject to such hazards as accidents, natural disasters, sabotage, vandalism, unauthorised use, and destruction and theft of resources
• Various safeguards and control procedures are necessary to protect the hardware, software, network and vital data resources of a company

The controls are:
• Network security
• Firewalls
• Physical protection controls
• Biometric controls

Procedural Controls

• Procedural controls are methods that specify how an organisation’s computer and network resources should be operated for maximum security
• They ensure the accuracy and integrity of computer network operations and system development activities
• The controls are:
  - Standard procedures and documentation
  - Authorization requirements

Information System controls
• Information system controls are methods and devices that attempt to ensure the accuracy, validity and propriety of information system activities
• Controls must be developed to ensure proper data entry, processing techniques, storage methods and information output
• They are designed to monitor and maintain the quality and security of the input, processing, output and storage activities of any information system

The controls are:
• Input controls
• Processing controls
• Hardware controls
• Software controls
• Output controls
• Storage controls

Controls

• Program Robustness and Data Entry Controls
  - Provide a clear and sound interface with the user
  - Menus and limits (restrictions)
• Backup
  - Periodic duplication of all data
• Access Controls
  - Ensure that only authorized people can gain access to systems and files
  - Access codes and passwords

• Atomic Transactions
  - Ensure that transaction data are recorded properly in all the pertinent (related) files to ensure integrity
• Audit Trails
  - Built into an IS so that transactions can be traced to people, times, and authorization information

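The atomic-transaction and audit-trail controls above, as an added worked example that is not from the original slides: a constructed SQLite funds transfer updates two account records and a ledger entry inside one transaction, so a failed write rolls all of them back, while a separate audit_trail table records who attempted what, when, and under which authorisation reference (the table and column names are assumptions made for this example).

```python
import sqlite3
from datetime import datetime, timezone


def open_db() -> sqlite3.Connection:
    """In-memory database with constructed sample data (illustration only)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE accounts (acct TEXT PRIMARY KEY,
                               balance INTEGER NOT NULL CHECK (balance >= 0));
        CREATE TABLE ledger (id INTEGER PRIMARY KEY, src TEXT, dst TEXT, amount INTEGER);
        CREATE TABLE audit_trail (id INTEGER PRIMARY KEY, at TEXT, user TEXT,
                                  action TEXT, auth_ref TEXT, outcome TEXT);
        INSERT INTO accounts VALUES ('A-100', 500), ('B-200', 100);
    """)
    return db


def transfer(db, user, auth_ref, src, dst, amount) -> bool:
    """Atomic transfer: the two account rows and the ledger entry are written
    together or not at all. Returns True if committed, False if rolled back."""
    outcome = "committed"
    try:
        with db:  # BEGIN; COMMIT on success, ROLLBACK if an exception escapes
            db.execute("UPDATE accounts SET balance = balance - ? WHERE acct = ?", (amount, src))
            db.execute("UPDATE accounts SET balance = balance + ? WHERE acct = ?", (amount, dst))
            db.execute("INSERT INTO ledger (src, dst, amount) VALUES (?, ?, ?)", (src, dst, amount))
        return True
    except sqlite3.IntegrityError as exc:  # e.g. CHECK failed: balance would go negative
        outcome = f"rolled back ({exc})"
        return False
    finally:
        # Audit trail: who, when, what, under which authorisation, and the result.
        # Written after the business transaction so failed attempts are traceable too.
        db.execute("INSERT INTO audit_trail (at, user, action, auth_ref, outcome) VALUES (?, ?, ?, ?, ?)",
                   (datetime.now(timezone.utc).isoformat(), user,
                    f"transfer {amount} {src}->{dst}", auth_ref, outcome))
        db.commit()


def balances(db) -> dict:
    return dict(db.execute("SELECT acct, balance FROM accounts"))


def audit_log(db) -> list:
    return db.execute("SELECT user, action, auth_ref, outcome FROM audit_trail").fetchall()


if __name__ == "__main__":
    db = open_db()
    transfer(db, "clerk1", "APPROVAL-17", "A-100", "B-200", 200)   # succeeds
    transfer(db, "clerk1", "APPROVAL-18", "A-100", "B-200", 900)   # exceeds balance
    print(balances(db))   # {'A-100': 300, 'B-200': 300}: the failed attempt left no partial record
    for row in audit_log(db):
        print(row)
```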
Internal Control Objectives
• Management Responsibility
  - The establishment and maintenance of a system of internal control is the responsibility of management
• Reasonable Assurance
  - The cost of achieving the objectives of internal control should not outweigh its benefits
• Methods of Data Processing
  - The techniques of achieving the objectives will vary with different types of technology

Limitations of Internal Controls

• Possibility of honest errors
• Circumvention via collusion
• Management override
• Changing conditions, especially in companies with high growth

Two Types of IT controls

General controls—Pertain to the entity-wide computer environment
• Examples: Controls over the data center, organisation databases, systems development, and program maintenance

Application controls—Ensure the integrity of specific systems
• Examples: Controls over sales order processing, accounts payable, and payroll applications

Summary
• Information Security (IS) is designed to protect the confidentiality, integrity and availability of computer system data from those with malicious intentions
• Information security handles risk management
• To have effective information security in place, managers need to align information security with management objectives
• Destruction, Deletion, Bugs Infection, Theft and Corruption are security issues in e-enterprises

• The successful Information Security Manager should:
  - Perform security risk analysis and risk management
  - Perform security tests
  - Manage internal audits on information security processes, controls and systems
• Information system controls are methods and devices that attempt to ensure the accuracy, validity and propriety of information system activities
• Different types of Information System controls are Input controls, Processing controls, Hardware controls, Software controls, Output controls and Storage controls