Session 03 3UP course
Slide 1: Welcome to ADMS 2511 Management Information Systems, Unit 3
I. Splettstoesser-Hogeterp (Ish)
Email: [email protected]
Voicemail: 416 736 2100 x 20472
PODS: get your overheads loaded up and your video links ready please.
Copyright I. Splettstoesser-Hogeterp, 2009

Slide 2
- If you did not do so last week, please make yourself a name tag: these will be used to track your attendance.
- If you were not here last week, you will also need to sign up for a POD group that is not presenting today (and did not present last week).
- POD groups, please come and collect your name tags.
- CORRECTIONS TO COURSE OUTLINE: POD 1 AND POD 2, PLEASE COME TO SEE ME. IF YOU HAVE NOT YET STARTED WORKING ON THE NEXT CASE, THERE IS A SWITCH NEEDED. THANKS.

Slide 3: Unit 3 Learning Objectives
- Examine IT ethical issues, practice ethical analysis and consider identity theft
- Describe the control layers used to categorize operational practices
- Relate IT threats and risks to mitigation (i.e. controls)

Slide 4: A framework for ethical issues (Table 3.1, p. 65)
- Privacy
- Accuracy
- Property
- Accessibility
TIP: DEFINE AND PROVIDE EXAMPLES OF THE FOUR CATEGORIES OF ETHICAL ISSUES.

Slide 5: Privacy mega-horrors
- Payment processor (Heartland Payment Systems) breach disclosed January 2009; more than 100 million credit and debit cards could be affected (itbusiness.ca, Vijayan, Jan 22/09)
- Method: multiple pieces of planted (malicious) software
- Compare to TJX (2007, 46 million cards)
- Jan 2009: Monster's database hacked

Slide 6: Accuracy problem results in loot
- Three extra zeros on a bank loan resulted in receiving $10 million (not $10,000) in New Zealand
- The applicants took $2.6 million and ran (May 2009, Toronto Star, Lilley)
- Have you ever experienced a bank error?

Slide 7: Phishing for cash (property)
- Fake bank emails or web sites, even a fake Canada Revenue Agency refund phish! (itbusiness.ca, Jan 20, 2009, Jackson)
- Confidential data can also be sold from stolen laptops or USB keys, i.e. data theft

Slide 8: Accessibility successes and failures
- Facebook materials ordered disclosed for automobile accident lawsuit (Mar 14, 2009, Toronto Star, Tyler)
- Ryerson student data available online unencrypted (Feb 24, 2009, Metro, Cdn Press)
- Computer 'junkie' warned a school about a potential bombing (March 21, 2009, Toronto Star, Chung)

Slide 9: Privacy in Canada: PIPEDA (Personal Information Protection and Electronic Documents Act, 2004)
Ten basic principles:
1. Accountability
2. Identifying purposes
3. Consent
4. Limiting collection
5. Limiting use, disclosure and retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual access
10. Challenging compliance
POD Activity: List five privacy problems to share with the class. Relate each to one of these ten principles.
WHERE IS YOUR INFORMATION KEPT?

Slide 10: CANADA: Treasury Board: Management of Information Technology Security Standard
- Provides standards for federal deputy ministers and department heads
- The IT departments will be responsible for implementing the procedures and processes to meet the standards
- If systems are broken into, this affects the confidence of Canadians

Slide 11: Six Step Approach to solve an ethical dilemma (Source: Auditing and Other Assurance Services, 10th ed., p. 35)
1. Obtain the relevant facts
2. Identify the ethical issues from the facts
3. Determine who is affected by the outcome and how
4. Identify reasonable alternative actions
5. Identify consequences of each alternative
6. Decide on appropriate action

Slide 12: Security Co Database Question
Problem: Last week, you purchased a used computer from a friend who is a recently retired security company officer. Upon using the computer, you found several large files that seem to contain data about the activities and profiles of hundreds of people in your city.
PODS: Use the ethical framework to decide what you should do.
TIP: DESCRIBE EACH STEP OF THE ETHICAL FRAMEWORK AND BE ABLE TO APPLY IT TO A CASE.

Slide 13: Privacy policy guidelines: a sampler (Table 3.2, p. 68)
Guidelines such as these:
- Codify requirements for employees
- Provide a standard set of procedures
- Help protect organizations from litigation
- Can be used as a measurement tool if disciplinary action is required

Slide 14: Case – Click Fraud, p. 103
POD 4 will present this case

Slide 15: Break

Slide 16: Categories of Controls
- Security is only one aspect of operational control
- Controls come in "layers":
  1. Control Environment
  2. General Controls
  3. Application Controls

Slide 17: Control Environment
- Encompasses management attitudes towards controls, as evidenced by management actions, as well as by stated policies that address:
  - Ethical issues
  - Quality of supervision
- This is part of the organizational culture

Slide 18: Figure 3.2 (p. 86) and general controls
What are examples of controls that we can see on this figure?

Slide 19: Access controls help to prevent identity theft
- Identity theft: using confidential information such as passwords, driver's licences or medical records to assume someone else's identity
- The thief applies for credit cards, mortgages or passports
- Controls include: physical security, access security, and encryption
- Do you know of examples of identity theft?

Slide 20: Technology Guide 3: Protecting your identity
- If you have not read Tech Guide 3, do so now
- What is your risk level? Do you need to undertake the actions described in this Guide?
- POD 9 Video

Slide 21: Password controls are needed for all categories of controls
- Control Environment: policies that enforce the proper management of user codes and passwords
- General Control: a security system that requires a user id and password to 'log on'
- Application Control: separate passwords for sensitive functions, e.g. employee raises or write-off of customer accounts
TIP: BE ABLE TO DESCRIBE EACH CATEGORY OF CONTROL AND PROVIDE AN EXAMPLE THAT CARRIES THROUGH EACH CONTROL LEVEL.

Slide 22: Application Controls
- Controls that apply to individual functional areas (applications), e.g. payroll
- The text uses the categories: input, processing, output
- It is more common to use the categories accuracy, completeness, authorization, audit trail (documentation) for each of input, processing and output

Slide 23: Application Controls Examples
- Input: edits that check for reasonable data ranges
- Processing: automatically check that each line of an invoice adds to the total
- Output: supervisor reviews payroll journal for unusual amounts before cheques are printed

Slide 24: Case – Blorney
POD 5 will discuss this case

Slide 25: Figure 3.1 (p. 73) Security threats
- Which of these risks have you encountered?
- Let's turn to our text and review these risks

Slide 26: Matching threats/risks to controls
- Let's take a look at some of the security threats described in Figure 3.1
- Match a control to the risk: what type of control is it and how does it prevent or deter the risk?

Slide 27: Business continuity planning (BCP)
BCP: what is its purpose?
- Have continuous availability?
- Be able to recover in the event of a hardware or software failure?
- Ensure that critical systems are available and operating?

Slide 28: A real information systems disaster
- Bay Street: the 10th floor mainframe computer centre was located just above the 9th floor microcomputer bullpen
- The 9th floor was gutted by fire
- 300 people transferred the backup tapes to vehicles on the ground that acted as a temporary processing centre

Slide 29: Framework for recovery planning
1. Management commitment
2. Ranking of business processes
3. Identify minimum resources required
4. Prepare a Data centre and a User plan
5. Test the plan (and keep it current)

Slide 30: Case – Don't pay that ransom (p. 83)
POD 6 will discuss this case

Slide 31
- Please return and sort your name tags by last name
- Within PODs, please sort your name tags by last name
- Return the name tags and the clips to the front
- I will initial your name tags on the back and they will be returned (by POD) next week
- POD groups: come a few minutes early next week so that you can load your presentation onto the computer before the class starts at 1 p.m.
- REMINDER: SEND ME VIDEOS NO LATER THAN SUNDAY AFTERNOON
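The application-level controls from slides 21 to 23 (an input edit on data ranges, a processing check that the invoice lines add to the total, a separate credential for a sensitive function such as writing off a customer account, and an audit trail of every decision) as working code. This is an added example written for this page, not code from the course slides or the textbook; the range limits, user names, credential store and invoice data are all constructed for illustration.

```python
"""Added example, not from the course slides: one control of each application-control
type from slides 21-23, applied to invoice posting and a customer-account write-off.
Limits, user names, the credential store and the sample data are all constructed."""
from dataclasses import dataclass
from decimal import Decimal
import hashlib, hmac, os

# Constructed limits for the input edits; a real system sets these per business rule.
MAX_QUANTITY = 10_000
MAX_UNIT_PRICE = Decimal("100000.00")
MAX_WRITE_OFF = Decimal("5000.00")
AUDIT_LOG = []  # audit trail: user, action, control decision, detail


@dataclass
class LineItem:
    description: str
    quantity: int
    unit_price: Decimal


@dataclass
class Invoice:
    invoice_no: str
    customer: str
    lines: list
    declared_total: Decimal  # the total as keyed by the clerk


class ControlError(Exception):
    """Raised when a control rejects the transaction."""


def make_invoice(invoice_no, customer, lines, declared_total):
    """Build an Invoice from (description, quantity, unit_price_str) tuples."""
    items = [LineItem(d, q, Decimal(p)) for d, q, p in lines]
    return Invoice(invoice_no, customer, items, Decimal(declared_total))


def audit(user, action, outcome, detail=""):
    AUDIT_LOG.append({"user": user, "action": action, "outcome": outcome, "detail": detail})


def input_edits(inv):
    """Input control: edit checks for reasonable ranges; returns the list of errors."""
    errors = []
    if not inv.lines:
        errors.append("invoice has no line items")
    for i, ln in enumerate(inv.lines, start=1):
        if not 1 <= ln.quantity <= MAX_QUANTITY:
            errors.append(f"line {i}: quantity {ln.quantity} outside 1..{MAX_QUANTITY}")
        if not Decimal("0.00") < ln.unit_price <= MAX_UNIT_PRICE:
            errors.append(f"line {i}: unit price {ln.unit_price} outside 0..{MAX_UNIT_PRICE}")
    return errors


def processing_check(inv):
    """Processing control: recompute the total from the lines and compare it with
    the keyed total. Returns (ok, computed_total)."""
    computed = sum((ln.quantity * ln.unit_price for ln in inv.lines), Decimal("0.00"))
    return computed == inv.declared_total, computed


def post_invoice(user, inv):
    """Input edits first, then the processing check; every outcome is audited."""
    errors = input_edits(inv)
    if errors:
        audit(user, "post_invoice", "rejected", "; ".join(errors))
        raise ControlError(errors)
    ok, computed = processing_check(inv)
    if not ok:
        audit(user, "post_invoice", "rejected", f"lines sum to {computed}, keyed {inv.declared_total}")
        raise ControlError(f"total mismatch: {computed} != {inv.declared_total}")
    audit(user, "post_invoice", "posted", f"{inv.invoice_no} total {computed}")
    return computed


# Authorization control: the write-off needs a credential separate from the log-on
# password (the slides' example). Constructed store of salted PBKDF2 hashes.
def _hash_secret(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


_SALT = os.urandom(16)
WRITE_OFF_CREDENTIALS = {"alice": (_SALT, _hash_secret("wo-secret-alice", _SALT))}


def verify_write_off_credential(user, secret):
    entry = WRITE_OFF_CREDENTIALS.get(user)
    if entry is None:
        return False
    salt, expected = entry
    return hmac.compare_digest(_hash_secret(secret, salt), expected)


def write_off(user, secret, customer, amount):
    """Sensitive function: separate credential, then an input edit on the amount."""
    amount = Decimal(amount)
    if not verify_write_off_credential(user, secret):
        audit(user, "write_off", "denied", f"{customer} {amount}: bad write-off credential")
        raise ControlError("write-off credential rejected")
    if not Decimal("0.00") < amount <= MAX_WRITE_OFF:
        audit(user, "write_off", "rejected", f"{customer} {amount}: outside 0..{MAX_WRITE_OFF}")
        raise ControlError("write-off amount out of range")
    audit(user, "write_off", "approved", f"{customer} {amount}")
    return True


if __name__ == "__main__":  # constructed sample: the keyed total carries two extra zeros
    inv = make_invoice("INV-1001", "ACME", [("widget", 10, "9.99")], "9990.00")
    print(input_edits(inv), processing_check(inv))
```

The processing check is the one that catches slide 6's "extra zeros" class of error: the keyed total is never trusted, it is recomputed from the lines. The write-off path shows why the slides put a separate password on sensitive functions: the log-on password gets a clerk into the application, but the write-off credential (checked with a constant-time comparison against a salted hash) is a second, narrower authorization, and both the approval and every refusal leave an audit record.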
This note was uploaded on 10/04/2011 for the course ADMS 2511 taught by Professor Jiu during the Fall '09 term at York University.