Session 03 - Welcome to … ADMS 2511 Management Information Systems, Unit 3


Slide 1: Welcome to … ADMS 2511 Management Information Systems, Unit 3
I. Splettstoesser-Hogeterp (Ish)
Email: ingrids@yorku.ca
Voicemail: 416 736 2100 x 20472
PODS: get your overheads loaded up and your video links ready please.
Copyright I. Splettstoesser-Hogeterp, 2009

Slide 2: Housekeeping
- If you did not do so last week, please make yourself a name tag: these will be used to track your attendance.
- If you were not here last week, you will also need to sign up for a POD group that is not presenting today (and did not present last week).
- POD groups, please come and collect your name tags.
CORRECTIONS TO COURSE OUTLINE: POD 1 AND POD 2, PLEASE COME TO SEE ME: IF YOU HAVE NOT YET STARTED WORKING ON THE NEXT CASE, THERE IS A SWITCH NEEDED. THANKS.

Slide 3: Unit 3 Learning Objectives
- Examine IT ethical issues, practice ethical analysis and consider identity theft
- Describe the control layers used to categorize operational practices
- Relate IT threats and risks to mitigation (i.e. controls)

Slide 4: A framework for ethical issues (Table 3.1, p. 65)
- Privacy
- Accuracy
- Property
- Accessibility
TIP: DEFINE AND PROVIDE EXAMPLES OF THE FOUR CATEGORIES OF ETHICAL ISSUES.

Slide 5: Privacy mega-horrors
- Payment processor (Heartland Payment Systems) breach disclosed January 2009; more than 100 million credit and debit cards could be affected (itbusiness.ca, Vijayan, Jan 22/09)
- Method: multiple planted software
- Compare to TJX (2007, 46 million cards)
- Jan 2009: Monster's database hacked

Slide 6: Accuracy problem results in loot
- Three extra zeros on a bank loan resulted in receiving $10 million (not $10,000) in New Zealand
- The applicants took $2.6 million and ran (May 2009, Toronto Star, Lilley)
- Have you ever experienced a bank error?

Slide 7: Phishing for cash (property)
- Fake bank emails or web sites, even a fake Canada Revenue Agency refund phish! (itbusiness.ca, Jan 20, 2009, Jackson)
- Confidential data can also be sold from stolen laptops or USB keys, i.e. data theft

Slide 8: Accessibility successes and failures
- Facebook materials ordered disclosed for automobile accident lawsuit (Mar 14, 2009, Toronto Star, Tyler)
- Ryerson student data available online unencrypted (Feb 24, 2009, Metro, Cdn Press)
- Computer 'junkie' warned a school about a potential bombing (March 21, 2009, Toronto Star, Chung)

Slide 9: Privacy in Canada: PIPEDA (Personal Information Protection and Electronic Documents Act, 2004)
Ten basic principles:
1. Accountability
2. Identifying purposes
3. Consent
4. Limiting collection
5. Limiting use, disclosure and retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual access
10. Challenging compliance
POD Activity: List five privacy problems to share with the class. Relate each to one of these ten principles.
WHERE IS YOUR INFORMATION KEPT?

Slide 10: CANADA: Treasury Board: Management of Information Technology Security Standard
- Provides standards for federal deputy ministers and department heads
- The IT departments will be responsible for implementing the procedures and processes to meet the standards
- If systems are broken into, it affects the confidence of Canadians

Slide 11: Six Step Approach to solve an ethical dilemma (Source: Auditing and Other Assurance Services, 10th ed., p. 35)
1. Obtain the relevant facts
2. Identify the ethical issues from the facts
3. Determine who is affected by the outcome and how
4. Identify reasonable alternative actions
5. Identify consequences of each alternative
6. Decide on appropriate action

Slide 12: Security Co Database Question
Problem: Last week, you purchased a used computer from a friend who is a recently retired security company officer. Upon using the computer, you found several large files that seem to contain data about the activities and profiles of hundreds of people in your city.
PODS: Use the ethical framework to decide what you should do.
TIP: DESCRIBE EACH STEP OF THE ETHICAL FRAMEWORK AND BE ABLE TO APPLY IT TO A CASE.

Slide 13: Privacy policy guidelines: a sampler (Table 3.2, p. 68)
Guidelines such as these
– Codify requirements for employees
– Provide a standard set of procedures
– Help protect organizations from litigation
– Can be used as a measurement tool if disciplinary action is required

Slide 14: Case – Click Fraud, p. 103
POD 4 will present this case

Slide 15: Break

Slide 16: Categories of Controls
- Security is only one aspect of operational control
- Controls come in "layers":
1. Control Environment
2. General Controls
3. Application Controls

Slide 17: Control Environment
- Encompasses management attitudes towards controls, as evidenced by management actions, as well as by stated policies that address
– Ethical issues
– Quality of supervision
- This is part of the organizational culture

Slide 18: Figure 3.2 (p. 86) and general controls
What are examples of controls that we can see on this figure?

Slide 19: Access controls help to prevent identity theft
- Using confidential information such as passwords, drivers' licences or medical records to assume someone else's identity
- The thief applies for credit cards, mortgages or passports
- Controls include: physical security, access security, and encryption
- Do you know of examples of identity theft?

Slide 20: Technology Guide 3: Protecting your identity
- If you have not read Tech Guide 3, do so now
- What is your risk level? Do you need to undertake the actions described in this Guide?
- POD 9 Video

Slide 21: Password controls are needed for all categories of controls
Control Environment:
– Policies that enforce the proper management of user codes and passwords
General Control:
– A security system that requires a user id and password to 'log on'
Application Control:
– Separate passwords for sensitive functions, e.g. employee raises or write-off of customer accounts
TIP: BE ABLE TO DESCRIBE EACH CATEGORY OF CONTROL AND PROVIDE AN EXAMPLE THAT CARRIES THROUGH EACH CONTROL LEVEL.

Slide 22: Application Controls
- Controls that apply to individual functional areas (applications), e.g. payroll
- The text uses the categories: input, processing, output.
- It is more common to use the categories: accuracy, completeness, authorization, audit trail (documentation) for each of input, processing and output

Slide 23: Application Controls Examples
- Input: Edits that check for reasonable data ranges
- Processing: Automatically check that each line of an invoice adds to the total
- Output: Supervisor reviews payroll journal for unusual amounts before cheques are printed.

Slide 24: Case -- Blorney
POD 5 will discuss this case

Slide 25: Figure 3.1 (p. 73) Security threats
- Which of these risks have you encountered?
- Let's turn to our text and review these risks

Slide 26: Matching threats/risks to controls
- Let's take a look at some of the security threats described in Figure 3.1
- Match a control to the risk: what type of control is it and how does it prevent or deter the risk?

Slide 27: Business continuity planning (BCP)
BCP – what is its purpose?
– Have continuous availability?
– Be able to recover in the event of a hardware or software failure?
– Ensure that critical systems are available and operating?

Slide 28: A real information systems disaster
- Bay Street, 10th floor mainframe computer centre was located just above the 9th floor microcomputer bullpen
- 9th floor was gutted by fire
- 300 people transferred the backup tapes to vehicles on the ground that acted as a temporary processing centre

Slide 29: Framework for recovery planning
1. Management commitment
2. Ranking of business processes
3. Identify minimum resources required
4. Prepare a Data centre and a User plan
5. Test the plan (and keep it current)

Slide 30: Case – Don't pay that ransom (p. 83)
POD 6 will discuss this case

Slide 31: Please return and sort your name tags by last name
- Within PODs, please sort your name tags by last name
- Return the name tags and the clips to the front
- I will initial your name tags on the back and they will be returned (by POD) next week
- POD groups – come a few minutes early next week so that you can load your presentation onto the computer before the class starts at 1 p.m.
REMINDER: SEND ME VIDEOS NO LATER THAN SUNDAY AFTERNOON
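The three application-control examples on the "Application Controls Examples" slide (an input edit for reasonable ranges, a processing check that invoice lines add to the total, and an output review of unusual payroll amounts), plus the audit trail the "Application Controls" slide says should accompany each, as an added worked example in Python. This is not code from the lecture or the textbook; the range bounds, the "3x the median" review threshold and all employee, invoice and amount values are constructed for the illustration and are not figures from the slides.

```python
"""Added example (not from the lecture slides): the slide's three application
controls, each recording its decision in an audit trail."""
from dataclasses import dataclass
from decimal import Decimal
from statistics import median
from typing import List, Tuple


@dataclass
class InvoiceLine:
    description: str
    quantity: int
    unit_price: Decimal


@dataclass
class Invoice:
    number: str
    lines: List[InvoiceLine]
    stated_total: Decimal


# Input control: an "edit" that rejects values outside a reasonable range.
# The bounds are assumptions for this example, not figures from the text.
HOURS_RANGE = (Decimal("0"), Decimal("80"))    # hours worked per pay period
RATE_RANGE = (Decimal("10"), Decimal("500"))   # hourly pay rate


def input_edit(hours: Decimal, rate: Decimal) -> List[str]:
    """Return the list of edit failures; an empty list means the record passes."""
    errors = []
    if not HOURS_RANGE[0] <= hours <= HOURS_RANGE[1]:
        errors.append(f"hours {hours} outside {HOURS_RANGE}")
    if not RATE_RANGE[0] <= rate <= RATE_RANGE[1]:
        errors.append(f"rate {rate} outside {RATE_RANGE}")
    return errors


# Processing control: recompute every line and the total, and hold any invoice
# whose stated total disagrees with its lines instead of posting it.
def check_invoice_total(invoice: Invoice) -> Tuple[bool, Decimal]:
    computed = sum((ln.quantity * ln.unit_price for ln in invoice.lines), Decimal("0"))
    return computed == invoice.stated_total, computed


# Output control: flag payroll amounts that are unusual relative to the run
# (assumed threshold: more than 3x the median) so a supervisor reviews them
# before cheques are printed.
def flag_unusual_payroll(journal: List[Tuple[str, Decimal]],
                         factor: Decimal = Decimal("3")) -> List[str]:
    limit = median([amt for _, amt in journal]) * factor
    return [emp for emp, amt in journal if amt > limit]


# Audit trail: every control decision is logged as (layer, subject, action,
# reason) so the outcome can be traced and documented later.
def run_controls(payroll_inputs, invoices, journal):
    log = []
    for emp, hours, rate in payroll_inputs:
        errs = input_edit(hours, rate)
        log.append(("input", emp, "reject" if errs else "accept", "; ".join(errs)))
    for inv in invoices:
        ok, computed = check_invoice_total(inv)
        log.append(("processing", inv.number, "post" if ok else "hold",
                    f"stated {inv.stated_total}, computed {computed}"))
    for emp in flag_unusual_payroll(journal):
        log.append(("output", emp, "supervisor review", "amount unusual for this run"))
    return log


# Constructed sample data. E101 has an extra zero on hours and E102 an extra
# zero on the rate (the same kind of keying error as the slide's bank loan);
# INV-2's stated total does not match its lines; E103's pay is out of line.
PAYROLL_INPUTS = [("E100", Decimal("40"), Decimal("25")),
                  ("E101", Decimal("400"), Decimal("25")),
                  ("E102", Decimal("40"), Decimal("2500"))]
INVOICES = [Invoice("INV-1", [InvoiceLine("widgets", 3, Decimal("10.00")),
                              InvoiceLine("bolts", 10, Decimal("0.50"))], Decimal("35.00")),
            Invoice("INV-2", [InvoiceLine("service", 2, Decimal("100.00"))], Decimal("2000.00"))]
JOURNAL = [("E100", Decimal("1000")), ("E101", Decimal("1050")),
           ("E102", Decimal("980")), ("E103", Decimal("10000"))]

if __name__ == "__main__":
    for entry in run_controls(PAYROLL_INPUTS, INVOICES, JOURNAL):
        print(entry)
```

Each check is preventive at its own stage: the input edit stops the bad record before it is stored, the processing check refuses to post an invoice rather than silently correcting it, and the output check only routes the item for human review, matching the slide's point that the supervisor, not the program, makes the final call before cheques are printed.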

This note was uploaded on 10/04/2011 for the course ADMS 2511 taught by Professor Jiu during the Fall '09 term at York University.
