8-13
Define and describe the following: security policy, acceptable use policy, and
identity management.
A security policy consists of statements ranking information risks, identifying
acceptable security goals, and identifying the mechanisms for achieving these goals.
The security policy drives policies determining acceptable use of the firm’s
information resources and which members of the company have access to its
information assets.
An acceptable use policy (AUP) defines acceptable uses of the firm’s information
Explain how information systems auditing promotes security and control.
Comprehensive and systematic MIS auditing organizations determine the
effectiveness of security and controls for their information systems. An MIS audit
8-4 What are the most important tools and technologies for safeguarding
information resources?
Name and describe three authentication methods.
Authentication refers to the ability to know that a person is who he or she claims to
8-14
be. Some methods are described below:
• What you know: Passwords known only to the authorized users.
• What you have:
Describe the roles of firewalls, intrusion detection systems, and antivirus
software in promoting security.
A firewall is a combination of hardware and software that controls the flow of
incoming and outgoing network traffic. Firewalls prevent unauthorized users from
accessing internal networks. They protect internal systems by monitoring packets for
the wrong source or destination, or by offering a proxy server with no access to the
Explain how encryption protects information.
Encryption, the coding and scrambling of messages, is a widely used technology for
securing electronic transmissions over the Internet and over Wi-Fi networks.
Encryption offers protection by keeping messages or packets hidden from the view of
8-15
Describe the role of encryption and digital certificates in a public key
infrastructure.
Digital certificates combined with public key encryption provide further protection of
electronic transactions by authenticating a user’s identify. Digital certificates are data
Distinguish between disaster recovery planning and business continuity
planning.
Disaster recovery planning devises plans for the restoration of computing and
communications services after they have been disrupted by an event such as an
earthquake, flood, or terrorist attack. Disaster recovery plans focus primarily on the
Identify and describe the security problems posed by cloud computing.
Accountability and responsibility for protection of sensitive data reside with the
company owning that data even though it’s stored offsite. The company needs to
make sure its data are protected at a level that meets corporate requirements. The
company should stipulate to the cloud provider how its data are stored and processed
8-16
Describe measures for improving software quality and reliability.
Using software metrics and rigorous software testing are two measure for improving
software quality and reliability.
Software metrics are objective assessments of the system in the form of quantified
measurements. Metrics allow an information systems department and end users to
jointly measure the performance of a system and identify problems as they occur.
Metrics must be carefully designed, formal, objective, and used consistently.
Examples of software metrics include:
Early, regular, and thorough testing will contribute significantly to system quality.
Testing can prove the correctness of work but also uncover errors that always exist in
software. Testing can be accomplished through the use of:
• Walkthroughs: A review of a specification or design document by a small
group of people.
Discussion Questions
8-5 Security isn’t simply a technology issue, it’s a business issue. Discuss.
Student answers to this question will vary.
8-6 If you were developing a business continuity plan for your company, where
would you start? What aspects of the business would the plan address?
Student answers to this question will vary.
8-7 Suppose your business had an e-commerce Web site where it sold goods and
accepted credit card payments. Discuss the major security threats to this Web site
and their potential impact. What can be done to minimize these threats?
Student answers to this question will vary.
8-17
Hands-On MIS Projects
Management Decision Problems
8-8 Reloaded Games: operates online game sites that accommodate millions of players
at once and played simultaneously by people all over the world. Prepare a security
analysis for this Internet-based business. What kinds of threats should it anticipate? What
would be their impact on the business? What steps can it take to prevent damage to its
Web sites and continuing operations?
Threats include:
• Hackers and crackers
• File sharing over peer-to-peer networks
Steps the company can take to prevent damage include:
• Access controls: prevent improper access to all of the organization’s systems by
unauthorized insiders and outsiders.
• Firewalls: prevent unauthorized users from accessing private networks.
8-9 Security analysis statistics: Analyze high risk, medium risk, and low risk
vulnerabilities by type of computing platform.
8-18
SECURITY VULNERABILITIES BY TYPE OF COMPUTING PLATFORM
PLATFORM
NUMBER OF
COMPUTERS
HIGH
RISK
MEDIUM
RISK
LOW
RISK
TOTAL
VULNERABILITIES
Windows Server (corporate
applications)
1
11
37
19
67
Windows Vista Ultimate
(high-level
administrators)
3
56
242
87
1155
Linux (e-mail and
printing services)
1
3
154
2
12
299
78
778
98
255
Potential impact of the security problems for each computing platform
• High risk vulnerabilities: Misuse of passwords allows hackers, crackers, and
employees to access specific systems and files and steal data or change
application programs; nonauthorized users could change applications or enter
corrupt or faulty data; unauthorized programs could corrupt data or programs.
If you only have one information systems specialist in charge of security, which
platforms should you address first in trying to eliminate these vulnerabilities? Second?
Third? Last? Why?
• First platform to protect: Windows Vista Ultimate (high-level
administrators)—administrators usually have access to areas that no other
users have. The tasks that administrators perform affect the core operations of
8-19
a system.
Identify the types of control problems illustrated by these vulnerabilities and explain the
measures that should be taken to solve them.
• General controls: Govern the design, security, and use of computer programs
and the security of data files in general throughout the organization’s information
technology infrastructure. General controls apply to all computerized applications
and consist of a combination of hardware, software, and manual procedures that
• Application controls: Specific controls unique to each computerized application,
such as payroll or order processing. They include both automated and manual
procedures that ensure that only authorized data are completely and accurately
processed by that application. Application controls can be classified as input
controls, processing controls, and output controls.
o Windows Server (corporate applications)
• Measures that should be taken to solve them include:
o Create a security policy and an acceptable use policy.
What does your firm risk by ignoring the security vulnerabilities identified?
8-20
Information systems are vulnerable to technical, organizational, and environmental
threats from internal and external sources. Managers at all levels must make system
security and reliability their number one priority. They must also impress upon all
employees how important security is throughout the system. There are several ways
the business value of security and control can be measured:
• The dollars a company spends to secure system
(Learning Objective 8.1: Why are information systems vulnerable to destruction,
error, and abuse? Learning Objective 8.2: What is the business value of security and
Improving Decision Making: Using Spreadsheet Software to Perform a Security
Risk Assessment
Software skills: Spreadsheet formulas and charts
Business skills: Risk assessment
8-10 Remind students that setting security policies and procedures really means
developing a plan for how to deal with computer security. One way to approach this task
is:
• Look at what you are trying to protect.
• Look at what you need to protect it from.
Reports should focus most on the last two steps, but the first three are critically important
to making effective decisions about security. One old truism in security is that the cost of
protecting yourself against a threat should be less than the cost of recovering if the threat
8-21
Written and oral communication, Analytical thinking, Reflective thinking, Application of
knowledge.)
Improving Decision Making: Evaluating Security Outsourcing Services
8-11 Software skills: Web browser and presentation software
Business skills: Evaluating business outsourcing services
• Present a brief summary of the arguments for and against outsourcing
computer security for your company.
• Select two firms that offer computer security outsourcing services, and
compare them and their services.
• Prepare an electronic presentation for management summarizing your
findings. Your presentation should make the case on whether or not your
company should outsource computer security. If you believe your company
should outsource, the presentation should identify which security
outsourcing service should be selected and justify your selection.
Your students will provide several pros and cons to outsourcing. Most of them will
conclude that the major pro would be a financial savings. As a con, they may say that
Collaboration and Teamwork Project
8-12. In MyMISLab, you will find a Collaboration and Teamwork Project dealing
with the concepts in this chapter. You will be able to use Google Drive, Google Docs,
Google Sites, Google +, or other open source collaboration tools to complete the
assignment.
Case Study: The Looming Threat Of Cyberwarfare
8-13 Is cyberwarfare a serious problem? Why or why not?
Cyberwarfare is becoming a very serious problem. Attacks have become much more
8-22
From September 2012 through March 2013, twelve U.S. financial institutions suffered
cyberattacks that eventually shut down their Web sites. The banks’ data centers had been
8-14 Assess the people, organizational, and technology factors responsible for this
problem.
People: Most attacks are the work of highly skilled professionals. However, when people
don’t take the problem seriously and constantly be on alert for infections, cyberattacks
can go unnoticed until it’s too late. In some cases, even though appropriate safeguards
were in place, people overrode them and opened a hole for the malware to enter systems.
Organization: It’s suspected that some of the cyberwarfare attacks have been
Technology: Tracing the identities of specific attackers through cyberspace is next to
impossible. Damage from the Stuxnet worm is irreparable and is believed to have delayed
8-15 What solutions are available for this problem? Do you think they will be
effective? Why or why not?
As data breaches rise in significance and frequency, the Obama administration and
Congress are proposing new legislation that would require firms to report data breaches
within specific time frames, and sets standards for data security.
8-23
An executive order signed by President Obama allows companies associated with the
There are other measures every organization, public and private can and should take to
secure their systems and information. Section 8.4, What are the most important tools and
technologies for safeguarding information resources?, of this chapter provides a list:
• Use appropriate identity management and authentication procedures and
processes.
Many security experts believe that U.S. cybersecurity is not well-organized. Cybercom
was activated in May 2010 in the hope of resolving the organizations tangle of agencies
8-16 Describe three spoofing tactics employed in identity theft using information
systems.
Visit MyMISLab for suggested answers.
8-17 Describe four reasons why mobile devices used in business are difficult to
secure.
Visit MyMISLab for suggested answers.