8-15
ChoicePoint to implement new procedures to ensure that it provides
consumer reports only to legitimate businesses for lawful purposes, to
establish and maintain a comprehensive information security program, and
Legal and Regulatory Requirements for Electronic Records Management
Because so much of our personal and financial information is now maintained
electronically, the U.S. government is beginning to pass laws mandating how the data
will be protected from unauthorized or illegal misuse. Congress has passed several
measures outlining the requirements for electronic records management:
HIPAA: Protects medical and health care data.
Electronic Evidence and Computer Forensics
Several things are happening in the corporate world that are changing the requirements
for how companies handle their electronic documents: 1) Companies are communicating
more and more with email and other forms of electronic transmissions, and 2) Courts are
Computer forensics is a growing field because of the increasing digitization of
documents and communications. Many people believe that just because they delete a file
Bottom Line: Regardless of where or how electronic transmissions were generated
or received, businesses are now responsible for making sure they are monitored,
stored, and available for scrutiny. These new requirements significantly change the
way businesses view their information resources.
8.3 Establishing a Framework for Security and Control
How do you help prevent some of the problems we've discussed? One of the best ways is
Information Systems Controls
Think about what a typical company does when it builds a new office building. From the
beginning of the design phase until the building is occupied, the company decides how
the physical security of the building and its occupants will be handled. It builds locks into
The two types of information system controls are:
General controls: Software, physical hardware, computer operations, data
security, implementation process, and administrative. Table 8-4 describes each of
Risk Assessment
Companies and government systems constantly use risk assessment to determine weak
Security Policy
Companies spend a lot of money on physical security such as locks on doors or fences
around supply depots. They need to do the same thing for their information systems.
Identity management is one of the most important principles of a strong, viable security
policy. It includes:
Business processes and software tools for identifying valid system users.
Figure 8-3 shows how an identity management system would limit access for two
different users.
Figure 8-3: Access Rules for a Personnel System
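To make the idea behind Figure 8-3 concrete, here is an added example (not from the text or its figure) of field-level access rules for a personnel system, evaluated for two constructed users: a personnel clerk and a divisional personnel manager. The roles, field names, records and the default-deny rule ordering are assumptions made for this illustration.

```python
# Constructed field-level access rules for a personnel system, showing how an
# identity management system limits what two different users may do.
# Profiles, field names and employee records are assumptions for this example.
from dataclasses import dataclass

ALL = "*"   # wildcard key meaning "every field not named explicitly"

@dataclass(frozen=True)
class Profile:
    role: str
    division: str        # the user may only touch records from this division
    permissions: dict    # field name -> set of allowed actions; missing = denied

PROFILES = {
    # Clerk: read most fields, never see medical history, salary read-only.
    "clerk": Profile("Personnel clerk", "Division 1",
                     {ALL: {"read"}, "medical_history": set(), "salary": {"read"}}),
    # Manager: read and update every field, but still only within Division 1.
    "manager": Profile("Divisional personnel manager", "Division 1",
                       {ALL: {"read", "update"}}),
}

EMPLOYEES = {  # constructed sample records
    "E100": {"division": "Division 1", "title": "Analyst",
             "salary": 52000, "medical_history": "(redacted)"},
    "E200": {"division": "Division 2", "title": "Engineer",
             "salary": 61000, "medical_history": "(redacted)"},
}

def is_allowed(profile: Profile, employee: dict, fieldname: str, action: str) -> bool:
    """Default-deny check: division must match, then the most specific rule wins."""
    if employee["division"] != profile.division:
        return False
    # An explicit per-field rule overrides the wildcard, even an empty one.
    allowed = profile.permissions.get(fieldname, profile.permissions.get(ALL, set()))
    return action in allowed

def decisions(user: str, emp_id: str) -> dict:
    """Summarise which actions a user may take on each field of one record."""
    profile, employee = PROFILES[user], EMPLOYEES[emp_id]
    return {f: sorted(a for a in ("read", "update")
                      if is_allowed(profile, employee, f, a))
            for f in ("title", "salary", "medical_history")}

if __name__ == "__main__":
    for user in PROFILES:
        print(user, decisions(user, "E100"), decisions(user, "E200"))
```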
Disaster Recovery Planning and Business Continuity Planning
Floods, fires, hurricanes, even tsunamis, happen without a moment's notice. Perhaps the
most important element of a successful system is a disaster recovery plan. Some firms,
The Role of Auditing
Companies audit their financial data using outside firms to make sure there aren't any
discrepancies in their accounting processes. Perhaps they audit their supply systems on a
periodic basis to make sure everything is on the up-and-up. They should also audit their
Bottom Line: General and application controls help protect information systems.
Risk assessments help determine which assets require protection and how much
protection they need. Business continuity and disaster recovery planning are more
important than ever for businesses.
8.4 Technologies and Tools for Protecting Information Resources
Let's look at some of the ways a firm can help protect itself.
Identity Management and Authentication
Continuous headlines telling of hackers' exploits in the past year should be enough to
convince every company of the need to install firewalls, identity management systems,
In corporate systems, it's important to ensure authentication methods are in place so that
unauthorized users can't gain access to the system and its data. Access can be granted in
one of three ways: something you know (passwords); something you have (tokens or
smart cards); something you are (biometric authentication).
Firewalls, Intrusion Detection Systems, and Antivirus Software
The four types of firewalls described in the text are:
Packet filtering: Data packet header information is examined in isolation.
Intrusion Detection Systems
Firewalls can deter, but not completely prevent, network penetration from outsiders and
Antivirus and Antispyware Software
Whether you use a stand-alone PC or your computer is attached to a network, you're just
asking for trouble if you don't have antivirus software. This type of software checks
Unified Threat Management Systems
It’s a daunting task to individually manage all the security tools available to business.
Securing Wireless Networks
It's important for wi-fi users to protect their data and electronic transmissions as wireless
networks and their access points proliferate around the country. Security is easily
penetrated because of the very nature of the spectrum transmission used in wi-fi. Unless
users take stringent precautions to protect their computers, it's relatively easy for hackers
“Before he ran for president Barack Obama quit smoking. Now that he’s
won the job, he may have to break another addiction: Checking his
BlackBerry for email.
The president’s email can be subpoenaed by Congress and courts and may
be subject to public records laws, so if a president doesn’t want his email
public, he shouldn’t email, experts said. And there may be security issues
about carrying around trackable cell phones.
Encryption and Public Key Infrastructure
Most people are reluctant to buy and sell on the Internet because they're afraid of theft,
fraud, and interception of transactions. To help ease the mind and make transactions
secure, many companies are using very sophisticated methods of protecting data as they
travel across the various transmission mediums through the use of encryption.
Figure 8-6: Public Key Encryption
This figure shows you how public key encryption works using two keys: one public and
one private. The keys are created through complicated mathematical formulas. The
longer the key, the harder it is to decipher. That's the whole point of encryption.
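As an added illustration of the two-key idea in Figure 8-6 (not code from the text), here is textbook RSA with deliberately tiny primes so every step is visible: the public key encrypts, and only the matching private key recovers the plaintext. The primes, the message and the second "wrong" key pair are constructed for this example; real systems rely on vetted libraries and keys of at least 2048 bits.

```python
# Toy-sized textbook RSA illustrating public key encryption:
# one public key (e, n) that anyone may use to encrypt, and one private key
# (d, n) that alone decrypts. Constructed teaching example; the primes are tiny
# so the arithmetic is visible, not a configuration anyone should deploy.
from math import gcd

def make_keypair(p: int, q: int, e: int = 17):
    """Return ((e, n), (d, n)) for primes p and q (constructed inputs)."""
    n = p * q
    phi = (p - 1) * (q - 1)          # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)              # private exponent: e*d == 1 (mod phi)
    return (e, n), (d, n)

def encrypt(message: bytes, public_key) -> list:
    """Encrypt byte by byte with the PUBLIC key (each byte is < n)."""
    e, n = public_key
    return [pow(b, e, n) for b in message]

def decrypt(ciphertext: list, private_key) -> list:
    """Apply the PRIVATE key; returns the recovered integers."""
    d, n = private_key
    return [pow(c, d, n) for c in ciphertext]

def demo() -> dict:
    public, private = make_keypair(61, 53)        # n = 3233: far too small for real use
    plaintext = b"wire 500"                       # constructed sample message
    ciphertext = encrypt(plaintext, public)
    # A second, unrelated key pair stands in for someone without the right private key.
    _, wrong_private = make_keypair(67, 71)
    return {
        "ciphertext": ciphertext,
        "recovered": bytes(decrypt(ciphertext, private)),
        "wrong_key_recovers": decrypt(ciphertext, wrong_private) == list(plaintext),
    }

if __name__ == "__main__":
    print(demo())
```

Only the holder of the private key gets the message back; the longer the key (the larger n), the harder it is to derive d from the public key.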
Figure 8-7 Digital Certificates
Public key infrastructure (PKI) is another method for providing secure authentication
of online identity and makes users more comfortable transacting business over networks.
Ensuring System Availability
Many companies create fault-tolerant computer systems that are used as back-ups to
help keep operations running if the main system should go out. These back-up systems
add to the overall cost of the system, but think about the losses if the system experiences
Make sure you understand the difference between fault-tolerant computer systems and
high-availability computing:
Fault-tolerant computer systems promise continuous availability and eliminate
recovery time altogether.
High-availability computer systems help firms recover quickly from a crash.
High-availability computer systems use the following tools to ensure digital firms have
continuous computing capacity available:
Load balancing
Controlling Network Traffic: Deep Packet Inspection
Network data traffic takes many different forms, from simple text file transfers to
massive audio or video file transmission. Obviously, the small text files take up less
bandwidth and can be transmitted faster than the larger files. Deep packet inspection
technologies help identify which types of files are being transferred and delay those that
hog the network. It makes sense to a point except when the technology is misused or
abused.
promised upgrades in speed. Those are some of the results of research we
conducted on the Internet market.
Security Outsourcing
If your company lacks the internal resources to adequately plan for disaster, you can use
Security Issues for Cloud Computing and the Mobile Digital Platform
The concept of cloud computing sounds like nirvana to many companies. Someone else
Security in the Cloud
Regardless of where your company stores its data or performs data processing, or how it
transmits data to and from those locations, your company is ultimately the only one
responsible for security.
Even if a cloud provider has every security certification in the book, that's
Securing Mobile Platforms
Hackers don’t discriminate when it comes to targeting computing devices. They will go
after your unprotected smartphone just as gladly as they will your desktop or laptop
computer. Don’t leave yourself an easy target.
As Internet telephony and mobile computing handle more and more data,
they will become more frequent targets of cyber crime. From the outset,
Patrick Traynor, an assistant professor in the School of Computer Science
at Georgia Tech and a member of GTISC, discussed the concept of the
“digital wallet,” in which smartphones store personal identity, payment
card information and more. Already in Japan, people use their cell phones
at vending machines and subway token dispensers.
As it turns out, President Obama was allowed to keep his Blackberry, much to the
chagrin of the Secret Service.
When the mainstream media first announced Barack Obama's “victory”
in keeping his BlackBerry, the focus was on the security of the device, and
keeping the U.S. president's email communications private from spies and
hackers.
Interactive Session: Technology: MWEB Business: Hacked (see page 354 of the text)
describes the action that MWEB, South Africa’s leading ISP, took following a security
breach that left the personal data of thousands of customers vulnerable.
Ensuring Software Quality
There are two methods to help improve software programs and ensure better quality of
them. The first one, software metrics, allows IS departments and users to measure a
Bottom Line: Some of the technologies and tools businesses use for security and
control include access control, firewalls, intrusion detection systems, antivirus
software, and encryption. The tools available for ensuring business continuity
include fault-tolerant systems and high-availability computing. Security is
everyone's concern throughout the organization.
Discussion Questions:
1. Discuss why wireless networks are more susceptible to security problems and how
businesses can protect them.
2. Discuss the security issues associated with cloud computing and what cloud users
should do about them.
Answers to Discussion Questions:
1. Wireless networks are more susceptible to security problems because they are built on
the 802.11 standard of transmission that allows computing devices to easily connect
with each other and transfer data. The service set identifiers (SSID) identifying the
2. Cloud users are still responsible for their data, how it’s processed and stored, and how
it’s transmitted. Most cloud providers will not assume security risks for user data.
3. Employees pose serious threats to a security system because of lack of awareness
about security vulnerabilities. Employees fail to adequately safeguard their passwords
4. Three major laws recently passed by the U.S. government to help make data and
5. Security policies should cover acceptable use, user authorization, and identity
management systems. The policy should include statements ranking information