MD 240 Managing Information Resources and Security - PowerPoint PPT Presentation

Slides: 45
Transcript and Presenter's Notes
1
MD 240 Managing Information Resources and Security
2
Agenda
  • IRM, ISD, and End Users
  • How the ISD Can Fail
  • Designing the ISD So It Shouldn't Fail
  • Managing the Eventual ISD Failures
  • Job Information

3
Information Resources Management (IRM)
  • Information Resources Management (IRM)
    encompasses all activities related to the
    planning, organizing, operating, maintaining,
    securing, and controlling of IT resources

4
Information Resources Management (IRM): Example
Operational Tasks
  • Microsoft's Operations Framework includes:
  • Availability management operations
  • Capacity management operations
  • Change management operations
  • Configuration management operations
  • Directory Services management operations
  • Financial management operations
  • Incident management operations
  • Job Scheduling operations
  • Network Administration operations
  • Problem management
  • Print and Output management operations
  • Release management operations
  • Service Continuity management operations
  • Service Level management operations
  • Service Desk operations
  • Storage management operations
  • System Administration operations
  • Workforce management operations

Source: Microsoft Operations Framework,
www.microsoft.com/mof/
5
Information Systems Department (ISD)
  • Information Systems Department
  • The functional area within an organization
    charged with managing all of the organizations
    information systems and IT assets (technology,
    personnel, and IT relationships).
  • A service organization that uses those systems
    and assets to deliver services necessary for end
    users and other functional areas to accomplish
    their jobs

6
Information Systems Department (ISD)
  • End Users
  • Customers of the ISD
  • Historically in conflict with the ISD objectives
  • ISD managers think objectives should be met in
    one way
  • End Users each have their own ideas about how
    their computing needs should be met
  • The gap between end-user expectations and the
    ISD services actually delivered = DISSATISFACTION

7
Information Systems Department (ISD): ISD vs. End
Users
  • Example: BC IT vs. BC professors
  • BC IT sent an email to all professors who have
    servers in their offices that provide web pages
    to individuals outside of the BC network
  • "Prove to us that your web server is secure by
    Oct. 10; otherwise we will eliminate your
    server's access to the WWW."
  • Make sure you back up your hard drive frequently
  • After Oct. 10, we will be scanning your server,
    trying to break in to it through security holes.
  • If we find a security hole during our scan, it
    may have the unintended consequence of crashing
    your computer, meaning that you may have to
    reformat your hard drive, and reinstall all of
    your applications on your server.

8
Information Systems Department (ISD): Typical End
User Service Strategies
  • Typical ISD Approaches for Making Computing
    Resources Available for End-Users
  • Let Them Sink or Swim - Don't do anything. It is
    up to the end users to figure it out themselves.
  • Use the Stick - Establish policies and procedures
    to control end-user computing (e.g., to limit
    risks).
  • Use Carrots - Create incentives for end users to
    behave in certain ways.
  • Offer Support - Develop services to aid end users
    in their computing activities.

9
Information Systems Department (ISD): Typical End
User Service Strategies
  • Example: BC IT
  • Let Them Sink or Swim
  • "We control the UNIX computers. If you need a UNIX
    computer, you must use ours. However, we won't
    give you any documentation about how to use them."
  • Use the Stick
  • BC IT will only allow you to buy one of four
    "acceptable" computer configurations, and you
    can't buy a UNIX box
  • Use Carrots
  • "If you complain any more, we won't talk to you,
    we won't provide any support, and we'll put you
    on a committee that eats up all of your time"
  • Offer Support
  • ???

10
What Happens in Modern Organizations When ISD
Operations Fail?
11
Failure of ISD Operations: Implications
  • Production Operations Fail
  • MRP (inventories)
  • ERP (supply chain)
  • Marketing Operations Fail
  • sales force
  • call center operations
  • customer service
  • Financial Operations Fail
  • Forecasting
  • spreadsheet models that query databases
  • Accounting Operations Fail
  • payments
  • performance evaluation

12
Designing Reliable ISD Operations
13
Desirable Characteristics in Modern ISDs
  • Strategic leadership: align IT strategy with
    business strategy
  • Support of other functional areas
  • Integration with functional areas
  • Quickly develop and implement new systems
  • Redundancy in ISD operations
  • Reliability of IT systems
  • Manage vendor relationships well
  • Customer service/support
  • Internal
  • External
  • Able to re-skill the organization

14
Problems in Transforming ISDs: Historical Issues
Still Around
  • Strategic leadership
  • Previously a cost center; the ISD had little
    strategic importance
  • Support of other functional areas
  • ISD used to mainly respond to other areas, now it
    needs to lead
  • Integration with functional areas
  • Outsourcing of whole ISD
  • Reliability/Redundancy in ISD operations
  • ISD as cost center
  • Customer service/support
  • History of ISD/end user squabbles

15
Modern ISD Performance Tradeoffs
  • Conflicting Goals Forcing Tradeoffs
  • Achieve ISD resource efficiency
  • Provide high quality of end-user services
  • Architecture Characteristics Exhibit Tradeoffs
  • Centralized Systems/ISD
  • increased productivity/system-wide efficiency
  • ease of control
  • ease of planning
  • consolidation of resources
  • slow response
  • strategic systems, homogeneous functions
  • Decentralized Systems/ISD
  • control costs locally
  • more difficult to control users at the point of
    end-use
  • rapid response, flexibility of response at the
    point of the end user's need
  • needs are unique, heterogeneous, for
    decentralized operations

16
How Organizations Are Responding: New Mechanisms in
the Management Hierarchy
  • Strategic importance
  • The Chief Information Officer (CIO)
  • Support of functional areas
  • IT Steering Committee
  • Service level agreements (SLAs)
  • Integration into other functions
  • Network structure of ISD
  • Customer service/support/responsiveness
  • User-friendly organizational structure of the IS
    department
  • Information Centers
  • Better end-user relationships
  • Conflict Resolution Teams
  • End User committees

17
How Organizations Are Responding: IT Steering
Committee
  • IT Steering Committee
  • Direction setting: linking corporate strategy to
    IT strategy
  • Rationing: approving allocation of resources
  • Structuring: positioning the ISD's role in the
    organization
  • Staffing: selection of the CIO and major IT
    outsourcing decisions
  • Communication: information about IT activities
    sent out to end users
  • Evaluating: establishes performance measures for
    the ISD, ensures that performance measures are met

18
How Organizations Are Responding: Service Level
Agreements (SLA)
  • Service Level Agreements (SLAs)
  • Formal agreements regarding the division of
    computing responsibilities among the end users
    and the ISD
  • Formal agreements between an outsourcing vendor
    (e.g., an ASP) and a client organization about
    required IS performance levels
  • Steps involved
  • End user managers and ISD managers define
    acceptable service levels
  • Computing responsibilities are divided at each
    level
  • Details of the service levels to be provided by
    the ISD are specified
  • Example: 99% uptime, one-hour response time if a
    server fails
  • Service levels are implemented and monitored
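The last step, "service levels are implemented and monitored", is the one that usually gets skipped. Below is an added example (not part of the slides) of how the two SLA terms quoted above, 99% monthly uptime and a one-hour response time after a server failure, can be checked mechanically against incident records. The incident timestamps and the March 2024 period are constructed for the illustration; in practice the records come from the service desk's ticket system.

```python
"""SLA monitoring over a constructed outage log.

Added example, not part of the slides. Assumes the two SLA terms the slide
quotes: 99% monthly uptime and a one-hour response time when a server fails.
"""
from datetime import datetime, timedelta

SLA_AVAILABILITY = 0.99             # fraction of the period the service must be up
SLA_RESPONSE = timedelta(hours=1)   # ISD must respond within an hour of a failure

# Constructed incident records: (failure detected, ISD responded, service restored).
INCIDENTS = [
    ("2024-03-04 02:10", "2024-03-04 02:35", "2024-03-04 04:50"),
    ("2024-03-19 14:00", "2024-03-19 15:20", "2024-03-19 15:45"),
]


def _parse(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M")


def downtime_budget(period_start, period_end, target=SLA_AVAILABILITY):
    """Downtime the SLA allows in the period (1% of a 31-day month is about 7.4 hours)."""
    return (period_end - period_start) * (1 - target)


def evaluate_sla(incidents, period_start, period_end):
    """Return (availability achieved, total downtime, list of SLA breaches)."""
    breaches = []
    downtime = timedelta()
    for detected, responded, restored in incidents:
        t_det, t_resp, t_rest = (_parse(s) for s in (detected, responded, restored))
        if not t_det <= t_resp <= t_rest:
            raise ValueError(f"inconsistent timestamps for failure at {detected}")
        downtime += t_rest - t_det              # outage counts from detection to restore
        response = t_resp - t_det
        if response > SLA_RESPONSE:
            breaches.append(f"response time {response} exceeds 1h for failure at {detected}")
    availability = 1 - downtime / (period_end - period_start)
    if availability < SLA_AVAILABILITY:
        breaches.append(f"availability {availability:.3%} below {SLA_AVAILABILITY:.0%}")
    return availability, downtime, breaches


def march_2024_report(incidents=INCIDENTS):
    """Evaluate the constructed incidents against a calendar month (March 2024)."""
    start, end = datetime(2024, 3, 1), datetime(2024, 4, 1)
    return evaluate_sla(incidents, start, end)


if __name__ == "__main__":
    start, end = datetime(2024, 3, 1), datetime(2024, 4, 1)
    avail, down, problems = march_2024_report()
    print(f"availability {avail:.3%}, downtime {down}, budget {downtime_budget(start, end)}")
    for p in problems:
        print("BREACH:", p)
```

With the constructed data the availability target is met (265 minutes of downtime against a budget of roughly 7.4 hours), but the second incident's 80-minute response time breaches the one-hour term, which is exactly the kind of fact an end-user manager needs in writing rather than in a squabble.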

19
Managing for Failure of ISD Operations
20
How Might ISD Operations Fail?
  • Information systems breakdowns
  • Software (e.g., poor design/programming)
  • Hardware (e.g., insufficient capacity)
  • Acts of God
  • Systems vulnerability
  • Unintentional threats
  • Intentional threats
  • Computer crimes
  • Many types of crimes and criminals
  • Many methods of attack (data tampering,
    programming fraud, identifying bugs that can
    crash a server)

21
How Might ISD Operations Fail?
22
Causes of ISD Operations Failures
  • Problems Both Social and Technological
  • Most breakdowns are human-related
  • Example: Recent e-mail attachment viruses take
    advantage of human (particularly male
    techno-geek) tendencies and stupidity
  • "Naked image" of a female tennis player as an
    attachment: Kournikova.vbs.exe (the Anna
    Kournikova worm, a script given a misleading
    double extension so recipients would open it)
  • Example: Virus writers will also take advantage
    of other vulnerable human qualities
  • Friendly greetings supposedly from friends
  • Contemporary (tragic) news issues of the day

23
Defense Strategies for ISD
  • Defense Strategies
  • Prevention and Deterrence strategies
  • Detection and Limitation strategies
  • Response, Recovery, and Correction strategies

24
Defense Controls for ISD
  • Information Systems Defense Controls
  • General Controls
  • Physical Controls
  • Access Controls
  • Data Security Controls
  • Communications (Networks) Controls
  • Administrative Controls
  • Application Controls
  • Input Controls
  • Processing Controls
  • Output Controls

25
Prevention and Deterrence Strategies
26
Prevention and Deterrence Strategies: Designing
Information Systems
  • During SDLC process
  • Assessment of relative risks
  • Design fail-safe architecture
  • Systems backup/redundancy
  • Physical end-user computer centers
  • Hosting of critical systems in concrete bunkers,
    separate flood-plains, separate nations, separate
    WWW infrastructure segments, etc.
  • Storage backups
  • RAID
  • Offsite backup
  • User interfaces (on web sites)
  • False front doors (only people who need to know,
    know they are there)
  • Redundant methods of user authentication (IP,
    username/password, etc.)

27
Prevention and Deterrence Strategies: Validating
Information Systems
  • Software Quality Assurance (QA)
  • Tests quality of information system before
    deploying software to human end users
  • by running real-world information system through
    simulated (virtual) end-user demand loads
  • Tests for
  • system capacity/ability to handle various
    end-user loads
  • end user response times
  • database hot spots caused by system
  • Automated Testing Tools (jobs here:
    $70,000/year)
  • Mercury Interactive
  • Rational
  • Segue

28
Prevention and Deterrence Strategies: Auditing
Information Systems
  • Several types of auditors and audit
  • Internal Auditor (professionals)
  • External Auditor (professionals, often from
    Accounting firms)
  • Hackers for hire (e.g., the Senate passed a law
    to have the GSA hire people to hack into federal
    agency web sites)
  • What needs to be audited?
  • Physical security (building)
  • Control
  • System security
  • Computer security policy
  • Standards and procedures
  • Assignment of responsibility
  • Personnel security program
  • Exhaustive asset-threat inventory
  • User awareness

29
Detection and Limitation Strategies
30
Detection and Limitation Strategies:
Physical/Access Controls
  • Secure computer building/room
  • Something only the user knows
  • Password
  • Something only the user has
  • Smart card or token
  • Something only the user is
  • Signature, voice, fingerprint, retinal scan
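The three factors on this slide, together with the "redundant methods of user authentication (IP, username/password, etc.)" from slide 26 and the immediate revocation of privileges from slide 33, combine naturally into one login check. The following is an added example, not code from the slides: the token is assumed to be an HOTP device (RFC 4226, an HMAC-SHA1 over an event counter) as one concrete kind of "something only the user has", the password is stored as a salted PBKDF2 hash, and the source-network allowlist is the IP factor. The user record layout, network ranges and secrets are constructed for the example.

```python
"""Layered authentication: account status, source network, password, hardware token.

Added example, not from the slides. Assumes an HOTP token (RFC 4226) for the
"something the user has" factor; record layout and networks are constructed.
"""
import hashlib
import hmac
import ipaddress
import os
import struct

PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt, iterations=PBKDF2_ITERATIONS):
    """Salted, iterated hash so a stolen credential file cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 of the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3]) % (10 ** digits)
    return f"{code:0{digits}d}"


def make_user(password, token_secret, allowed_nets):
    """Enrol a user: store salt + hash (never the password) and the token's shared secret."""
    salt = os.urandom(16)
    return {
        "active": True,                      # set False on dismissal/transfer (slide 33)
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "token_secret": token_secret,
        "token_counter": 0,                  # next counter value the server will accept
        "allowed_nets": [ipaddress.ip_network(n) for n in allowed_nets],
    }


def authenticate(user, password, otp, client_ip, look_ahead=3):
    """Every factor must pass. The reason is for the server log; clients get a generic failure."""
    if not user["active"]:
        return False, "account disabled"
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in user["allowed_nets"]):
        return False, "source address not allowed"
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return False, "bad password"
    # Accept the next few counter values (the user may have pressed the token button
    # without logging in), then move the counter past the accepted code so it cannot
    # be replayed by someone who shoulder-surfed or sniffed it.
    start = user["token_counter"]
    for counter in range(start, start + look_ahead):
        if hmac.compare_digest(hotp(user["token_secret"], counter), otp):
            user["token_counter"] = counter + 1
            return True, "ok"
    return False, "bad or replayed token code"


if __name__ == "__main__":
    # RFC 4226 test-vector secret; a real token gets a random per-device secret.
    u = make_user("correct horse battery", b"12345678901234567890", ["10.0.0.0/8"])
    code = hotp(u["token_secret"], 0)
    print(authenticate(u, "correct horse battery", code, "10.1.2.3"))   # (True, 'ok')
    print(authenticate(u, "correct horse battery", code, "10.1.2.3"))   # replay: rejected
```

The order of the checks matters less than the fact that all of them apply and that a used token code is never accepted twice; the counter bump is what turns a token from a static secret into "something only the user has".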

31
Detection and Limitation Strategies: Biometric
Controls
  • Photo of face
  • Fingerprints
  • Hand geometry
  • Blood vessel pattern in the retina
  • Voice patterns
  • Signature
  • Keystroke dynamics
  • Facial thermography (heat patterns)

32
Detection and Limitation Strategies: Data
Security Issues
  • Confidentiality of data
  • Becoming national law in many countries
    (particularly in the EU)
  • Control access to data
  • Maintain integrity of data
  • Security principles
  • Minimal privilege
  • Minimal exposure

33
Detection and Limitation Strategies:
Administrative Controls
  • Appropriate selection, training and supervision
    of employees
  • Fostering company loyalty
  • Immediate revocation of privileges of dismissed,
    resigned, or transferred employees
  • Required periodic modification of access controls

34
Detection and Limitation Strategies:
Administrative Controls
  • Development and use of programming and
    documentation standards
  • Security bonds for key employees
  • Separation of duties
  • Periodic random audits of the system

35
Detection and Limitation Strategies: Application
Controls
  • Input controls
  • Completeness of input, in proper format, within
    specified range, consistent with other data
  • Process controls
  • Determine that programs have been properly
    executed
  • Output controls
  • Assure that results of computer programs are
    accurate, valid, complete, and consistent
  • Assure output only goes to those who should get it
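Input and process controls are concrete enough to show in code. The block below is an added example, not from the slides: it validates a constructed batch of order records for completeness, format, range and cross-field consistency (the input controls), then recomputes the sender's record count and amount total (a classic process control that detects records lost or altered in transfer). The record layout, ID formats, limits and the batch contents are all assumptions made for the illustration.

```python
"""Application controls over a constructed batch of order records.

Added example, not from the slides. Record layout, ID formats and limits are
assumptions; the control-total technique (sender reports a record count and an
amount total that the receiver recomputes) is the classic processing control.
"""
import re
from datetime import date

REQUIRED = ("order_id", "customer_id", "qty", "unit_price", "amount",
            "order_date", "ship_date")
ORDER_ID = re.compile(r"^ORD-\d{5}$")
CUSTOMER_ID = re.compile(r"^C-\d{5}$")
MAX_QTY = 10_000

# Constructed batch as it might arrive from a sales-force system. The sender claims
# four records totalling 1760.00, but one record was lost in transfer.
BATCH = {
    "batch_id": "B-2024-0311",
    "record_count": 4,
    "amount_total": 1760.00,
    "records": [
        {"order_id": "ORD-10001", "customer_id": "C-00042", "qty": 10, "unit_price": 20.00,
         "amount": 200.00, "order_date": "2024-03-11", "ship_date": "2024-03-12"},
        {"order_id": "ORD-10002", "customer_id": "C-00043", "qty": 5, "unit_price": 250.00,
         "amount": 1250.00, "order_date": "2024-03-11", "ship_date": "2024-03-10"},
        {"order_id": "ORD-1000X", "customer_id": "", "qty": -1, "unit_price": 10.00,
         "amount": 10.00, "order_date": "2024-03-11", "ship_date": "2024-03-13"},
    ],
}


def validate_record(rec):
    """Input controls: completeness, format, range, consistency with other fields."""
    errors = []
    missing = [f for f in REQUIRED if rec.get(f) in (None, "")]
    if missing:
        errors.append(f"incomplete: missing {missing}")
    if not ORDER_ID.match(str(rec.get("order_id", ""))):
        errors.append("format: order_id must look like ORD-12345")
    if rec.get("customer_id") and not CUSTOMER_ID.match(rec["customer_id"]):
        errors.append("format: customer_id must look like C-12345")
    qty, price, amount = rec.get("qty"), rec.get("unit_price"), rec.get("amount")
    if not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
        errors.append(f"range: qty must be 1..{MAX_QTY}")
    if not isinstance(price, (int, float)) or price <= 0:
        errors.append("range: unit_price must be positive")
    if (isinstance(qty, int) and isinstance(price, (int, float))
            and isinstance(amount, (int, float)) and abs(qty * price - amount) > 0.005):
        errors.append("consistency: amount != qty * unit_price")
    try:
        if date.fromisoformat(rec["ship_date"]) < date.fromisoformat(rec["order_date"]):
            errors.append("consistency: ship_date before order_date")
    except (KeyError, TypeError, ValueError):
        errors.append("format: dates must be YYYY-MM-DD")
    return errors


def check_control_totals(batch):
    """Process controls: recompute what the sender reported and compare."""
    errors = []
    records = batch["records"]
    if len(records) != batch["record_count"]:
        errors.append(f"record count {len(records)} != reported {batch['record_count']}")
    total = round(sum(r.get("amount") or 0 for r in records), 2)
    if abs(total - batch["amount_total"]) > 0.005:
        errors.append(f"amount total {total} != reported {batch['amount_total']}")
    return errors


def process_batch(batch):
    """Return (accepted records, {order_id: errors} for rejected ones, batch-level errors)."""
    accepted, rejected = [], {}
    for rec in batch["records"]:
        errs = validate_record(rec)
        if errs:
            rejected[rec.get("order_id", "?")] = errs
        else:
            accepted.append(rec)
    return accepted, rejected, check_control_totals(batch)


if __name__ == "__main__":
    ok, bad, batch_errs = process_batch(BATCH)
    print("accepted:", [r["order_id"] for r in ok])
    print("rejected:", bad)
    print("batch errors:", batch_errs)
```

A record that fails any input control is rejected individually, but a control-total mismatch means the whole batch is suspect: even the records that look valid may be incomplete as a set, so the batch goes back to the sender rather than being partially posted.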

36
Detection and Limitation Strategies: Network
Protection and Firewalls
  • Security measures
  • Access control
  • Encryption
  • Cable testers
  • Firewalls
  • Permits authorized traffic into your network
  • Blocks unauthorized traffic from entering your
    network
  • Essentially software, but now often built into
    hardware (e.g. in routers)
  • Why firewalls?
  • Lots of people (crackers) running port scanners,
    trying to find a port on your computer that is
    open to them
  • Even important for home networks, connected via
    Cable Modem or DSL

37
Response, Recovery and Correction Strategies
38
Response, Recovery and Correction: Disaster
Recovery Planning (Knoll 1986)
  • Purpose of a recovery plan is to keep business
    running after a disaster
  • Asset protection: identify and protect
  • Planning should focus first on recovery
  • Plan must address the identification and recovery
    of all critical applications
  • What-if analysis to demonstrate the recovery plan
    is current

39
Response, Recovery and Correction: Disaster
Recovery Planning (Knoll 1986)
  • Plan must be in a written form to be effective
  • Plan must be available to and usable by employees
  • Plan should be kept safe and audited periodically

40
Response, Recovery and Correction: Various Methods
  • Risk Management
  • Determine (calculate) the likelihood of various
    failures
  • Disaster Avoidance
  • Preventive measures for some or all of the risks
  • Backup Arrangements
  • Split up the data center into several redundant
    data centers spread across the USA
  • Cold-site vendors: empty office space
  • Hot-site vendors: fully configured backup data
    center
  • Business Continuity Plan
  • Outlines the process by which businesses should
    recover from a major disaster

41
Jobs in Security/Risk Management
42
Jobs
  • Information Security Manager/Security Consulting
  • Average starting salary: $76,000-$96,000
  • Skills requirements: ability to work with a
    number of operating systems, familiarity with
    security policy and procedure development,
    networking technology, experience with wireless
    access
  • Certification: security certifications helpful
  • Who's hiring: financial services, health care,
    government
  • (Chen, A., "Wanted: Security Managers," eWeek,
    Dec. 31, 2001, p. 32)

43
For More Information
44
For More Info on IT Security
  • Security
  • Computer Emergency Response Team (CERT) -
    (www.cert.org)
  • SANS Institute (www.sans.org)
  • ICSA.net - (www.icsa.net)
  • CSRC - (csrc.nist.gov)
  • ISS.net
  • TIS.com
  • Computer Security Institute - (www.gocsi.com)
  • L0pht Heavy Industries Security Advisories -
    (www.l0pht.com/advisories)
  • PGP (www.pgp.com)
  • NCSA.com
  • RSA.com
  • Link page to most security sites -
    (www.gocsi.com/links.htm)
  • Virus/Antivirus
  • Antivirus.com, Symantec.com, McAfee.com