
Chapter 15

Managing Information
Resources and Security

Information Technology For Management 4th Edition


Turban, McLean, Wetherbe
Lecture Slides by A. Lekacos,
Stony Brook University
John Wiley & Sons, Inc.
Chapter 15 1
Chapter Objectives
Recognize the difficulties in managing information resources.
Understand the role of the IS department and its relationships with end users.
Discuss the role of the chief information officer.
Recognize information systems vulnerability, attack methods, and the possible damage from malfunctions.
Describe the major methods of defending information systems.
Describe the security issues of the Web and electronic commerce.
Describe business continuity and disaster recovery planning.
Understand the economics of security and risk management.

The IS Department
IT resources are very diversified; they include personnel assets,
technology assets, and IT relationship assets. The management
of information resources is divided between the information
services department (ISD) and the end users. The division of
responsibility depends on many factors.

The reporting relationship of the ISD is important in that it reflects the focus of the department. If the ISD reports to the accounting or finance areas, there is often a tendency to emphasize accounting or finance applications at the expense of those in the marketing, production, and logistics areas.
The name of the ISD is also important:
Data Processing (DP) Department
Management Information Systems (MIS) Department
Information Systems Department (ISD)
Another important characteristic is the status of the ISD

The End-User Relationship
Since the ISD is a service organization that manages the IT infrastructure needed to carry on end-user IT applications, it is extremely important to have a good relationship with the end users. The development of end-user computing and outsourcing was motivated in part by the poor service that end users felt they received. However, this is not an easy task, since the ISD is basically a technical organization that may not understand the business and the users, while the users may not understand information technologies.

To improve collaboration, the ISD and end users may employ three common arrangements:
the steering committee
service-level agreements
the information center

ISD's Mission

To carry out its mission in the digital economy, the ISD needs to adapt.

The CIO (Chief Information Officer)
Managing the ISD is similar to managing any other organizational unit. The unique aspect of the ISD is that it operates as a service department in a rapidly changing environment, thus making the department's projections and planning difficult.
The changing role of the ISD highlights the fact that the CIO is becoming an important member of the firm's top management team.
Realization of the need for IT-related disaster planning and the importance of IT to the firm's activities.
Aligning IT with the business strategy
Implementing state-of-the-art solutions
Providing information access
Being a business visionary who drives business strategy
Coordinating resources

IS Vulnerability
Information resources (physical resources, data, software, procedures, and other information resources) are scattered throughout the firm. Information is transmitted to and from the firm's components. Therefore, vulnerabilities exist at many points and at any time.

System Vulnerability
A universal vulnerability is a state in a computing system
which either: allows an attacker to execute commands as
another user; allows an attacker to access data that is
contrary to the access restrictions for that data; allows an
attacker to pose as another entity; or allows an attacker to
conduct a denial of service.
An exposure is a state in a computing system (or set of
systems) which is not a universal vulnerability, but either:
allows an attacker to conduct information gathering
activities; allows an attacker to hide activities; includes a
capability that behaves as expected, but can be easily
compromised; is a primary point of entry that an attacker
may attempt to use to gain access to the system or data;
and is considered a problem according to some reasonable
security policy.

System Vulnerability Continued
The vulnerability of information systems is increasing as we move
to a world of networked and especially wireless computing.
Theoretically, there are hundreds of points in a corporate
information system that can be subject to some threats.

These threats can be classified as:
Unintentional
  Human errors
  Environmental hazards
  Computer system failures
Intentional
  Theft of data
  Inappropriate use of data
  Theft of mainframe computer time
  Theft of equipment and/or programs

System Vulnerability Continued
Intentional (continued)
  Deliberate manipulation in handling
    Entering data
    Processing data
    Transferring data
    Programming data
  Labor strikes
  Riots
  Sabotage
  Malicious damage to computer resources
  Destruction from viruses and similar attacks
  Miscellaneous computer abuses
  Internet fraud
  Terrorist attacks

Programming Attack (One Method)
A programming attack is implemented through the modification of a computer program.

Viruses (One Method)
The most common attack method is the virus, a program that attaches itself to (infects) other computer programs without the owner of the program being aware of the infection. It spreads, causing damage to that program and possibly to others. When a virus is attached to a legitimate software program, the legitimate software is acting as a Trojan horse, a program that contains a hidden function.

Protecting Information Resources
Information security problems are increasing rapidly, causing
damage to many organizations. Protection is expensive and
complex. Therefore, companies must not only use controls to
prevent and detect security problems, they must do so in an
organized manner. An approach similar to TQM (total quality
management) would have the following characteristics:
Aligned. The program must be aligned with organizational goals.
Enterprisewide. Everyone in the organization must be included.
Continuous. The program must be operational all the time.
Proactive. Use innovative, preventive, and protective measures.
Validated. The program must be tested to ensure it works.
Formal. It must include authority, responsibility & accountability.

Corporate Security Plan - Protecting

Difficulties - Protecting

Defense Strategy - Protecting
Knowing about potential threats to IS is necessary, but
understanding ways to defend against these threats is equally
critical. Because of its importance to the entire enterprise,
organizing an appropriate defense system is one of the major
activities of the CIO. It is accomplished by inserting controls
(defense mechanisms) and developing awareness.

The major objectives of a defense strategy are:
1. Prevention and deterrence.
2. Detection.
3. Limitation of damage.
4. Recovery.
5. Correction.
6. Awareness and compliance.

Defense Strategy - Controls
Any defense strategy involves the use of several controls. These controls are divided into two categories: general controls, which protect the system regardless of the specific application, and application controls, which safeguard specific applications.


Defense Strategy - Internet Security
Over the Internet, messages are sent from one computer to
another. This makes the network difficult to protect, since there
are many points to tap into the network.

Web Attack Threats


Defense Strategy - Internet Security
The major objective of border security is access control, followed by authentication (proof of identity) and finally authorization, which determines the actions or activities a user is allowed to perform.

Security Layers
Business Continuity
An important element in any security system is the business
continuity plan, also known as the disaster recovery plan. Such a
plan outlines the process by which businesses should recover
from a major disaster.

The purpose of a business continuity plan is to keep the business running after a disaster occurs.
Recovery planning is part of asset protection.
Planning should focus on recovery from a total loss of all capabilities.
Proof of capability usually involves some kind of what-if analysis that shows that the recovery plan is current.
All critical applications must be identified and their recovery procedures addressed.
The plan should be written so that it will be effective in case of disaster.
Business Continuity continued
The plan should be kept in a safe place; copies should be given to all key managers, or it should be available on the intranet; and the plan should be audited periodically.

One of the most logical ways to deal with loss of data is to back it up. A business continuity plan should include backup arrangements where all copies of important files are kept offsite.
Auditing
Implementing controls in an organization can be very complicated
and difficult to enforce. Are controls installed as intended? Are
they effective? Did any breach of security occur? These and other
questions need to be answered by independent and unbiased
observers. Such observers perform an auditing task.

There are two types of auditors:
An internal auditor is usually a corporate employee who is not a member of the ISD.
An external auditor is a corporate outsider. This type of auditor reviews the findings of the internal audit.
There are two types of audits:
The operational audit determines whether the ISD is working properly.
The compliance audit determines whether controls have been implemented properly and are adequate.

Risk Management
It is usually not economical to prepare protection against every
possible threat. Therefore, an IT security program must provide a
process for assessing threats and deciding which ones to prepare
for and which ones to ignore.

IT Security Trends
Increasing the reliability of systems
Self-healing computers
Intelligent systems for early intrusion detection
Intelligent systems in auditing and fraud detection
Artificial intelligence in biometrics
Expert systems for diagnosis, prognosis, and disaster planning
Smart cards

MANAGERIAL ISSUES
To whom should the IS department report? This issue is related to the degree of IS decentralization and to the role of the CIO. Having the IS department report to a functional area may introduce biases in providing IT priorities to that functional area, which may not be justifiable. Having the IS report to the CEO is very desirable.

Who needs a CIO? This is a critical question that is related to the role of the CIO as a senior executive in the organization. Giving a title without authority can damage the ISD and its operation. Asking the IS director to assume a CIO's responsibility, but not giving the authority and title, can be just as damaging. Any organization that is heavily dependent on IT should have a CIO.

End users are friends, not enemies, of the IS department. The relationship between end users and the ISD can be very delicate. In the past, many ISDs were known to be insensitive to end-user needs. This created a strong desire for end-user independence, which can be both expensive and ineffective. Successful companies develop a climate of cooperation and friendship between the two parties.

Ethical issues. The reporting relationship of the ISD can result in some unethical behavior. For example, if the ISD reports to the finance department, the finance department will have access to information about individuals or other departments that could be misused.

MANAGERIAL ISSUES Continued
Responsibilities for security should be assigned in all areas. The more organizations use the Internet, extranets, and intranets, the greater are the security issues. It is important to make sure that employees know who is responsible and accountable for what information and that they understand the need for security control. The vast majority of information resources is in the hands of end users. Therefore, functional managers must understand and practice IT security management and other proper asset management tasks.

Security awareness programs are important for any organization, especially if it is heavily dependent on IT. Such programs should be corporate wide and supported by senior executives. In addition, monitoring security measures and ensuring compliance with administrative controls are essential to the success of any security plan. For many people, following administrative controls means additional work, which they prefer not to do.

Auditing information systems should be institutionalized into the organizational culture. Organizations should audit IS because it can save considerable amounts of money. Conversely, over-auditing is not cost-effective.

MANAGERIAL ISSUES Continued
Multinational corporations. Organizing the ISD in a multinational
corporation is a complex issue. Some organizations prefer a complete
decentralization, having an ISD in each country or even several ISDs in one
country. Others keep a minimum of centralized staff. Some companies prefer a
highly centralized structure. Legal issues, government constraints, and the size of
the IS staff are some factors that determine the degree of decentralization.

Chapter 15
Copyright 2003 John Wiley & Sons, Inc. All rights
reserved. Reproduction or translation of this work
beyond that permitted in Section 117 of the 1976
United States Copyright Act without the express
written permission of the copyright owner is
unlawful. Request for further information should be
addressed to the Permissions Department, John
Wiley & Sons, Inc. The purchaser may make back-
up copies for his/her own use only and not for
distribution or resale. The Publisher assumes no
responsibility for errors, omissions, or damages,
caused by the use of these programs or from the
use of the information contained herein.
