Technologies and security management features
A. Safeguarding records and files B. Back up files 1. Son-father-grandfather concept 2. Back up of systems that can be shut down 3. Backups of systems that do not shut down 4. Mirroring C. Uninterrupted power supply D. Program modification controls E. Data encryption 1. Digital certificates 2. Digital signatures vs E-signatures F. Managing passwords 1. Password length 2. Password complexity 3. Password age 4. Password reuse G. User access 1. Initial passwords and authorization for system access 2. Changes in position
A. Safeguarding records and files
- inadequate protection may result in damage or loss
- data can be protected by the use of internal and external labels and file protection rings
B. Back up files
Back up files
- Son-father-grandfather concept - the most recent file is called the son and the back up process includes reading the previous file, recording transactions being processed and then creating a new updated master file.There are always at least two back ups.
- Back up of systems that can be shut down - updated when shut down
- Backups of systems that do not shut down - recovery includes applying a transaction log and reapplying those transactions to get back to the point immediately before the failure
- Mirroring - the use of a back up computer to duplicate all of the processes and transactions on the primary computer
C. Uninterrupted power supply
a device that maintains a continuous supply of electrical power to connected equipment. Called battery back up.
D. Program modification controls
Program modification controls are controls over the modification of programs being used in production applications. They include controls designed to prevent changes by unauthorized personnel and also controls that track program changes
E. Data encryption
E. Data encryption - an essential foundation for electronic commerce. Encryption involves using a password or a digital key to scramble a readable message into an unreadable message. Then intended recipient of the message then uses the same or another digital key to decrypt or decipher the ciphertext message back into plaintext.
- Digital certificates - an electronic document, created and digitally signed by a trusted party, which certifies the identity of the owners of a particular public key.
- The public key infrastructure - the system and processes used to issue and manage asymmetric keys and digital certificates.
- Certificate authority - the organization that issues public and private keys and records the public key in a digital certificate. - Digital signatures vs E-signatures - use asymmetric encryption to create legally-blinding electronic documents. Web-based e-signatures are an alternative mechanism for accomplishing the same objectives. An e-signature - a cursive style imprint of a person’s name that is applied to an electronic document
F. Managing passwords
F. Managing passwords - every account needs one
- Password length - 7-8 signs
- Password complexity - upper, lowercase, numeric, ASCII characters !@#$
- Password age - every 3 months
- Password reuse - should not be reused (24 passwords)
G. User access
G. User access
- Initial passwords and authorization for system access
- Changes in position - Hr and IT communication
Brute force attack
the attacker simply tries every possible key until the right one is found
A. Security Policy defined
A. Security Policy defined - a document that states how an org plans to protect the org’s info.
B. Security Policy goal
B. Security Policy goal - requires people to protect info, which protects the org, its people, and customers.
C. States and Locations of information covered by security policies:
- The security policy should seek to secure info that exists in 3 distinct states:
a. Stored information
b. Processed information
c. Transmitted information - Information resides in locations:
a. information technology systems
b. paper
c. human brain - Relationship between states and locations of info (Examples):
a. Info systems - stored hard drives - processed computers - transmitted via internet
b. Paper - file cabinets - copy machine - fax
c. Brain - memory - synapses - language
Types of policies
- Program level policy - used for creating a management sponsored computer security program. A program level policy, at the highest level, might prescribe the need for information security and may delegate the creation and management of the program to a role within the IT department.
- Program-framework policy - establishes the overall approach to computer security
- Issue specific policy
- System specific policy
Development and management of security policies
- Security objectives - series of statements to describe meaningful actions about specific resources.
- Operational security - defines the manner in which a specific data operation would remain secure
- Policy implementation - security is enforced by a combination of technical and traditional management methods.
Policy support documents
- Regulations - laws, rules, regulations represent governmentally imposed restrictions passed by regulators and lawmakers
- Standards and baselines - topic specific (Standards) and system specific (baseline) documents that describe overall requirements for security
- Guidelines - provide hints, tips, and best practices in implementation
- Procedures - step by step instructions on how to perform a specific security activity
Decryption or decipherment
the intended recipient converts the cipher text into plain text
Digital signature
is a means of ensuring that a message is not altered in transmission. It is a form of data encryption
Electronic Commerce (E-Commerce)
- the electronic consummation of exchange transactions,
- can use a private network or the Internet as the communications provided
- may involve communication between previously known parties or between parties that have had no prior contract or agreements
Electronic Business (E-business)
- general term
- any use of information technology like networking and communications technology to perform business processes in an electronic form
- may or may not relate to selling or buying
Electronic Data Interchange (EDI)
the computer to computer exchange of business transaction documents
EDI -Reduced handling costs and increased processing speed
reduces transaction handling costs and speeds transaction processing
EDI- Standard data format
Standard data format
a. Mapping - process of determining the correspondence between data elements in an organization’s terminology and data elements in standard EDU terminology.
b. Standards - several different standards
- XML - extensible markup language - technology that has been developed to transmit data in flexible formats instead of the standard formats of EDI.
EDI - Communication
EDI can be implemented using direct links between the organizations exchanging information via communication intermediaries, VANs or networks of VANs, or over the Internet.
Features of EDI
- allows the transmission of electronic documents between compeer systems in different organizations
- reduces handling costs and speeds transaction processing compared to traditional paper based processing.
- requires that all transactions be submitted in a standard data format
- can be implemented using direct links between the trading partners, communication intermediaries, VANs or networks of VANs, or over the Internet.
Costs of EDI
- Costs of EDI
a. Legal costs
b. Hardware costs
c. Costs of translation software
d. Costs of data transmission
e. Costs associated with security, monitoring and control procedures
EDI controls
Audit trails should include:
- activity logs of failed transactions
- network and sender/recipient acknowledgements
EDI Risks
unauthorized access to the organization’s system is the greatest risk
Comparison of EDI and E-Commerce
Which has higher? Cost - EDI Security - EDI Speed - E-Commerce Network - EDI - VAN (private), E-Commerce - Internet (public)
Business process reengineering
the analysis and redesign of business processes and information systems to achieve significant performance improvements.
Challenges faced in business process reengineering
- Tradition - old ways of doing things do not die easily
- Resistance - people don’t like changes
- Time and cost requirements - takes 2 + years to complete
- Lack of management support
- Skepticism
- Retraining
- Controls
Business to business (B2B)
- Business to Consumer (B2C) transaction - a business sells its products or services to the public
- Business to Business (B2B) transaction - a business sells products to another business
- Consumer to Consumer (C2C) transaction - consumers sell products to other consumers (eBay)
B2B E-Commerce
a lot of business do that, especially in the wholesale markets
Electronic market
Internet transactions can occur between businesses where there is no pre existing relationship.
Direct market
B2B transactions may occur electronically between businesses where there is a pre-existing relationship (EDI, corporate intranets and extranets)
Importance of B2B
- Speed - the faster the better and the Internet is faster than phone, fax or mail.
- Timing - E-Commerce transactions do not have to occur during normal business hours (time zones)
- Personalization - after registering with a new business partner, the website can guide it to the most interesting areas.
- Security - private info is encrypted
- Reliability - transactions occur electronically from one computer directly to another computer, the transactions should be very precisely performed, no opportunity for human error
Factors to consider
- The selection of the business model
- Channel conflicts - the possibility of stealing business from existing sales or channels
- Legal issues - laws governing electronic commerce
- Security - outsiders can hack into your account
Components of B2B
- the customer connecting to the site through the Internet
- the seller’s site behind an enterprise firewall
- the seller’sInternet commerce center, considering of an order entry system and a catalog system containing product descriptions and other information on what is for sale and which acts as an interface to the customer’s browser.
- the seller’s back office system for inventory management, order processing, and order fulfillment, which could include a shipping or transportation system
- the seller’s back office accounting system
- the seller’s payment gateway communicating via the Internet to validate and authorize credit card transactions or other payment methods.
B2B vs B2C
B2C - less complex, the payment mechanism is more problematic
Enterprise Resource Planning System (ERP) defined
- a cross functional enterprise system that integrates and automates the many business processes that must work together in the manufacturing, logistics, distribution, accounting, finance and HR of a business.
- ERP software comprises a number of modules that can function independently or as an integrated system to allow data and information to be shared among all of the different departments and divisions of large businesses.
ERP Functions
- ERP systems store information in a central repository so that data may be entered and accessed and used by the various departments.
- ERP systems act as the framework for integrating and improving an organization’s ability to monitor and track sales, expenses, customer service, distribution, and many other business functions.
- ERP systems can provide vital cross functional information quickly to managers across the organization in order to assist them in the decision making process.
Supply chain management
concerned with four characteristics of every sale: what, when, where, how much
Supply chain management functions
- Achieve flexibility and responsiveness
- planning
- sourcing
- making
- delivery - Supply chain planning software
- Often termed an extension of ERP
Customer relationship management systems defined
provide sales force automation and customer services in an attempt to manage customer relationships.
Customer relationship management systems objectives
- increase customer satisfaction and increase revenue and profitability.
- CRM attempts to do this by appearing to market to each customer individually.
- the assumptions are that 20% of customers generate 80% of sales and that it is 5-10 time more expensive to acquire a new customer that to obtain repeat business from an existing customer.
Categories of CRM
- Analytical CRM - creates and exploits knowledge of a company’s current and future customers to drive business decisions
- Operational CRM - the automation of customer contracts or contact points
Electronic Funds Transfer system
- a form of electronic payment for banking and retailing industries.
- the federal reserve fedwire system (automated clearing house network) is used very frequently in EFT to reduce the time and expense required to process checks and credit transactions
Electronic Funds Transfer system
- Third party vendor - EFT service is often provided by a third party vendor who acts as the intermediary between the company and banking system
- Data encryption - EFT security is provided via various types of data encryption.
- Reduction in errors - EFT reduces the need for manual data entry, thus reducing the occurrence of data entry errors
Application Service Providers (ASP)
- provide access to application programs on a rental basis.
- They allow small companies to avoid the extremely high cost of owning and maintaining today’s application systems by allowing them to pay only for what is used.
- The ASPs own and host the software.
Advantages of ASP
- lower cost
- greater flexibility
Disadvantages of ASP
- possible risks to the security and privacy of the organization’s data
- the financial viability or thereof lack of the ASP
- possible poor support by the ASP
Similar concepts to ASP
- IBM offers a similar thing in its utility computing and E-Commerce on demand strategies
- ASPs are similar to the timesharing providers or service bureaus of the past that rented raw computing power (time on computers) to customers, except that ASPs rent applications instead of just the computer processing
- related to ASPs are present day service bureaus, which perform processing outside the organization
Web 2.0
- Collaborative websites and social networking - collaborative website in which users not only brows content, but also ass and modify content
- Dynamic content - increase in web pages with dynamic content, linked to databases, price lists and catalog product lists.
Mashups
Web pages that are collages of other web pages and other information (google maps)
Web stores
- Stand alone web stores - many small companies have stand alone Web stores that are not integrated with large accounting systems (shopping cart software)
- Integrated web stores - many larger companies, and an increasing number of small companies, have turned to ERP systems that integrate all the major accounting functions, as well as the web stores into a single software system
Cloud computing
virtual servers available over the Internet
Cloud computing services
- Infrastructure as a service (IaaS) - outsources storage, hardware, services, and networking components to customers
- Platform as a service (PaaS) - allows customers to rent virtual servers and related services that can be used to develop and test new software applications
- Software as a service (SaaS) - method of software distribution in which applications are hosted by a vendor or service provider and made available to customers over the Internet
Hypertext Markup Language (HTML)
a tag base formatting language used for web pages
Hypertext Transfer Protocol (HTTP)
- communications protocol used to transfer Web pages on the World Wide Web.
- HTTP uses SSL (secure socket layer) for its security
URL
- a Web address is the uniform resource locator (URL) that directs the user to a specific location on the web
Web addresses
- Transfer protocol http:// (Hypertext Transfer Protocol) or ftp:// (File Transfer Protocol)
- Server www (web server)
- Domain name - Becker - subdomain name, Becker.com - füll domain name
- Top-leve domain .com, .net, .edu (generic top level domains)
- Country .us, .de. pl (country code top level domains)
- http://www.becker.com.us (us not needed)
TCP
Transport Control Protocol is the transmission protocol of the Internet protocol suite. TCP is a transport layer protocol.
Domain name
includes one or more IP addresses
Domain Name System (DNS)
system of domain names that is employed by the Internet
Domain Name Warehousing
practice of obtaining control of domain names with the intent of warehousing (owning but not using)
Web Server
a computer that delivers a Web page upon request
Web Hosting Service
an organization that maintains a number of Web servers and provides fee paying customers with the space to maintain their websites
WiFi
- WiFi Alliance - a global nonprofit org with the goal of driving the adoption of a single worldwide accepted standard for high speed wireless local area networks
Potential errors in computerized system
- Opportunity for remote access increases the likelihood for unauthorized access.
- Concentration of information means that once security is breached, the potential for damage is higher.
- Decrease human involvement in processing results in a decreased opportunity for observation of errors.
- Errors or fraud might occur in the design or maintenance of application programs.
Safeguard files and records
Safeguarding of files and records is important because inadequate protection may result in loss or damage that might drive an organization out of business. Hardware cab aways be replaced, but data often can’t be.
Encryption
Encryption involves using a password or a digital key to scramble a readable message (plaintext) into an unreadable (cipher text). The intended recipient of the message then uses either the same or another digital key (depending on encryption method) to convert the cipher text message back into plaintext.
Password management policy
- Password length - the longer the better. Passwords should be greater than seven characters, many organizations requires 8.
- Password complexity - complex passwords feature three of the following four characteristics: uppercase, lowercase, numeric characters and ASCII characters !@@#$$%
Types of policy
- Program level policy
- Program framework policy
- Issue specific policy
- System specific policy
Digital signatures
use asymmetric encryption to create legally binding electronic documents
E-signatures
an alternative mechanism for accomplishing the same objective. An e-signature is a cursive style imprint of a person’s name that is applied to an electronic document.
Information security policy
states how organization plans to protect its tangible and intangible information assets
Internet
international network composed of servers around the world that communicate with each other
Public Key Infrastructure
the system and processes used to issue and manage asymmetric keys and digital certificates
Implementation of EDI
- Legal cost
- Hardware cost
- Costs of translation software
- Costs of data transmission
- Process reengineering and employee training costs for affected applications
- Costs associated with security, monitoring and control procedures
B2B transactions
When business sells its products to another business
B2B e-Commerce
many businesses buy, sell, or trade their products and services with other businesses
Electronic market
very common for B2B transactions to occur electronically via the Internet
Direct market
B2B transactions occur electronically between businesses when there is a preexisting relationship
Advantages of B2B e-Commerce
- Speed
- Timing
- Personalization
- Security
- Reliability
Electronic Funds Transfer EFT
Major form of electronic payment for banking and retailing industries.
EFT uses a variety of technologies to transact, process, and verify money transfers and credits between banks, businesses, and consumers. The Federal Reserve wire system is used very frequently in EFT to reduce the time and expense required to process checks and credit transactions.
EDI
computer to computer exchange of business transaction documents
EDI transactions are submitted
submitted in a standard data format
EDI Mapping
the process of determining the correspondence between elements in a company’s terminology and elements in standard EDI terminology
Characteristics of EDI
- EDI allows the transmission of electronic documents between systems in different organizations
- EDI reduces handling costs and speeds transaction processing
- EDI can be implemented using direct links, VANs, or over the Internet
- EDI can be implemented using direct links, VANs, or over the Internet.
EDI controls
- Encryption of data
- Activity logs of failed transactions
- Network and sender/recipient acknowledgments
e-Commerce
involves electronic consummation of exchange transactions. Uses the Internet
