
Chapter 8 Securing Information Systems 357

               Review Summary



               1.  Why are information systems vulnerable to destruction, error, and abuse?
                     Digital data are vulnerable to destruction, misuse, error, fraud, and hardware or software
                     failures. The Internet is designed to be an open system and makes internal corporate systems
                   more vulnerable to actions from outsiders. Hackers can unleash denial-of-service (DoS) attacks or
                   penetrate corporate networks, causing serious system disruptions. Wi-Fi networks can be
                   penetrated by intruders who use sniffer programs to capture the addresses and identifiers needed
                   to gain access to the resources of the network. Computer viruses and worms can disable systems
                   and Web sites. The dispersed nature of cloud computing makes it difficult to track unauthorized
                   activity or to apply controls from afar. Software presents problems because software bugs may be
                   impossible to eliminate and because software vulnerabilities can be exploited by hackers and
                   malicious software. End users often introduce errors.




               2.  What is the business value of security and control?
                     Lack of sound security and control can cause firms relying on computer systems for their core
                     business functions to lose sales and productivity. Information assets, such as confidential employee
                   records, trade secrets, or business plans, lose much of their value if they are revealed to outsiders or if
                   they expose the firm to legal liability. New laws, such as HIPAA, the Sarbanes-Oxley Act, and the
                   Gramm-Leach-Bliley Act, require companies to practice stringent electronic records management and
                   adhere to strict standards for security, privacy, and control. Legal actions requiring electronic evidence
                   and computer forensics also require firms to pay more attention to security and electronic records
                   management.





               3.  What are the components of an organizational framework for security and control?
                     Firms need to establish a good set of both general and application controls for their information
                     systems. A risk assessment evaluates information assets, identifies control points and control
                     weaknesses, and determines the most cost-effective set of controls. Firms must also develop a coherent
                   corporate security policy and plans for continuing business operations in the event of disaster or
                     disruption. The security policy includes policies for acceptable use and identity management.
                   Comprehensive and systematic MIS auditing helps organizations determine the effectiveness of
                     security and controls for their information systems.




               4.  What are the most important tools and technologies for safeguarding information resources?
                     Firewalls prevent unauthorized users from accessing a private network when it is linked to the
                   Internet. Intrusion detection systems monitor private networks for suspicious network traffic and
                   attempts to access corporate systems. Passwords, tokens, smart cards, and biometric authentication
                   are used to authenticate system users. Antivirus software checks computer systems for infections by
                   viruses and worms and often eliminates the malicious software, while antispyware software combats
                   intrusive and harmful spyware programs. Encryption, the encoding and scrambling of messages so that
                   only authorized parties can read them, is a widely used technology for securing electronic
                   transmissions over unprotected networks. Digital certificates combined with public key encryption
                   provide further protection of electronic transactions by authenticating a user's identity. Companies
                   can use fault-tolerant computer systems or create high-availability computing environments to make
                   sure that their information systems are always available. Use of software metrics and rigorous
                   software testing helps improve software quality and reliability.











