Security and Control in Information Systems : A Guide for Business and Accounting.
Title:
Security and Control in Information Systems : A Guide for Business and Accounting.
Author:
Hawker, Andrew.
ISBN:
9780203992319
Edition:
1st ed.
Physical Description:
1 online resource (336 pages)
Contents:
Front Cover -- Security and Control in Information Systems -- Copyright Page -- Contents -- Acknowledgements -- Publisher's acknowledgements -- I: Introduction -- 1. Aims of this book -- 2. Models of security in a business setting -- 3. The structure of the book -- 4. The objectives of the book -- Part 1: Threats and Risks -- 1. Information under threat -- 1.1 Placing a value on information -- 1.2 Business dependence on information systems -- 1.3 New sources of threats to information systems -- 1.4 Outsourcing and re-engineering: two decades of change -- 1.5 The nature and sources of threats -- 1.6 Internal versus external threats -- 1.7 Questions -- 2. Risk appraisal and management -- 2.1 Why appraise risk? -- 2.2 Perceptions of risk -- 2.3 Decisions about risk: the need for anticipation -- 2.4 Systematic appraisal of risk: an introduction -- 2.5 Risk assessment: large organisations -- 2.6 Risk assessment: smaller organisations -- 2.7 Costs and benefits of risk reduction -- 2.8 Questions -- Part 2: Controls for Internal Services -- 3. Computerised controls: the organisational context -- 3.1 Introduction -- 3.2 Information security and control as a responsibility of general management -- 3.3 Matching control systems to the organisation's structure and culture -- 3.4 Balancing trust and enforcement -- 3.5 The limits of trust: the rise of 'social engineering' -- 3.6 Legitimacy of controls: some issues of probity and surveillance -- 3.7 Conflicts of loyalty and obligation -- 3.8 Questions -- 4. Access controls -- 4.1 Introduction -- 4.2 Characteristics of methods of user identification -- 4.3 System-wide access controls -- 4.4 Application controls: multiple versus single sign-on -- 4.5 Constructing and implementing rules for access control -- 4.6 Access to databases and aggregated data -- 4.7 Some risk and cost issues -- 4.8 Questions -- 5. Controls within business processes -- 5.1 Introduction: transactions and processes -- 5.2 Input: checks applied to data capture -- 5.3 Processing the data -- 5.4 Output: printers and displays -- 5.5 Information derived from transactions -- 5.6 Case study: The FAO Microbanker system - selling secure systems in the Third World -- 5.7 Questions -- Part 3: Controls for Networked Services -- 6. Controls for network communications -- 6.1 Introduction -- 6.2 Commercial networks: functions and origins -- 6.3 Eavesdropping on data transmissions -- 6.4 Communication layers -- 6.5 The role of cryptography -- 6.6 Business applications of encryption -- 6.7 Costs and vulnerabilities of cryptographic methods -- 6.8 Security on the Internet -- 6.9 Questions -- 7. Managing the security of networked facilities -- 7.1 Introduction -- 7.2 Maintenance and distribution of cryptographic keys -- 7.3 PGP, Certification Authorities, and Public Key Infrastructures -- 7.4 Key storage, escrow and recovery -- 7.5 Inter-company transactions: EFT, EDI and Electronic Mail -- 7.6 Trading with the public: Electronic Commerce -- 7.7 Monitoring and surveillance of networks -- 7.8 Questions -- 8. Controls for local area networks and small systems -- 8.1 Introduction -- 8.2 Managing compliance within the local work group -- 8.3 Controls within office software (1): clerical and administrative applications -- 8.4 Controls within office software (2): accounting applications -- 8.5 Viruses, downloads, and other hazards of networked personal computing -- 8.6 Regulating usage of the Internet -- 8.7 Questions -- Part 4: Business Continuity and Archiving -- 9. Business Continuity -- 9.1 Introduction -- 9.2 Threats to business continuity -- 9.3 Physical protection of processors, nodes and terminals -- 9.4 Pre-empting disasters -- 9.5 Creating and implementing the Disaster Recovery Plan -- 9.6 Implications of the proliferation of IT -- 9.7 Justifying investment in measures for business continuity protection -- 9.8 Questions -- 10. Controls for archived data -- 10.1 Introduction -- 10.2 Obsolescence of software and media -- 10.3 Requirements for archiving of business data -- 10.4 Authentication of archived files and documents -- 10.5 Record retention policies -- 10.6 Questions -- Part 5: Computer Audit -- 11. Computer audit: the introduction of new systems -- 11.1 The role of the computer auditor -- 11.2 Auditing of systems development -- 11.3 Non-traditional approaches: packages and end-user computing -- 11.4 Auditing systems testing and implementation -- 11.5 Questions -- 12. Computer audit: control of existing systems -- 12.1 Introduction -- 12.2 Change management and control -- 12.3 Routine checks and investigations -- 12.4 Competencies required of computer auditors -- 12.5 Questions -- 13. Computer forensics -- 13.1 Introduction -- 13.2 Techniques and procedures to obtain valid computer evidence -- 13.3 Correlation of data from multiple sources -- 13.4 Misuse of telecommunications services -- 13.5 Proof of ownership: electronic watermarks -- 13.6 The ethics of investigations -- 13.7 Questions -- Part 6: Regulation and Standards -- 14. Standards, codes of practice and regulatory bodies -- 14.1 Frameworks for regulation -- 14.2 Certification schemes: BS 7799 and WebTrust -- 14.3 Technical standards for IS products -- 14.4 Issues of Data Protection in business systems -- 14.5 Information systems in the future: some issues of control and regulation -- Appendices -- 1. Twelve Rules of Thumb for Managers -- 2. Useful Internet addresses -- Glossary -- References -- Index.
Abstract:
With the advent of electronic commerce, and the increasing sophistication of the information systems used in business organizations, control and security have become key management issues. Responsibility for ensuring that controls are well designed and properly managed can no longer simply be delegated to the technical experts. It has become an area in which the whole management team needs to be involved. This comprehensive review, written for the business reader, includes coverage of recent developments in electronic commerce, as well as the more traditional systems found in many organizations, both large and small. Intended for any manager whose work depends on financial or other business information, it includes case studies, summaries and review questions, making it equally suitable as a source text for students of business studies at postgraduate or advanced level.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.