Video Transcript: Information Systems Security
Hello and welcome back to Introduction to Information Systems. We are going to be talking this week about security and all the things it takes to keep you, your family, and your organization safe when using some of these online tools and networking and Internet tools. But first, like always, I would love it if we could open up in prayer. So if you'd like to pray with me: Dear Heavenly Father, thank you so much for each and every student here. Thank you for our time together, that we can grow and learn together as we're learning this week about some of these topics. We know specifically that the internet can be a place that's not a pretty place, and we are so grateful for the opportunity to learn how to keep our families safe and our organization safe, so that we can use this connection with others to serve you and to just move your ministry forward. So I'm just really thankful for the opportunity to learn some of these tools and to progress. You know, we're always getting better, and we're always going where you lead. So we are ready, and thank you. In your heavenly name we pray, amen. And let's go ahead and jump in. We are in week six, y'all, which means after this module, after this week, you are halfway there, so that is to be celebrated. So congratulations. In a matter of moments, you will be halfway through, and that's awesome. We're going to be talking about Information Systems Security today. When you first think of Information Systems Security, you probably think about, I'm guessing, passwords, and maybe VPNs, the virtual private network. We had talked about those last week quite a bit, and hopefully by the end of today, you're going to realize it's so much more than that. These are the learning objectives that we are hopefully going to have mastered by the time we're done in this session.
So at the end of this chapter, you're going to be able to identify the Information Security triad, which is a very fancy way of saying there are three things you really need to know about internet security, and we're going to learn those for information systems. We're going to identify and understand the high-level concepts surrounding information security tools. There are a lot of things you already know about that you could be using more effectively. There are probably things you don't know about that you should be using, and there are probably things that you are doing that you should not be doing, to keep yourself safe and your organizations safe. So we are going to talk about those as part of our learning objectives today. We're also going to learn how to secure ourselves, our families, and our organizations digitally, making sure that we're not, you know, leaving the door open. We don't want to live in fear when we're computing, but we do want to be smart, and the more we know, the better we can do. So having that security is definitely the goal today. So let's jump in and talk about it. Computers and digital devices are becoming integral to conducting business, and we've already talked about how it's not so much a differentiator at all, that being connected is not a competitive advantage. It is so prevalent, which means, since they are so prevalent,
they are really open to attack, a target of attack. Because we do so much of our lives and our business with these packets that we talked about being sent across the internet at all times, on wired connections and wireless connections (we talked about mobile networks and Wi-Fi), all of these ways that we are networking and communicating together are all areas where we could be potentially vulnerable. So because we are targets of attack, our devices need to be secured, and there are things we can do. The networks that computers and devices use should also be secured. So not just our physical devices, the hardware we talked about in module two, but also the networks. The software should be protected, and the networks and the networking capabilities that we talked about last week should also have measures in place to be secure. Okay, this sounds way cooler than it is, because it's the CIA triad, but sorry to tell you (and sorry, the "y" dropped off of "confidentiality"), CIA in this case is not the intelligence agency; it is confidentiality, integrity, and availability, and this is the triad having to do with our information security, Information Systems Security. So that first leg of the triangle is going to be confidentiality: restricting access to authorized individuals. Are things confidential? Are they of a sensitive nature that needs restricted access? And then how are we going to handle that authorization? Who decides who's authorized? What credentialing process do you have to put in place? The next part of the CIA triad is integrity, and this is making sure that you don't have dirty data, that the data hasn't been altered in any way, that it's not been changed in some unauthorized manner. We want to make sure that it's clean data that is being transmitted in packets from A to B, and that it maintains its data integrity.
And then the third leg of that CIA triad is the availability of the data, and that just means the information can be accessed and modified by the people it should be, in an appropriate time frame. So although we want to make it as safe as possible, we also need it to be accessible and available to the appropriate people as needed. So when we look at information system security, we can ask ourselves those three questions. How does this information, or this data, factor in with confidentiality? Who is accessing this? Who should it be restricted to, if anybody? And then what's the integrity, making sure it hasn't been altered, that it is as it was meant to be, as it was authored. And then availability, making sure it's readily available to those who need it. So that is the triad. Let me pop my picture up here in the corner. Okay, here are some tools that hopefully are familiar to you in terms of internet security. I'm sorry, information security; I shouldn't say Internet security, because a lot of these you're going to be using even when offline. We have authentication, we have access control (and we're going to be talking about each one of these), encryption, passwords, backups, firewalls, VPNs that we talked about last week, that virtual private network to give us access, even if it's on a temporary basis, in a
restricted network setting, physical security, and then our security policies that we can make at an organizational level, and then, kind of under that umbrella, how are you going to enforce those security policies within your organization, or even within your own family, if you have some internet security policies that you need to have in place to make sure your family's safe, not just your organization, when it comes to being online and having information moved from one place to another that could be sensitive in nature. So these tools hopefully are familiar to you, but we're about to jump right in and make sure you know what they are. Authentication. So somebody's accessing information; we want to make sure they are who they say they are. Okay, so factors of identification: something you know. So it could be your user ID and password, so it can identify you. Your user ID identifies you, and hopefully (I'm quite certain) every one of you has logged in with a username and password before. The password authenticates that it really is you. So the username is your identification, and then the password is your authentication. This is vulnerable to attack. If you choose a password that's your dog's name or the street where you grew up, or the same password you use for everything, or "password123", this is something that is definitely breachable. So we want to make sure your user ID and password isn't necessarily the only thing you're using. Another factor that we can use for authentication is something that you have with you: a key, a card, something that is you and yours. It is coded to you. You swipe in and out, maybe using a key or card. Of course, that could be lost, it could be stolen, it could fall into the wrong hands and be mis-authenticated. You know, someone who shouldn't be there, assuming an identity that isn't theirs, could gain access to information they should not have.
So that was something you know, your password and your username; something you have, the key or the card; and then the last one is something that you are, and this is a physical characteristic. Maybe it's an iris scanner, a thumbprint, a handprint, something that is biometrically you. This is very much harder to compromise. Not to say that it can't be compromised, but definitely the most rigorous of security standards of the three. So why not have a combination, right? So let's say you have the key card, but you also need a password, or you do your thumbprint, and you also need a key card, having a combination of at least two-factor authentication. Lots of you do this online, where you put in your username, you enter your password, and then it sends a text message to your phone, where you have to authenticate: this is actually me, that was my cell phone that rang, I'm authenticating that it's me, and I give permission for this information to be accessed. This two-factor authentication is very typical now in most business organizations. If you at your workplace are not currently on two-factor authentication, you should be. It's just too easy. You know, every week in the news there's a story about a data breach, and it could be something so simple as a key card
that was in the wrong hands, or a password that was hacked, and now the whole organization's worth of data could be at risk, because of such a simple measure that could be taken: to have a Duo or a two-factor
authentication process. So if you are part of that decision-making process, I would recommend you suggest that for your organization, or maybe suggest it anyway, even if you're not a decision maker, if you're still at a single point where you're accessing your organization's info by a simple username and password. We have moved past that as a society. The other side is just too strong at this point, and their resources too vast, to be able to hack usernames and passwords. So it's time for two people. All right, so that was authentication. Next we're going to talk about access control. Okay, so access control means that once you have authenticated (it's me, I'm supposed to be here, I provided the information, I gave you my key card and my thumbprint or whatever the case may be), once you're authenticated, access control means that we're only going to provide that access on a need-to-know basis. So people who need that information, it's necessary for them to do their job; to read, modify, add, or delete information is because it really needs to happen. So limiting access really just limits your vulnerability. The fewer people that have access, you know, the easier it is to kind of control who has access to that information. So ACL, not to be confused with your knee (I've torn an ACL or two in my time), this is an access control list, and this is created for each resource of information. So there's a control list of the specific users who are allowed to read, write, delete, or add information. You'll notice if you, for instance, have a Google Doc, or if you have some type of collaborative document that you're working on, there are already structures in place that are templated that will ask you to create an ACL, an access control list. If you want to share it with someone, it will ask you what that person's role is, and so we're going to talk about that next. But if that person needs access to this document, is it read only?
Are they just able to read what you've written? Or do you want to give them the permissions that they can make changes, they can totally delete your document or your file, they can add in their two cents? That's most likely, if it's a collaborative document. But you want to make sure this ACL, this access control list, is maintained by a single point of contact, so that we can just make sure that the right people are getting that information at the right time, and it's not as vulnerable to breach as it would be if it was a free-for-all within your whole organization. Role-based access control is a little less specific. So instead of having a list of individual names of users who have access, it's the role that they have. So for instance, in my job teaching in a public school, if there was information that certain roles could see, if the general teacher role was checked, all the teachers could log in and see a document. If that document was restricted only to the administrative faculty, that would be role-based, and the administration role would be checked, instead of the whole entire
campus and all the teachers being able to see it. Of course, users are assigned to roles, and then the roles define what they can access. And it just simplifies the administration of this process, so that you don't have to keep up with individual names. So if you're in a small organization, having this ACL is not that big of a deal. You hire somebody, you add their name to the list; they quit or they retire, you remove their name from the list. But if you're in a huge enterprise organization, keeping up with HR in terms of individual names on this ACL is just not manageable. It's not reasonable. So this role-based access is better for an enterprise situation where, as your role changes with HR, these permissions will be automatically granted to you. So we've talked about the first two, and we're going to move on to encryption. Encryption is an algorithm or a program that's going to encode or scramble that information while it's being transmitted or stored, so only authorized individuals are going to be able to unscramble it or decode it. So how is this done? It's like magic, right? You just push "encrypt" and there, it's put into a secret code. Both parties agree on the encryption method or the key that can kind of unlock this encryption. There are lots of keys. So there's a symmetric key, and that's where the sender and the receiver have the key. And that can be risky, because if one side is breached, the whole system goes poof, and your information is not as encrypted as you thought it was. That's the symmetric key: sender and receiver have the same one. Then there's a public key. So you use a public and a private key, where the public key is used to send an encrypted message and the private key is used to decode the message.
So being asymmetrical like this, someone who, you know, had some nefarious intentions would need to hack both the public key and the private key to be able to decrypt that message. So this one is a little more secure. It just depends on what you're going for. So that's encryption, this algorithm that codes or scrambles it, and now we're moving forward to passwords. I can't stand it when I get the email at work that says it's been 90 days, you need to change your password. You need a capital letter and a number and a special character and the blood of your firstborn child and all of these things that make passwords effective. But we know, from what we just talked about with single-factor authentication, if someone only needs your username and your password, your organization will be hacked. It's a matter of time if you don't have dual authentication, so password policies by your organization just make sure that that risk is as minimal as possible, even though it is a giant pain. Organizations do have to determine this, because it's the weakest link, right? If your email or your password is hacked and you're the way in, think about all the data that your organization stores, and the databases and the data warehouse and all of these things. If someone were to breach and intrude on your network, and especially even if it's your extranet or your intranet, those kinds of things, we need to make sure that it's as difficult
as possible to breach, and then, of course, that we do have our two-factor authentication. So we make sure that passwords have a certain length. Some have a certain number of characters you have to use, you know, a mixture of upper- and lowercase letters, numbers, special characters. And we do change passwords on a regular schedule, so that you don't have a password and six years later it's the same one, and everybody knows what it is because you use it for everything. I have definitely been guilty of that in the past. But now that I know better, I know that employees shouldn't, you know, share their password with anybody, of course, and even though it feels over the top, notifying your security department if you feel like your password has been compromised, or if you feel like something's not right: you go to log in and then it's prompting you to change your password in a way that it hasn't before. We want to make sure that every employee kind of realizes the risk. Usually there's some kind of confirmation that you send out each year to let them know about their responsibility. And it really is, you know, everyone's responsibility to keep the whole network safe. So that's passwords. Next we're going to talk about how important it is to back up. For backup, we want to make sure that we back it up in a separate location. And I think I told you in module one, I believe, when you store things in one location, it's just... if your device is lost or stolen, if you spill a giant Diet Coke all over your computer, which has happened to me before. I've pretty much done it all in terms of why backup is important; I've closed my devices inside a car door and folded them in half when they're aluminum. All these things that happen to make your data disappear. We want to make sure that doesn't happen to you.
So backing up your files and your information, making sure that we store those in a separate location, in case your primary computer becomes unavailable for some reason, whether that's a big, dramatic story or just that it crashed. A good backup plan requires that you understand the organizational information resources. We want to make sure that the place you're putting it matches the needs of what the data actually is; that you're backing up regularly, on a schedule (something that happens independent of you is ideal); and that there's off-site storage of the backups. Let's say there's a weather emergency, a fire emergency; your organization would be wiped off the map if everything was in the building and something happened and none of your data was able to be retrieved, because it was all in one physical location. So off-site storage is important, and having some redundancies as well. Test the data restoration. We all have seen those data restoration features; Apple calls it Time Machine. There are lots of different ways that we can go back and restore data. We want to make sure we test that before it's actually needed, just to make sure that it's working properly and that everyone who's part of the process knows how to use it properly. All right. And then the complementary practices, things that go right along with that: UPS systems and backup processing sites, and we're going
to be getting into these in just a moment. Firewalls are up next. All right, a big part of information security is going to be firewalls, and that's going to be a hardware or a software solution that's going to inspect and stop those little packets of information that don't comply with a strict set of rules. We already talked about packets just being the smallest amounts of information. So you click the button that you want to watch a YouTube video, and your request is actually broken down into many packets that get sent through the internet that have your IP address, the address of the video you want to watch, all of that information. We want to make sure that if those packets don't meet the set of security standards, those inbound and outbound packets are stopped at the firewall before they enter your network. We know that hardware firewalls are connected to the network, and software firewalls run on the OS, that operating system that we talked about. So they're going to act like the bouncer at the club, and they're going to intercept those packets as they arrive at the computer and say, "You have no business here, sir," and send them away. So we want to make sure that your hardware and your software firewalls are in place. We can implement multiple firewalls at the same time so that we can allow segments of the network to be partially secured. There might be some things that are more sensitive than others. We can have a general firewall and then add additional security, so multiple firewalls, depending on what kind of business you're conducting, that are temporary or permanent, you know, depending on what the needs of your organization are. And then it's very important to have an IDS, and this is an intrusion detection system.
And so what happens is, if something's fishy, if something's out of the normal, if there's a spammy-looking email that gets flagged by someone in your organization, it's going to just watch for those things and alert you and alert the security personnel that there's a potential attack or a breach in the firewall, just to make sure that everyone's on the same page and steps can be taken to make sure that your organization is still staying safe. So those were firewalls. I know this is a lot to throw at you in terms of security tools, but there is certainly a lot to be responsible for. So we are going to move forward to those VPNs, those virtual private networks. Here we go. So some systems can be made private using an internal network to limit the access. But then, like we said, if you want to access that network remotely, or if you want to give someone temporary access to your network who wouldn't normally have it, a VPN allows these kinds of accesses to take place. So even if there is a strict firewall in place, if your VPN is coded to give you temporary access, it can bypass that firewall even if you are remote. And then those encryptions: we talked about those two types of encryption keys. On the VPNs, it's going to be that public key and the private key, so someone would essentially need to hack both encryption keys to be able to decode that message. It's just for an extra layer of security. It also
kind of hides your geolocation and IP address. It requires a more specific connection. Instead of just being in the building and connected to the internet, it has more rigorous standards that you need to meet. So this VPN is something that you might consider if you're working on some sensitive material, or if you are working on a project that requires pretty specific access to things, so that you can kind of code those firewall capabilities through the VPN system. And next we're going to talk about physical security. So what we've talked about so far has been digital security practices and things we have in place virtually. And now we're going to talk about the actual physical security protection of the actual equipment, the hardware. How are you protecting the hardware? Because you can protect things all you want, but if someone walks away with the laptop, that's not safe either. Those networking components, the servers that we're talking about: how are you protecting that actual equipment, whether it be locks or a coded room or time stamps or whatever the case is? How are you keeping track of the actual hardware? Organizations need to identify assets that need to be physically secured, meaning they need to lock the doors. There needs to be that intrusion detection that we talked about. So we talked about digital intrusion detection; there also needs to be physical intrusion detection, for instance, turning on a security camera or having a motion sensor in hours where there shouldn't be people accessing certain areas of hardware, so that, you know, security personnel can be notified if something's fishy or out of the usual. Securing that equipment, environmental monitoring: monitoring the temperature, the humidity, the airflow, which all impact computers if the temperature is much too high
or low where your technology is being stored. That could also leave it really vulnerable to crashing, and not having those things in place that we need to make sure we're staying safe. So finally, the last one on the list here might be the most important, although it is the most annoying and obnoxious when you're an employee: the IT security training for all employees. I know when we have this at work, it's tedious. Some of it's ridiculous, but some of it really does change as time goes on. And there are some people who aren't aware of new ways that some of these attackers are trying to get into your network, which don't seem very threatening until you really break it down. I was selling something online and had a definite scam trying to go down on me yesterday, and it was just being aware of what those scams might look like, and, you know, recognizing red flags when you see them, knowing what to report, knowing what to delete, knowing what to never click. All those things, when everyone in your organization is on the same page, that's the only way to really keep your organization safe, because otherwise it's just that weakest link that's going to be, obviously, where an intrusion happens. And then once someone is in your network, it's very much more difficult to, you know, make sure everything is nice and tight. So that was the physical security. Next we're
going to talk about these security policies. We're almost done with this list. So having security policies in place is a good starting point for developing an overall security plan. It's more than likely that your whole enterprise, your whole organization, has some type of security plan in place: if a bad guy walks into your office, what's the protocol there? Same thing when we talk about information security. It's formal. You know, it's not super long, but it's formal. It's written down, a high-level statement that somebody in senior management says: this is our policy for security when it comes to IT and MIS, for information security; just guidelines for employees to use if they have questions. You know, it includes company resources. What happens if an employee violates the policy? What happens if somebody intentionally or unintentionally violates the policy and there's a breach that happens? You know, where does that liability lie? Security policies focus on that CIA triad that we talked about a few minutes ago, with confidentiality, integrity, and availability, making sure that we have a focus on all three areas, because they all have to be running properly to have a secure organization. So as part of that CIA, there are going to be some government and industry regulations as well. It's not just that every organization makes up their own. There are some guidelines to help us. If you are in an organization that has a BYOD policy, bring your own device (I know in lots of schools they have a BYOD policy, where students are able to bring in their own technology and hook up to the network; a lot of workplaces insist that you use your already vetted work device), when you do have a BYOD, bring-your-own-device policy, you want to make sure that there are especially strong standards for accessing and storing information.
What information can you put on the network, or what information can you take from the network? What are the intellectual property implications if you come across an idea or a file that's not yours and now it's on your device, or if it's on a shared drive? It would be a total free-for-all if you didn't have some type of guidelines in place ahead of time. And so being proactive and having these security policies is a very good idea. If you don't have them in place at your workplace, suggest it; make it happen. So it's a fine line to balance on, making sure that people are able to work effectively and have what they need, and also meeting the need for security. Because some of those security things that we talked about, they're cumbersome and they're annoying and people don't like them, so it's just balancing what keeps us safe and what keeps us productive and happy at the same time. All right, this is the last piece of the puzzle here, of these security tools. This is personal information security. These are steps that you can take personally to be more secure at work and to be more secure at home, to be more secure wherever it is that you compute, wherever you're online. So you want to make sure your software is up to date. And I feel ridiculous saying that to you, because I am always the last person to update my software, until I just
recently went ahead and pushed the button to let it happen automatically on update day, to make sure that my equipment is updated. And it's not just for performance. It's not just for, you know, bugs that they found, to make your machine run more efficiently, whatever your hardware devices. It's also because a lot of times those updates are because of a security breach or a security protocol or a security improvement that is put into place, and so it's just a better level of protection if you keep up to date with your software, especially with your OS that we talked about, your main operating system. Because keep in mind, your operating system is what's going to be talking to the hardware, to the CPU; your OS is the brains of your software, and it's going to talk to your CPU, which is the brains of your hardware. So we want to make sure that those are up to date. Installing antivirus software, if it's not already on your work computers, or if you want to do that at home. If you are on a public network, if you're in a public Wi-Fi situation, if you go to Starbucks and use their hotspot, or you go to a hotel lobby and you jump on their internet, just make sure you do that carefully; that might be an opportunity for that VPN that we talked about. Backing up your data, of course, like we just were talking about, is a good way to keep yourself personally safe. Securing your accounts with that two-factor authentication: I know this is the fifth time hearing me say that. Make it happen in your workplace or in your home. If you're not doing it yet, just get on board. Make your passwords long, unique, strong. Most places are going to have that little meter that tells you how strong your password is.
And then, of course, being suspicious of those strange links and attachments. We're not going to get into all of that, you know, how to recognize phishing in an email and all of those things; that would be a separate course in itself, on how to keep yourself safe on the internet from intrusion and phishing and those kinds of things, and what to look for. But we want to make sure, especially when it comes to links that you click, or files that you open, attachments that you download, that you are very critical. Open those with a critical eye, just to make sure that you're not opening yourself, your family, or your organization up to a potential breach. Okay, all right, you've made it to the end. So in summary here, we did talk about the Information Security triad. So right now, ask yourself what those three things are. Do you remember? I hope so, with a C and an I and an A: the information security triad. We identified and understood the high-level concepts surrounding information security tools; we just went through pretty in depth each one of those tools that you can use at the organizational level, or really at the personal level, in your homes. And then how to secure yourself digitally, not just yourself, but your families and your workplace as well, because good internet hygiene and security hygiene will help everyone. So thank you so much for sticking with me. I know this one was particularly dry, just being the security topic that it is, but very necessary, just to make sure that everyone is
staying safe. The Internet has some very dark corners, and not everyone is using it in that really useful way to connect with other people and all the wonderful things that come from those connections. We just want to make sure that we keep it safe for those interactions, and that we can do everything we can to make sure that we're staying safe. So thank you so much. You are officially halfway done with this course. Congratulations. And I can't wait to see you next week for week seven, when we're going to answer that question that we started in week one, which was, does IT even matter? And we're going to talk about all the reasons why. Spoiler alert: it does. And I will see you next week. Thank you so much.
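The lecture's access-control section contrasts an access control list (a per-resource list of named users) with role-based access control (users get roles, roles carry the permissions). The following Python is an added example, not part of the lecture or its course material, showing both checks side by side over constructed sample data that mirrors the teacher/administration split the lecture describes. The users, documents and permissions are all made up for the example; both checks default to deny.

```python
# Added example: ACL versus role-based access control (RBAC) as two
# authorization checks. All users, documents and permissions below are
# constructed sample data, not from any real system.

READ, WRITE, DELETE = "read", "write", "delete"

# --- Access control list: one entry per resource, naming specific users ---
ACL = {
    "lesson-plan.doc": {"alice": {READ, WRITE}, "bob": {READ}},
    "staff-salaries.xls": {"principal": {READ, WRITE, DELETE}},
}


def acl_allows(acl, user, resource, action):
    """Default deny: the action is allowed only if the resource's ACL names the user with it."""
    return action in acl.get(resource, {}).get(user, set())


# --- Role-based access control: users -> roles, roles -> permissions per resource ---
ROLE_PERMISSIONS = {
    "teacher": {"lesson-plan.doc": {READ, WRITE}},
    "administration": {
        "lesson-plan.doc": {READ},
        "staff-salaries.xls": {READ, WRITE, DELETE},
    },
}

USER_ROLES = {
    "alice": {"teacher"},
    "bob": {"teacher"},
    "principal": {"administration"},
}


def rbac_allows(user_roles, role_permissions, user, resource, action):
    """Default deny: allowed if any role held by the user grants the action on the resource."""
    for role in user_roles.get(user, set()):
        if action in role_permissions.get(role, {}).get(resource, set()):
            return True
    return False


def change_roles(user_roles, user, new_roles):
    """Simulate an HR role change: returns a new mapping; permissions follow the role,
    so no per-resource list has to be edited (the point the lecture makes about scale)."""
    updated = {u: set(r) for u, r in user_roles.items()}
    updated[user] = set(new_roles)
    return updated


def who_can(user_roles, role_permissions, resource, action):
    """Review helper: sorted list of users who can perform the action on the resource under RBAC."""
    return sorted(u for u in user_roles
                  if rbac_allows(user_roles, role_permissions, u, resource, action))


if __name__ == "__main__":
    print("ACL: alice write lesson plan:", acl_allows(ACL, "alice", "lesson-plan.doc", WRITE))
    print("ACL: bob write lesson plan:", acl_allows(ACL, "bob", "lesson-plan.doc", WRITE))
    print("RBAC: who can delete salaries:",
          who_can(USER_ROLES, ROLE_PERMISSIONS, "staff-salaries.xls", DELETE))
    promoted = change_roles(USER_ROLES, "bob", ["administration"])
    print("RBAC after role change: bob read salaries:",
          rbac_allows(promoted, ROLE_PERMISSIONS, "bob", "staff-salaries.xls", READ))
```

The `who_can` helper is the kind of check a reviewer wants when auditing least privilege: rather than reading the role tables, ask directly which users end up with a given permission on a sensitive resource.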
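The lecture describes a firewall as a rule set that inspects inbound and outbound packets and stops the ones that do not comply, with an intrusion detection system alerting security staff when something out of the normal shows up. The following Python is an added example, not part of the lecture, of a tiny stateless packet filter with an ordered rule list, first-match-wins evaluation and a default deny, plus an IDS-style alert that fires when one source address has several packets denied. The packets, addresses and rules are constructed sample data.

```python
# Added example: a minimal stateless packet filter (ordered rules, first match
# wins, default deny) with an IDS-style alert on repeated denials per source.
# Rules, packets and addresses are constructed for illustration only.
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (arriving from outside) or "out" (leaving the network)
    proto: str       # "tcp" or "udp"
    src: str         # source IP address
    dst: str         # destination IP address
    dport: int       # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str               # "in" or "out"
    proto: str = "any"           # "any", "tcp" or "udp"
    dst: str = "any"             # "any" or a specific destination address
    dport: Optional[int] = None  # None matches every port

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.proto in ("any", p.proto)
                and self.dst in ("any", p.dst)
                and (self.dport is None or self.dport == p.dport))


# Constructed rule set. Order matters: the first matching rule decides.
RULES = [
    Rule("allow", "out", "tcp", dport=443),                 # web/video requests from inside
    Rule("allow", "out", "udp", dport=53),                  # DNS lookups
    Rule("allow", "in", "tcp", dst="10.0.0.5", dport=443),  # the organization's public web server
    Rule("deny", "in", "tcp", dport=3389),                  # remote desktop explicitly closed
]


def filter_packet(rules: List[Rule], packet: Packet) -> str:
    """Return 'allow' or 'deny' for one packet; anything no rule matches is denied."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "deny"


def run_firewall(rules: List[Rule], packets: List[Packet],
                 alert_threshold: int = 3) -> Tuple[List[str], List[str]]:
    """Filter every packet and raise an IDS-style alert for any source address
    whose denied-packet count reaches the threshold."""
    verdicts = [filter_packet(rules, p) for p in packets]
    denied_by_src = Counter(p.src for p, v in zip(packets, verdicts) if v == "deny")
    alerts = sorted(src for src, n in denied_by_src.items() if n >= alert_threshold)
    return verdicts, alerts


# Constructed traffic sample: normal user activity plus unsolicited inbound attempts.
SAMPLE_PACKETS = [
    Packet("out", "tcp", "10.0.0.12", "142.250.0.1", 443),   # user watching a video
    Packet("out", "udp", "10.0.0.12", "10.0.0.2", 53),       # DNS lookup for that request
    Packet("in", "tcp", "203.0.113.7", "10.0.0.5", 443),     # visitor reaching the web server
    Packet("in", "tcp", "198.51.100.9", "10.0.0.5", 22),     # unsolicited: no rule, default deny
    Packet("in", "tcp", "198.51.100.9", "10.0.0.12", 3389),  # unsolicited: explicit deny rule
    Packet("in", "tcp", "198.51.100.9", "10.0.0.5", 445),    # unsolicited: no rule, default deny
]


if __name__ == "__main__":
    verdicts, alerts = run_firewall(RULES, SAMPLE_PACKETS)
    for pkt, verdict in zip(SAMPLE_PACKETS, verdicts):
        print(f"{verdict:5} {pkt.direction:3} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}")
    print("IDS alerts for sources with repeated denials:", alerts)
```

The default-deny return at the end of `filter_packet` is the important design choice: a packet that no rule describes is treated as unwanted, which is the behaviour the lecture's "bouncer at the club" analogy expects. The alert logic is deliberately simple, a count of denials per source, which is enough to show how a detection rule turns individual firewall decisions into something security personnel are notified about.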