Auditing IT Infrastructures for Compliance
Chapter 14: Compliance Within the System/Application Domain

Learning Objective
• Describe information security systems compliance requirements within the System/Application Domain.

Key Concepts
• Compliance law requirements and business drivers for System/Application Domain
• Devices and components found in the System/Application Domain
• Application traffic and performance issues, and how to maximize availability, integrity, and confidentiality (A-I-C) for the System/Application Domain
• System/Application Domain policies, standards, procedures, and guidelines
• Best practices for System/Application Domain compliance requirements

Business Drivers and Compliance
• System/Application Domain
  • Provides environment for distributed applications to run
  • Centralizes core business functions
  • Supports productivity
  • Allows for sharing and collaboration

Business Drivers and Compliance
• Data must be protected
• Faulty application code presents security holes
• Lax access controls result in vulnerabilities
• Centralization increases security

Access Controls
• Protect confidentiality and integrity of data
• Operating system enforces the controls

Vulnerability and Change Management
• Applications and operating system are susceptible to software vulnerabilities
• Patch management “patches” vulnerabilities

If you know about a vulnerability, chances are an attacker knows about it, too.

Maximize A-I-C
• Create business continuity plan (BCP)
• Create disaster recovery plan (DRP)
• Implement access controls
  • DMZ
  • Application-based
• Keep software patched

Best Practices for Compliance Requirements
• Establish physical controls to protect the data center.
• Use at least one firewall to limit network traffic from other domains to only authorized traffic.
• Use Network Access Control (NAC) devices to restrict computers and other devices from connecting to System/Application Domain components.

Best Practices for Compliance Requirements (Continued)
• Define user- or group-based access controls for each computer in the domain.
• Use application-defined access controls to limit access to data.
• Allow only low-privilege users to establish connections between the Internet-facing servers in the Demilitarized Zone (DMZ) and System/Application Domain servers.

Best Practices for Compliance Requirements (Continued)
• Allow only escalated privilege user connections that originate from protected Web servers where users can only connect by using a secure VPN.
• Update operating systems frequently with the latest security patches on all computers.

Best Practices for Compliance Requirements (Continued)
• Update all application software frequently with the latest security patches.
• Follow best practices of software development or software modifications.

Best Practices for Compliance Requirements (Continued)
• Create a BCP and DRP.
  • Keep documents up to date
  • Test BCP and DRP at least annually
• Protect all backup media in transit and storage.
• Ensure all backup media is encrypted.

Best Practices for Compliance Requirements (Continued)
• Encrypt all sensitive data when it is stored on disks.
• Use application-monitoring software to identify performance or availability issues.

Summary
• Compliance laws and business drivers for System/Application Domain
• Process to monitor application traffic and performance
• Ways to maximize A-I-C
• Roles and responsibilities associated with System/Application Domain compliance
• Best practices for System/Application Domain compliance requirements