
MODULE 2

MODULE 2. Protection Of Information Assets. Samir Shah CA, CISA, DISA, CIA, CISSP, CFE Director – Eduassure Knowledge Solutions. Module Weightage. Module 1: Information Technology Infrastructure & Communication/ Networking Technologies: 30%





Presentation Transcript


  1. MODULE 2

    Protection Of Information Assets Samir Shah CA, CISA, DISA, CIA, CISSP, CFE Director – Eduassure Knowledge Solutions
  2. Module Weightage Module 1: Information Technology Infrastructure & Communication/ Networking Technologies: 30% Module 2: Protection of Information Assets: 22% Module 3: Systems Development Life Cycle & Application Systems: 20 % Module 4: Business Continuity Planning: 10% Module 5: Information Systems Organization & Management: 8% Module 6: Information Systems Audit Process: 10%
  3. Chapter 1. SECURING PHYSICAL ACCESS Introduction to Information Systems Controls: Information technology underpins all key business processes of an enterprise and therefore affects its strategic and competitive position and its success. Control is defined as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives are achieved and that undesirable events are prevented, or detected and corrected. Information Systems (IS) auditing includes reviewing the implemented system, or providing consultation on it, and evaluating the reliability and operational effectiveness of its controls.
  4. Need for Control and Audit of Information Systems (i) Organizational costs of data loss (ii) Incorrect decision making (iii) Costs of computer abuse (iv) Value of computer hardware, software and personnel (v) High costs of computer error (vi) Maintenance of privacy (vii) Controlled evolution of computer use (viii) Information systems auditing (ix) Asset safeguarding objectives (x) Data integrity objectives (xi) System effectiveness objectives (xii) System efficiency objectives
  5. Impact of Control and Audit
  6. Objective of Control Control objective is defined as “A statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT process or activity”. It describes what is sought to be accomplished by implementing control. The objective of controls is also to reduce or, if possible, eradicate the causes of the exposure to probable loss.
  7. Internal Controls The basic purpose of internal control in an organization is to ensure that business objectives are achieved and undesired risk events are prevented or detected and corrected. This is achieved by designing an effective internal control framework, which comprises policies, procedures, practices, and organizational structure. Elements of the Internal Control Environment
  8. Types of Internal Controls Controls can be preventive, detective, or corrective (reactive) and are implemented administratively, technically or physically
  9. Preventive Controls These controls are designed to stop unauthorized or erroneous activity before it occurs: they anticipate potential problems and build in the adjustments needed to avoid them. Examples of preventive controls include employing qualified personnel, segregation of duties, access control, documentation, etc.
  10. Detective Controls and Corrective Controls Detective Controls These controls are designed to detect errors and malicious acts after they have occurred. Examples of detective controls include hash totals, checkpoints in production jobs, error messages on tape labels, duplicate checking of calculations, past-due accounts reports, etc. Corrective Controls These controls are designed to correct an error once it has been detected. An example is substituting a default date on an invoice when an operator enters an invalid date. A business continuity plan is considered a significant corrective control. Other examples of corrective controls are contingency planning, backup procedures, rerun procedures, and treatment procedures for critical error conditions.
  11. Information System Controls
  12. Physical Access Physical access is a term used in computer security that refers to the ability of people to physically gain access to a computer system. Physical access control can be achieved by a human (a guard, bouncer, or receptionist), or through mechanical means such as locks and keys, or through technological means such as access control systems like the swipe card system.
  13. Objectives of Physical Access Controls i. Physical access controls encompass securing physical access to computing equipment as well as to the facilities housing the IS computing equipment and supplies. The choice of safeguards should be such that they prevent unauthorized physical access while causing very little inconvenience to authorized users. ii. Physical access controls restrict physical access to resources and protect them from intentional and unintentional loss or impairment. Assets to be protected include: primary computer facilities, cooling system facilities, microcomputers, and telecommunications equipment and lines, including wiring closets and sensitive areas such as buildings, individual rooms or equipment.
  14. Objectives of Physical Access Controls Cont… iii. Physical access controls include manual door or cipher key locks, photo IDs and security guards, entry logs, perimeter intrusion locks, etc. The controls are meant to: grant and discontinue access authorizations; control passkeys and entry during and after normal business hours; handle emergencies; control the deposit and withdrawal of tapes and other storage media to and from the library. iv. Physical controls also include: pre-planned appointments, identification checks, controlling the reception area, logging in visitors, escorting visitors while in sensitive areas, etc.
  15. Physical Access Issues and Exposures Who are the possible attackers or perpetrators? Which facilities need to be protected against these attackers? What can go wrong? Assets such as data, hardware, software, facilities and employees are all under threat. What could happen if someone forcibly or accidentally entered your house?
  16. Physical Access Threats to Assets Physical threats to information system assets comprise threats to computing equipment, the facilities which house the equipment, media and people. The focus of the IS Auditor is to examine all factors that adversely affect the confidentiality, integrity and availability of information due to improper physical access. Confidentiality: preventing disclosure of information to unauthorized individuals or systems. Integrity: preventing modification or destruction of data by unauthorized persons or processes. Availability: keeping information and systems accessible to authorized users whenever they are needed.
  17. Physical access threats are of four kinds: Electrical: Electrical vulnerabilities are seen in things such as spikes in voltage to different devices and hardware systems, or brownouts due to an insufficient voltage supply. Electrical threats also come from the noise of unconditioned power or of total power loss. Environmental: These include natural disasters such as fires, hurricanes, tornados, and flooding. Extreme temperature and humidity are also environmental threats. Hardware: It means a threat of physical damage to corporate hardware or its theft. Maintenance: These threats arise from the poor handling of electronic components, which cause ESD (electrostatic discharge), or because of the lack of spare parts, poor cabling, poor device labeling, etc.
  18. Sources of Physical Access Threats The sources of physical access threats can be broadly divided into the following: Physical access to IS resources by unauthorized personnel. Authorized personnel having pre-determined rights of access, misusing their rights in a manner prejudicial to the interests of the organization. Authorized personnel gaining access to Information Systems resources in respect of which they have no authorized access. Interested or informed outsiders such as competitors, thieves, organized criminals and hackers. Former employees. Ignorant people who unknowingly perpetrate a violation. Discontented or disgruntled employees. Employees on strike. Employees under termination or suspended and pending termination. Those addicted to drugs or gambling. People experiencing financial or emotional problems.
  19. Examples of Sources of Physical Access Threats Unauthorized persons gaining access to restricted areas, e.g. a prospective supplier gaining access to a computer terminal of the purchase department and viewing the list of authorized suppliers and their rates. Employees gaining access to areas for which they are not authorized, e.g. sales executives gaining access to the server room. Damage to, or theft of, equipment or other IS resources. Abuse of data processing resources, e.g. employees using the Internet for personal use. Damage due to civil disturbances and war. Theft of computer supplies, e.g. floppies, cartridges, printers and consumables. Public disclosure of sensitive information, e.g. information regarding the location of servers, or confidential or embarrassing information.
  20. Physical Access Exposures to Assets Unintentional or Accidental: When authorized or unauthorized personnel gain accidental physical access to IS resources, it can cause loss or damage to the organization. Deliberate: Unauthorized or authorized personnel may gain access to IS resources to which they have no right of access. This may result in the perpetrator achieving his objective of causing loss or damage to the organization. Losses: Improper physical access to IS resources may result in losses to the organization by compromising any one of the following: Confidentiality of organizational information or knowledge of protected organizational resources. Example: sensitive information on systems may be viewed or copied by visitors gaining unauthorized access to such systems. Integrity of information, by improper manipulation of information or data held on systems or media. Example: unauthorized access to record rooms or databases may result in modification or deletion of file content. Availability of information: improper access to IS resources may be used to adversely impact the availability of those resources, ultimately preventing or delaying access to organizational information and business applications. Example: a disgruntled bank employee may switch off power to information servers, thus sabotaging operations.
  21. Physical Access Control Techniques Administrative Controls i. Choosing and Designing a Secure Site: in the choice of location during initial planning for a facility the following concerns are to be addressed. Local considerations: local crime rate. External services: proximity to a police station. Visibility: data center identity (the facility should not advertise what it houses). Windows. Doors. ii. Security Management: controlled user registration procedure; audit trails; reporting and incident handling procedure. iii. Emergency Procedures. iv. Administrative Personnel Controls: pre-employment screening, ongoing employee checks, and post-employment procedures.
  22. Physical Access Control Techniques Cont… Technical Controls: These controls are technical solutions, which also have administrative aspects. Given below are various tools and techniques to achieve physical security: Electronic Logging; Controlled Single Point Access; Controlled Visitor Access; Wireless Proximity Readers; Alarm System; Motion Detectors; Secured Distribution Carts; Cable Locks; Port Controls; Switch Controls; Peripheral Switch Controls; Biometric Mouse; Laptop Security; Security Guards; Dogs; Compound Wall and Perimeter Fencing; Lighting; Deadman Doors; Bolting Door Locks; Combination or Cipher Locks; Electronic Door Locks; Biometric Door Locks; Video Cameras; Identification Badges; Manual Logging.
  23. Auditing Physical Access Controls Auditing physical access requires the auditor to review the physical access risks and controls in order to form an opinion on their effectiveness: Risk Assessment; Controls Assessment; Review of Documentation; Testing of Controls (for example, re-performing a review of the entry logs that the electronic logging control produces).
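The detective side of the controls listed above (electronic logging, control of entry after business hours, authorizations per area) is only useful if somebody actually reviews the log, which is what "Testing of Controls" amounts to in the audit step. The script below is an added example, not material from the presentation: it reads badge-reader events and flags entry to an area by a department that is not authorized for it, entry outside business hours, and anti-passback violations (a badge recorded entering twice with no exit in between, the usual symptom of tailgating or badge sharing). The log lines, badge numbers, departments, business hours and the authorization matrix are all constructed for the example; a real review would use the access-control system's export and its authorization records.

```python
"""Review of a physical access (badge reader) log as a detective control.

Added example. Every identifier below is constructed: the log, the badge IDs,
the departments, the authorization matrix and the business hours.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample export: timestamp, badge id, holder's department, area, direction.
SAMPLE_LOG = """\
2024-03-04T08:55:12 B1021 IT SERVER_ROOM IN
2024-03-04T09:40:03 B1021 IT SERVER_ROOM OUT
2024-03-04T10:02:44 B2077 SALES SERVER_ROOM IN
2024-03-04T12:15:00 B1021 IT SERVER_ROOM IN
2024-03-04T12:16:30 B1021 IT SERVER_ROOM IN
2024-03-04T22:47:09 B1033 IT SERVER_ROOM IN
2024-03-04T23:10:00 B1033 IT SERVER_ROOM OUT
"""

# Hypothetical authorization matrix: which departments may enter which area.
AUTHORIZED = {"SERVER_ROOM": {"IT", "FACILITIES"}}

# Hypothetical business hours; entries outside this window are exceptions to review.
BUSINESS_HOURS = (time(8, 0), time(19, 0))


def parse_log(text):
    """Parse whitespace-separated log lines into (datetime, badge, dept, area, direction)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, dept, area, direction = line.split()
        events.append((datetime.fromisoformat(ts), badge, dept, area, direction))
    return events


def review_badge_log(text, authorized=AUTHORIZED, hours=BUSINESS_HOURS):
    """Return a list of (finding_type, timestamp, badge, area) tuples.

    Finding types:
      UNAUTHORIZED_AREA  entry by a department not on the area's authorized list
      AFTER_HOURS        entry outside business hours (still authorized, but an exception)
      ANTI_PASSBACK      a second IN for the same badge and area with no OUT in between
    """
    findings = []
    inside = defaultdict(bool)  # (badge, area) -> currently inside according to the log
    for ts, badge, dept, area, direction in sorted(parse_log(text)):
        if direction == "IN":
            if dept not in authorized.get(area, set()):
                findings.append(("UNAUTHORIZED_AREA", ts.isoformat(), badge, area))
            if not (hours[0] <= ts.time() < hours[1]):
                findings.append(("AFTER_HOURS", ts.isoformat(), badge, area))
            if inside[(badge, area)]:
                findings.append(("ANTI_PASSBACK", ts.isoformat(), badge, area))
            inside[(badge, area)] = True
        elif direction == "OUT":
            inside[(badge, area)] = False
    return findings


if __name__ == "__main__":
    for finding in review_badge_log(SAMPLE_LOG):
        print(*finding)
```

On the constructed log this produces three findings: the SALES badge entering the server room, the IT badge that enters at 12:16 while the log still shows it inside from 12:15, and the IT badge entering at 22:47. Each finding is an exception for the auditor to trace back to an approved access request, an after-hours authorization, or a visitor escort record, not proof of an incident by itself.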
  24. Physical Control Techniques and their Suggested Audit Procedures
  25. Environmental Access Controls Examines the risks to IS resources arising from undesired changes in the environment. Environmental threats to information assets include threats to facilities and supporting infrastructure, which house and support the computing equipment, media and people. IS Auditor should review all factors that adversely bear on the confidentiality, integrity and availability of information, due to undesired changes in the environment or ineffective environmental controls.
  26. Objectives of Environmental Controls The objects to be protected from environmental threats are almost the same as discussed in the section on physical access controls: Hardware & Media Information Systems Supporting Infrastructure or Facilities Physical Premises, like Computer Rooms, Cabins, Server Rooms/Farms, Data Centre premises, Printer Rooms, Remote facilities and Storage Areas Communication Closets Cabling ducts Power Source Heating, Ventilation and Air Conditioning (HVAC) Documentation Supplies People
  27. Environmental Threats Natural Threats Natural disasters such as earthquakes, floods, volcanoes, hurricanes and tornadoes. Extreme variations in temperature such as heat or cold, snow, sunlight, etc. Static electricity. Humidity, vapours, smoke and suspended particles. Insects and organisms such as rodents, termites and fungi. Structural damage due to disasters. Man-made Threats Fire due to negligence and human action. War and bomb threats. Uncontrolled or unconditioned power: spikes, surges, low voltage. Equipment failure. Failure of air-conditioning, humidifiers, heaters. Food particles and residues, and undesired activities such as smoking in computer facilities. Structural damage due to human action, inaction or negligence. Electrical and electromagnetic interference (EMI) from generators and motors. Radiation. Chemical or liquid spills or gas leaks due to human carelessness or negligence.
  28. Environmental Threats iii. Exposures: Some examples of exposures from violation of environmental controls: A fire could destroy valuable computer equipment and supporting infrastructure as well as invaluable organizational data. Magnetic tapes use materials that are flammable. Poor quality power cables can overheat and cause fire. Lightning may burn out communication devices and computing equipment where earthing or grounding is improper. Continuous process systems bear the risk of internal component damage due to improper air conditioning or high humidity. Keyboards and other computing devices can be damaged by accidentally dropped beverages, liquids, etc. If organizational policies do not control the consumption of food and tobacco products near computer equipment, leftover food particles in computer facilities attract rodents and insects, which can damage cabling and hard disks. Chemical or liquid spills from a nearby unit may seep into the IPF (Information Processing Facility), damaging equipment. Sudden surges in power or other voltage fluctuations can irreversibly damage computer equipment. Fungus growth on tapes can render tapes and disks unreadable. EMI from generators can corrupt the contents of magnetic media. Water leakages can induce shocks and short circuits.
  29. Techniques of Environmental Controls Administrative Controls Choosing and designing a safe site The considerations during choosing a location: Natural Disaster Transportation: excessive air, highway, or road traffic External Services: police, fire, and hospitals or medical facilities Considerations during designing a site: Walls Ceilings Floors Windows Doors Media Protection Sprinkler System & Fire Alarm Water or gas lines Air Conditioning Electricity Connections
  30. Techniques of Environmental Controls ii. Facilities Planning: Environmental security clearance. Approved list of materials to be used for construction. Designated personnel assigned the responsibility for risk assessment procedures. The risk profile of the organization should take newer environmental threats into consideration. iii. Documentation. iv. People Responsibility and Training. v. Emergency Plan: reporting procedures; periodic inspection, testing and supervision of environmental controls; documented and tested emergency evacuation plans; administrative procedures, including incident handling procedures. vi. Vendors/Suppliers (Third Party). vii. Maintenance Plans. viii. MTBF and MTTR: Mean Time Between Failures measures how reliable a unit is, Mean Time To Repair how quickly it is restored. Availability is improved by selecting equipment with a high MTBF (or installing redundant units so that a single failure does not interrupt service) and by reducing MTTR; stocking spare parts on site and training maintenance personnel are the usual ways to reduce MTTR.
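The MTBF/MTTR point is worth seeing with numbers, because the three levers (higher MTBF, lower MTTR, redundancy) have very different pay-offs. The following is an added example, not part of the presentation: it computes steady-state availability MTBF / (MTBF + MTTR) for a single repairable unit, the availability of n redundant units under the assumption that their failures are independent and failover is immediate, and the resulting expected downtime per year. The MTBF and MTTR figures used are constructed, not taken from any vendor's specification.

```python
"""Availability arithmetic behind the MTBF/MTTR guidance.

Added example. The 50,000 h MTBF and the 8 h / 2 h MTTR figures are constructed
inputs chosen to illustrate the arithmetic, not real equipment data.
"""

HOURS_PER_YEAR = 24 * 365


def availability(mtbf_hours, mttr_hours):
    """Steady-state availability of one repairable unit: MTBF / (MTBF + MTTR)."""
    if mtbf_hours <= 0 or mttr_hours < 0:
        raise ValueError("MTBF must be positive and MTTR non-negative")
    return mtbf_hours / (mtbf_hours + mttr_hours)


def parallel_availability(unit_availability, n_units):
    """Availability of n identical units where any one of them keeps service up.

    Assumes independent failures and instantaneous failover. Units that share a
    power feed, a cooling plant or the same firmware defect violate that
    assumption, so treat the result as an upper bound, not a guarantee.
    """
    if not 0.0 <= unit_availability <= 1.0 or n_units < 1:
        raise ValueError("availability must lie in [0, 1] and n_units must be >= 1")
    return 1.0 - (1.0 - unit_availability) ** n_units


def annual_downtime_minutes(a):
    """Expected minutes of unavailability per year at availability a."""
    return (1.0 - a) * HOURS_PER_YEAR * 60


def evaluate_options(mtbf_hours, mttr_hours, faster_mttr_hours):
    """Compare the three levers for one piece of equipment.

    Returns availability for: the unit as specified, the same unit with MTTR cut
    to faster_mttr_hours (spares on site, trained staff), and two such units in
    parallel (redundancy).
    """
    single = availability(mtbf_hours, mttr_hours)
    return {
        "single_unit": single,
        "reduced_mttr": availability(mtbf_hours, faster_mttr_hours),
        "two_redundant_units": parallel_availability(single, 2),
    }


if __name__ == "__main__":
    # Constructed scenario: a UPS with MTBF 50,000 h; MTTR 8 h with off-site
    # spares, 2 h if spares are stocked locally.
    for name, a in evaluate_options(50000, 8, 2).items():
        print(f"{name:20s} availability={a:.8f} downtime/year={annual_downtime_minutes(a):8.3f} min")
```

With those inputs the single unit is down about 84 minutes a year; cutting MTTR from 8 h to 2 h brings that to about 21 minutes; a second independent unit brings it below a second. The comparison also shows why the auditor should check that "redundant" units really are independent: two UPSs fed from the same distribution board are not two units in parallel for the purpose of this formula.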
  31. Techniques of Environmental Controls Technical Controls Fire-resistant walls, floors and ceilings. Concealed protective wiring. Ventilation and air conditioning. Power supplies: some of the controls to ensure uninterrupted delivery of clean power are an Uninterruptible Power Supply (UPS) and generator; electrical surge protectors and line conditioners; power feeds from two sub-stations. Smoke detectors and fire detectors. Fire alarm. Emergency Power Off (EPO) switches inside and outside the IPF. Water detectors. Centralized disaster monitoring and control systems.
  32. Techniques of Environmental Controls ix. Fire Suppression Systems: Fire suppression systems for facilities are classed into a. Water Based Systems: wet-pipe sprinklers (pipes permanently charged with water) and dry-pipe sprinklers (pipes hold pressurized air and fill with water only when a head opens, which reduces the risk of leaks and frozen pipes above equipment). b. Gas Based Systems: carbon dioxide and Halon. Carbon dioxide displaces oxygen and is lethal to occupants, so it is suited only to unoccupied spaces or to systems with a pre-discharge alarm and delay. Halon production has been phased out under the Montreal Protocol because of its ozone-depleting effect; existing installations are typically replaced by clean agents such as FM-200 (HFC-227ea) or inert gas mixtures such as Inergen.
  33. Audit of technical controls The audit of environmental controls requires the IS auditor to conduct physical inspections and observe practices, which may include the following activities: Inspect the IPF and examine the construction with regard to the type of materials used for construction by referring to appropriate documentation. Visually examine the presence of water and smoke detectors, examine power supply arrangements to such devices, testing logs, etc. Examine location of fire extinguishers, fire fighting equipment and refilling date of fire extinguishers and ensure their adequate and appropriate maintenance. Examine emergency procedures, evacuation plan and marking of fire exits. If considered necessary, the IS Auditor can also require a mock drill to test the preparedness with respect to disaster. Examine documents for compliance with legal and regulatory requirements as regards fire safety equipment, external inspection certificate, and shortcomings pointed out by other inspectors/auditors.
  34. Audit of technical controls Examine power sources and conduct tests to assure the quality of power and the effectiveness of power conditioning equipment and generators; simulate power supply interruptions to test the effectiveness of back-up power. Examine environmental control equipment such as air-conditioners, dehumidifiers, heaters, ionizers, etc. Examine complaint logs and maintenance logs to assess whether MTBF and MTTR are within acceptable levels. Observe activities in the IPF for any undesirable activities such as smoking, consumption of eatables, etc. Documentation of findings As part of the audit procedures, the IS auditor should also document all findings in the working papers. The working papers could include the audit assessment, audit plan, audit procedures, questionnaires, interview sheets, inspection charts, etc.
  35. Few Examples of Environmental Controls and their Audit Procedures.