Controls for Information Security Chapter 8
Learning Objectives
• Explain how information security affects information systems reliability.
• Discuss how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about the security of an organization’s information system.
Trust Services Framework
• Security
  • Access to the system and data is controlled and restricted to legitimate users.
• Confidentiality
  • Sensitive organizational data is protected.
• Privacy
  • Personal information about trading partners, investors, and employees is protected.
• Processing integrity
  • Data are processed accurately, completely, in a timely manner, and only with proper authorization.
• Availability
  • System and information are available.
Security Life Cycle
• Security is a management issue
Security Approaches
• Defense-in-depth
  • Multiple layers of control (preventive and detective) to avoid a single point of failure
• Time-based model: security is effective if
  • P > D + C, where
  • P is the time it takes an attacker to break through preventive controls
  • D is the time it takes to detect that an attack is in progress
  • C is the time it takes to respond to the attack and take corrective action
How to Mitigate Risk of Attack
Preventive Controls
• People
• Process
• IT Solutions
• Physical security
• Change controls and change management
Detective Controls
• Log analysis
• Intrusion detection systems
• Penetration testing
• Continuous monitoring
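As an added illustration that is not part of the slides, the following Python script ties a simple log-analysis detective control (repeated failed logins from one source) to the time-based model P > D + C: the time between the first failed attempt and the alert is the D of the model. The log lines, the alert threshold, and the assumed P and C values are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the slides): one source makes
# five failed logins in eight seconds, another source fails once.
SAMPLE_LOG = """\
2024-03-01T09:00:00 sshd[2310]: Failed password for root from 203.0.113.5 port 50122
2024-03-01T09:00:02 sshd[2310]: Failed password for root from 203.0.113.5 port 50123
2024-03-01T09:00:04 sshd[2310]: Failed password for admin from 203.0.113.5 port 50124
2024-03-01T09:00:06 sshd[2310]: Failed password for admin from 203.0.113.5 port 50125
2024-03-01T09:00:08 sshd[2310]: Failed password for root from 203.0.113.5 port 50126
2024-03-01T09:00:11 sshd[2311]: Accepted password for alice from 198.51.100.7 port 40100
2024-03-01T09:05:00 sshd[2312]: Failed password for bob from 198.51.100.7 port 40101
"""

FAILED_RE = re.compile(r"^(\S+) sshd\[\d+\]: Failed password for \S+ from (\S+)")


def detect_failed_login_bursts(log_text, threshold=5, window=timedelta(minutes=1)):
    """Detective control: alert on a source after `threshold` failed logins within `window`.

    Returns {source_ip: (first_failure, alert_time)}. alert_time - first_failure is the
    model's D: how long the attack ran before the log analysis noticed it.
    """
    recent = defaultdict(list)  # source_ip -> failure timestamps still inside the window
    first_seen, alerts = {}, {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:               # successful logins and other records are ignored
            continue
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        first_seen.setdefault(ip, ts)
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= threshold and ip not in alerts:
            alerts[ip] = (first_seen[ip], ts)
    return alerts


def is_effective(p, d, c):
    """Time-based model from the slides: controls are adequate when P > D + C."""
    return p > d + c


if __name__ == "__main__":
    for ip, (first, when) in detect_failed_login_bursts(SAMPLE_LOG).items():
        d = when - first
        # Assumed figures: P = 15 min to defeat preventive controls, C = 10 min to respond.
        print(ip, "detected after", d, "-> effective:",
              is_effective(timedelta(minutes=15), d, timedelta(minutes=10)))
```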
Preventive: People
• Culture of security
  • Tone set at the top by management
• Training
  • Follow safe computing practices
  • Never open unsolicited e-mail attachments
  • Use only approved software
  • Do not share passwords
  • Physically protect laptops/cellphones
  • Protect against social engineering
Preventive: Process
• Authentication—verifies the person
  • Something the person knows
  • Something the person has
  • Some biometric characteristic
  • Combination of all three
• Authorization—determines what a person can access
Preventive: IT Solutions
• Antimalware controls
• Network access controls
• Device and software hardening controls
• Encryption
Preventive: Other
• Physical security access controls
  • Limit entry to building
  • Restrict access to network and data
• Change controls and change management
  • Formal processes in place regarding changes made to hardware, software, or processes
Corrective
• Computer Incident Response Team (CIRT)
• Chief Information Security Officer (CISO)
• Patch management
Key Terms
• Defense-in-depth
• Time-based model of security
• Social engineering
• Authentication
• Biometric identifier
• Multifactor authentication
• Multimodal authentication
• Authorization
• Access control matrix
• Compatibility test
• Border router
• Firewall
• Demilitarized zone (DMZ)
• Routers
• Access control list (ACL)
• Packet filtering
• Deep packet inspection
• Intrusion prevention system
• Remote Authentication Dial-in User Service (RADIUS)
• War dialing
• Endpoints
• Vulnerabilities
• Vulnerability scanners
• Hardening
• Change control and change management
• Log analysis
• Intrusion detection system (IDS)
Key Terms (continued)
• Penetration test
• Computer incident response team (CIRT)
• Exploit
• Patch
• Patch management
• Virtualization
• Cloud computing