Controls_for_Information_SecurityChapter_88-1Copyright__2015

Controls for Information Security

Chapter 8

8-1

Trust Services Framework

Security

Access to the system and data is controlled and restricted to legitimate users.

Confidentiality

Sensitive organizational data is protected.

Privacy

Personal information about trading partners, investors, and employees are protected.

Processing integrity

Data are processed accurately, completely, in a timely manner, and only with proper authorization.

Availability

System and information are available.

8-2

The trust services framework is a means to organize IT controls to help ensure systems reliability. At the foundation of this framework is security which is absolutely necessary for success and for achieving the other four principles.

Security procedures:

Restrict access to authorized users only

which protects confidentiality of sensitive organizational data and the privacy of personal

data collected from customers, suppliers, employees, and so on.

Security protects the processing integrity by preventing submission of unauthorized transactions or unauthorized changes to the data.

Security provides protection from unwanted attacks that could bring down the system and make it unavailable.

8-3

This is a good visual of the Trust Services Framework

Using an analogy of building a house, you need a good foundation; otherwise the house will fall apart. Then to keep the roof over your head, you need to have wel-constructed walls.

Similarly, for good systems reliability you need a good foundation of Security. The walls are the four pillars focused on maintaining good systems reliability.

Security Life Cycle

Security is a management issue

8-4

Although technologies tools are used for security and the security expertise is within an IT department, effective security must have the support of senior management to understand the potential threats to an organizations information systems which would impede the organization from achieving its goals.

As we previously discussed about threats to an AIS, management must assess the threat to an AIS and determine how to respond (reduce, accept, share, avoid). The second step is to develop security policies (e.g., employees should not click on any links embedded into e-mails) and make sure that those policies are communicated (best way is through training).

The third step is to invest in the necessary resources (human and technology) to reduce the security threats. Finally, active monitoring to evaluate the security effectiveness provides a feedback loop as management may need to make updates based upon new threats or techniques that affect security.

Overall, management is responsible for maintaining a “culture of security”. The fourth step requires monitoring of performance because if you do not monitor how well you are doing with your objectives, how do you know if it is achieved?

Security Approaches

Defense-in-depth

Multiple layers of control (preventive and detective) to avoid a single point of failure

Time-based model, security is effective if:

P > D + C where

P is time it takes an attacker to break through preventive controls

D is time it takes to detect an attack is in progress

C is time it takes to respond to the attack and take corrective action

8-5

How to Mitigate Risk of Attack

Preventive Controls

Detective Controls

People

Process

IT Solutions

Physical security

Change controls and change management

Log analysis

Intrusion detection systems

Penetration testing

Continuous monitoring

8-6

Preventive: People

Culture of security

Tone set at the top with management

Training

Follow safe computing practices

Never open unsolicited e-mail attachments

Use only approved software

Do not share passwords

Physically protect laptops/cellphones

Protect against social engineering

8-7

Preventive: Process

Authentication—verifies the person

Something person knows

Something person has

Some biometric characteristic

Combination of all three

Authorization—determines what a person can access

8-8

These two concepts are related, to get into a system, you need to be authenticated, then authorization is where you are allowed to go once you are in the system.

Preventive: IT Solutions

Antimalware controls

Network access controls

Device and software hardening controls

Encryption

8-9

Preventive: Other

Physical security access controls

Limit entry to building

Restrict access to network and data

Change controls and change management

Formal processes in place regarding changes made to hardware, software, or processes

8-10

Corrective

Computer Incident Response Team (CIRT)

Chief Information Security Officer (CISO)

Patch management

8-11

blog6

Get help from top-rated tutors in any subject.