Controls for Information Security
Chapter 8
8-1
Copyright © 2015 Pearson Education, Inc.
Trust Services Framework
Security
Access to the system and data is controlled and restricted to legitimate users.
Confidentiality
Sensitive organizational data is protected.
Privacy
Personal information about trading partners, investors, and employees is protected.
Processing integrity
Data are processed accurately, completely, in a timely manner, and only with proper authorization.
Availability
System and information are available.
The trust services framework is a means to organize IT controls to help ensure systems reliability. At the foundation of this framework is security, which is absolutely necessary for success and for achieving the other four principles.
Security procedures restrict access to authorized users only, which protects the confidentiality of sensitive organizational data and the privacy of personal data collected from customers, suppliers, employees, and so on.
Security protects the processing integrity by preventing submission of unauthorized transactions or unauthorized changes to the data.
Security provides protection from unwanted attacks that could bring down the system and make it unavailable.
This is a good visual of the Trust Services Framework
Using an analogy of building a house, you need a good foundation; otherwise the house will fall apart. Then, to keep the roof over your head, you need to have well-constructed walls.
Similarly, for good systems reliability you need a good foundation of Security. The walls are the four pillars focused on maintaining good systems reliability.
Security Life Cycle
Security is a management issue
Although technology tools are used for security and security expertise resides within the IT department, effective security must have the support of senior management, who need to understand the potential threats to an organization's information systems that would impede the organization from achieving its goals.
As previously discussed regarding threats to an AIS, management must assess the threat to an AIS and determine how to respond (reduce, accept, share, avoid). The second step is to develop security policies (e.g., employees should not click on any links embedded in e-mails) and make sure that those policies are communicated (the best way is through training).
The third step is to invest in the necessary resources (human and technology) to reduce the security threats. Finally, active monitoring to evaluate security effectiveness provides a feedback loop, as management may need to make updates based upon new threats or techniques that affect security.
Overall, management is responsible for maintaining a “culture of security”. The fourth step requires monitoring of performance, because if you do not monitor how well you are doing against your objectives, how do you know whether they have been achieved?
Security Approaches
Defense-in-depth
Multiple layers of control (preventive and detective) to avoid a single point of failure
Time-based model: security is effective if P > D + C, where
P is the time it takes an attacker to break through preventive controls
D is the time it takes to detect that an attack is in progress
C is the time it takes to respond to the attack and take corrective action
How to Mitigate Risk of Attack
Preventive Controls:
  People
  Process
  IT Solutions
  Physical security
  Change controls and change management
Detective Controls:
  Log analysis
  Intrusion detection systems
  Penetration testing
  Continuous monitoring
Preventive: People
Culture of security
Tone set at the top with management
Training
Follow safe computing practices
Never open unsolicited e-mail attachments
Use only approved software
Do not share passwords
Physically protect laptops/cellphones
Protect against social engineering
Preventive: Process
Authentication—verifies the person
Something person knows
Something person has
Some biometric characteristic
Combination of all three
Authorization—determines what a person can access
These two concepts are related: to get into a system, you must first be authenticated; authorization then determines where you are allowed to go once you are in the system.
Preventive: IT Solutions
Antimalware controls
Network access controls
Device and software hardening controls
Encryption
Preventive: Other
Physical security access controls
Limit entry to building
Restrict access to network and data
Change controls and change management
Formal processes in place regarding changes made to hardware, software, or processes
Corrective
Computer Incident Response Team (CIRT)
Chief Information Security Officer (CISO)
Patch management