Professional Documents
Culture Documents
Chap3 Part 2 Controls
Chap3 Part 2 Controls
ch.3 - part ii
Please note: This notes is meant for the presentation purposes only, it’s compact and summarised.
Students are requested to study from jksc notes or module in parallel to this for best results
- Abhishek Mehta
Policies, Procedures, Practices and
Organisational Structures
designed to provide
reasonable assurance
that
are
P,D&C
Prevented, Detected and Corrected.
Classi cation of control
xxxxxxxxxx
xxxxxxxxxx
xxxxxxxxxx
waterproof walls ceiling & oors
adequate drainage
installations on upper oors,not top
Water leakage alarms
Install alarms at strategic points
fl
fl
Electrical
Exposures
non availability
or
spikes/voltage
fl
uctuation
UPS / Generator
Voltage regulators
And
Circuit
breaker
In case of emergency
Pollution
major pollutant is dust…caught between
surface of hard disk and R/W head.
Prohibition of
eating , drinking, smoking within the facility
Others
fi
on
tr
ol
la’C
s
LOGICAL ACCESS CONTROLS
app
user
&
access
monitoring
mgmt
sys
access
ctrl
network os
user
access access
responsibility
ctrl ctrl
1. User access
management
Registration
User
Review access Privilege
mgmt
Password
user info
documented
who
Registration
why
User
Review access Privilege
mgmt
Password
requirements
Privilege responsibilities
minimal w.r.t
job function
Registration
User
Review access Privilege
mgmt
Password
Password
default educate
screen
functions
allocate reissue
store revoke
Registration
User
Review access Privilege
mgmt
Password
need changes
periodic
Review
job
pro le
anomalies
privileges
granted
fi
Registration
User
Review access Privilege
mgmt
Password
2) User
Responsibility
Mandatory
Mandatory
• equipment under
Mandatory responsibility protected
• secured with passwords
• not leave accessible to
others
to maintain con dentiality
fi
3) Network access
control
Policy on internet ser vice
use
of =
network
services business needs only
• restricted n/w
traffic
• based on source
and
• access policy
Enforced path
• specify the exact path or
route.
• pass through proxy & rewall
fi
what’s
the time
what’s www
the time
proxy
it’s 9
it’s 9
Access Control between network
from only
from
both authorised
both
sides user
sides
Can be placed within intranet
Company’s
Intranet
vpn
S
O
N
public
vpn
Segregation of
S
Network O
based on sensitive N
info
public
vpn
S
O
N
public
what : process…converts data to secret code
why: for safety of data during transmission or storage
in DB
how: using encryption algorithm key we convert clear
text to cipher text..decrypted by receiver.
approached using
private key and public key
vpn
S
O
N
public
keeps intruder off the net
user enters pwd and on authorisation
connection is est.
only authorised terminal or telephones
vpn
S
O
N
public
Policy on use of network
services
applicable to internet service requirements
based on business need
Traf c management
fi
fi
fi
Enforced path
• Based on risk assessment,
It is necessary to specify the exact path or
route connecting the networks.
fi
Firewall
System that enforces access control between two
networks.
all traf c must pass through the rewall that will allow only
authorized traf c between the organization and the outside
to pass through it.
The rewall must be immune to penetrate from both side
Can be used to insulate portions of the organization’s
Intranet from internal access also.
fi
fi
fi
fi
ctrl bet network
only authorised user
from both sides
can be placed within intranet
SON
• Segregation of networks:
Based on the sensitive information handling
function.
eg : VPN
Encryption
what: conversion of data into a secret code
why: for storage in databases and transmission over networks.
T
how: The sender uses an encryption algorithm with a key to
convert the original message called the Clear text into Cipher
text. This is decrypted at the receiving end. Two general
approaches are used for encryption viz. private key and
public key encryption.
Call back devices
Call Back Devices:
to keep the intruder off the network rather than imposing
security measure after the criminal has connected to the network.
The call- back device requires the user to enter a password
and then the system breaks the connection.
If the caller is authorized, the call back device dials the
caller’s number to establish a new connection.
This limits access only from authorized terminals or telephone
numbers and prevents an intruder masquerading as a legitimate
user.
keeps intruder off the net
user enters pwd and on authorisation
connection is est.
only authorised terminal or telephones
Policy on use of network
services
Network connection and
routing control
Enforced path
Firewall
SON
Encryption
Call back devices
Network access control
III) Operating System
access control
OS is
computer control program
allows users and their applications
to access computer resources,
such as processor, main memory, database
and printers,etc.
Terminal log-on procedures
Prevent unauthorized access.
Validates ID and Password.
Key security feature
Password management
system
STRONG
PASSWORD
• Approve actions
when is token created
what it contains
+
Access control list
d,
ou or
p
gr w
er ss
s
us, pa
ht
gs ig
ID
lo r
ss
ce
ac
compare Contains
access privileges
info
Grant
Access
Use of System Utilities
Use of System Utilities
• manage critical functions
• e.g. +/- Users
• Not accessible to general
users
• strictly controlled and
logged.
contains critical functions of OS
O.S.A.C
I&A
O.S.A.C
(V)
Application and monitoring
system
access control
1) Information access
restriction
R/W
2.Sensitive System Isolation
critical
isolated
monitor
report
sys with critical constitution
isolated environment—>pc
monitoring system access —
>dc
Report unauthorised access
critical
isolated
monitor
report
3.Event logging
Maintain all events log
Review logging
archive logs properly.
All ⇄ requests 🔴 transaction log.
provides information
GMT / IST
( GMT+5:30 )
Event logs maintained across an enterprise network
plays a signi cant role in correlating an event and
generating report on it.
User
Review access Privilege
mgmt
Password
2) User Responsibility
1) Password Use 2) Unattended user equipments
• equipment under
Mandatory responsibility protected
• secured with passwords
• not leave accessible to
others
to maintain con dentiality
fi
Network access control
I&A
O.S.A.C
Application and monitoring
system access control
2) Physical access control
Related to physical security
of the tangible resources and intangible
resources stored on tangible media
e.g.:
cctv monitoring
access ctrl doors
security guards,etc.
4 PAC:
• lock on doors
• physical identi cation medium
• logging on facilities
• others
fi
4 PAC:
• Lock
• PIM
• Logs
• Others
i)locks on door
1)Cipher lock:
2)bolting door lock
3)
electronic
door locks
ii)physical identi cation
medium
fi
1) PIN
2)Plastic card
3)identi cation badges
fi
iii)logging on facilities
manual logging
electronic logging
(electronic+biometric)
iv) Others
Perimeter Fencing
SECURITY GUARDS
video camera
CONTROLLED VISITOR ACCESS
an employee hired to escort a visitor
Bonded personnel
all service contract personnel made to sign a
bond
Controlled single entry point
Dead man door
Computer terminal locks
Ensure devices
not turned on
or
disengaged
by unauthorised.
Non-exposure of sensitive
facilities
Control over Out of Hours
for Employees
Secured report/
document
distribution cart
means
MANAGEMENT 2 achieve
E A L
T
R
A to achieve goal as
responsibility, and jd N A
N
O
D
per planning
steering
CONTROL committee
I
S
L
E
motivating O
C
O determine
TOP goal L R
N guiding & E G P
means 2 achieve DA
MANAGEMENT A L
T A
communicating
R N
I N
O
L steering committee
CONTROL S
(objective harmony) E
comparing
Jaisa actuals
meine plan Kiyawith C O
determine
planned
TOP
Waise Hua k nahin goal L O R
P
E N G
means
MANAGEMENT2 achieve T A L
if deviates >> apply A
D R N A
N
corrections
steering
CONTROL committee
O
L
I
S
E
Planning:
Resource req: s/w dev,acquisition &
1
implementation
2 factors:
• S/w Size
• Uncertainty of user req &
supporting technology
Design
2
>systematic
>structured or OO
Coding
>module implementation
3
and integration
>documented
Testing
• unit
4
• integration
• whole of program
Operation & Maintenance
Implement & monitor operations
3 types
repair
RAP
5
adaptive
perfective
Control
> monitor progress vs
plan…deviation corrected
6
> ctrl to ensure accurate &
complete
PERT
WBS
GANTT
CHART
PLANNING
CONTROL
DESIGN
OP &
CODING
MAINTENANCE
TESTING
System Development
Management Control
'3
'3
'3
'3
'3
'3
'3
'3
'3
'3
'3
'3
'3
'3
'3
Problem de nition and feasibility
assessment
Hardware El Software
fi
DRMC
5
Security Management Control
IS Assets
H/w Sys App Data
s/w s/w
Personnel Facility
Doc
Assets are secure
when the expected losses that will occur
over some time,
are at an acceptable level.
Physical ctrl
Environmental ctrl
DISASTER
business continuity
to
recover operations
&
mitigate losses
Disaster Recovery Plan
&
insurance
6
Operation
Mgmt
Ctrl
Computer Operations
Data preparation and entry
directly
indirectly
need speed
N
accuracy
Documentation and Program Library
DOCUMENTATION
LIBRARIAN
PP STORED
SECURED
JD
UP-TO DATE
ADEQUATE B.U
SOD
Doc > Librarians
-stored securely
-kept up-to- date
- and backup
DOC:
includes PP,SOD,JD,Responsibility & authority of each
function of org
File Library:
Monitoring
PERFORMANCE
MAKE
RESOURCE
IDENTIFY
AVAILABLE
RESOURCE
DEFICIENCY
HELPDESK/ TECHNICAL SUPPORT
PROVIDE TECHNICAL
ASSISTANCE
ASSIST END
USER
MANAGEMENT OF OUTSOURCED
OPERATIONS
PRODUCTION CONTROL
basically all production jargons…
Receipt n
dispatch of
input and Managing acquisition of
output SLA computer
consumables
JOB
transfer
SCHEDULING pricing
OMC
Computer
Helpdesk
operation Data prep & Entry
Capacity Production
planning control
File library
Quality Assurance management is concerned with ensuring that the –
♦ Information produced by the information systems function achieve certain
quality goals; and
Quality Assurance (QA) personnel should work to improve the quality of information
systems produced, implemented, operated, and maintained in an organization. They
perform a monitoring role for management to ensure that –
♦ Quality goals are established and understood clearly by all stakeholders; and
♦ Compliance occurs with the standards that are in place to attain quality
information systems.
Best industrial practices incorporated
Quality Assurance Mgmt Control
Info produced >> Quality Goal
DIOM>>> Std
Digital Signatures are not constant like analog signatures – they vary across
messages and cannot be forged.
Cryptography
Plain text
Cipher text
3 ways
>transposition
>substitution
>product cipher
transposition
1234>>> 2143
substitution
1234>>>abcd
product cipher
1234>>>badc
Accounting audit trail…boundary control
fraud
error
SOURCE
DOC
CONTROL
use
physical
source doc
for txn.
fraud
to remove
assets
Input Controls:
authorization,
reasonableness,
accuracy , completeness,
and
integrity.
4 types
transcription
1. addition
12345 —> 712345
2. truncation
✂12345 —> 2345
DATA 3. substitution
CODE 12345 —> 92345
CONTROL
transposition
Reduces errors ⇌12345 —> 21345;
during data feed
grouping
BATCH
related
CONTROL
transaction
B.control
prevent or detect
errors
1. nancial total
2. hash total
3.doc or record counts
fi
VALIDATION
Detect err b4 processing
CONTROL
1.Field 2.Record
3.File
Check Check
Check
• examine the type of
• version
characters reasonableness
• labelling i/e
• picture check check
• data le sec
• limit check • sequence check
• data le updation &
• valid code check • sign check
maintenance
Batch check
• Transaction type
• Sequence check
fi
fi
Input Control VALIDATION
SOURCE DATA BATCH CONTROL
DOC CODE CONTROL detect err b4 processing
CONTROL CONTROL
grouping 1.Field
use transcription related Check
physical 1. addition transaction examine characters
source doc 12345 > 712345
for txn. prevent pic/lim/valid code check
or detect
fraud 2. truncation 2.Record
errors
to remove ✂12345 > 2345 Check
1. nancial total reasonable/seq/sign
assets
2. hash total
3. substitution 3.File
3.doc/record counts
12345 > 92345 Check
ver/lab/sec/
transposition Batch check updating.maintenance
⇌12345 > 21345;
• Transaction type
• Sequence check
fi
III Communication
Control
Physical
Component
Ctrl
Line
Flow
Error
Ctrl
Ctrl
Link Channel
Ctrl Access
Ctrl
Topology ctrl
Processing Control
where does processing takes place?
PROCESSOR
program execution done in
PROCESSOR
program k instructions kaha store hote hai
Real Memory
or
Virtual Memory
who manages memory resources, application
programs etc
O.S
Processor Control
Error Detection
Multiple
&
Execution Timing Component
Correction
States control Replication
malfunction determine OS may get processor
number stuck failure…
transient(temp)
and in in nite loop loss
intermittent(bar bar) nature of
execution states utilising important to
permanent have
processor
Helps auditor redundant
making it
understand processors
unavailable
where
for other
unauthorised
programs
access is
possible
fi
2.Real memory Control
what: primary storage in which data/prog reside
controls :
• det n correct err
• also protect areas assigned to a particular prog
from illegal access of other prog
3) Virtual Memory Control
• when real memory is insuf cient for a task
• mechanism that maps real mem to virtual memory
addresses
fi
Some poeple wish to see you fail,
Disappoint them
https://tinyurl.com/eischap3part2
https://tinyurl.com/tallysod