
PrE 5: Information Security and Management

LESSON 2: THREATS AND ATTACKS, SECURITY CONTROLS, ETHICS in InfoSec
Angelina Marie R. Santos, MBA

Learning Objectives

• Identify different threats and attacks
• Define security controls
• Elaborate the different sets of security controls
• Discuss ethics in InfoSec

Threats and Attacks

Threats

A threat represents a potential risk to an information asset, whereas an attack represents an ongoing act against the asset that could result in a loss. Threat agents damage or steal an organization’s information or physical assets by using exploits to take advantage of a vulnerability where controls are not present or no longer effective.

SECURITY CONTROLS

What are security controls?

Security controls are countermeasures or safeguards used to reduce the chances that a threat will exploit a vulnerability.

Three different sets of security controls:
1. Managerial security controls
2. Operational security controls
3. Technical security controls

1. Management Security Controls

Managerial controls focus on the management of the information system and the management of risk for a system. They are techniques and concerns that are normally addressed by management.

The following are managerial security controls:
• Risk assessment
• Planning
• System and services acquisition
• Certification, accreditation, and security assessments

2. Operational Security Controls

Operational controls address security methods focusing on mechanisms primarily implemented and executed by people (not technology). These controls are put in place to improve the security of a particular system (or group of systems). They often require technical or specialized expertise and often rely on management activities as well as technical controls.

The following are operational security controls:
• Personnel security
• Physical and
• Contingency planning
• Awareness and training

3. Technical Security Controls

Technical controls focus on security controls that the computer system executes. The controls can provide automated protection against unauthorized access or misuse, facilitate detection of security violations, and support security requirements for applications and data. Technical controls use software and data to monitor and control access to information and computing systems.

The following are technical security controls:
• Encryption
• Antivirus and anti-malware software
• Firewalls

Ethics in InfoSec

What is Ethics?

Some define ethics as the organized study of how humans ought to act. Others define it as a set of rules we should live by. The student of information security is not expected to study ethics in a vacuum, but within a larger framework. However, InfoSec professionals may be expected to be more informed about the topic than others in the organization, and they must often withstand a higher degree of scrutiny.

The Ten Commandments of Computer Ethics

1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people’s computer work.
3. Thou shalt not snoop around in other people’s computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people’s computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people’s intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.
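To make the technical security controls section above concrete, the following is an added example written for this lesson; it is not code from the handout or from any product it names. It is a small host-firewall style packet filter that shows the three properties the lesson attributes to technical controls: automated protection (each packet is allowed or denied by rules the software applies, with default deny), detection (every denial is recorded in an audit log and repeat offenders are surfaced), and support for application requirements (the rule set is data that operators maintain). The policy, IP addresses, ports and packets are constructed sample values, and the class and function names are this example's own.

```python
"""Added example: a minimal rule-based packet filter as a technical control.
Everything here (Packet, Rule, Firewall, POLICY, SAMPLE_TRAFFIC) is
constructed for illustration; addresses and ports are sample values.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str            # source IP address of the packet
    dst_port: int       # destination port on this host
    proto: str = "tcp"  # transport protocol


@dataclass
class Rule:
    action: str                       # "allow" or "deny"
    src_net: str = "0.0.0.0/0"        # CIDR the source address must fall in
    dst_port: Optional[int] = None    # None matches any destination port
    proto: Optional[str] = None       # None matches any protocol
    name: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and (self.dst_port is None or self.dst_port == pkt.dst_port)
                and (self.proto is None or self.proto == pkt.proto))


@dataclass
class Firewall:
    rules: List[Rule]
    audit_log: List[str] = field(default_factory=list)
    denials_per_source: Counter = field(default_factory=Counter)

    def filter(self, pkt: Packet) -> str:
        """Protection: first matching rule wins; default deny when none match."""
        for rule in self.rules:
            if rule.matches(pkt):
                verdict = rule.action
                break
        else:
            rule, verdict = None, "deny"
        if verdict == "deny":
            # Detection: every denial is logged and counted per source.
            self.denials_per_source[pkt.src] += 1
            self.audit_log.append(
                f"DENY src={pkt.src} dport={pkt.dst_port}/{pkt.proto} "
                f"rule={rule.name if rule else 'default-deny'}")
        return verdict

    def suspicious_sources(self, threshold: int = 3) -> List[str]:
        """Detection: sources denied at least `threshold` times."""
        return sorted(s for s, n in self.denials_per_source.items() if n >= threshold)


# Constructed policy: HTTPS is public, SSH only from the admin subnet,
# any other SSH attempt is denied by name, everything else by default.
POLICY = [
    Rule("allow", dst_port=443, proto="tcp", name="public-https"),
    Rule("allow", src_net="10.0.5.0/24", dst_port=22, proto="tcp", name="admin-ssh"),
    Rule("deny", dst_port=22, name="block-ssh-from-elsewhere"),
]

# Constructed traffic: one legitimate web client, one admin, three SSH
# attempts from outside the admin subnet, one unexpected RDP probe.
SAMPLE_TRAFFIC = [
    Packet("203.0.113.7", 443),
    Packet("10.0.5.12", 22),
    Packet("203.0.113.7", 22),
    Packet("203.0.113.7", 22),
    Packet("203.0.113.7", 22),
    Packet("198.51.100.9", 3389),
]


def run_policy(packets=SAMPLE_TRAFFIC):
    """Apply POLICY to a packet list; return (verdicts, firewall with its log)."""
    fw = Firewall(rules=POLICY)
    verdicts = [fw.filter(p) for p in packets]
    return verdicts, fw


if __name__ == "__main__":
    verdicts, fw = run_policy()
    for p, v in zip(SAMPLE_TRAFFIC, verdicts):
        print(f"{v:5} {p.src}:{p.dst_port}/{p.proto}")
    print("audit log:", *fw.audit_log, sep="\n  ")
    print("suspicious sources:", fw.suspicious_sources())
```

Run it directly to see the verdicts, the audit log and the list of sources that crossed the denial threshold. The design choice worth noticing is that the control does two jobs at once: the same decision that blocks the packet also produces the record a security operations team would use to notice that a source keeps probing a closed service, which is the "facilitate detection of security violations" property from the lesson.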
