
Controls for Information Security

Chapter 8

Copyright © 2015 Pearson Education, Inc.
Learning Objectives

• Explain how information security affects information systems reliability.
• Discuss how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about the security of an organization's information system.
Trust Services Framework

• Security
▫ Access to the system and data is controlled and restricted to legitimate users.
• Confidentiality
▫ Sensitive organizational data is protected.
• Privacy
▫ Personal information about trading partners, investors, and employees is protected.
• Processing integrity
▫ Data are processed accurately, completely, in a timely manner, and only with proper authorization.
• Availability
▫ System and information are available.
Security Life Cycle

Security is a management issue.
Security Approaches

• Defense-in-depth
▫ Multiple layers of control (preventive and detective) to avoid a single point of failure
• Time-based model: security is effective if
▫ P > D + C, where
  - P is the time it takes an attacker to break through preventive controls
  - D is the time it takes to detect that an attack is in progress
  - C is the time it takes to respond to the attack and take corrective action
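The time-based model becomes useful once D and C are broken into the stages a defender can actually shorten. The following is an added example, not material from the textbook or its publisher; every control name and duration in it is constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class TimeBasedModel:
    """The slide's P > D + C, with D and C decomposed into named stages (minutes)."""
    preventive_minutes: float                              # P
    detection_stages: dict = field(default_factory=dict)   # stages that add up to D
    corrective_stages: dict = field(default_factory=dict)  # stages that add up to C

    @property
    def d(self) -> float:
        return sum(self.detection_stages.values())

    @property
    def c(self) -> float:
        return sum(self.corrective_stages.values())

    def margin(self) -> float:
        """P - (D + C); positive means the model judges the controls effective."""
        return self.preventive_minutes - (self.d + self.c)

    def is_effective(self) -> bool:
        return self.margin() > 0   # strict inequality: P == D + C is not enough

    def bottleneck(self) -> str:
        """Stage whose removal would shrink D + C the most: where to invest first."""
        stages = {**self.detection_stages, **self.corrective_stages}
        return max(stages, key=stages.get)


# Constructed durations, not measurements from any real environment.
# P: assume an attacker needs about 4 hours to defeat the preventive controls.
BASELINE = TimeBasedModel(
    preventive_minutes=240,
    detection_stages={"log_shipping": 10, "daily_log_review": 1440, "analyst_triage": 30},
    corrective_stages={"cirt_notification": 15, "containment": 60, "patch_and_restore": 120},
)
# Detective upgrade from the slide: continuous monitoring / IDS alerts replace daily review.
MONITORED = TimeBasedModel(240, {"log_shipping": 10, "ids_alert": 5, "analyst_triage": 30},
                           BASELINE.corrective_stages)
# Corrective upgrade: a rehearsed CIRT playbook shortens containment.
RESPONSIVE = TimeBasedModel(240, MONITORED.detection_stages,
                            {**MONITORED.corrective_stages, "containment": 45})

if __name__ == "__main__":
    for name, m in [("baseline", BASELINE), ("monitored", MONITORED), ("responsive", RESPONSIVE)]:
        print(f"{name}: D={m.d} C={m.c} margin={m.margin()} effective={m.is_effective()} "
              f"bottleneck={m.bottleneck()}")
```

Note that the monitored scenario lands exactly on P = D + C and is still judged ineffective, which is why the model is stated as a strict inequality.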
How to Mitigate Risk of Attack

Preventive Controls
• People
• Process
• IT solutions
• Physical security
• Change controls and change management

Detective Controls
• Log analysis
• Intrusion detection systems
• Penetration testing
• Continuous monitoring
Preventive: People

• Culture of security
▫ Tone set at the top by management
• Training
▫ Follow safe computing practices
  - Never open unsolicited e-mail attachments
  - Use only approved software
  - Do not share passwords
  - Physically protect laptops/cellphones
▫ Protect against social engineering
Preventive: Process

• Authentication verifies who the person is:
1. Something the person knows
2. Something the person has
3. Some biometric characteristic of the person
4. A combination of the three (multifactor authentication)
• Authorization determines what an authenticated person can access
Preventive: IT Solutions

• Antimalware controls
• Network access controls
• Device and software hardening controls
• Encryption
Preventive: Other

• Physical security access controls
▫ Limit entry to the building
▫ Restrict access to network and data
• Change controls and change management
▫ Formal processes in place regarding changes made to hardware, software, or processes
Corrective

• Computer Incident Response Team (CIRT)
• Chief Information Security Officer (CISO)
• Patch management
Key Terms

• Defense-in-depth
• Time-based model of security
• Social engineering
• Authentication
• Biometric identifier
• Multifactor authentication
• Multimodal authentication
• Authorization
• Access control matrix
• Compatibility test
• Border router
• Firewall
• Demilitarized zone (DMZ)
• Routers
• Access control list (ACL)
• Packet filtering
• Deep packet inspection
• Intrusion prevention system
• Remote Authentication Dial-in User Service (RADIUS)
• War dialing
• Endpoints
• Vulnerabilities
• Vulnerability scanners
• Hardening
• Change control and change management
• Log analysis
• Intrusion detection system (IDS)

Key Terms (continued)

• Penetration test
• Computer incident response team (CIRT)
• Exploit
• Patch
• Patch management
• Virtualization
• Cloud computing
