Part 1: Information Security: Information Systems Controls For System Reliability
8-2
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
AIS Controls
Information for Management Should Be:
Effectiveness: Information must be relevant and timely.
Efficiency: Information must be produced in a cost-effective manner.
Confidentiality: Sensitive information must be protected from unauthorized disclosure.
Integrity: Information must be accurate, complete, and valid.
Availability: Information must be available whenever needed.
Compliance: Controls must ensure compliance with internal policies and with external legal and regulatory requirements.
Reliability: Management must have access to appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities.
COBIT Framework
(Figure; legible domain labels: Plan & Organize, Deliver & Support)
COBIT Cycle
COBIT Controls
Trust Services Framework
Security
Access to the system and its data is controlled and restricted to legitimate users.
Confidentiality
Sensitive organizational information (e.g., marketing plans, trade secrets) is protected from unauthorized disclosure.
Privacy
Personal information about customers is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements and is protected from unauthorized disclosure.
Processing Integrity
Data are processed accurately, completely, in a timely manner, and only with proper authorization.
Availability
The system and its information are available to meet operational and contractual obligations.
Trust Services Framework
Security / Systems Reliability
Management’s Role in IS Security
Time-Based Model
Steps in an IS System Attack
(Figure; legible steps only)
Conduct reconnaissance
Attempt social engineering
Research
Cover tracks
Mitigate Risk of Attack
Preventive Control
Detective Control
Corrective Control
Preventive Control
Training
Authentication vs. Authorization
Authentication—verifies who a person is
1. Something the person knows
2. Something the person has
3. Some biometric characteristic of the person
4. A combination of all three
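As an added example (not part of the original slides or the textbook), the following Python script checks a combination of the first two factors: a salted PBKDF2 password hash for something the person knows, and an RFC 6238 time-based one-time code for something the person has. The user record layout, the demo password, the use of the RFC test secret and the one-step clock tolerance are assumptions made for this illustration.

```python
import hashlib, hmac, os, struct, time

ITERATIONS = 200_000  # PBKDF2 work factor; tune to the hardware in use

def enroll(password, totp_secret=None):
    """Create a user record: salted password hash plus a shared TOTP secret."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "pw_hash": pw_hash,
            "totp_secret": totp_secret or os.urandom(20)}

def check_knowledge(record, password):
    """Factor 1, something the person knows: constant-time hash comparison."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["pw_hash"])

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 time-based one-time password (HMAC-SHA1, dynamic truncation)."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def check_possession(record, code, unix_time=None, skew=1):
    """Factor 2, something the person has: accept the code for the current
    30-second step and +/- `skew` neighbouring steps to tolerate clock drift."""
    now = int(time.time() if unix_time is None else unix_time)
    return any(hmac.compare_digest(totp(record["totp_secret"], now + 30 * k), code)
               for k in range(-skew, skew + 1))

def authenticate(record, password, code, unix_time=None):
    """Both factors are always evaluated and must both pass, so the reply does
    not reveal which of the two failed."""
    ok_know = check_knowledge(record, password)
    ok_have = check_possession(record, code, unix_time)
    return ok_know and ok_have

def demo_record():
    """Constructed record using the RFC 6238 test secret (illustration only)."""
    return enroll("correct horse", totp_secret=b"12345678901234567890")
```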
Network Access Control
(Perimeter Defense)
Border router
Connects an organization’s information system to the Internet
Firewall
Software or hardware used to filter information
Internet Information Protocols
Device and Software Hardening
(Internal Defense)
End-Point Configuration
Disable unnecessary features that may be vulnerable to attack on servers, printers, and workstations
Software Design
Programmers must be trained to treat all input from external users as untrustworthy and to carefully check it before performing further actions.
Detective Controls
Log Analysis
Process of examining logs to identify evidence of possible attacks
Analyze logs of failed attempts to log on to a system and failed attempts to obtain access to specific information resources
Logs need to be analyzed regularly to detect problems in a timely manner
Log analysis requires human judgement to interpret and identify situations that are not "normal"
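As an added illustration (not from the slides or the textbook), the following Python script applies the kind of log analysis described above to a few constructed sample log lines: it groups failed logons by account and source address, and failed resource-access attempts by account and resource, and flags any key that fails at least three times inside a five-minute window, so that an isolated mistake does not raise an alert but a repeated pattern does. The log format, message patterns, thresholds and names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for illustration only (not from a real system).
SAMPLE_LOG = """\
2024-03-01T08:00:01 sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:03 sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:04 sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:09 sshd: Accepted password for alice from 10.0.0.5
2024-03-01T08:05:00 sshd: Failed password for bob from 10.0.0.7
2024-03-01T09:30:00 sshd: Failed password for bob from 10.0.0.7
2024-03-01T10:15:00 payroll: Access denied for carol to /reports/salary
2024-03-01T10:15:02 payroll: Access denied for carol to /reports/salary
2024-03-01T10:15:05 payroll: Access denied for carol to /reports/salary
"""

# Assumed message formats; keys are (user, source) and (user, resource).
PATTERNS = {
    "failed_logon": re.compile(r"Failed password for (\S+) from (\S+)"),
    "access_denied": re.compile(r"Access denied for (\S+) to (\S+)"),
}
TS_RE = re.compile(r"^(\S+) ")

def parse(log_text):
    """Yield (timestamp, kind, key) for each line that matches a pattern."""
    for line in log_text.splitlines():
        ts_m = TS_RE.match(line)
        if not ts_m:
            continue  # malformed line: skip it rather than abort the analysis
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                yield datetime.fromisoformat(ts_m.group(1)), kind, m.groups()

def find_bursts(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {(kind, key): peak count} for keys hit >= threshold times in one window."""
    events = defaultdict(list)
    for ts, kind, key in parse(log_text):
        events[(kind, key)].append(ts)
    alerts = {}
    for k, times in events.items():
        times.sort()
        start = 0  # sliding window: drop events older than `window`
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[k] = max(alerts.get(k, 0), end - start + 1)
    return alerts
```

The alerts returned are a starting point for the human judgement the slide calls for: each flagged key still has to be interpreted (a forgotten password versus a guessing attempt, a misconfigured report link versus someone probing for salary data).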
Detective Controls
Intrusion Detection
Consists of sensors and a central monitoring unit that create logs of network traffic that was permitted to pass the firewall and then analyze those logs for signs of attempted or successful intrusions
Intrusion detection can be installed on a specific device to monitor unauthorized attempts to change the device’s configuration
Produces warning alerts when it detects a suspicious pattern of network traffic
Detective Controls
Managerial Reports
Continuous monitoring of both employee compliance with the organization’s information security policies and the overall performance of business processes
Helps management design effective reports that highlight the areas most in need of attention
Detective Controls
Security Testing
Periodically test the effectiveness of business processes and internal controls, including security procedures
An authorized attempt by either an internal audit team or an external security consulting firm to break into the organization’s information system
Identifies where additional protections are most needed to increase the time and effort required to compromise the system
Corrective Controls
Patch Management
Fix known vulnerabilities by installing the latest updates
Security programs
Operating systems
Applications programs
Computer Incident Response Team
Recognize that a problem exists
Recovery
Follow-up
New Considerations
Virtualization
Multiple systems are run on one computer
Cuts hardware costs: fewer servers needed, lower maintenance cost, lower data center cost
Cloud Computing
Remotely accessed resources: software, data storage, hardware, applications
Cost savings: pay on a subscription basis instead of making IT capital investments
Improved flexibility: easier to change software and hardware
Risks
Increased exposure if a breach (hack) occurs: risk of theft and destruction, and unauthorized access to multiple systems
Confidentiality, privacy, processing integrity and availability are all affected
Opportunities
Implementing strong access controls in the cloud, or over the server that hosts a virtual network, provides good security over all the systems contained therein
Use multifactor authentication and physical access control
Virtual firewalls and intrusion detection systems, operated by cloud providers and by organizations
Depends on preventive, detective and corrective controls