
Controls for Information Security
Chapter 8
8-1
Learning Objectives

1) Explain how information security affects information systems reliability.
2) Discuss how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about the security of an organization’s information system.
8-2
8-3
Trust Services Framework

• Security
• Confidentiality
• Privacy
• Processing Integrity
• Availability
8-4
Two Fundamental Information Security Concepts

1. Security is a management issue, not just a technology issue
2. The time-based model of information security
8-5
Security is a Management issue, not just a technology issue

8-6
Time-Based Model of Security

The goal of the time-based model of security is to employ a combination of preventive, detective and corrective controls that protect information assets long enough to enable an organization to recognize that an attack is occurring and take steps to thwart it before any information is lost or compromised.
8-7
Time-Based Model of Security
>> For an effective information security system:

P > D + R

P = the time it takes an attacker to break through the various controls that protect the organization’s information assets
D = the time it takes for the organization to detect that an attack is in progress
R = the time it takes to respond to and stop the attack
8-8
Time-Based Model of Security

The time-based model of security leads to the strategy of defense-in-depth.

 Defense-in-depth entails using multiple layers of controls in order to avoid having a single point of failure.
 Defense-in-depth recognizes that although no control can be 100% effective, the use of overlapping, complementary, and redundant controls increases overall effectiveness because if one control fails or gets circumvented, another may succeed.
8-9
Steps in an IS System Attack

Conduct Reconnaissance
Attempt Social Engineering
Scan & Map Target
Research
Execute Attack
Cover Tracks
8-10
Protecting Information Resources
TIME-BASED MODEL COMPONENT: PREVENTIVE

People: creating a “security aware” culture
• Training
• User access control

Process:
• Penetration testing
• Change controls and change management

IT Solution:
• Anti-malware
• Network access controls
• Configuration controls
• Encryption
• Physical security
8-11
PREVENTIVE

PEOPLE: COBIT 5 identifies employee skills and competencies as another critical enabler for effective information security.

Training
Employees must understand how to follow the organization’s security policies.
All employees should be taught why security measures are important to the organization’s long-run survival.
They also need to be trained to follow safe computing practices.
8-12
PREVENTIVE

PROCESS: User Access Control

Authentication Controls
Authentication is the process of verifying the identity of the person or device attempting to access the system. The objective is to ensure that only legitimate users can access the system.

Authorization Controls
Authorization is the process of restricting access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform.
8-13
8-14
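As an added example (not from the slides or the textbook), the two controls above in working Python: authentication verifies a claimed identity against a salted password hash, and authorization then restricts what the authenticated user may do to the actions its role permits. The user names, roles, resources and the in-memory credential store are constructed for illustration only.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed in-memory credential store: username -> (salt, password hash, role).
# Passwords are never stored directly; only a salted PBKDF2 hash is kept.
CREDENTIALS: Dict[str, Tuple[bytes, bytes, str]] = {}

# Authorization matrix: role -> {resource: set of permitted actions}.
# Hypothetical roles and resources for illustration only.
PERMISSIONS: Dict[str, Dict[str, set]] = {
    "clerk":   {"ledger": {"read"}},
    "manager": {"ledger": {"read", "write"}, "reports": {"read"}},
    "auditor": {"ledger": {"read"}, "reports": {"read"}, "audit_log": {"read"}},
}

PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune for your hardware


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register_user(username: str, password: str, role: str) -> None:
    """Enrol a user with a fresh random salt and a known role."""
    if role not in PERMISSIONS:
        raise ValueError(f"unknown role: {role}")
    salt = os.urandom(16)
    CREDENTIALS[username] = (salt, _hash_password(password, salt), role)


def authenticate(username: str, password: str) -> Optional[str]:
    """Authentication: verify the claimed identity.

    Returns the user's role on success and None on failure.
    """
    record = CREDENTIALS.get(username)
    if record is None:
        # Hash anyway so response time does not reveal whether the username exists.
        _hash_password(password, b"\x00" * 16)
        return None
    salt, stored_hash, role = record
    # Constant-time comparison avoids leaking how many bytes matched.
    if hmac.compare_digest(_hash_password(password, salt), stored_hash):
        return role
    return None


def authorize(role: Optional[str], action: str, resource: str) -> bool:
    """Authorization: an authenticated user may only perform actions its role permits."""
    if role is None:
        return False
    return action in PERMISSIONS.get(role, {}).get(resource, set())


def access(username: str, password: str, action: str, resource: str) -> str:
    """The two-step check an application performs on each request."""
    role = authenticate(username, password)
    if role is None:
        return "denied: authentication failed"
    if not authorize(role, action, resource):
        return f"denied: role '{role}' may not {action} {resource}"
    return f"allowed: {username} ({role}) {action} {resource}"


if __name__ == "__main__":
    register_user("alice", "correct horse", "clerk")
    register_user("bob", "s3cret", "manager")
    print(access("alice", "correct horse", "read", "ledger"))   # allowed
    print(access("alice", "correct horse", "write", "ledger"))  # denied by authorization
    print(access("alice", "wrong password", "read", "ledger"))  # denied by authentication
```

Note that the authorization matrix is a separate decision from authentication: a user who proves who they are still gets nothing beyond what their role lists, which is how "limiting what actions they are permitted to perform" is enforced in code.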
PREVENTIVE

PROCESS: Penetration Testing
A penetration test is an authorized attempt by either an internal audit team or an external security consulting firm to break into the organization’s information system.
Penetration testing provides a more rigorous way to test the effectiveness of an organization’s information security.
8-15
PREVENTIVE
PROCESS: Change Control and Change Management
Change control and change management refer to the formal process used to ensure that modifications to hardware, software, or processes do not reduce systems reliability.
Good change control often results in better operating performance because there are fewer problems to fix.
8-16
PREVENTIVE

IT SOLUTION: Anti-Malware Control
Malware can damage or destroy information or provide a means for unauthorized access. Therefore, COBIT 5 section DSS05.01 lists malware protection as one of the keys to effective security.
PROTECTION RECOMMENDATION
1. Malicious software awareness education,
2. Installation of antimalware protection tools on all devices,
3. Centralized management of patches and updates to antimalware software,
4. Regular review of new malware threats,
5. Filtering of incoming traffic to block potential sources of malware, and
6. Training employees not to install shared or unapproved software.
8-17
PREVENTIVE

IT SOLUTION

• Network Access Control
  • Routers
  • Firewalls
  • Intrusion Prevention System
• Controlling Access by Filtering Packets
• Using Defense-in-Depth to Restrict Network Access
• Securing Dial-Up Connections
• Securing Wireless Access
8-18
8-19
DETECTION

Log analysis

Intrusion detection systems

Continuous monitoring

8-20
DETECTION
TIME-BASED MODEL COMPONENT: DETECTION

LOG ANALYSIS

Most systems come with extensive capabilities for logging who accesses the system and what specific actions each user performed.
These logs form an audit trail of system access. Like any other audit trail, logs are of value only if they are routinely examined. Log analysis is the process of examining logs to identify evidence of possible attacks.
8-21
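An added example, not part of the original slides, of what routine log analysis looks like in practice: a small Python script parses constructed authentication log lines (a made-up syslog-like format, not the output of any real product) and flags three patterns an analyst would want to examine: a burst of failed logins for one account from one source, a successful login immediately after such a burst, and a successful login outside business hours. The failure threshold, the five-minute window and the business-hours range are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log lines (not from any real system), one login event per line.
SAMPLE_LOG = """\
2024-03-04 09:12:01 authsvc login status=FAIL user=jsmith src=10.0.5.23
2024-03-04 09:12:04 authsvc login status=FAIL user=jsmith src=10.0.5.23
2024-03-04 09:12:07 authsvc login status=FAIL user=jsmith src=10.0.5.23
2024-03-04 09:12:09 authsvc login status=FAIL user=jsmith src=10.0.5.23
2024-03-04 09:12:12 authsvc login status=FAIL user=jsmith src=10.0.5.23
2024-03-04 09:12:15 authsvc login status=OK user=jsmith src=10.0.5.23
2024-03-04 09:30:44 authsvc login status=OK user=mlee src=10.0.7.8
2024-03-04 09:31:10 authsvc login status=FAIL user=mlee src=10.0.7.8
2024-03-04 09:31:20 authsvc login status=OK user=mlee src=10.0.7.8
2024-03-04 23:48:03 authsvc login status=OK user=admin src=198.51.100.17
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ login "
    r"status=(?P<status>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text: str) -> List[dict]:
    """Turn raw log text into structured events; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(ev)
    return events


def analyze(events: List[dict], fail_threshold: int = 5,
            window: timedelta = timedelta(minutes=5),
            business_hours: Tuple[int, int] = (7, 19)) -> List[str]:
    """Examine the audit trail and return human-readable findings for review."""
    findings: List[str] = []
    # Sliding window of recent failure timestamps per (source, account).
    failures: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    window_min = int(window.total_seconds() // 60)

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, user, src = ev["ts"], ev["user"], ev["src"]
        key = (src, user)
        # Drop failures that have aged out of the window.
        failures[key] = [t for t in failures[key] if ts - t <= window]

        if ev["status"] == "FAIL":
            failures[key].append(ts)
            if len(failures[key]) == fail_threshold:  # report once per burst
                findings.append(f"{ts} possible credential guessing: {fail_threshold} "
                                f"failed logins for {user} from {src} within {window_min} min")
        else:
            if len(failures[key]) >= fail_threshold:
                findings.append(f"{ts} successful login for {user} from {src} "
                                f"after {len(failures[key])} recent failures")
            failures[key].clear()
            start, end = business_hours
            if not (start <= ts.hour < end):
                findings.append(f"{ts} off-hours login for {user} from {src}")
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against the sample, the script reports the five-failure burst for jsmith, the success that follows it, and the 23:48 admin login; mlee's single typo-then-success produces nothing. The point of the example is the last sentence of the slide: the log lines were always there, and only examining them turns them into evidence.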
DETECTION
TIME-BASED MODEL COMPONENT: DETECTION

INTRUSION DETECTION SYSTEM

Network intrusion detection systems (IDSs) consist of a set of sensors and a central monitoring unit that create logs of network traffic that was permitted to pass the firewall and then analyze those logs for signs of attempted or successful intrusions.
8-22
DETECTION
TIME-BASED MODEL COMPONENT: DETECTION

CONTINUOUS MONITORING

COBIT 5 stresses the importance of continuously monitoring both employee compliance with the organization’s information security policies and overall performance of business processes.
Such monitoring is an important detective control that can identify potential problems in a timely manner.
8-23
Corrective Controls

Computer Incident Response Team
• Recognition that a problem exists.
• Containment of the problem.
• Recovery.
• Follow-up.

Chief Information Security Officer (CISO)
• Independent responsibility for information security assigned to someone at an appropriate senior level.
8-24
Corrective Controls

Patch Management
• Fix known vulnerabilities by installing the latest updates:
  • Security programs
  • Operating systems
  • Application programs
8-25
Finished
8-26