Controls For Information Security
Chapter 8

Learning Objectives
• Security
• Confidentiality
• Privacy
• Processing Integrity
• Availability
Two Fundamental Information Security Concepts
1. Security is a management issue, not just a technology issue.
2. The time-based model of security.

Time-Based Model of Security
For an effective information security system:

P > D + R

where
P = the time it takes an attacker to break through the various controls that protect the organization's information assets
D = the time it takes for the organization to detect that an attack is in progress
R = the time it takes to respond to and stop the attack

Preventive controls lengthen P; detective controls shorten D; corrective controls shorten R. Security holds only while the attacker's effort exceeds the organization's combined detection and response time.
Steps in an IS System Attack
1. Conduct reconnaissance
2. Attempt social engineering
3. Scan and map the target
4. Research
5. Execute the attack
6. Cover tracks
Protecting Information Resources

TIME-BASED MODEL COMPONENT: PREVENTIVE

People:
• Creating a "security aware" culture
• Training

IT solutions:
• Anti-malware
• Network access controls
• Configuration controls
• Encryption

Physical security
PREVENTIVE

Authorization Controls

Authorization is the process of restricting access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform.
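The following is an added example, not code from the slides or the textbook: it shows authorization enforced as an access control matrix that answers "may this authenticated subject perform this action on this object?" and denies anything not explicitly granted. The roles (ap_clerk, ap_manager, auditor), resources, users and the approve_invoice function are constructed for the demonstration.

```python
"""Added example (not from the slides): an access control matrix enforcing
authorization for already-authenticated users, deny by default.
Roles, resources and users are constructed for the demonstration."""

from dataclasses import dataclass

# Access control matrix: role -> resource -> set of permitted actions.
# Anything absent from the matrix is denied (deny by default).
ACCESS_MATRIX = {
    "ap_clerk": {
        "vendor_invoices": {"read", "create"},
        "vendor_master":   {"read"},
    },
    "ap_manager": {
        "vendor_invoices": {"read", "create", "approve"},
        "vendor_master":   {"read", "update"},
    },
    "auditor": {
        "vendor_invoices": {"read"},
        "vendor_master":   {"read"},
        "audit_log":       {"read"},
    },
}


@dataclass(frozen=True)
class Session:
    """Result of authentication: who the user is and which roles they hold."""
    username: str
    roles: frozenset
    authenticated: bool = True


class AuthorizationError(PermissionError):
    pass


def is_authorized(session, resource, action):
    """Compatibility test: does any of the session's roles permit this
    (subject, object, action) triple? Unauthenticated sessions, unknown roles,
    unknown resources and unlisted actions all fall through to False."""
    if not session.authenticated:
        return False
    return any(
        action in ACCESS_MATRIX.get(role, {}).get(resource, set())
        for role in session.roles
    )


def authorize(session, resource, action):
    """Enforce at the point of use: raise rather than silently continue."""
    if not is_authorized(session, resource, action):
        raise AuthorizationError(
            f"{session.username} may not {action} {resource}")


def approve_invoice(session, invoice_id):
    """A privileged operation guarded by the matrix, not by the caller's
    good behaviour. Being authenticated is not enough to reach the body."""
    authorize(session, "vendor_invoices", "approve")
    return f"invoice {invoice_id} approved by {session.username}"


if __name__ == "__main__":
    clerk = Session("alice", frozenset({"ap_clerk"}))
    manager = Session("bob", frozenset({"ap_manager"}))
    print(approve_invoice(manager, 42))
    try:
        approve_invoice(clerk, 42)
    except AuthorizationError as e:
        print("denied:", e)
```

The check lives inside approve_invoice rather than in the user interface, so a clerk who reaches the function by any path (API, script, replayed request) is still refused; the matrix is the single place to review when auditing who can do what.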
PREVENTIVE

PROCESS: Penetration Testing

A penetration test is an authorized attempt by either an internal audit team or an external security consulting firm to break into the organization's information system.
PREVENTIVE

PROCESS: Change Control and Change Management

Change control and change management refer to the formal process used to ensure that modifications to hardware, software, or processes do not reduce systems reliability.
PREVENTIVE

IT SOLUTION: Anti-Malware Controls

Malware can damage or destroy information or provide a means for unauthorized access. Therefore, COBIT 5 section DSS05.01 lists malware protection as one of the keys to effective security.

PROTECTION RECOMMENDATIONS
1. Malicious software awareness education
2. Installation of anti-malware protection tools on all devices
3. Centralized management of patches and updates to anti-malware software
4. Regular review of new malware threats
5. Filtering of incoming traffic to block potential sources of malware
6. Training employees not to install shared or unapproved software
TIME-BASED MODEL COMPONENT: DETECTION

IT solutions:
• Log analysis
• Continuous monitoring
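The following is an added example, not code from the slides or the textbook, of log analysis as a detective control: it parses a handful of constructed sshd-style authentication log lines and raises two findings, a burst of failed logins from one source inside a short window, and a successful login from a source that had just been failing. The log format, the five-failure threshold, the five-minute window and the IP addresses are all assumptions for the demonstration; the alice lines show why a minimum failure count is needed to avoid alerting on an ordinary typo.

```python
"""Added example (not from the slides): log analysis as a detective control.
Log lines, format and thresholds are constructed for the demonstration."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (sshd-like format; not captured from a real host).
SAMPLE_LOG = """\
2024-03-04T09:00:01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51234
2024-03-04T09:00:03 sshd[1201]: Failed password for admin from 203.0.113.7 port 51236
2024-03-04T09:00:05 sshd[1201]: Failed password for root from 203.0.113.7 port 51240
2024-03-04T09:00:06 sshd[1203]: Accepted publickey for deploy from 198.51.100.20 port 40001
2024-03-04T09:00:08 sshd[1201]: Failed password for admin from 203.0.113.7 port 51244
2024-03-04T09:00:09 sshd[1201]: Failed password for admin from 203.0.113.7 port 51246
2024-03-04T09:00:12 sshd[1201]: Accepted password for admin from 203.0.113.7 port 51250
2024-03-04T09:30:00 sshd[1300]: Failed password for alice from 198.51.100.20 port 40100
2024-03-04T09:31:00 sshd[1300]: Accepted password for alice from 198.51.100.20 port 40101
2024-03-04T09:32:00 sshd[1300]: Connection closed by 198.51.100.20 port 40101 [preauth]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?P<method>password|publickey) for (?P<user>\S+) from (?P<src>\S+) port \d+$"
)

FAIL_THRESHOLD = 5                 # failures from one source inside WINDOW
SUCCESS_AFTER_FAILURES_MIN = 3     # recent failures that make a success suspicious
WINDOW = timedelta(minutes=5)


def parse(line):
    """Return a dict for a login event, or None for lines we do not model."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def analyze(log_text):
    """Return (alerts, unparsed_count). Unparsed lines are counted, not
    silently dropped, so a format change does not blind the detector."""
    failures = defaultdict(list)   # src -> timestamps of failures inside WINDOW
    alerts, unparsed = [], 0
    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev is None:
            unparsed += 1
            continue
        src, ts = ev["src"], ev["ts"]
        # Slide the window: forget failures older than WINDOW relative to this event.
        failures[src] = [t for t in failures[src] if ts - t <= WINDOW]
        if ev["result"] == "Failed":
            failures[src].append(ts)
            if len(failures[src]) == FAIL_THRESHOLD:   # fire once per burst
                alerts.append({"type": "brute_force", "src": src, "at": ts})
        elif len(failures[src]) >= SUCCESS_AFTER_FAILURES_MIN:
            # A success right after repeated failures is the high-value signal:
            # the guessing may have worked.
            alerts.append({"type": "success_after_failures", "src": src,
                           "user": ev["user"], "failures": len(failures[src]),
                           "at": ts})
    return alerts, unparsed


if __name__ == "__main__":
    found, skipped = analyze(SAMPLE_LOG)
    for a in found:
        print(a)
    print("unparsed lines:", skipped)
```

Counting unparsed lines is the practitioner's check on the detector itself: a sudden rise in that number means the log format changed and D (time to detect) has silently grown.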
TIME-BASED MODEL COMPONENT: CORRECTIVE

Corrective Controls

Patch Management
• Fix known vulnerabilities by installing the latest updates to:
  • Security programs
  • Operating systems
  • Application programs

End
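The following is an added example, not code from the slides or the textbook: it computes a patch backlog by comparing an inventory of installed software against a list of advisories that name the first fixed version, across the three update categories the slide lists. The inventory, the advisory entries and their identifiers, the package names and the version scheme are all constructed for the demonstration; real advisory feeds and package managers have their own formats. It also shows the pitfall the example is built around: version strings must be compared numerically, because as plain strings "1.10" sorts before "1.9".

```python
"""Added example (not from the slides): patch backlog from an inventory and
constructed advisories. Package names, versions and advisory ids are placeholders."""

import re

# Constructed inventory: host -> {package: installed version}
INVENTORY = {
    "web01": {"kernel": "5.4.0-99",  "av-engine": "1.9",  "app-server": "2.4.9"},
    "web02": {"kernel": "5.4.0-150", "av-engine": "1.10", "app-server": "2.4.10"},
    "db01":  {"kernel": "5.4.0-120", "av-engine": "1.2",  "app-server": "2.3.7"},
}

# Constructed advisories: a version is affected if introduced <= v < fixed.
ADVISORIES = [
    {"id": "ADV-2024-001", "package": "kernel",     "introduced": "5.4",
     "fixed": "5.4.0-150", "category": "operating system"},
    {"id": "ADV-2024-002", "package": "av-engine",  "introduced": "1.0",
     "fixed": "1.10",      "category": "security program"},
    {"id": "ADV-2024-003", "package": "app-server", "introduced": "2.4",
     "fixed": "2.4.10",    "category": "application program"},
]


def version_key(v):
    """Sort key that compares versions numerically, not lexically:
    1.10 > 1.9 and 5.4.0-150 > 5.4.0-99. Numeric parts compare as ints,
    letter suffixes (1.1.1k) as strings, and a shorter prefix sorts first."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[A-Za-z]+", v))


def is_affected(installed, adv):
    k = version_key(installed)
    return version_key(adv["introduced"]) <= k < version_key(adv["fixed"])


def patch_backlog(inventory, advisories):
    """Return one (host, package, installed, fixed, advisory id, category)
    tuple per missing patch, ready to feed a ticket or a change request."""
    backlog = []
    for host, packages in sorted(inventory.items()):
        for adv in advisories:
            installed = packages.get(adv["package"])
            if installed is not None and is_affected(installed, adv):
                backlog.append((host, adv["package"], installed,
                                adv["fixed"], adv["id"], adv["category"]))
    return backlog


if __name__ == "__main__":
    for row in patch_backlog(INVENTORY, ADVISORIES):
        print(row)
```

Feeding the backlog into the change-control process described earlier keeps the corrective control (apply the patch) from undermining reliability: each row becomes a tracked change rather than an ad hoc update.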