Controls for Information Security
Chapter 8
Copyright © 2015 Pearson Education, Inc.
Learning Objectives
• Explain how information security affects information systems reliability.
• Discuss how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about the security of an organization's information system.
Trust Services Framework
• Security
▫ Access to the system and data is controlled and restricted to legitimate users.
• Confidentiality
▫ Sensitive organizational data is protected.
• Privacy
▫ Personal information about trading partners, investors, and employees is protected.
• Processing integrity
▫ Data are processed accurately, completely, in a timely manner, and only with proper authorization.
• Availability
▫ System and information are available.
Security Life Cycle
Security is a management issue
Security Approaches
• Defense-in-depth
▫ Multiple layers of control (preventive and detective) so that no single control is a single point of failure
• Time-based model: security is effective if
▫ P > D + C, where
 P is the time it takes an attacker to break through the preventive controls
 D is the time it takes to detect that an attack is in progress
 C is the time it takes to respond to the attack and take corrective action
▫ When the inequality holds, the attack is detected and contained before the preventive controls are defeated; controls that raise P, or that shrink D or C, all improve security.
How to Mitigate Risk of Attack
• Preventive controls
▫ People
▫ Process
▫ IT solutions
▫ Physical security
▫ Change controls and change management
• Detective controls
▫ Log analysis
▫ Intrusion detection systems
▫ Penetration testing
▫ Continuous monitoring
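The "log analysis" detective control listed above, and the D term of the time-based model, as an added Python example that is not part of the textbook slides: a small routine that parses constructed sshd-style authentication records, raises an alert when one source address fails five logins inside a minute, notes whether a login from that source then succeeded, and reports how long detection took. The log lines, the threshold of five failures and the 60-second window are assumptions chosen for illustration.

```python
"""Detective control: log analysis that flags password guessing against an
SSH service and reports the detection delay (the D in P > D + C).
Added example; the log lines below are constructed, not from a real host."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style authentication log (ISO-8601 timestamps).
SAMPLE_LOG = """\
2024-03-04T10:00:01 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51822
2024-03-04T10:00:03 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51823
2024-03-04T10:00:04 sshd[4022]: Failed password for root from 203.0.113.7 port 51824
2024-03-04T10:00:06 sshd[4022]: Failed password for bob from 203.0.113.7 port 51825
2024-03-04T10:00:07 sshd[4023]: Failed password for bob from 203.0.113.7 port 51826
2024-03-04T10:00:09 sshd[4023]: Accepted password for bob from 203.0.113.7 port 51827
2024-03-04T10:02:40 sshd[4030]: Failed password for alice from 198.51.100.4 port 40110
2024-03-04T10:02:55 sshd[4030]: Accepted publickey for alice from 198.51.100.4 port 40112
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse_log(text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Alert when one source produces >= threshold failures inside `window`.
    Also report whether a login from that source succeeded afterwards, which
    turns a noisy guessing attempt into a probable compromise."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "Failed"]
        for i in range(len(fails)):
            # Sliding window: count failures starting at fails[i] within `window`.
            j = i
            while j < len(fails) and fails[j]["ts"] - fails[i]["ts"] <= window:
                j += 1
            if j - i >= threshold:
                first, detected_at = fails[i]["ts"], fails[j - 1]["ts"]
                later_success = next(
                    (e for e in evs if e["result"] == "Accepted" and e["ts"] >= detected_at),
                    None,
                )
                alerts.append({
                    "src": src,
                    "failures": j - i,
                    "first_failure": first,
                    "detected_at": detected_at,
                    # D: elapsed time from the first hostile event to the alert
                    "detection_delay_seconds": int((detected_at - first).total_seconds()),
                    "followed_by_success_as": later_success["user"] if later_success else None,
                })
                break  # one alert per source is enough for this run
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_log(SAMPLE_LOG)):
        print(alert)
```

The threshold and window are the tuning knobs that trade false positives against detection delay: a lower threshold shrinks D but will fire on a user who mistypes a password a few times, which is why the alert also carries the later successful login from the same source, the signal that most deserves a response.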
Preventive: People
• Culture of security
▫ Tone set at the top by management
• Training
▫ Follow safe computing practices
 Never open unsolicited e-mail attachments
 Use only approved software
 Do not share passwords
 Physically protect laptops/cellphones
▫ Protect against social engineering
Preventive: Process
• Authentication—verifies the identity of the person (or device) requesting access
1. Something the person knows (password, PIN)
2. Something the person has (token, smart card)
3. Some biometric characteristic (fingerprint, iris)
4. A combination of two or more of the above (multifactor authentication)
• Authorization—determines what an authenticated person can access (typically recorded in an access control matrix)
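The two process controls above, authentication by more than one factor and then authorization, as an added Python example that is not from the textbook: a password (something known) is checked against a salted hash, a one-time code from an authenticator (something possessed) is checked with the TOTP algorithm of RFC 6238, and only then is the request looked up in an access control matrix. The user store, the salt, the resource names and the permissions are constructed for illustration; the TOTP secret is the published RFC 6238 test-vector secret so the codes can be checked against the RFC.

```python
"""Preventive process controls: two-factor authentication (something known
plus something possessed) followed by authorization against an access
control matrix.  Added example; the user store, salt, secrets and resources
are constructed for illustration."""
import hashlib
import hmac
import struct


# ---- Factor 1: something the person knows (password, stored as a salted PBKDF2 hash) ----
def hash_password(password, salt, iterations=100_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


# ---- Factor 2: something the person has (TOTP authenticator, RFC 4226 / RFC 6238) ----
def hotp(secret, counter, digits=6):
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    return hotp(secret, at_time // step, digits)


def totp_valid(secret, code, at_time, step=30, window=1):
    """Accept the current 30-second step plus `window` steps either side (clock
    skew); compare in constant time so timing does not leak matching digits."""
    counter = at_time // step
    return any(hmac.compare_digest(hotp(secret, counter + k), code)
               for k in range(-window, window + 1))


# Constructed user store (a real system keeps per-user salts and protects the TOTP secret).
SALT = b"constructed-salt-value"
USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery", SALT),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector secret
    },
}
_DUMMY = {"pw_hash": hash_password("x", SALT), "totp_secret": b"\x00" * 20}


def authenticate(username, password, code, at_time):
    """Return the authenticated principal, or None.  Both factors are always
    evaluated (even for unknown users) so the response and its timing do not
    reveal which factor, or whether the account, was wrong."""
    rec = USERS.get(username, _DUMMY)
    pw_ok = hmac.compare_digest(hash_password(password, SALT), rec["pw_hash"])
    otp_ok = totp_valid(rec["totp_secret"], code, at_time)
    return username if (username in USERS and pw_ok and otp_ok) else None


# ---- Authorization: access control matrix, rows = principals, columns = resources ----
ACCESS_MATRIX = {
    "alice": {"general_ledger": {"read"}, "payroll": {"read", "write"}},
}


def authorize(principal, resource, action):
    """Deny by default: anything not explicitly granted in the matrix is refused."""
    if principal is None:
        return False
    return action in ACCESS_MATRIX.get(principal, {}).get(resource, set())


if __name__ == "__main__":
    now = 59  # seconds since the epoch; the RFC 6238 vector gives TOTP "287082" here
    who = authenticate("alice", "correct horse battery",
                       totp(USERS["alice"]["totp_secret"], now), now)
    print(who, authorize(who, "payroll", "write"), authorize(who, "payroll", "delete"))
```

Note the separation the slide draws: `authenticate` answers only "who is this?", and `authorize` answers "what may this principal do?" from the matrix; a request that passes the first but finds no matrix entry is refused, which is the deny-by-default behaviour an access control matrix is meant to enforce.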
Preventive: IT Solutions
• Antimalware controls
• Network access controls
• Device and software hardening controls
• Encryption
Preventive: Other
• Physical security access controls
▫ Limit entry to the building
▫ Restrict access to network and data
• Change controls and change management
▫ Formal processes in place regarding changes made to hardware, software, or processes
Corrective
• Computer Incident Response Team (CIRT)
• Chief Information Security Officer (CISO)
• Patch management
Key Terms
• Defense-in-depth
• Time-based model of security
• Social engineering
• Authentication
• Biometric identifier
• Multifactor authentication
• Multimodal authentication
• Authorization
• Access control matrix
• Compatibility test
• Border router
• Firewall
• Demilitarized zone (DMZ)
• Routers
• Access control list (ACL)
• Packet filtering
• Deep packet inspection
• Intrusion prevention system
• Remote Authentication Dial-in User Service (RADIUS)
• War dialing
• Endpoints
• Vulnerabilities
• Vulnerability scanners
• Hardening
• Change control and change management
• Log analysis
• Intrusion detection system (IDS)
• Penetration test
• Computer incident response team (CIRT)
• Exploit
• Patch
• Patch management
• Virtualization
• Cloud computing
