Security Controls
8/6/2019 Security Controls
1/21
Security
-
Assets
Physical
  Personnel
  Hardware: mainframes, minis, micros
  Peripherals: online/offline
  Storage media
  Network
  Facilities
  Documentation
  Supplies
Logical
  Data/information
  Software: application, system
-
Information security management
  Ensure the integrity of the information stored
  Preserve the confidentiality of data
  Ensure the continuous availability of the information systems
  Ensure conformity to laws, regulations and standards
-
Elements of information security
Policies and procedures
  Importance of information assets
  Need for security
  Defining sensitive and critical assets
  Accountabilities
Development of standards, practices and procedures
Organization (detailed guidance)
  Executive management
  Security committee
  Data owners
  Process owners
  IT developers
  Security specialists/advisors
  Users (physical access, logins, laws)
  IS auditors (provide independent assurance)
-
Security areas
  Data access
  System access
  Security awareness and education
  Monitoring and compliance
  Incident handling and response
    Planning and preparation
    Initiation
    Response
    Recovery
    Closure
    Normalization of processes
-
Incident response management
  Coordinator: liaison to business process owners
  Director: oversees the incident response capability
  Managers: manage individual incidents
  Security specialists: detect, investigate, recover
  Non-security technical staff: assist in specific areas
-
CSFs (critical success factors)
  Senior management commitment
  Up-to-date security policies and procedures
-
Computer crimes: issues and exposures
  Financial loss
  Legal issues
  Loss of credibility
  Blackmail
  Disclosure of confidential, sensitive information
  Sabotage
-
Possible perpetrators
  Hackers
  Employees
  IS personnel
  End users
  Former employees
  Interested or educated outsiders
  Competitors
  Foreigners
  Organized criminals
  Crackers
-
Logical access exposures
  Trojan horses: hidden malicious code in an authorized computer program
  Rounding down
  Salami technique
  Viruses: self-replicating
  Worms
  Logic bombs
  Data leakage
  Wire tapping
  Computer shutdowns
-
Logical access paths
  Network connectivity
  Remote access
  Operator console
  Online workstation or terminal
-
Areas of logical access controls
  Networks
  Operating systems
  Databases
  Application systems
-
Implementation of controls
  Logon IDs and passwords
    Password policies
    Password rules
      Five to eight characters
      Combination of alphanumeric characters
      Non-identifiable (not derived from the user's own details)
      Password history (no reuse of previous passwords)
      Disabling of IDs not used
  Sessions
  Biometric devices
  SSO
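The password rules on this slide are easy to state but are usually enforced in code, so the following is an added example (not part of the slide deck) of a checker that applies them to a candidate password and a simple sweep that disables logon IDs that have not been used. The rule values (five to eight characters, mixed alphanumeric, not identifiable from the user's name or logon ID, no reuse from history, disable unused IDs) come from the slide; the history depth of five and the 90-day inactivity limit are assumptions chosen for the example, and the plain SHA-256 digest stands in for a real salted, slow password hash.

```python
"""Password-rule checker for the logon ID controls listed on the slide.

Added example, not part of the original slide deck.  HISTORY_DEPTH and
INACTIVITY_LIMIT are assumed values; the slide gives no numbers for them.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional
import hashlib

HISTORY_DEPTH = 5                         # assumed: remember the last 5 passwords
INACTIVITY_LIMIT = timedelta(days=90)     # assumed: disable IDs unused for 90 days


def _digest(password: str) -> str:
    # Stand-in for the history store; a real system would keep a salted,
    # slow hash (bcrypt/argon2), never an unsalted SHA-256.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Account:
    logon_id: str
    full_name: str
    history: List[str] = field(default_factory=list)  # digests of past passwords
    last_logon: Optional[date] = None
    disabled: bool = False


def check_password(account: Account, candidate: str) -> List[str]:
    """Return the list of violated rules; an empty list means acceptable."""
    problems = []
    # Rule: five to eight characters
    if not 5 <= len(candidate) <= 8:
        problems.append("length must be five to eight characters")
    # Rule: combination of alphanumeric characters (at least one letter and one digit)
    has_alpha = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not (has_alpha and has_digit):
        problems.append("must combine letters and digits")
    # Rule: non-identifiable; must not contain the logon ID or any part of the name
    lowered = candidate.lower()
    identifying = [account.logon_id.lower()] + [p.lower() for p in account.full_name.split()]
    if any(part and part in lowered for part in identifying):
        problems.append("must not contain the logon ID or the user's name")
    # Rule: password history
    if _digest(candidate) in account.history:
        problems.append(f"must not repeat any of the last {HISTORY_DEPTH} passwords")
    return problems


def set_password(account: Account, candidate: str) -> bool:
    """Apply the rules; on success record the new password in the history."""
    if check_password(account, candidate):
        return False
    account.history.append(_digest(candidate))
    del account.history[:-HISTORY_DEPTH]   # keep only the most recent entries
    return True


def disable_unused_ids(accounts: List[Account], today: date) -> List[str]:
    """Rule: disable IDs never used or not used within INACTIVITY_LIMIT."""
    disabled = []
    for acct in accounts:
        if acct.last_logon is None or today - acct.last_logon > INACTIVITY_LIMIT:
            acct.disabled = True
            disabled.append(acct.logon_id)
    return disabled


if __name__ == "__main__":
    # Constructed sample account (not from the slides)
    user = Account("jsmith", "John Smith", last_logon=date(2019, 8, 1))
    print(check_password(user, "smith12"))   # name-based, rejected
    print(set_password(user, "x7k2pq"))      # accepted
    print(set_password(user, "x7k2pq"))      # rejected by history
    print(disable_unused_ids([user], date(2019, 8, 6)))
```

The checker returns every violated rule rather than stopping at the first one, which is what an auditor reviewing logon controls would want to see logged; the history check compares digests so that old passwords are never stored in clear.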
-
Auditing logical access: issues
  Review written policies
    Logical access policies
    Formal security awareness and training
    Data ownership
    Data custodians
    Security administrator
    Data users
    Logical access
-
Auditing logical access
  Obtain a general understanding of the security risks
  Document and evaluate controls over potential access paths; review hardware and software security features
  Test controls over access paths to ensure they are working
  Evaluate policies
-
Environmental exposures and controls
  Alarm control
  Wiring
  Eating, drinking and smoking
  Fire-resistant office materials
  Emergency exits
  Water and smoke detectors
  Fire extinguishers
  Electrical surge protectors
  UPS
  Temperature control
-
Physical access exposures
  Unauthorized entry
  Damage or theft of equipment
  Copying or viewing of copyrighted information
  Alteration of sensitive equipment/information
  Public disclosure of sensitive information
  Abuse of data processing resources
  Embezzlement
-
Physical access controls
  Door locks (combination, bolting, electronic)
  Biometric access
  Manual logging
  Electronic logging
  IDs
  Video cameras
  Security guards
  Controlled visitor access
  Bonded personnel
  Secured document distribution cart
  Dead man doors
-
Security program
  Prepare a project plan
  Identify assets
  Value assets
  Identify threats
  Assess likelihood of threats
  Analyze exposures
  Adjust controls
  Prepare security report
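The security program steps on this slide form one procedure, so the following is an added example (not part of the slide deck) that runs them end to end on constructed data: assets are valued, threats are assigned an annual likelihood, exposure is analyzed as asset value times likelihood (the annualized loss expectancy, an assumed scoring rule the slide does not name), controls are kept only where the exposure they remove exceeds their cost, and a short report is produced. All asset names, values, likelihoods and controls are sample figures invented for the example.

```python
"""End-to-end run of the security program steps on the slide.

Added example, not from the original slide deck.  The scoring rule
(exposure = asset value x annual likelihood) and every figure below are
assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # impact/replacement value in currency units


@dataclass(frozen=True)
class Threat:
    asset: str              # asset the threat applies to
    name: str
    likelihood: float       # expected occurrences per year


@dataclass(frozen=True)
class Control:
    name: str
    threat: str             # threat it mitigates
    annual_cost: float
    reduction: float        # fraction by which it cuts the threat's likelihood


# Constructed sample data (not from the slides); asset names echo the Assets slide
ASSETS = [Asset("mainframe", 500_000), Asset("storage media", 40_000), Asset("documentation", 5_000)]
THREATS = [
    Threat("mainframe", "fire", 0.02),
    Threat("mainframe", "unauthorized remote access", 0.5),
    Threat("storage media", "theft", 0.25),
    Threat("documentation", "disclosure", 1.0),
]
CONTROLS = [
    Control("fire suppression", "fire", 4_000, 0.8),
    Control("strong remote authentication", "unauthorized remote access", 20_000, 0.9),
    Control("locked media store", "theft", 500, 0.9),
    Control("armed guard for documentation", "disclosure", 30_000, 0.5),
]


def analyze_exposures(assets: List[Asset], threats: List[Threat]) -> Dict[str, float]:
    """Steps 'value assets' through 'analyze exposures':
    exposure per threat = asset value x annual likelihood."""
    values = {a.name: a.value for a in assets}
    return {t.name: values[t.asset] * t.likelihood for t in threats}


def adjust_controls(exposures: Dict[str, float],
                    controls: List[Control]) -> Tuple[List[str], Dict[str, float]]:
    """Step 'adjust controls': adopt a control only when the exposure it
    removes exceeds its annual cost; return adopted names and residual exposures."""
    residual = dict(exposures)
    adopted = []
    for c in controls:
        before = residual[c.threat]
        saved = before * c.reduction
        if saved > c.annual_cost:
            residual[c.threat] = before - saved
            adopted.append(c.name)
    return adopted, residual


def prepare_report(exposures: Dict[str, float], adopted: List[str],
                   residual: Dict[str, float]) -> str:
    """Step 'prepare security report': threats ranked by exposure, then the
    controls adopted and the residual exposure left after them."""
    lines = ["threat | exposure | residual"]
    for name, exp in sorted(exposures.items(), key=lambda kv: kv[1], reverse=True):
        lines.append(f"{name} | {exp:,.0f} | {residual[name]:,.0f}")
    lines.append("controls adopted: " + ", ".join(adopted))
    return "\n".join(lines)


if __name__ == "__main__":
    exposures = analyze_exposures(ASSETS, THREATS)
    adopted, residual = adjust_controls(exposures, CONTROLS)
    print(prepare_report(exposures, adopted, residual))
```

The interesting case is the last control: it halves the disclosure risk but costs far more than the exposure it removes, so the program leaves it out and reports the risk as accepted rather than spending on it, which is the decision the "adjust controls" step exists to make.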
-
Security organization
  Security office
  Privacy office
  Physical security
  Continuity planning
  Asset management
  Service management
Functions
  Planning: business requirements, education, formal communication (policies), PM, risk assessment, RFP, standards and guidelines
  Architecture: technical requirements, technical security, technology solutions
  Operations: incident response, access control, investigations, standards deployment, training, vulnerability management
  Monitoring: auditing, reporting, system monitoring, security testing