Copyright © Pearson Education Limited 2015. Controls for Information Security Chapter 8 8-1.


Controls for Information Security

Chapter 8


Learning Objectives

• Explain how information security affects information systems reliability.

• Discuss how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about the security of an organization’s information system.

Trust Services Framework

• Security
  ▫ Access to the system and data is controlled and restricted to legitimate users.

• Confidentiality
  ▫ Sensitive organizational data is protected.

• Privacy
  ▫ Personal information about trading partners, investors, and employees is protected.

• Processing integrity
  ▫ Data are processed accurately, completely, in a timely manner, and only with proper authorization.

• Availability
  ▫ System and information are available.

Security Life Cycle

• Security is a management issue

See pages 256-257 for details.

Security Approaches

• Defense-in-depth
  ▫ Multiple layers of control (preventive and detective) to avoid a single point of failure

• Time-based model: security is effective if
  ▫ P > D + C, where
    P is the time it takes an attacker to break through the preventive controls,
    D is the time it takes to detect that an attack is in progress, and
    C is the time it takes to respond to the attack and take corrective action.
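The following is an added example, not part of the Pearson slides, showing how the time-based model and defense-in-depth fit together. It assumes (as a constructed simplification) that an attacker must defeat preventive layers in sequence, so their times add up to P, that the attack is detected by whichever detective control fires first (D), and that C is a single response time. The control names and all minute values are constructed for illustration.

```python
"""Time-based model of security (P > D + C) evaluated over layered controls.

Added example, not from the Pearson slides. Control names, times (in
minutes), and the additive/minimum assumptions are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class ControlSet:
    # Preventive layers: estimated minutes an attacker needs to defeat each.
    preventive: dict = field(default_factory=dict)
    # Detective controls: estimated minutes until each notices the attack.
    detective: dict = field(default_factory=dict)
    # Corrective response time in minutes (CIRT engagement through containment).
    response_minutes: float = 0.0

    def p(self) -> float:
        """Defense-in-depth assumption: layers must be defeated one after another."""
        return sum(self.preventive.values())

    def d(self) -> float:
        """The attack is detected by whichever detective control fires first;
        with no detective control at all, detection never happens."""
        return min(self.detective.values()) if self.detective else float("inf")

    def c(self) -> float:
        return self.response_minutes

    def is_effective(self) -> bool:
        """Slide criterion: security is effective if P > D + C."""
        return self.p() > self.d() + self.c()

    def margin(self) -> float:
        """Positive margin = minutes of slack before the attacker gets through."""
        return self.p() - (self.d() + self.c())


def evaluate(cs: ControlSet) -> dict:
    """Summarise P, D, C, the effectiveness verdict and the margin."""
    return {"P": cs.p(), "D": cs.d(), "C": cs.c(),
            "effective": cs.is_effective(), "margin": cs.margin()}


# Constructed scenario 1: perimeter firewall and endpoint antimalware,
# a weekly manual log review as the only detective control, slow response.
BASELINE = ControlSet(
    preventive={"border firewall": 60, "endpoint antimalware": 30},
    detective={"weekly log review": 10080},  # 7 days in minutes
    response_minutes=240,
)

# Constructed scenario 2: one more preventive layer (hardened server),
# an IDS that alerts within minutes, and a drilled CIRT with patches ready.
IMPROVED = ControlSet(
    preventive={"border firewall": 60, "endpoint antimalware": 30,
                "hardened server config": 120},
    detective={"weekly log review": 10080, "IDS alert": 5},
    response_minutes=90,
)

if __name__ == "__main__":
    for name, cs in ("baseline", BASELINE), ("improved", IMPROVED):
        print(name, evaluate(cs))
```

Running it shows the baseline failing (P = 90 while D + C = 10320) and the improved set passing with a margin of 115 minutes; most of the gain comes from cutting D with a detective control, not from the extra preventive layer.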

Steps criminals use to attack an organization’s information systems

• Conduct reconnaissance
• Attempt social engineering
• Scan and map the target
• Research
• Execute the attack
• Cover tracks

How to Mitigate Risk of Attack (Table 8-1)

Preventive Controls
• People
• Process
• IT Solutions
• Physical security
• Change controls and change management

Detective Controls
• Log analysis
• Intrusion detection systems
• Penetration testing
• Continuous monitoring
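As an added example of log analysis as a detective control (this is not code from the Pearson slides), the script below parses a constructed authentication log and flags any source address that accumulates a burst of failed logins inside a short window, which is the kind of event that shrinks D in the time-based model. The log format, hostnames, IP addresses, threshold and window are all assumptions made for the illustration.

```python
"""Log analysis as a detective control: flag bursts of failed logins.

Added example, not from the Pearson slides. The syslog-like format,
the sample lines, addresses, threshold and window are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log: one burst from 10.0.0.5 spraying
# several accounts in seconds, one ordinary typo, and slow failures from
# 10.0.0.9 spread an hour apart.
SAMPLE_LOG = """\
2015-03-01 08:00:01 authsvc: FAILED login user=alice src=10.0.0.5
2015-03-01 08:00:03 authsvc: FAILED login user=alice src=10.0.0.5
2015-03-01 08:00:04 authsvc: FAILED login user=bob src=10.0.0.5
2015-03-01 08:00:06 authsvc: FAILED login user=carol src=10.0.0.5
2015-03-01 08:00:07 authsvc: FAILED login user=dave src=10.0.0.5
2015-03-01 08:00:09 authsvc: FAILED login user=alice src=10.0.0.5
2015-03-01 08:05:00 authsvc: OK login user=alice src=10.0.0.5
2015-03-01 09:10:00 authsvc: FAILED login user=erin src=192.168.1.20
2015-03-01 09:20:00 authsvc: OK login user=erin src=192.168.1.20
2015-03-01 10:00:00 authsvc: FAILED login user=frank src=10.0.0.9
2015-03-01 11:00:00 authsvc: FAILED login user=frank src=10.0.0.9
2015-03-01 12:00:00 authsvc: FAILED login user=frank src=10.0.0.9
2015-03-01 13:00:00 authsvc: FAILED login user=frank src=10.0.0.9
2015-03-01 14:00:00 authsvc: FAILED login user=frank src=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) authsvc: "
    r"(?P<result>OK|FAILED) login user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Yield (timestamp, result, user, src) for every well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # malformed lines are skipped instead of aborting the analysis
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["result"], m["user"], m["src"])


def find_failed_login_bursts(log_text, threshold=5, window_minutes=1):
    """Return {src: (first_failure, failure_count, distinct_users)} for every
    source address with >= threshold failed logins inside a sliding window."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for ts, result, user, src in parse(log_text):
        if result == "FAILED":
            failures[src].append((ts, user))

    alerts = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until the span fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and src not in alerts:
                users = {u for _, u in events[start:end + 1]}
                alerts[src] = (events[start][0], count, len(users))
    return alerts


if __name__ == "__main__":
    for src, (first, n, users) in find_failed_login_bursts(SAMPLE_LOG).items():
        print(f"ALERT src={src} first={first} failures={n} distinct_users={users}")
```

With the defaults only 10.0.0.5 is reported (five failures across four accounts within a minute); the slow failures from 10.0.0.9 only surface if the window is widened, which is the trade-off a tuning exercise for this control has to make between noise and missed low-and-slow attempts.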

Preventive: People

• Culture of security
  ▫ Tone set at the top with management

• Training
  ▫ Follow safe computing practices
    - Never open unsolicited e-mail attachments
    - Use only approved software
    - Do not share passwords
    - Physically protect laptops/cellphones
  ▫ Protect against social engineering

Preventive: Process

• Authentication—verifies the person
  1. Something the person knows
  2. Something the person has
  3. Some biometric characteristic
  4. Combination of all three
  See Focus 8-1 on the effectiveness of passwords.

• Authorization—determines what a person can access
  ▫ Access control matrix
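Added example (not from the Pearson slides) of the authorization step: an access control matrix held as a rows-of-users, columns-of-resources structure, with a compatibility test that checks whether a requested action is compatible with the permissions granted, fails closed for anything not in the matrix, and logs every decision so log analysis has something to work with. The users, resources, permission codes and the segregation-of-duties helper are constructed for illustration.

```python
"""Authorization via an access control matrix with a compatibility test.

Added example, not from the Pearson slides. Users, resources, the
permission codes and the sample matrix are constructed.
"""
from typing import Dict, Set

# Permission codes used in this constructed matrix (assumption):
#   R = read, W = write/update, X = execute, A = approve
# Rows are users (or roles), columns are resources. An absent cell means
# no access, so the default decision is deny.
ACCESS_CONTROL_MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "ap_clerk":    {"vendor_master": {"R"}, "ap_invoices": {"R", "W"}},
    "ap_manager":  {"vendor_master": {"R", "W"}, "ap_invoices": {"R", "A"}},
    "payroll_app": {"payroll_program": {"X"}, "payroll_master": {"R", "W"}},
    "auditor":     {"vendor_master": {"R"}, "ap_invoices": {"R"},
                    "payroll_master": {"R"}},
}


def compatibility_test(matrix, user, resource, action):
    """Compatibility test: is `action` on `resource` compatible with what the
    matrix grants `user`? Unknown users, resources and actions all fail closed."""
    return action in matrix.get(user, {}).get(resource, set())


def authorize(matrix, user, resource, action, log):
    """Enforce the matrix and record the decision for later log analysis."""
    allowed = compatibility_test(matrix, user, resource, action)
    log.append(f"{'ALLOW' if allowed else 'DENY'} user={user} "
               f"resource={resource} action={action}")
    return allowed


def segregation_conflicts(matrix, first, second, resource):
    """Users holding both `first` and `second` on `resource`, e.g. the ability
    to both enter (W) and approve (A) an invoice; the matrix is reviewed for
    such rows before it is deployed."""
    return sorted(u for u, perms in matrix.items()
                  if {first, second} <= perms.get(resource, set()))


if __name__ == "__main__":
    decisions = []
    authorize(ACCESS_CONTROL_MATRIX, "ap_clerk", "ap_invoices", "W", decisions)
    authorize(ACCESS_CONTROL_MATRIX, "ap_clerk", "ap_invoices", "A", decisions)
    authorize(ACCESS_CONTROL_MATRIX, "auditor", "payroll_master", "W", decisions)
    authorize(ACCESS_CONTROL_MATRIX, "intern", "vendor_master", "R", decisions)
    print("\n".join(decisions))
    print("W+A on ap_invoices:",
          segregation_conflicts(ACCESS_CONTROL_MATRIX, "W", "A", "ap_invoices"))
```

The clerk can update invoices but not approve them, the auditor reads but never writes, and an identity that does not appear in the matrix gets nothing; the segregation check returns an empty list for this matrix because entry and approval of invoices are held by different rows.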

Preventive: IT Solutions

• Antimalware controls
• Network access controls
• Device and software hardening controls
• Encryption

Preventive: Other

• Physical security access controls
  ▫ Limit entry to building
  ▫ Restrict access to network and data

• Change controls and change management
  ▫ Formal processes in place regarding changes made to hardware, software, or processes

Corrective

• Computer Incident Response Team (CIRT)
• Chief Information Security Officer (CISO)
• Patch management

Key Terms

• Defense-in-depth
• Time-based model of security
• Social engineering
• Authentication
• Biometric identifier
• Multifactor authentication
• Multimodal authentication
• Authorization
• Access control matrix
• Compatibility test
• Border router
• Firewall
• Demilitarized zone (DMZ)
• Routers
• Access control list (ACL)
• Packet filtering
• Deep packet inspection
• Intrusion prevention system
• Remote Authentication Dial-in User Service (RADIUS)
• War dialing
• Endpoints
• Vulnerabilities
• Vulnerability scanners
• Hardening
• Change control and change management
• Log analysis
• Intrusion detection system (IDS)

Key Terms (continued)

• Penetration test
• Computer incident response team (CIRT)
• Exploit
• Patch
• Patch management
• Virtualization
• Cloud computing