Figure 11-5: Control Principles

Presentation transcript:

Figure 11-5: Control Principles
  Policies
    Brief vision statements
    Cannot give details, because the environment and technology keep changing
  Standards
    Mandatory actions that MUST be followed
  Baselines
    The application of standards to specific products
    For example, the steps to harden a Linux server

Figure 11-5: Control Principles
  Guidelines
    Voluntary recommended actions
    Although voluntary, they must be considered when making decisions
    Good when the situation is too complex or uncertain for standards
    Unfortunately, some guidelines should be standards, but a lack of political power prevents this

Figure 11-5: Control Principles
  Procedures
    Sets of actions taken by people
    Steps to do background checks on employees
    Steps to add a user on a server

Figure 11-5: Control Principles
  Employee Behavior Policies
    For general corporate employees
    Theft, sexual harassment, racial harassment, pornography, personal use of office equipment, revealing of trade secrets, etc.

Figure 11-5: Control Principles
  Best Practices and Recommended Practices
    Best practices are descriptive of what the best firms do
    Recommended practices are prescriptions for what the firm should do
    Both allow a firm to know, at a broad level, whether it is doing what it should be doing

Figure 11-6: Operations Security
  The day-to-day work of the IT department and other departments
  Systems administration (server administration) especially
  Entering data, upgrading programs, adding users, assigning access permissions, etc.

Figure 11-6: Operations Security
  Principles
    Clear roles
      Who should do what in each step
      Assign tasks to roles, then assign individuals to roles as needed

Figure 11-6: Operations Security
  Principles
    Separation of duties and mandatory vacations, to prevent people from maintaining deceptions
    Prospects for collusion: reduce them
      Check family and personal relationships when assigning people to duties

Figure 11-6: Operations Security
  Accountability
    Accountability and roles
      Owner: responsible for the asset
      Custodian: delegated responsibility
    Auditable protections and controls for specific assets
      If they are not auditable, can you tell whether they work?
    Exception handling, with documentation and an audit of who took what actions

Figure 11-6: Operations Security
  Managing Development and Change for Production Servers
    Tiers of Servers
      Development Server: server on which software is developed and changed
        Developers need extensive permissions
      Staging (Testing) Server: server on which changes are tested and vetted for security
        Testers should have access permissions; developers should not

Figure 11-6: Operations Security
  Managing Development and Change for Production Servers
    Tiers of Servers
      Production Servers: servers that run high-volume production operations
        Neither developers nor testers should have access permissions
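The slides on clear roles ("assign tasks to roles, then assign individuals to roles"), separation of duties, and the three server tiers describe an access matrix. The Python below is an added example, not code from the slides or the textbook, that encodes that matrix: tier access is granted to roles, people are mapped to roles, and a person cannot be given two roles whose combination would defeat the separation the slides call for (a developer who is also a tester could vet their own changes). The slides only say that developers and testers must not reach production; the "operations" role that holds production access, and the person names, are assumptions of the example.

```python
"""Role-to-tier access matrix for development / staging / production servers.

Added example: tasks (here, tier access) are attached to roles, people are
attached to roles, and conflicting role pairs are rejected.
"""

from enum import Enum


class Tier(Enum):
    DEVELOPMENT = "development"
    STAGING = "staging"
    PRODUCTION = "production"


# Tier access is granted to roles, never directly to people.
# "operations" holding production access is an assumption; the slides only
# state that neither developers nor testers may have it.
ROLE_TIER_ACCESS = {
    "developer": {Tier.DEVELOPMENT},
    "tester": {Tier.STAGING},
    "operations": {Tier.PRODUCTION},
}

# Role pairs one person may not hold at the same time (separation of duties).
# Every pair conflicts here, since each role owns a different tier and the
# point of the tiers is that no one person walks a change through all of them.
CONFLICTING_ROLES = {
    frozenset({"developer", "tester"}),
    frozenset({"developer", "operations"}),
    frozenset({"tester", "operations"}),
}


class RoleAssignments:
    """Maps people to roles and answers 'can this person reach this tier?'."""

    def __init__(self):
        self._roles = {}  # person -> set of role names

    def assign(self, person, role):
        if role not in ROLE_TIER_ACCESS:
            raise ValueError(f"unknown role: {role}")
        held = self._roles.setdefault(person, set())
        for existing in held:
            if frozenset({existing, role}) in CONFLICTING_ROLES:
                raise ValueError(
                    f"{person} already holds {existing}; adding {role} "
                    "violates separation of duties"
                )
        held.add(role)

    def roles_of(self, person):
        return frozenset(self._roles.get(person, ()))

    def can_access(self, person, tier):
        # Unknown people hold no roles and therefore reach no tier.
        return any(tier in ROLE_TIER_ACCESS[r] for r in self.roles_of(person))


def build_sample_assignments():
    """Constructed sample directory: one person per role."""
    a = RoleAssignments()
    a.assign("alice", "developer")
    a.assign("bob", "tester")
    a.assign("carol", "operations")
    return a


def access_matrix(assignments, people):
    """Return {person: {tier name: bool}} for review by an auditor."""
    return {p: {t.value: assignments.can_access(p, t) for t in Tier} for p in people}


if __name__ == "__main__":
    a = build_sample_assignments()
    for person, row in access_matrix(a, ["alice", "bob", "carol"]).items():
        print(person, row)
    try:
        a.assign("alice", "tester")  # developer + tester is rejected
    except ValueError as err:
        print("rejected:", err)
```

Because access is looked up through roles, moving a task between tiers or rotating a person off a duty (for example for the mandatory vacation the slides mention) is a single change to the mapping rather than an edit to each server's permissions, and the matrix returned by access_matrix is what an auditor checks against the actual server accounts.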

Figure 11-6: Operations Security
  Managing Development and Change for Production Servers
    Change Management Control
      Limit who can request changes
      Implement procedures for controlling changes
      Have security examine all candidate changes for potential problems (bad encryption, lack of authentication, etc.)
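The change management slide lists three controls (limit who can request, follow a procedure, have security examine every candidate change), and the accountability slide asks for an audit of who took what actions. The Python below is an added example, not code from the slides or the textbook, that chains those controls into one workflow: only people in a requester role may open a change, a change cannot be approved until a security reviewer has examined it and recorded no open findings, the approver must be a different person from the requester, and every step is appended to an audit log. The role names, the directory of people and the sample change are all constructed for the example.

```python
"""Change-management workflow: limited requesters, mandatory security review,
separation of duties between requester and approver, and an audit trail.

Added example; roles, people and the change request are constructed.
"""

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Which roles may do what. Role names are assumptions for the example.
REQUESTER_ROLES = {"developer", "operations"}
SECURITY_ROLES = {"security"}
APPROVER_ROLES = {"change_manager"}

# Constructed sample directory: person -> role.
DIRECTORY = {
    "alice": "developer",
    "carol": "operations",
    "dan": "change_manager",
    "eve": "security",
}


class ChangeControlError(Exception):
    """Raised when a step violates the change-control procedure."""


@dataclass
class ChangeRequest:
    ident: str
    requester: str
    description: str
    security_reviewed_by: Optional[str] = None
    security_findings: List[str] = field(default_factory=list)
    approved_by: Optional[str] = None
    # (timestamp, actor, action): the "who took what actions" record.
    audit_log: List[Tuple[str, str, str]] = field(default_factory=list)

    def log(self, actor: str, action: str) -> None:
        self.audit_log.append((datetime.now(timezone.utc).isoformat(), actor, action))


def role_of(person: str) -> str:
    try:
        return DIRECTORY[person]
    except KeyError:
        raise ChangeControlError(f"{person} is not in the directory")


def open_change(ident: str, requester: str, description: str) -> ChangeRequest:
    """Control 1: limit who can request changes."""
    if role_of(requester) not in REQUESTER_ROLES:
        raise ChangeControlError(f"{requester} ({role_of(requester)}) may not request changes")
    cr = ChangeRequest(ident, requester, description)
    cr.log(requester, "opened")
    return cr


def security_review(cr: ChangeRequest, reviewer: str, findings: List[str]) -> None:
    """Control 3: security examines the candidate change and records findings
    (e.g. weak encryption, missing authentication)."""
    if role_of(reviewer) not in SECURITY_ROLES:
        raise ChangeControlError(f"{reviewer} is not a security reviewer")
    if reviewer == cr.requester:
        raise ChangeControlError("requester may not review their own change")
    cr.security_reviewed_by = reviewer
    cr.security_findings = list(findings)
    cr.log(reviewer, f"security review: {len(findings)} finding(s)")


def approve(cr: ChangeRequest, approver: str) -> ChangeRequest:
    """Control 2: the approval step of the procedure, gated on the review."""
    if role_of(approver) not in APPROVER_ROLES:
        raise ChangeControlError(f"{approver} may not approve changes")
    if approver == cr.requester:
        raise ChangeControlError("requester may not approve their own change")
    if cr.security_reviewed_by is None:
        raise ChangeControlError(f"{cr.ident} has not been security-reviewed")
    if cr.security_findings:
        raise ChangeControlError(f"{cr.ident} has open findings: {cr.security_findings}")
    cr.approved_by = approver
    cr.log(approver, "approved")
    return cr


def is_deployable(cr: ChangeRequest) -> bool:
    """Production deployment is allowed only for an approved change."""
    return cr.approved_by is not None


if __name__ == "__main__":
    cr = open_change("CR-1", "alice", "rotate the web server TLS certificate")
    security_review(cr, "eve", ["new config still allows TLS 1.0"])
    try:
        approve(cr, "dan")
    except ChangeControlError as err:
        print("blocked:", err)
    security_review(cr, "eve", [])  # re-review after the fix
    approve(cr, "dan")
    for ts, actor, action in cr.audit_log:
        print(ts, actor, action)
```

Keeping the review findings on the request itself means the approver cannot skip the security step by accident: approval fails closed whenever the review is missing or still has findings, and the audit log shows the order in which each person acted.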

Figure 11-6: Operations Security
  Managing Development and Change for Production Servers
    Auditing Development
      For individual programs
      Do detailed line-by-line code inspection for security issues