IS4680 Security Auditing for Compliance


IS4680 Security Auditing for Compliance Unit 9 Compliance Within the System/Application Domain

Class Agenda 8/15/16
Covers Chapter 14
- Learning Objectives
- Lesson Presentation and Discussions
- Discussion on Assignments
- Discussion on Lab Activities; the lab will be performed in class
- Break times as per school regulation
- Discussion on Project

Learning Objective Describe information security systems compliance requirements within the System/Application Domain.

Key Concepts
- Compliance law requirements and business drivers for the System/Application Domain
- Devices and components found in the System/Application Domain
- Application traffic and performance, and maximizing availability, integrity, and confidentiality (A-I-C) for the System/Application Domain

Key Concepts (Continued)
- System/Application Domain policies, standards, procedures, and guidelines
- Best practices for System/Application Domain compliance requirements

EXPLORE: CONCEPTS

Compliance Law and Business Drivers Centralizing core business functions on networked servers can increase the security of your data in many ways. You can centrally control how you store your data and how you allow users to access it.

Compliance Law and Business Drivers (Continued) The System/Application Domain provides an environment for the applications you run as clients on your network and the computer systems that store them. The domain provides an engine for distributed applications and empowers the concept of providing individual components of applications, as opposed to entire applications in one footprint.

Devices
You can find the following servers in today's environments:
- File server
- Web server
- Authentication server
- Database server

Devices (Continued)
- Application server
- Mail server
- Media server

Access Controls
Access controls protect the confidentiality and integrity of data only as long as the operating system enforces the controls. The first attack method is to boot the computer that contains the data from removable media: removable media, such as a Compact Disc (CD), Digital Versatile Disc (DVD), or Universal Serial Bus (USB) drive, can contain an alternate operating system that lets the attacker read any file with no access controls applied.

Access Controls (Continued)
The second type of attack can disclose large amounts of confidential data. It involves acquiring a copy of a backup image. Many organizations make the mistake of not securing backups once they are created.

Vulnerability and Change Management
All application software and operating systems are susceptible to software vulnerabilities. Operating systems use a form of change management called patch management to update and "patch" vulnerabilities.

Vulnerability and Change Management (Continued)
Application software also uses patch management, the same form of change management, to provide the same types of processes for reducing the vulnerabilities that exist. Always remember that if you know about a vulnerability, the chances are that some attacker knows about it too.

EXPLORE: PROCESSES

Performance Monitoring and Application Traffic
Identify a software tool that provides the highest level of monitoring and analysis. Ensure that the monitoring tool provides proactive monitoring, giving assurance that everything is working as planned.

Performance Monitoring and Application Traffic (Continued) Ensure that the application raises alerts whenever issues occur in the System/Application Domain. Use tools like Zeus to raise alerts along with other vendor software to aid in the process of performance and traffic monitoring.

Maximize AIC
The overall purpose of compliance requirements is to enforce the basic pillars, or tenets, of security: the AIC properties. Although some compliance requirements might seem unnecessary, they should all work together to support the AIC properties of secure systems.

Maximize AIC (Continued)
- Availability: assurance that the information is available to authorized users in an acceptable time frame when the information is requested.
- Integrity: assurance that the information cannot be changed by unauthorized users.
- Confidentiality: assurance that the information cannot be accessed or viewed by unauthorized users.

Maximize AIC (Continued)
To achieve the AIC properties, sensitive data must be kept confidential, or private, and encrypted within databases and on hard drives.

EXPLORE: ROLES

Roles and Responsibilities
- Senior Managers: responsible for support and funding approval.
- Information technology (IT) Managers: overall IT function leadership and support.

Roles and Responsibilities (Continued)
- IT Auditors: System/Application Domain control auditors.
- Data Owners: grant access to data in applications.

Roles and Responsibilities (Continued)
- System Administrators: monitor systems/applications for anomalies.
- Application Developers: monitor system applications and work with system administrators to access the data.

EXPLORE: RATIONALE

Information Systems Security (ISS) Compliance
The components in the System/Application Domain are specific to the organization rather than generic. In many cases, it is therefore imperative to create specific documents to direct actions that apply to this domain. Security policies state high-level goals for security. Standards state specific performance metrics to meet those goals.

ISS Compliance (Continued) Procedures document the steps to meet stated performance metrics. Guidelines provide general direction for situations that don’t have specific procedures.

Best Practices for Compliance Requirements
- Establish physical controls to protect the data center.
- Use at least one firewall to limit network traffic from other domains to only authorized traffic.
- Use Network Access Control (NAC) devices to restrict computers and other devices from connecting to System/Application Domain components.

Best Practices for Compliance Requirements (Continued)
- Define user- or group-based access controls for each computer in the domain.
- Use application-defined access controls to limit access to data.
- Allow only low-privilege users to establish connections between the Internet-facing servers in the Demilitarized Zone (DMZ) and System/Application Domain servers.

Best Practices for Compliance Requirements (Continued)
- Allow only escalated-privilege user connections that originate from protected Web servers where users can only connect by using a secure VPN.
- Update operating systems frequently with the latest security patches on all computers.

Best Practices for Compliance Requirements (Continued)
- Update all application software frequently with the latest security patches.
- Follow these best practices if your organization engages in software development or software modifications:
  - Use software configuration management software to control software changes.
  - Create separate environments for development, testing, and production.
  - Prohibit developers from accessing the production environment.
  - Follow formal procedures for approving software to move from development to testing and from testing to production.

Best Practices for Compliance Requirements (Continued)
- Create a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) that includes each component in the System/Application Domain:
  - Keep the BCP and DRP up to date to reflect any changes to the domain.
  - Test the BCP and DRP at least annually.
  - Protect all backup media in transit and storage.
  - Ensure all backup media is encrypted.

Best Practices for Compliance Requirements (Continued)
- Encrypt all sensitive data when it is stored on disks.
- Use application-monitoring software to identify performance or availability issues.
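The following is an added example, not part of the original presentation, showing how an auditor could turn the best practices above (and the two attack paths from the Access Controls slides, booting from removable media and copying a backup image) into automated checks over a server inventory. The inventory, the 30-day patch threshold and the `developers` group name are constructed assumptions for illustration; the annual BCP/DRP test interval comes from the slides.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sample inventory for a System/Application Domain audit (not real hosts).
TODAY = date(2016, 8, 15)     # the class date on the slide; fixed so results are reproducible
MAX_PATCH_AGE_DAYS = 30       # assumed policy threshold for "update frequently"
MAX_BCP_TEST_AGE_DAYS = 365   # "test the BCP and DRP at least annually"

@dataclass
class Server:
    name: str
    role: str                 # file, web, database, ...
    environment: str          # development, testing, production
    disk_encrypted: bool      # mitigates the boot-from-removable-media bypass
    backups_encrypted: bool   # mitigates disclosure from a copied backup image
    last_patched: date
    behind_firewall: bool
    prod_access_groups: list = field(default_factory=list)  # groups granted access on this host

@dataclass
class DomainPlan:
    bcp_last_tested: date

def audit_server(srv: Server) -> list:
    """Return human-readable findings for one server; an empty list means compliant."""
    findings = []
    if not srv.disk_encrypted:
        findings.append(f"{srv.name}: data at rest not encrypted (boot-media bypass risk)")
    if not srv.backups_encrypted:
        findings.append(f"{srv.name}: backup images not encrypted")
    patch_age = (TODAY - srv.last_patched).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(f"{srv.name}: last patched {patch_age} days ago")
    if not srv.behind_firewall:
        findings.append(f"{srv.name}: not behind a firewall limiting inter-domain traffic")
    if srv.environment == "production" and "developers" in srv.prod_access_groups:
        findings.append(f"{srv.name}: developers have access to production")
    return findings

def audit_domain(servers, plan: DomainPlan) -> list:
    """Audit every server, then the domain-wide BCP/DRP testing requirement."""
    findings = [f for s in servers for f in audit_server(s)]
    if (TODAY - plan.bcp_last_tested).days > MAX_BCP_TEST_AGE_DAYS:
        findings.append("BCP/DRP not tested within the last year")
    return findings

SAMPLE_SERVERS = [  # constructed: db01 is compliant, web01 has three gaps
    Server("db01", "database", "production", True, True, date(2016, 8, 1), True),
    Server("web01", "web", "production", False, True, date(2016, 5, 2), True, ["developers"]),
]
SAMPLE_PLAN = DomainPlan(bcp_last_tested=date(2015, 3, 1))  # constructed: last tested 533 days ago
```

Running `audit_domain(SAMPLE_SERVERS, SAMPLE_PLAN)` yields four findings: three for web01 and one for the overdue BCP/DRP test.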

Summary
In this presentation, the following were covered:
- Compliance laws and business drivers for the System/Application Domain
- Process to monitor application traffic and performance
- Ways to maximize A-I-C
- Roles and responsibilities associated with System/Application Domain compliance
- Best practices for System/Application Domain compliance requirements

Unit 9 Assignment and Lab
- Discussion 9.1: Maximizing Availability, Integrity, and Confidentiality (A-I-C) for System/Application
- Lab 9.2: Auditing the Systems/Application Domain for Compliance
- Assignment 9.3: Best Practices for System/Application Domain Compliance