Controls for Information Security

Presentation transcript:

Controls for Information Security Chapter 8

Learning Objectives
  Explain how information security affects information systems reliability.
  Discuss how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about the security of an organization's information system.

Trust Services Framework
  Security: Access to the system and data is controlled and restricted to legitimate users.
  Confidentiality: Sensitive organizational data is protected.
  Privacy: Personal information about trading partners, investors, and employees is protected.
  Processing integrity: Data are processed accurately, completely, in a timely manner, and only with proper authorization.
  Availability: System and information are available.

The trust services framework is a means to organize IT controls to help ensure systems reliability. At the foundation of this framework is security, which is absolutely necessary for success and for achieving the other four principles. Security procedures:
  Restrict access to authorized users only, which protects the confidentiality of sensitive organizational data and the privacy of personal data collected from customers, suppliers, employees, and so on.
  Protect processing integrity by preventing submission of unauthorized transactions or unauthorized changes to the data.
  Provide protection from unwanted attacks that could bring down the system and make it unavailable.

This is a good visual of the Trust Services Framework. Using the analogy of building a house, you need a good foundation; otherwise the house will fall apart. Then, to keep the roof over your head, you need well-constructed walls. Similarly, for good systems reliability you need a good foundation of security. The walls are the four pillars focused on maintaining good systems reliability.

Security is a management issue: Security Life Cycle
See pages 256-257 for details. Although technology tools are used for security and the security expertise sits within an IT department, effective security must have the support of senior management, who need to understand the potential threats to an organization's information systems that would impede the organization from achieving its goals. As we previously discussed about threats to an AIS, management must first assess the threat to an AIS and determine how to respond (reduce, accept, share, avoid). The second step is to develop security policies (e.g., employees should not click on any links embedded in e-mails) and make sure that those policies are communicated (the best way is through training). The third step is to invest in the necessary resources (human and technology) to reduce the security threats. The fourth step is active monitoring to evaluate security effectiveness; this provides a feedback loop, as management may need to make updates based upon new threats or techniques that affect security. Monitoring is essential because if you do not monitor how well you are doing against your objectives, how do you know whether they have been achieved? Overall, management is responsible for maintaining a "culture of security".

Security Approaches
  Defense-in-depth: multiple layers of control (preventive and detective) to avoid a single point of failure.
  Time-based model: security is effective if P > D + C, where
    P is the time it takes an attacker to break through preventive controls,
    D is the time it takes to detect that an attack is in progress,
    C is the time it takes to respond to the attack and take corrective action.
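The two approaches on this slide fit together: layering preventive controls raises P, while better detection and response shrink D and C. The following Python example, added here and not taken from the textbook or the slides, evaluates the time-based model for a set of layers and shows which single layer the result hinges on. All control names and hour figures are constructed illustrations, not measurements.

```python
"""Time-based model of security (P > D + C) applied to layered controls.

Added example; the controls and their delay figures below are constructed
for illustration and are not measured values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    delay_hours: float  # constructed estimate of how long this layer holds an attacker


def preventive_time(layers):
    """P: with defense-in-depth an attacker must defeat each layer in turn,
    so (assuming the layers fail independently) their delays add up."""
    return sum(c.delay_hours for c in layers)


def evaluate(layers, detect_hours, correct_hours):
    """Return (effective, margin_hours).

    effective is True when P > D + C. margin is P - (D + C): a positive
    margin is the slack the defenders have before the attacker gets through."""
    margin = preventive_time(layers) - (detect_hours + correct_hours)
    return margin > 0, margin


def critical_layers(layers, detect_hours, correct_hours):
    """Names of layers whose removal alone would make the model fail.
    These are the single points of failure defense-in-depth tries to avoid."""
    critical = []
    for layer in layers:
        remaining = [c for c in layers if c is not layer]
        effective, _ = evaluate(remaining, detect_hours, correct_hours)
        if not effective:
            critical.append(layer.name)
    return critical


# Constructed scenario: detection takes 6 hours, corrective response 4 hours.
DETECT_HOURS, CORRECT_HOURS = 6.0, 4.0
SINGLE_LAYER = [Control("perimeter firewall", 8.0)]
LAYERED = SINGLE_LAYER + [
    Control("host hardening", 3.0),
    Control("MFA on admin accounts", 5.0),
]

if __name__ == "__main__":
    for label, layers in (("single layer", SINGLE_LAYER), ("layered", LAYERED)):
        effective, margin = evaluate(layers, DETECT_HOURS, CORRECT_HOURS)
        print(f"{label}: P={preventive_time(layers)}h, effective={effective}, margin={margin:+.1f}h")
    print("critical layers:", critical_layers(LAYERED, DETECT_HOURS, CORRECT_HOURS))
```

With these constructed numbers the single firewall fails the model (8 < 6 + 4), the three layers pass it with a six-hour margin, and the firewall is still the one layer the result depends on. Cutting detection time to two hours also makes even the single layer pass, which is the slide's point that detective and corrective controls are as much part of the model as preventive ones.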

Steps criminals use to attack an organization's information systems
  1. Conduct reconnaissance
  2. Attempt social engineering
  3. Scan and map the target
  4. Research
  5. Execute the attack
  6. Cover tracks

How to Mitigate Risk of Attack (Table 8-1)

Preventive Controls:
  People
  Process
  IT Solutions
  Physical security
  Change controls and change management

Detective Controls:
  Log analysis
  Intrusion detection systems
  Penetration testing
  Continuous monitoring

Preventive: People
  Culture of security
    Tone set at the top with management
    Training
  Training
    Follow safe computing practices
    Never open unsolicited e-mail attachments
    Use only approved software
    Do not share passwords
    Physically protect laptops/cellphones
    Protect against social engineering

Preventive: Process
  Authentication verifies who the person is:
    Something the person knows
    Something the person has
    Some biometric characteristic
    A combination of all three
  Focus 8-1 on the effectiveness of passwords
  Authorization determines what a person can access:
    Access control matrix

These two concepts are related: to get into a system, you first need to be authenticated; authorization then governs where you are allowed to go once you are in the system.
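To make the authenticate-then-authorize sequence concrete, here is a Python example added for this page (not the textbook's code). It checks two factors, something known (a salted, iterated password hash) and something held (a one-time code, simulated here as a stored value), and only then consults an access control matrix, where the compatibility test is a default-deny lookup. The user names, password, code, resources and matrix contents are all constructed for the example.

```python
"""Authentication followed by authorization against an access control matrix.

Added example. The user store, the one-time code and the matrix contents
are constructed for illustration.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Salted, iterated hash so a stolen store cannot be reversed cheaply."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# Constructed user store: factor 1 (something known) is the password hash,
# factor 2 (something held) is a one-time code we simulate as a stored value.
_salt, _digest = hash_password("correct horse battery staple")
USERS = {
    "alice": {"salt": _salt, "digest": _digest, "otp": "492817"},
}


def authenticate(user, password, otp):
    """Multifactor authentication: every factor must pass."""
    record = USERS.get(user)
    if record is None:
        hash_password(password, b"\x00" * 16)  # keep timing similar for unknown users
        return False
    password_ok = verify_password(password, record["salt"], record["digest"])
    otp_ok = hmac.compare_digest(otp, record["otp"])
    return password_ok and otp_ok


# Access control matrix: rows are users, columns are resources,
# each cell is the set of actions that user may perform on that resource.
ACCESS_MATRIX = {
    "alice": {"payroll_file": {"read"}, "gl_journal": {"read", "write"}},
    "bob": {"gl_journal": {"read"}},
}


def compatibility_test(user, resource, action):
    """Authorization check. Anything not listed in the matrix is denied."""
    return action in ACCESS_MATRIX.get(user, {}).get(resource, set())


def request(user, password, otp, resource, action):
    """Full flow: authenticate first, then authorize. Returns a status string."""
    if not authenticate(user, password, otp):
        return "denied: authentication failed"
    if not compatibility_test(user, resource, action):
        return "denied: not authorized"
    return "allowed"


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print(request("alice", pw, "492817", "gl_journal", "write"))
    print(request("alice", pw, "000000", "gl_journal", "write"))
    print(request("alice", pw, "492817", "payroll_file", "write"))
```

The order matters: authorization is never consulted for a caller who has not been authenticated, and the matrix lookup denies by default, so a missing row or cell can only withhold access, never grant it.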

Preventive: IT Solutions
  Antimalware controls
  Network access controls
  Device and software hardening controls
  Encryption

Preventive: Other
  Physical security access controls
    Limit entry to the building
    Restrict access to network and data
  Change controls and change management
    Formal processes in place regarding changes made to hardware, software, or processes

Corrective
  Computer Incident Response Team (CIRT)
  Chief Information Security Officer (CISO)
  Patch management

Key Terms
  Defense-in-depth
  Time-based model of security
  Social engineering
  Authentication
  Biometric identifier
  Multifactor authentication
  Multimodal authentication
  Authorization
  Access control matrix
  Compatibility test
  Border router
  Firewall
  Demilitarized zone (DMZ)
  Routers
  Access control list (ACL)
  Packet filtering
  Deep packet inspection
  Intrusion prevention system
  Remote Authentication Dial-in User Service (RADIUS)
  War dialing
  Endpoints
  Vulnerabilities
  Vulnerability scanners
  Hardening
  Change control and change management
  Log analysis
  Intrusion detection system (IDS)

Key Terms (continued)
  Penetration test
  Computer incident response team (CIRT)
  Exploit
  Patch
  Patch management
  Virtualization
  Cloud computing