Chapter 8 Information Systems Controls for System Reliability— Part 1: Information Security Copyright © 2012 Pearson Education, Inc. publishing as Prentice.

Presentation transcript:

Chapter 8 Information Systems Controls for System Reliability— Part 1: Information Security Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall

Learning Objectives
- Discuss how the COBIT framework can be used to develop sound internal control over an organization’s information systems.
- Explain the factors that influence information systems reliability.
- Describe how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about information security.

AIS Controls
- COSO and COSO-ERM address general internal control
- COBIT addresses information technology internal control

Information for Management Should Be:
- Effectiveness: Information must be relevant and timely.
- Efficiency: Information must be produced in a cost-effective manner.
- Confidentiality: Sensitive information must be protected from unauthorized disclosure.
- Integrity: Information must be accurate, complete, and valid.
- Availability: Information must be available whenever needed.
- Compliance: Controls must ensure compliance with internal policies and with external legal and regulatory requirements.
- Reliability: Management must have access to appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities.

COBIT Framework (figure): the four domains Plan & Organize, Acquire & Implement, Deliver & Support, and Monitor & Evaluate, bounded by the Information Criteria.

COBIT Cycle
- Management develops plans to organize information resources to provide the information it needs.
- Management authorizes and oversees efforts to acquire (or build internally) the desired functionality.
- Management ensures that the resulting system actually delivers the desired information.
- Management monitors and evaluates system performance against the established criteria.
- The cycle constantly repeats, as management modifies existing plans and procedures or develops new ones to respond to changes in business objectives and new developments in information technology.

COBIT Controls
- 210 controls for ensuring information integrity
- A subset is relevant for external auditors: IT Control Objectives for Sarbanes-Oxley, 2nd Edition
- AICPA and CICA information systems controls: controls for system and financial statement reliability

Trust Services Framework
- Security: Access to the system and its data is controlled and restricted to legitimate users.
- Confidentiality: Sensitive organizational information (e.g., marketing plans, trade secrets) is protected from unauthorized disclosure.
- Privacy: Personal information about customers is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements and is protected from unauthorized disclosure.
- Processing Integrity: Data are processed accurately, completely, in a timely manner, and only with proper authorization.
- Availability: The system and its information are available to meet operational and contractual obligations.

Trust Services Framework (figure)

Security / Systems Reliability
- Foundation of the Trust Services Framework
- A management issue, not a technology issue
- SOX 302 states that the CEO and the CFO are responsible for certifying that the financial statements fairly present the results of the company’s activities.
- The accuracy of an organization’s financial statements depends upon the reliability of its information systems.
- Defense-in-depth and the time-based model of information security: have multiple layers of control

Management’s Role in IS Security
- Create a security-aware culture
- Inventory and value company information resources
- Assess risk, select risk response
- Develop and communicate security plans, policies, and procedures
- Acquire and deploy IT security resources
- Monitor and evaluate effectiveness

Time-Based Model
- Combination of detective and corrective controls
- P = the time it takes an attacker to break through the organization’s preventive controls
- D = the time it takes to detect that an attack is in progress
- C = the time it takes to respond to the attack
- For an effective information security system: P > D + C

Steps in an IS System Attack
- Conduct reconnaissance
- Attempt social engineering
- Scan and map target
- Research
- Execute attack
- Cover tracks

Mitigate Risk of Attack
- Preventive controls
- Detective controls
- Corrective controls

Preventive Controls
- Training
- User access controls (authentication and authorization)
- Physical access controls (locks, guards, etc.)
- Network access controls (firewalls, intrusion prevention systems, etc.)
- Device and software hardening controls (configuration options)

Authentication vs. Authorization
- Authentication verifies who a person is, using:
  - Something the person knows
  - Something the person has
  - Some biometric characteristic
  - A combination of all three
- Authorization determines what a person can access
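As an added illustration (not from the textbook slides), the following Python separates the two questions: authenticate() checks who the person is with something they know (a salted password hash) and something they have (an RFC 6238 time-based one-time code), and authorize() then checks what that identity may do from a role table. The user record, salt, secret and role names are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed user store; a real system keeps this in a protected database.
# pw_hash covers "something you know", totp_secret backs "something you have".
_SALT = b"constructed-salt"
USERS = {
    "jdoe": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
        "totp_secret": b"constructed-totp-secret",
        "role": "ap_clerk",
    }
}
# Authorization matrix: which role may perform which action (kept apart from identity).
PERMISSIONS = {
    "ap_clerk": {"enter_invoice"},
    "controller": {"enter_invoice", "approve_payment"},
}

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1, 30-second step)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def authenticate(user: str, password: str, code: str, now: int) -> bool:
    """Verify WHO the person is: password (knows) AND one-time code (has)."""
    rec = USERS.get(user)
    if rec is None:
        return False
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000), rec["pw_hash"])
    otp_ok = hmac.compare_digest(totp(rec["totp_secret"], now), code)
    return pw_ok and otp_ok  # both are computed so timing does not reveal which failed

def authorize(user: str, action: str) -> bool:
    """Decide WHAT an authenticated user may do, from the role rather than identity alone."""
    rec = USERS.get(user)
    return rec is not None and action in PERMISSIONS.get(rec["role"], set())

def attempt(user: str, password: str, code: str, action: str, now: int) -> str:
    """Full access decision: authentication first, then authorization."""
    if not authenticate(user, password, code, now):
        return "denied: authentication failed"
    if not authorize(user, action):
        return "denied: not authorized for " + action
    return "allowed: " + action
```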

Network Access Control (Perimeter Defense)
- Border router: Connects an organization’s information system to the Internet
- Firewall: Software or hardware used to filter information
- Demilitarized Zone (DMZ): Separate network that permits controlled access from the Internet to selected resources
- Intrusion Prevention Systems (IPS): Monitor patterns in the traffic flow, rather than only inspecting individual packets, to identify and automatically block attacks

Internet Information Protocols (figure)

Device and Software Hardening (Internal Defense)
- End-Point Configuration: Disable unnecessary features that may be vulnerable to attack on servers, printers, and workstations
- User Account Management
- Software Design: Programmers must be trained to treat all input from external users as untrustworthy and to carefully check it before performing further actions.
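The software-design point above, shown as an added example that is not part of the slides: a customer lookup that splices untrusted input into its SQL text beside the hardened version that checks the input against an allow-list and binds it as a parameter. The in-memory customer table is constructed for the example.

```python
import re
import sqlite3

def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the AIS customer master file."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (id INTEGER, name TEXT, balance REAL)")
    con.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                    [(1, "Acme Ltd", 1200.50), (2, "Globex", 75.00), (3, "Initech", 0.0)])
    return con

def lookup_unsafe(con: sqlite3.Connection, customer_id: str):
    """Trusts the external input: whatever the user typed becomes part of the query."""
    sql = "SELECT id, name, balance FROM customers WHERE id = " + customer_id
    return con.execute(sql).fetchall()

def lookup_hardened(con: sqlite3.Connection, customer_id: str):
    """Checks the input first (allow-list: 1-9 digits) and then binds it as a
    parameter, so the user's text can never change the structure of the query."""
    if not re.fullmatch(r"[0-9]{1,9}", customer_id):
        raise ValueError("customer id must be 1-9 digits")
    return con.execute(
        "SELECT id, name, balance FROM customers WHERE id = ?", (int(customer_id),)).fetchall()
```

With the input "2 OR 1=1", the unsafe version returns every customer while the hardened version rejects the request before any query runs.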

Detective Controls
- Log Analysis: Process of examining logs to identify evidence of possible attacks
- Intrusion Detection: Sensors and a central monitoring unit that create logs of network traffic that was permitted to pass the firewall and then analyze those logs for signs of attempted or successful intrusions
- Managerial Reports
- Security Testing
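Log analysis as described above, as an added example rather than material from the slides: the script parses constructed authentication log lines, flags a source address that fails five times within five minutes, and flags a later successful login from that same source, which is the pattern a responder would want to see first. The log format, host name and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like layout (not from any real system).
SAMPLE_LOG = """\
2024-03-04T09:00:01 authsrv sshd: Failed password for jdoe from 203.0.113.7
2024-03-04T09:00:03 authsrv sshd: Failed password for jdoe from 203.0.113.7
2024-03-04T09:00:05 authsrv sshd: Failed password for admin from 203.0.113.7
2024-03-04T09:00:06 authsrv sshd: Failed password for root from 203.0.113.7
2024-03-04T09:00:08 authsrv sshd: Failed password for jdoe from 203.0.113.7
2024-03-04T09:00:11 authsrv sshd: Accepted password for jdoe from 203.0.113.7
2024-03-04T09:15:00 authsrv sshd: Failed password for bsmith from 198.51.100.2
2024-03-04T09:40:00 authsrv sshd: Accepted password for bsmith from 198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$")

def parse(log_text: str):
    """Turn each raw line into a structured event; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                           "user": m["user"], "src": m["src"]})
    return events

def find_suspicious(events, threshold: int = 5, window: timedelta = timedelta(minutes=5)):
    """Flag a source with >= threshold failures inside the window, and flag any
    later success from that source (a sign the guessing may have worked)."""
    failures = defaultdict(list)  # src -> timestamps of failures still inside the window
    findings, flagged = [], set()
    for ev in events:
        src = ev["src"]
        if ev["result"] == "Failed":
            failures[src] = [t for t in failures[src] if ev["ts"] - t <= window] + [ev["ts"]]
            if len(failures[src]) >= threshold and src not in flagged:
                flagged.add(src)
                findings.append(("repeated_failures", src, ev["ts"]))
        elif src in flagged:
            findings.append(("success_after_failures", src, ev["user"]))
    return findings
```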

Corrective Controls
- Computer Incident Response Team
- Chief Information Security Officer (CISO): Independent responsibility for information security assigned to someone at an appropriate senior level
- Patch Management: Fix known vulnerabilities by installing the latest updates to security programs, operating systems, and application programs

Computer Incident Response Team
- Recognize that a problem exists
- Containment of the problem
- Recovery
- Follow-up

New Considerations
- Virtualization: Multiple systems are run on one computer
- Cloud Computing: Remotely accessed resources (software applications, data storage, hardware)
- Risks: Increased exposure if a breach occurs; reduced authentication standards
- Opportunities: Implementing strong access controls in the cloud or over the server that hosts a virtual network provides good security over all the systems contained therein