Presentation is loading. Please wait.

Presentation is loading. Please wait.

Figure 11-5: Control Principles

Published byBart de Jonge Modified over 6 years ago

Similar presentations

Presentation on theme: "Figure 11-5: Control Principles"— Presentation transcript:

1 Figure 11-5: Control Principles
Policies Brief visions statements Cannot give details because the environment and technology keep changing Standards Mandatory actions that MUST be followed Baselines The application of standards to specific products For example, steps to harden a LINUX server

2 Figure 11-5: Control Principles
Guidelines Voluntary recommended action Although voluntary, must consider in making decisions Good when the situation is too complex or uncertain for standards Unfortunately, sometimes should be standards but lack of political power prevents this

3 Figure 11-5: Control Principles
Procedures Sets of action taken by people Steps to do background checks on employees Steps to add user on a server

4 Figure 11-5: Control Principles
Employee Behavior Policies For general corporate employees Theft, sexual harassment, racial harassment, pornography, personal use of office equipment, revealing of trade secrets, etc.

5 Figure 11-5: Control Principles
Best Practices and Recommended Practices Best practices are descriptive of what the best firms do Recommended practices are prescriptions for what the firm should do Both allow a firm to know, at a broad level, if it is doing what it should be doing

6 Figure 11-6: Operations Security
The day-to-day work of the IT department and other departments Systems administration (server administration) especially Entering data, upgrading programs, adding users, assigning access permissions, etc.

7 Figure 11-6: Operations Security
Principles Clear roles Who should do what in each step Assign tasks to roles, then assign individuals to roles as needed

8 Figure 11-6: Operations Security
Principles Separation of duties and mandatory vacations to prevent people from maintaining deceptions Prospects for collusion: Reduce them Check family and personal relationships assigning people to duties

9 Figure 11-6: Operations Security
Accountability Accountability and roles Owner: Responsible for the asset Custodian: Delegated responsibility Auditable protections and controls for specific assets If not auditable, can you tell if they work? Exception handling with documentation and audit of who took what actions

10 Figure 11-6: Operations Security
Managing Development and Change for Production Servers Tiers of Servers Development Server: Server on which software is developed and changed Developers need extensive permissions Staging (Testing) Server: Server on which changes are tested and vetted for security Testers should have access permissions; developers should not

11 Figure 11-6: Operations Security
Managing Development and Change for Production Servers Tiers of Servers Production Servers: Servers that run high- volume production operations Neither developers nor testers should have access permissions

12 Figure 11-6: Operations Security
Managing Development and Change for Production Servers Change Management Control Limit who can request changes Implement procedures for controlling changes Have security examine all candidate changes for potential problems (bad encryption, lack of authentication, etc.)

13 Figure 11-6: Operations Security
Managing Development and Change for Production Servers Auditing Development for individual programs Do detailed line-by-line code inspection for security issues

Download ppt "Figure 11-5: Control Principles"

Similar presentations

RBAC and HIPAA Security Uday O. Ali Pabrai, CHSS, SCNA Chief Executive, HIPAA Academy.

RBAC and HIPAA Security Uday O. Ali Pabrai, CHSS, SCNA Chief Executive, HIPAA Academy.
Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
Overview of IS Controls, Auditing, and Security Fall 2005.

Overview of IS Controls, Auditing, and Security Fall 2005.
BONDS, CRIME and PROPERTY FARA on the behalf of the Office of Risk Management Revised 06/2011.

BONDS, CRIME and PROPERTY FARA on the behalf of the Office of Risk Management Revised 06/2011.
Appendix B: Designing Policies for Managing Networks.

Appendix B: Designing Policies for Managing Networks.
Conversation Form l One path through a use case that emphasizes interactions between an actor and the system l Can show optional and repeated actions l.

Conversation Form l One path through a use case that emphasizes interactions between an actor and the system l Can show optional and repeated actions l.
CST 481/598 x.2.  Broad overview of policy material  What is a “process”  Tiers (not tears) Many thanks to Jeni Li.

CST 481/598 x.2.  Broad overview of policy material  What is a “process”  Tiers (not tears) Many thanks to Jeni Li.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
Policy & Procedure IACT 418/918 Autumn 2005 Gene Awyzio SITACS University of Wollongong.

Policy & Procedure IACT 418/918 Autumn 2005 Gene Awyzio SITACS University of Wollongong.
Security Management Practices Keith A. Watson, CISSP CERIAS.

Security Management Practices Keith A. Watson, CISSP CERIAS.
Information Systems Security Officer

Information Systems Security Officer
Stephen S. Yau 1CSE465-591 Fall 2006 Personnel Security.

Stephen S. Yau 1CSE Fall 2006 Personnel Security.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Copyright © Center for Systems Security and Information Assurance Lesson Eight Security Management.

Copyright © Center for Systems Security and Information Assurance Lesson Eight Security Management.
ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.

ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.
Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.

Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.
©2008 Pearson Prentice Hall. All rights reserved. 4-1 Internal Control & Cash Chapter 4.

©2008 Pearson Prentice Hall. All rights reserved. 4-1 Internal Control & Cash Chapter 4.
BUSINESS OPERATIONS Business Management. Today’s Objectives  Identify workplace safety & security measures.  Analyze components included in policies.

BUSINESS OPERATIONS Business Management. Today’s Objectives  Identify workplace safety & security measures.  Analyze components included in policies.
Financial Resource Management Recommended Best Practices Training for Volunteers and Support Groups.

Financial Resource Management Recommended Best Practices Training for Volunteers and Support Groups.
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Similar presentations

Ads by Google