Presentation is loading. Please wait.

Presentation is loading. Please wait.

LO3 Review mechanisms to control organisational IT security

Published byCordelia May Modified over 5 years ago

Similar presentations

Presentation on theme: "LO3 Review mechanisms to control organisational IT security"— Presentation transcript:

1 LO3 Review mechanisms to control organisational IT security
Unit 5: Security LO3 Review mechanisms to control organisational IT security

2 Learning Outcomes and Assessment Criteria
Pass Merit Distinction LO3 Review mechanisms to control organisational IT security D2 Consider how IT security can be aligned with organisational policy, detailing the security impact of any misalignment. P5 Discuss risk assessment procedures. P6 Explain data protection processes and regulations as applicable to an organisation. M3 Summarise the ISO risk management methodology and its application in IT security. M4 Discuss possible impacts to organisational security resulting from an IT security audit.

3 LO3 Review mechanisms to control organisational IT security
Risk assessment and integrated enterprise risk management: Network change management, audit control, business continuance/disaster recovery plans, potential loss of data/business, intellectual property, hardware and software; probability of occurrence e.g. disaster, theft; staff responsibilities; Data Protection Act; Computer Misuse Act; ISO standards. Company regulations: Site or system access criteria for personnel; physical security types e.g. biometrics, swipe cards, theft prevention.

4 Risk assessment and integrated enterprise risk management:
Network change management Audit control Business continuance/disaster recovery plans, Potential loss of data/business, Intellectual property, Hardware and software Probability of occurrence e.g. disaster, theft; staff responsibilities; Data Protection Act; Computer Misuse Act; ISO standards.

5 (NCCM) Network configuration and change management
With this system/discipline in place organising and maintaining information about all of the components in a computer network becomes significantly easier. Network device configuration information will be stored in a centrally located server, where device configurations can be easily downloaded. The network administrator refers to the network configuration management database to determine the best course of action when repairs, modifications or upgrades are needed.

6 (NCCM) Network configuration and change management
Uses include: Daily checking of device configuration data to spot any changes in configuration files, which could reveal cyber threats and potential failures.  Creating bulk changes such as implementing mass changes to passwords on devices throughout the network Auditing and reporting allowing for easy track information about network components.

7 This image is taken from:
Also see more info here: This image is taken from: configuration-and-change-management.html This is a good resource to see a practical software application of NCCM.

8 Audit control Audits could include: Review and management
eg access to systems. Establishment and review of personal, corporate and technical trust. Vetting of staff. Forensic analysis of systems Use of custom forensics or existing sysadmin tools. Audit control An organisation that is unaware of how and where security breaches might occur could soon be faced with a situation that will be costly, and could be very embarrassing. Instead, a security audit should be conducted to check what might go wrong, and to plan improvements before a hacker – or some other individual – takes advantage of the situation.

9 Training should be given so that employees know what to do, for example, if they suspect a virus attack: Who should they contact first? Should they turn their ICT system off? Employees also need to know what to do if they think their login ID is being used by someone else: Who should they inform of their fear? What methods might be used to trap the culprit? What procedures should be followed to prevent similar lapses in security in future. Business continuance While a security audit will identify weaknesses that ought to be addressed, and an organisation should make every effort to remedy any shortfall, there will always be a risk of a security breach. For this reason, an analysis of risks should be carried out and a contingency plan drawn up. This contingency plan should cover backup, offsite storage, data recovery procedures, access to immediate hardware replacement, plus insurance that covers replacement, loss of business and all the recovery work. Ability of an organization to maintain essential functions during, as well as after, a disaster has occurred.

10 Backup/restoration of data
Employees who are responsible for data recovery should also know the procedures to follow. The aim should be to plan ahead so that the whole system can be up and running again within a specified time- scale, e.g. 24 hours. Then, if the worst case scenario happens, disaster recovery should be as smooth as possible. The contingency plan has to be developed from a full risk analysis, so that every eventuality is taken into consideration.

11 Potential loss of data/business
Costs If data is lost, costs are incurred in recovering the data. If software is corrupted, a copy should be available, but the replacement will take time and incur staff costs. Depending on how serious a breach was experienced, there may be a need to consult specialists, and this too will incur extra costs Loss of business A security breach can result in the collapse of an ICT system. The time during which normal service is not available is called downtime. Organisations that rely on an ICT system to take orders will suffer a loss of business during the downtime. Some customers will come back later, but some will not; they will already have taken their business elsewhere. If a security breach causes data loss, and it proves difficult to recover that data, then the result can be disastrous for an organisation.

12 Intellectual property
Intellectual property protection helps you to stop people stealing or copying: the names of your products or brands your inventions the design or look of your products things you write, make or produce Copyright, patents, designs and trade marks are all types of intellectual property protection. You get some types of protection automatically, others you have to apply for. Consider that you must have mechanisms in place to protect a company's IP

13 Hardware and software Risk assessment of this take place through ISO Risk Assessment and Treatment Process.

14 Probability of occurrence
Consider the following when outlining likelihood of security risks: Disaster Theft How can a company meet the following: Data Protection Act (2018 Computer Misuse Act (1990) ISO standards. What are staff responsibility's in this process? Explaining why data is collected, how it is stored, management of data, following security guidelines etc.

15 Data Protection Act 2018 Implementation of General Data Protection Regulation(GDPR) Outlines strict rules called ‘data protection principles” There is stronger legal protection for more sensitive information, such as: Race, ethnic background, political opinions, religious beliefs, trade union membership, genetics biometrics (where used for identification), health, sex life or orientation Outlines rights to find out what information the government and other organisations store about you. 

16 Computer Misuse Act (1990) Protect computer users against attacks and theft of information. Offences under the act include: hacking, unauthorized access to computer systems purposefully spreading malicious and damaging software (malware), such as viruses.

17 ISO standards Provides guidelines for dealing with today’s threats Not requirements, and is therefore not intended for certification purposes. Risk management guidelines include: Planning Implementing Measure Learn.

18 Company regulations: Site or system access criteria for personnel;
It should not be easy to walk into a facility without a key or badge, or without being required to show identity or authorization. Controlling physical access is your first line of defense, by protecting your data (and your staff) against the simplest of inadvertent or malicious intrusions and interferences. Physical security types could include e.g. biometrics, swipe cards, theft prevention(Cameras etc.).

Download ppt "LO3 Review mechanisms to control organisational IT security"

Similar presentations

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
2 Issues of the information age Computer _______ and mistakes –Preventing computer related waste & mistakes Computer crime –Computer as tool to commit.

2 Issues of the information age Computer _______ and mistakes –Preventing computer related waste & mistakes Computer crime –Computer as tool to commit.
Information System protection and Security. Need for Information System Security §With the invent of computers and telecommunication systems, organizations.

Information System protection and Security. Need for Information System Security §With the invent of computers and telecommunication systems, organizations.
E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.

E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.
Security Controls – What Works

Security Controls – What Works
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Factors to be taken into account when designing ICT Security Policies

Factors to be taken into account when designing ICT Security Policies
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Network security policy: best practices

Network security policy: best practices
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
Air Force Association (AFA) 1. 1.Access Control 2.Four Steps to Access 3.How Does it Work? 4.User and Guest Accounts 5.Administrator Accounts 6.Threat.

Air Force Association (AFA) 1. 1.Access Control 2.Four Steps to Access 3.How Does it Work? 4.User and Guest Accounts 5.Administrator Accounts 6.Threat.
Information Security Technological Security Implementation and Privacy Protection.

Information Security Technological Security Implementation and Privacy Protection.
General Awareness Training

General Awareness Training
Security of Data. Key Ideas from syllabus Security of data Understand the importance of and the mechanisms for maintaining data security Understand the.

Security of Data. Key Ideas from syllabus Security of data Understand the importance of and the mechanisms for maintaining data security Understand the.
Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.

Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.
BUSINESS B1 Information Security.

BUSINESS B1 Information Security.
DEVELOPING A RISK ANALYSIS. What is a risk analysis? A Risk analysis is concerned with identifying the risks that an organisation is exposed to, identifying.

DEVELOPING A RISK ANALYSIS. What is a risk analysis? A Risk analysis is concerned with identifying the risks that an organisation is exposed to, identifying.
Security Awareness: Applying Practical Security in Your World Chapter 1: Introduction to Security.

Security Awareness: Applying Practical Security in Your World Chapter 1: Introduction to Security.

Similar presentations

Ads by Google