Published by Cordelia Barber. Modified over 9 years ago.
Slide 1: Information Systems Security
Operational Control for Information Security
Slide 2: Operational Control
- The controls that deal with the everyday operation of an organization, to ensure that all objectives are achieved
- Covers a wide spectrum of procedures associated with the users and with how the work gets done
- A continual effort and discipline to maintain the system at a high level of security
Slide 3: Aspects of operational control
- Staffing
- Management
- Application control
- User management
- Change control
- Backup and restore
- Incident handling
- Awareness, training and education
- Physical and environmental security
Slide 4: Staffing
- Defining the job
- Determining the sensitivity of the position
- Filling the post, which involves background checks, screening and selection of an individual
- Employee handbook
- Training
- Mandatory vacation
- Job rotation
Slide 5: Management
- Make sure that policies, standards, guidelines and procedures are in place and are being followed
- Administrative management practices to prevent and eliminate the chance of fraud
- Act with due care and due diligence
Slide 6: Management
- Proper organization structure
- Clear duties and responsibilities
- Proper authorization procedures
- Checks and balances
- Schedule of work
- Checking of results
Slide 7: Application of security principles
- Separation of duties: ensures that a single individual cannot subvert a critical process (check and balance)
- Least privilege: grant only the rights needed to perform official duties
Slide 8: Application controls
- Refer to the transactions and data of each computer application, and are therefore specific to each application
- The objective is to ensure the completeness and accuracy of the records and the validity of the entries
Slide 9: Application controls
- Controls over the input, processing and output functions
- They include methods to ensure that:
  - Only complete, accurate and valid data are entered and updated
  - Processing performs the correct task
  - Data are maintained
Slide 10: Input controls
- Sequence check
- Limit check
- Range check
- Validity check
- Check digit
- Duplicate check
- Logical relationship check
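The seven input controls on the slide, implemented as a batch validator. This is an added example, not code from the deck: the transaction records, the credit limit, the quantity range and the currency table are all constructed for illustration, and the check digit uses the Luhn algorithm as one common check-digit scheme (the slide does not name a specific one). Record 3 is deliberately wrong in several ways and record 4 is a replay of record 2, so both are rejected with the list of checks they failed.

```python
"""Input controls over a constructed batch of order transactions (added example)."""
from datetime import date

CREDIT_LIMIT = 10_000.00           # assumed upper limit for the limit check
QTY_RANGE = (1, 100)               # assumed acceptable quantity range
VALID_CURRENCIES = {"HKD", "USD", "EUR"}   # assumed reference table for the validity check

# Constructed sample batch. Record 3 breaks most checks on purpose; record 4 repeats record 2.
BATCH = [
    {"seq": 1, "account": "79927398713", "qty": 3,   "unit_price": 40.00,  "currency": "HKD", "order_date": "2024-03-01", "ship_date": "2024-03-03"},
    {"seq": 2, "account": "79927398713", "qty": 10,  "unit_price": 450.00, "currency": "USD", "order_date": "2024-03-01", "ship_date": "2024-03-01"},
    {"seq": 4, "account": "79927398714", "qty": 150, "unit_price": 100.00, "currency": "XYZ", "order_date": "2024-03-02", "ship_date": "2024-03-01"},
    {"seq": 2, "account": "79927398713", "qty": 10,  "unit_price": 450.00, "currency": "USD", "order_date": "2024-03-01", "ship_date": "2024-03-01"},
]


def luhn_valid(number: str) -> bool:
    """Check digit: Luhn mod-10 over the account number (assumed scheme)."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_date(s: str):
    try:
        return date.fromisoformat(s)
    except ValueError:
        return None


def validate_batch(records):
    """Return [(index, [failed checks])] for every record that fails at least one control."""
    findings = []
    expected_seq = 1
    seen = set()
    for idx, r in enumerate(records):
        errs = []
        # Sequence check: records must arrive in unbroken order.
        if r["seq"] != expected_seq:
            errs.append("sequence")
        expected_seq = r["seq"] + 1
        # Limit check: transaction value may not exceed an upper bound.
        if r["qty"] * r["unit_price"] > CREDIT_LIMIT:
            errs.append("limit")
        # Range check: field must lie between a lower and an upper bound.
        if not QTY_RANGE[0] <= r["qty"] <= QTY_RANGE[1]:
            errs.append("range")
        # Validity check: value must exist in the reference table / be well-formed.
        order_d, ship_d = parse_date(r["order_date"]), parse_date(r["ship_date"])
        if r["currency"] not in VALID_CURRENCIES or order_d is None or ship_d is None:
            errs.append("validity")
        # Check digit: catches transposed or mistyped account numbers.
        if not luhn_valid(r["account"]):
            errs.append("check_digit")
        # Duplicate check: the same transaction must not be entered twice.
        key = (r["account"], r["qty"], r["unit_price"], r["order_date"])
        if key in seen:
            errs.append("duplicate")
        seen.add(key)
        # Logical relationship check: shipping cannot precede ordering.
        if order_d and ship_d and ship_d < order_d:
            errs.append("logical")
        if errs:
            findings.append((idx, errs))
    return findings


if __name__ == "__main__":
    for idx, errs in validate_batch(BATCH):
        print(f"record {idx} (seq {BATCH[idx]['seq']}) rejected: {', '.join(errs)}")
```

Records that fail any check are rejected as a whole rather than partially posted; the rejection list is what feeds the error-handling procedure (suspense file, resubmission) covered later in the deck.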
Slide 11: Process controls
- Manual recalculation
- Run-to-run totals
- Programmed controls
- Exception reports
Slide 12: Output controls
- Logging
- Storage of sensitive forms and reports in a secure place
- Report distribution
Slide 13: Data files control
- Source document retention
- Before and after imaging
- Version control
- Transaction log
- Labeling
- Authorization for access
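Before-and-after imaging, version control and the transaction log work together: every change to a master file is logged with the record's image before the change and after it, tagged with a version number and the user who made it. From that log an auditor can see who changed what, a bad update can be rolled back from the before-images, and the file can be rebuilt from an older backup by replaying the after-images. The class below is an added example written for this page, not code from the deck; the employee records, user names and version numbering are constructed.

```python
"""Before/after imaging on a master file with a replayable transaction log (added example)."""
import copy


class MasterFile:
    def __init__(self, records: dict):
        self.records = records      # key -> record dict (constructed sample data)
        self.log = []               # transaction log: one entry per change
        self.version = 0            # version control: increments on every change

    def _apply(self, key, image, user, note):
        """Write one log entry holding the before-image and after-image, then apply it."""
        before = copy.deepcopy(self.records.get(key))
        self.version += 1
        self.log.append({"version": self.version, "key": key, "user": user,
                         "note": note, "before": before, "after": copy.deepcopy(image)})
        if image is None:           # an after-image of None means the record is deleted
            self.records.pop(key, None)
        else:
            self.records[key] = image
        return self.version

    def update(self, key, changes: dict, user: str):
        """Normal update: merge changes into the current record (creates it if absent)."""
        current = self.records.get(key, {})
        return self._apply(key, {**current, **changes}, user, "update")

    def snapshot(self):
        """What a backup would capture: the version number and a copy of the data."""
        return self.version, copy.deepcopy(self.records)

    def rollback(self, to_version: int, user: str) -> int:
        """Undo every change newer than to_version using the before-images.
        The undo is logged as a new entry, so the audit trail is never shortened."""
        undone = [e for e in self.log if e["version"] > to_version]
        for e in reversed(undone):
            self._apply(e["key"], e["before"], user, f"rollback of v{e['version']}")
        return len(undone)

    @staticmethod
    def rebuild(backup, log):
        """Forward recovery: replay after-images newer than the backup onto the backup."""
        backup_version, records = backup
        rebuilt = copy.deepcopy(records)
        for e in log:
            if e["version"] <= backup_version:
                continue
            if e["after"] is None:
                rebuilt.pop(e["key"], None)
            else:
                rebuilt[e["key"]] = copy.deepcopy(e["after"])
        return rebuilt

    def history(self, key):
        """Audit view: who changed this record, and from what to what."""
        return [(e["version"], e["user"], e["before"], e["after"])
                for e in self.log if e["key"] == key]


if __name__ == "__main__":
    mf = MasterFile({"E100": {"name": "Ada", "salary": 5000}})
    backup = mf.snapshot()
    mf.update("E100", {"salary": 9000}, "clerk1")
    mf.update("E200", {"name": "Bob", "salary": 4000}, "clerk1")
    for row in mf.history("E100"):
        print(row)
    print("rebuild matches live file:", MasterFile.rebuild(backup, mf.log) == mf.records)
    mf.rollback(1, "auditor")
    print("after rollback:", mf.records)
```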
Slide 14: Media control
- A media library may be set up, with procedures adopted to ensure the physical safety of the media and that information security is maintained
- Each item is recorded with:
  - Date of creation
  - Who created it
  - Period of retention
  - Classification
  - Volume name and version
  - Disposal
Slide 15: Error handling
- Transaction log
- Error correction procedure:
  - Logging
  - Timely correction
  - Upstream resubmission
  - Suspense file
  - Error file
  - Cancellation of source document
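The process controls of slide 11 (run-to-run totals, exception reports) and the error-handling procedure of this slide (suspense file, error log, upstream resubmission) fit together in one batch run, shown below as an added example that is not code from the deck. The ledger, the input batch and the account numbers are constructed; amounts are integer cents. The input stage releases the batch with control totals (record count, amount total and a hash total over account numbers); the processing run must account for every record either as posted or as parked in the suspense file, and any difference appears on the exception report. A corrected record then comes back from upstream and is re-posted with the correction logged.

```python
"""Run-to-run totals, exception report, suspense file and resubmission (added example)."""

# Constructed input batch as released by the input stage. Account 1003 does not
# exist in the ledger, so record 3 cannot be posted and must go to suspense.
INPUT_BATCH = [
    {"seq": 1, "account": "1001", "cents": 12000},
    {"seq": 2, "account": "1002", "cents": 450000},
    {"seq": 3, "account": "1003", "cents": 9900},
]


def control_totals(records):
    """Run-to-run totals: record count, amount total and a hash total of account numbers.
    The hash total has no business meaning; it exists only to detect lost or altered records."""
    return {
        "count": len(records),
        "cents": sum(r["cents"] for r in records),
        "hash": sum(int(r["account"]) for r in records),
    }


def add_totals(a, b):
    return {k: a[k] + b[k] for k in a}


def post_run(batch, ledger):
    """Processing run. Records that cannot be posted are written to the suspense
    file with the reason; nothing is silently dropped."""
    posted, suspense = [], []
    for r in batch:
        if r["account"] not in ledger:
            suspense.append({**r, "reason": "unknown account"})
            continue
        ledger[r["account"]] += r["cents"]
        posted.append(r)
    return posted, suspense


def exception_report(input_totals, posted, suspense):
    """Reconcile: what came in must equal what was posted plus what sits in suspense.
    Returns the report lines; an empty list means the run reconciles with nothing pending."""
    lines = []
    accounted = add_totals(control_totals(posted), control_totals(suspense))
    for k in input_totals:
        if input_totals[k] != accounted[k]:
            lines.append(f"{k}: input {input_totals[k]} != posted+suspense {accounted[k]}")
    for s in suspense:
        lines.append(f"suspense seq={s['seq']} account={s['account']} cents={s['cents']}: {s['reason']}")
    return lines


def resubmit(suspense, seq, corrected, ledger, error_log):
    """Upstream resubmission: the originating department supplies a corrected record for
    one suspense entry. Only the faulty field may change; a changed amount would need the
    source document cancelled and re-entered instead."""
    entry = next(s for s in suspense if s["seq"] == seq)
    if corrected["seq"] != seq or corrected["cents"] != entry["cents"]:
        raise ValueError("correction may not change seq or amount; cancel and re-enter")
    posted, still_failing = post_run([corrected], ledger)
    if still_failing:
        error_log.append(f"seq {seq}: resubmission rejected ({still_failing[0]['reason']})")
        return False
    suspense.remove(entry)
    error_log.append(f"seq {seq}: account {entry['account']} -> {corrected['account']} resubmitted and posted")
    return True


if __name__ == "__main__":
    ledger = {"1001": 0, "1002": 0}          # constructed ledger
    totals = control_totals(INPUT_BATCH)
    posted, suspense = post_run(INPUT_BATCH, ledger)
    print("\n".join(exception_report(totals, posted, suspense)))
    # A buggy run that lost a record would show up as total mismatches, not just suspense items:
    print("\n".join(exception_report(totals, posted[:1], suspense)))
    error_log = []
    resubmit(suspense, 3, {"seq": 3, "account": "1002", "cents": 9900}, ledger, error_log)
    print(error_log, ledger, suspense)
```

The reconciliation identity (input = posted + suspense) is the point of run-to-run totals: a record that disappears between stages changes the count, the amount and the hash total at once, so a dropped record cannot hide behind a coincidentally matching amount.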
Slide 16: User administration
- User account management
- Detecting unauthorized/illegal activities
- Temporary assignments and transfers
- Termination: friendly and unfriendly
- Contractor access considerations
- Public access considerations
Slide 17: User account management
- The process of requesting, establishing, issuing and closing user accounts
- Assigning user access authorizations and rights
- Tracking users and their respective access authorizations
- Password policy and guidelines
Slide 18: Detecting unauthorized/illegal activities
- Monitoring and keeping logs
- Auditing and reviewing the logs
- Setting a clipping level: a threshold of tolerable occurrences of an event (for example failed logins per source within a period); activity below it is treated as normal noise, activity above it is reported for review
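A clipping level turns a log into a report: failed logins are counted per source inside a sliding time window, and only sources that reach the level are surfaced. The code below is an added example for this page, not from the deck: the sshd-style log lines are constructed, the level of 5 failures in 10 minutes and the log year are assumptions. The one-off failures by alice and bob fall under the level; the burst from 203.0.113.9 against admin and root exceeds it and is reported.

```python
"""Clipping-level review of failed logins in constructed auth log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

CLIPPING_LEVEL = 5                  # assumed: up to 4 failures in the window is tolerated
WINDOW = timedelta(minutes=10)      # assumed review window
LOG_YEAR = 2024                     # syslog lines carry no year; assumed for parsing

# Constructed sample lines in syslog/sshd style; hosts and addresses are not real.
SAMPLE_LOG = """\
Mar  3 08:00:01 host1 sshd[4321]: Failed password for alice from 10.0.0.5 port 50211 ssh2
Mar  3 08:00:07 host1 sshd[4321]: Accepted password for alice from 10.0.0.5 port 50211 ssh2
Mar  3 08:01:00 host1 sshd[4330]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
Mar  3 08:01:02 host1 sshd[4331]: Failed password for invalid user admin from 203.0.113.9 port 40002 ssh2
Mar  3 08:01:05 host1 sshd[4332]: Failed password for root from 203.0.113.9 port 40003 ssh2
Mar  3 08:01:09 host1 sshd[4333]: Failed password for root from 203.0.113.9 port 40004 ssh2
Mar  3 08:01:12 host1 sshd[4334]: Failed password for root from 203.0.113.9 port 40005 ssh2
Mar  3 08:01:15 host1 sshd[4335]: Failed password for root from 203.0.113.9 port 40006 ssh2
Mar  3 09:30:00 host1 sshd[4400]: Failed password for bob from 10.0.0.7 port 51000 ssh2
Mar  3 09:31:00 host1 sshd[4401]: Accepted password for bob from 10.0.0.7 port 51000 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_failures(text):
    """Extract (timestamp, user, source) for every failed-login line; other lines are ignored."""
    out = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        out.append((ts, m["user"], m["src"]))
    return out


def over_clipping_level(failures, level=CLIPPING_LEVEL, window=WINDOW):
    """Per source, find the densest run of failures inside any window; report sources
    whose run reaches the clipping level. Returns {source: summary}."""
    by_source = defaultdict(list)
    for ts, user, src in failures:
        by_source[src].append((ts, user))
    alerts = {}
    for src, events in by_source.items():
        events.sort()
        start, best = 0, None
        for i, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:     # slide the window forward
                start += 1
            n = i - start + 1
            if n >= level and (best is None or n > best[0]):
                best = (n, events[start:i + 1])
        if best:
            n, run = best
            alerts[src] = {"failures": n,
                           "users": sorted({u for _, u in run}),
                           "first": run[0][0], "last": run[-1][0]}
    return alerts


if __name__ == "__main__":
    for src, a in over_clipping_level(parse_failures(SAMPLE_LOG)).items():
        print(f"{src}: {a['failures']} failures against {a['users']} between {a['first']} and {a['last']}")
```

Raising the level reduces noise but lets slower guessing through; the window length is the other knob, and an attacker who spaces attempts just outside it is the usual reason a review of the raw log is still scheduled alongside the automated report.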
Slide 19: Change management
- Request for change
- Approval of change
- Documentation of the change
- Test and presentation:
  - Test system
  - Production system
- Implementation
- Report to management
Slide 20: Backup and Restore
- Loss of data due to:
  - Hardware failure
  - Software failure
  - File system corruption
  - Accidental deletion
  - Virus infection
  - Theft
  - Sabotage
  - Natural disaster
Slide 21: 6 steps to backup and recovery
- Preparation
- Identify assets and requirements
- Select backup strategy
- Develop data protection strategy
- Backup process and monitoring
- Recovery drill test
- Refer to the IS Guide to SME
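The last two steps, the backup process with monitoring and the recovery drill, are where most backup schemes fail in practice: the archive is written but nobody proves it restores. The script below is an added example written for this page, not from the deck or the referenced guide. It backs up a directory into a tar.gz with a manifest of SHA-256 hashes, restores it into a scratch directory, and verifies every file against the manifest; the sample data tree is constructed. The restore step also refuses archive members with absolute paths or `..` components, since a restore that writes outside its target directory is itself a way to lose data.

```python
"""Backup with a hash manifest, safe restore, and a recovery drill (added example)."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, dest_dir: Path):
    """Archive every file under source into dest_dir/backup.tar.gz together with a
    manifest (relative path -> sha256) that the drill later checks against."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    manifest = {f.relative_to(source).as_posix(): sha256_file(f)
                for f in sorted(source.rglob("*")) if f.is_file()}
    manifest_path = dest_dir / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=1, sort_keys=True))
    archive = dest_dir / "backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
        tar.add(manifest_path, arcname="MANIFEST.json")
    return archive, manifest


def restore(archive: Path, target: Path) -> None:
    """Extract the archive into target, refusing members that could escape it."""
    with tarfile.open(archive, "r:gz") as tar:
        for m in tar.getmembers():
            p = Path(m.name)
            if p.is_absolute() or ".." in p.parts or not (m.isfile() or m.isdir()):
                raise ValueError(f"refusing unsafe archive member: {m.name}")
        tar.extractall(target)


def verify_restore(target: Path):
    """Compare every restored file with the manifest; returns a list of problems."""
    manifest = json.loads((target / "MANIFEST.json").read_text())
    problems = []
    for rel, digest in manifest.items():
        f = target / rel
        if not f.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(f) != digest:
            problems.append(f"hash mismatch: {rel}")
    return problems


def recovery_drill(source: Path, corrupt: str = None):
    """Back up, restore into a scratch directory, verify. `corrupt` names a restored file
    to overwrite before verification, simulating damaged media so the check is seen to work."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        archive, manifest = make_backup(source, tmp / "backups")
        restored = tmp / "restore"
        restored.mkdir()
        restore(archive, restored)
        if corrupt:
            (restored / corrupt).write_text("garbage")
        return {"files": len(manifest), "problems": verify_restore(restored)}


def make_sample_tree(root: Path) -> None:
    """Constructed sample data for the drill (not real records)."""
    (root / "db").mkdir(parents=True)
    (root / "db" / "customers.csv").write_text("id,name\n1,Ada\n2,Bob\n")
    (root / "db" / "orders.csv").write_text("id,customer,amount\n10,1,120.00\n")
    (root / "config.ini").write_text("[app]\nmode=prod\n")


def run_drill_on_sample(corrupt: str = None):
    """Build the sample tree in a temp dir and run the drill against it."""
    with tempfile.TemporaryDirectory() as d:
        src = Path(d) / "data"
        make_sample_tree(src)
        return recovery_drill(src, corrupt)


if __name__ == "__main__":
    print("clean drill:", run_drill_on_sample())
    print("damaged media:", run_drill_on_sample(corrupt="db/orders.csv"))
```

A drill result with an empty problem list is the evidence that step 6 asks for; run it on a schedule and record the outcome, because a backup that has never been restored is an assumption, not a control.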
Slide 22: Comparison of backup media
Slide 23: Computer security incident handling
- How to respond to malicious technical threats
- Closely related to support and operations, and to contingency planning
Slide 24: Computer security incident handling
- Reporting of the security incident
- How to contain the damage
- What technical expertise is required
- Liaison with other organizations, e.g. CERT, police
- How to respond to the public
- Staff awareness is important
Slide 25: Incident Response Objectives
- Minimise business loss and the subsequent liability of the company
- Minimise the impact of the incident in terms of information leakage, corruption of systems, etc.
- Ensure the response is systematic and efficient
Slide 26: Incident Response
- Ensure the required resources are available to deal with incidents
- Ensure all concerned parties have a clear understanding of the tasks they should perform
- Ensure the response activities are coordinated
- Prevent future attacks and damage
- Deal with related legal issues
Slide 27: Incident Response
- Preparation
- Detection
- Containment
- Eradication
- Recovery
- Follow-up
- Refer to the IS Guide to SME
Slide 28: Disaster recovery and Business Continuity Planning
- Identify the mission-critical functions
- Identify the resources that support the critical functions
- Anticipate potential contingencies or disasters
- Select and devise contingency plans
- Implement contingency plans
- Test and revise the plans
Slide 29: Awareness, training and education
- People are a very important part of an information system
- How to improve their behaviour
- Increase the ability to hold employees accountable
Slide 30: Awareness
- Stimulates and motivates employees to take security seriously, and reminds them of the security practices to be followed
Slide 31: Physical and environmental security
- Measures to protect systems, buildings and related supporting infrastructure against threats associated with the physical environment
  - Natural threats
  - Man-made threats
Slide 32: Physical and environmental security: Threats
- Physical damage
- Physical theft
- Interruption of computing services
- Unauthorized disclosure of information
- Loss of control over system integrity
Slide 33: Physical and environmental security: Controls
- Physical access control: biometrics
- Fire safety
- Supporting facilities
- Structural collapse
- Plumbing leaks
- Interception of data
- Mobile and portable systems