security controls

Upload: princessmuneebashah

Post on 07-Apr-2018


8/6/2019 Security Controls

Slide 1/21: Security

Slide 2/21: Assets
  • Physical: personnel; hardware (mainframe, minis, micros); peripherals (online/offline); storage media; network; facilities; documentation; supplies
  • Logical: data/information; software (application, system)

Slide 3/21: Information security management
  • Ensure the integrity of the information stored
  • Preserve the confidentiality of data
  • Ensure the continuous availability of the information systems
  • Ensure conformity to laws, regulations and standards

Slide 4/21: Elements of information security
  • Policies and procedures: importance of information assets; need for security; defining sensitive and critical assets; accountabilities
  • Development of standards, practices and procedures
  • Organization (detailed guidance): executive management; security committee; data owners; process owners; IT developers; security specialists/advisors; users (physical, logins, laws); IS auditors (provide independent assurance)

Slide 5/21: Security areas
  • Data access
  • System access
  • Security awareness and education
  • Monitoring and compliance
  • Incident handling and response: planning and preparation; initiation; response; recovery; closure; normalization of processes

Slide 6/21: Incident response management
  • Coordinator: liaison to business process owners
  • Director: oversees the incident response capability
  • Managers: manage individual incidents
  • Security specialists: detect, investigate, recover
  • Non-security technical staff: assist in specific areas

Slide 7/21: CSFs (critical success factors)
  • Senior management commitment
  • Up-to-date security policies and procedures

Slide 8/21: Computer crimes: issues and exposures
  • Financial loss
  • Legal issues
  • Loss of credibility
  • Blackmail
  • Disclosure of confidential, sensitive information
  • Sabotage

Slide 9/21: Possible perpetrators
  • Hackers
  • Employees
  • IS personnel
  • End users
  • Former employees
  • Interested or educated outsiders
  • Competitors
  • Foreigners
  • Organized criminals
  • Crackers

Slide 10/21: Logical access exposures
  • Trojan horses: hidden malicious code in an authorized computer program
  • Rounding down
  • Salami technique
  • Viruses: self-replicating
  • Worms
  • Logic bombs
  • Data leakage
  • Wire tapping
  • Computer shutdowns

Slide 11/21: Logical access (paths)
  • Network connectivity
  • Remote access
  • Operator console
  • Online workstation or terminal

Slide 12/21: Areas of logical access controls
  • Networks
  • Operating systems
  • Databases
  • Application systems

Slide 13/21: Implementation of controls
  • Logon IDs and passwords: password policies; password rules: five to eight characters; combination of alphanumeric characters; non-identifiable; password history; disabling of IDs not used
  • Sessions
  • Biometric devices
  • SSO
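The logon ID and password rules on slide 13 are stated as policy, not as code. The following is an added example, not part of the slide deck, that turns those rules into a checker: the 5-8 character bound and the alphanumeric, non-identifiable and history rules are the slide's; the history depth (5), the inactivity window (90 days), the PBKDF2 parameters and the sample accounts are assumptions, since the slide gives no numbers for them. The length bound is left as a parameter because the slide's 5-8 characters reflects its era; current guidance (NIST SP 800-63B) favours longer passwords, and only the bound needs changing.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Policy parameters. MIN_LEN/MAX_LEN and the rule names come from the slide;
# HISTORY_DEPTH, INACTIVE_DAYS and PBKDF2_ROUNDS are assumed values.
MIN_LEN = 5
MAX_LEN = 8
HISTORY_DEPTH = 5
INACTIVE_DAYS = 90
PBKDF2_ROUNDS = 50_000

HistoryEntry = Tuple[bytes, bytes]  # (salt, digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Salted PBKDF2-HMAC-SHA256, so the history never stores cleartext passwords."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(password: str, history: List[HistoryEntry]) -> bool:
    """True if the candidate equals any of the last HISTORY_DEPTH passwords."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):  # constant-time comparison
            return True
    return False


def check_password(password: str, user_id: str, full_name: str,
                   history: List[HistoryEntry],
                   min_len: int = MIN_LEN, max_len: int = MAX_LEN) -> List[str]:
    """Return the names of the slide's rules the candidate violates (empty = compliant)."""
    violations = []
    # Rule: five to eight characters (parameterised, see lead-in).
    if not min_len <= len(password) <= max_len:
        violations.append("length")
    # Rule: combination of alphanumeric characters, i.e. at least one letter and one digit.
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        violations.append("alphanumeric")
    # Rule: non-identifiable; the password must not contain the logon ID or a name part.
    lowered = password.lower()
    identifiers = [user_id.lower()] + [p.lower() for p in full_name.split() if len(p) >= 3]
    if any(ident in lowered for ident in identifiers):
        violations.append("identifiable")
    # Rule: password history; no reuse of recent passwords.
    if in_history(password, history):
        violations.append("history")
    return violations


def ids_to_disable(accounts: Dict[str, Optional[date]], today: date,
                   inactive_days: int = INACTIVE_DAYS) -> List[str]:
    """Rule: disable IDs not used. accounts maps logon ID -> last logon date (None = never)."""
    cutoff = today - timedelta(days=inactive_days)
    return sorted(uid for uid, last in accounts.items() if last is None or last < cutoff)


if __name__ == "__main__":
    # Constructed sample data, not taken from the slides.
    history = [hash_password("Old1pass")]
    print(check_password("Old1pass", "jsmith", "John Smith", history))  # ['history']
    print(check_password("smith77", "jsmith", "John Smith", history))   # ['identifiable']
    print(check_password("Ab3x9z", "jsmith", "John Smith", history))    # []
    print(ids_to_disable({"jsmith": date(2019, 8, 1), "old": date(2019, 1, 1),
                          "never": None}, date(2019, 8, 6)))            # ['never', 'old']
```

The history check re-hashes the candidate with each stored entry's salt and compares digests in constant time, so the check works against the same salted hashes the authentication path would store; it never needs the old passwords in clear.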

Slide 14/21: Auditing logical access issues
  • Review written policies: logical access policies; formal security awareness and training; data ownership; data custodians; security administrator; data users; logical access

Slide 15/21: Auditing logical access
  • Obtain a general understanding of the security risks
  • Document and evaluate controls over potential access paths; review hardware and software security features
  • Test controls over access paths to ensure they work
  • Evaluate policies

Slide 16/21: Environmental exposures (and controls)
  • Alarm control
  • Wiring
  • Eating, drinking and smoking
  • Fire-resistant office materials
  • Emergency exits
  • Water and smoke detectors
  • Fire extinguishers
  • Electrical surge protectors
  • UPS
  • Temperature control

Slide 17/21: Physical access exposures
  • Unauthorized entry
  • Damage or theft of equipment
  • Copying or viewing of copyrighted information
  • Alteration of sensitive equipment/information
  • Public disclosure of sensitive information
  • Abuse of data processing resources
  • Embezzlement

Slide 18/21: (no text content)

Slide 19/21: Controls (physical access)
  • Door locks (combination, bolting, electronic)
  • Biometric access
  • Manual logging
  • Electronic logging
  • IDs
  • Video cameras
  • Security guards
  • Controlled visitor access
  • Bonded personnel
  • Secured document distribution cart
  • Dead-man doors

Slide 20/21: Security program
  1. Prepare a project plan
  2. Identify assets
  3. Value assets
  4. Identify threats
  5. Assess likelihood of threats
  6. Analyze exposures
  7. Adjust controls
  8. Prepare security report
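Steps 2 to 8 of the security program on slide 20 are a quantitative risk analysis. The following is an added example, not from the slide deck, that carries those steps through on constructed data: assets carry a value, threats carry an annual likelihood, exposure is value times likelihood (the assumption here is a total loss per occurrence, i.e. an exposure factor of 1), and a control is adopted only when the exposure it removes exceeds its annual cost. The asset names, values, likelihoods and controls are invented for illustration; the decision rule is the standard annual-loss-expectancy comparison, not something the slide spells out.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float          # step 3: value assets (replacement value, currency units)


@dataclass(frozen=True)
class Threat:
    name: str             # assumed unique across the register
    asset: str            # asset the threat acts on
    likelihood: float     # step 5: expected occurrences per year


@dataclass(frozen=True)
class Control:
    name: str
    threat: str           # threat the control mitigates
    annual_cost: float
    reduction: float      # fraction of the threat's likelihood removed, 0..1


def analyze_exposures(assets: List[Asset], threats: List[Threat]) -> List[Tuple[str, str, float]]:
    """Step 6: exposure = asset value * annual likelihood (total loss per occurrence
    assumed), returned as (threat, asset, exposure) sorted highest first."""
    values = {a.name: a.value for a in assets}
    rows = [(t.name, t.asset, round(values[t.asset] * t.likelihood, 2)) for t in threats]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def adjust_controls(assets: List[Asset], threats: List[Threat],
                    controls: List[Control]) -> List[Tuple[str, float]]:
    """Step 7: adopt a control only when the exposure it removes exceeds its annual
    cost; returns (control, net annual benefit) for the adopted controls."""
    exposure_by_threat = {t: e for t, _, e in analyze_exposures(assets, threats)}
    adopted = []
    for c in controls:
        saved = round(exposure_by_threat[c.threat] * c.reduction, 2)
        if saved > c.annual_cost:
            adopted.append((c.name, round(saved - c.annual_cost, 2)))
    return adopted


def security_report(assets: List[Asset], threats: List[Threat],
                    controls: List[Control]) -> Dict[str, object]:
    """Step 8: the report bundles the ranked exposures and the control decisions."""
    return {"exposures": analyze_exposures(assets, threats),
            "adopted_controls": adjust_controls(assets, threats, controls)}


# Constructed register (steps 2 and 4), not taken from the slides.
ASSETS = [Asset("customer DB", 500_000), Asset("web server", 50_000)]
THREATS = [Threat("data theft", "customer DB", 0.25),
           Threat("defacement", "web server", 1.0),
           Threat("fire", "customer DB", 0.01)]
CONTROLS = [Control("DB encryption", "data theft", 20_000, 0.8),
            Control("WAF", "defacement", 30_000, 0.5),
            Control("sprinklers", "fire", 10_000, 0.9)]

if __name__ == "__main__":
    report = security_report(ASSETS, THREATS, CONTROLS)
    for threat, asset, exposure in report["exposures"]:
        print(f"{threat:12} {asset:12} {exposure:>10.2f}")
    print("adopt:", report["adopted_controls"])   # [('DB encryption', 80000.0)]
```

The WAF and sprinklers are rejected on this data because each costs more per year than the exposure it removes; changing the likelihood or the reduction factor moves the decision, which is why steps 5 and 7 are separate in the slide's sequence.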

Slide 21/21: Security organization
  • Security office, with: privacy office; physical security; continuity planning; asset management; service management
  • Functions by phase:
    • Planning: business requirements; education; formal communication; policies; PM (program management); risk assessment
    • Architecture: RFP; standards and guidelines; technical requirements; technical security; technology solutions
    • Operations: incident response; access control; investigations; standards deployment; training; vulnerability management
    • Monitoring: auditing; reporting; system monitoring; security testing