
Controls for Information Security

Chapter 8

Copyright © Pearson Education Limited 2015. 8-1


Learning Objectives

• Explain how information security affects information systems reliability.
• Discuss how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about the security of an organization's information system.

Trust Services Framework
• Security
▫ Access to the system and data is controlled and
restricted to legitimate users.
• Confidentiality
▫ Sensitive organizational data is protected.
• Privacy
▫ Personal information about trading partners, investors, and employees is protected.
• Processing integrity
▫ Data are processed accurately, completely, in a timely
manner, and only with proper authorization.
• Availability
▫ System and information are available.
Security Life Cycle
Security is a management issue

Security Approaches
• Defense-in-depth
▫ Multiple layers of control (preventive and
detective) to avoid a single point of failure
• Time-based model: security is effective if P > D + C, where
▫ P is the time it takes an attacker to break through the preventive controls
▫ D is the time it takes to detect that an attack is in progress
▫ C is the time it takes to respond to the attack and take corrective action

How to Mitigate Risk of Attack

Preventive Controls
• People
• Process
• IT solutions
• Physical security
• Change controls and change management

Detective Controls
• Log analysis
• Intrusion detection systems
• Penetration testing
• Continuous monitoring
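The time-based model and the log-analysis control above fit together in code: a detection rule run over a log tells you when the alert fires (D), and the same log shows when the attacker actually got in (P). The following is an added example written for this page, not code from the textbook or from Pearson. The SSH-style auth log is constructed (documentation IP ranges, made-up timestamps), and the function and field names are this example's own; the response time C is an assumed input because the log cannot measure it.

```python
"""Log analysis as a detective control, plus the time-based model check.
Added example for this page; log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log. 203.0.113.7 guesses the admin password and
# its fifth guess succeeds; 198.51.100.20 is an ordinary user login.
SAMPLE_LOG = """\
2015-03-02T09:00:01 sshd: Failed password for admin from 203.0.113.7
2015-03-02T09:00:04 sshd: Failed password for admin from 203.0.113.7
2015-03-02T09:00:06 sshd: Accepted password for alice from 198.51.100.20
2015-03-02T09:00:09 sshd: Failed password for admin from 203.0.113.7
2015-03-02T09:00:13 sshd: Failed password for root from 203.0.113.7
2015-03-02T09:00:17 sshd: Failed password for admin from 203.0.113.7
2015-03-02T09:00:21 sshd: Accepted password for admin from 203.0.113.7
"""

LINE_RE = re.compile(
    r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def parse_line(line):
    """Return (timestamp, outcome, user, source) or None for unrelated lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts, outcome, user, src = m.groups()
    return datetime.fromisoformat(ts), outcome, user, src


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=1)):
    """Detective control: flag a source once it accumulates `threshold`
    failed logins inside `window`, and flag any later success from it.
    Returns the alerts in the order they would fire."""
    failures = defaultdict(deque)   # source -> timestamps of recent failures
    first_seen = {}                 # source -> its first failed attempt
    flagged = set()
    alerts = []
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None:
            continue
        ts, outcome, user, src = event
        recent = failures[src]
        while recent and ts - recent[0] > window:   # slide the window forward
            recent.popleft()
        if outcome == "Failed":
            first_seen.setdefault(src, ts)
            recent.append(ts)
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"time": ts, "source": src, "user": user,
                               "kind": "brute_force",
                               "first_seen": first_seen[src]})
        elif src in flagged:
            # A success after the source was flagged: prevention has failed.
            alerts.append({"time": ts, "source": src, "user": user,
                           "kind": "success_after_brute_force",
                           "first_seen": first_seen[src]})
    return alerts


def time_based_assessment(alerts, source, c_seconds):
    """Evaluate P > D + C for one attacking source.
    P is measured from the log as first attempt -> successful login,
    D as first attempt -> first alert; C (response time) is assumed."""
    mine = [a for a in alerts if a["source"] == source]
    detected = next(a for a in mine if a["kind"] == "brute_force")
    broke_in = next((a for a in mine
                     if a["kind"] == "success_after_brute_force"), None)
    d = (detected["time"] - detected["first_seen"]).total_seconds()
    p = ((broke_in["time"] - broke_in["first_seen"]).total_seconds()
         if broke_in else float("inf"))   # never broke through: P unbounded
    return {"P": p, "D": d, "C": c_seconds, "effective": p > d + c_seconds}


if __name__ == "__main__":
    found = detect_brute_force(SAMPLE_LOG)
    for a in found:
        print(a["time"].time(), a["source"], a["kind"])
    # Detection took 16 s but the attacker needed only 20 s, so any response
    # slower than 4 s leaves the inequality unsatisfied.
    print(time_based_assessment(found, "203.0.113.7", c_seconds=300))
```

The point the numbers make is the one the slide makes: the detection rule fires fast, but with an assumed five-minute response the model still says security was not effective, because P is tiny. Raising P (stronger preventive controls, such as lockout or MFA) helps more here than shaving seconds off D.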



Preventive: People

• Culture of security
▫ Tone set at the top with management
• Training
▫ Follow safe computing practices
  - Never open unsolicited e-mail attachments
  - Use only approved software
  - Do not share passwords
  - Physically protect laptops and cellphones
▫ Protect against social engineering

Preventive: Process

• Authentication: verifies who the person is, using
1. Something the person knows
2. Something the person has
3. Some biometric characteristic of the person
4. A combination of two or more of the above (multifactor authentication)
• Authorization: determines what an authenticated person is allowed to access
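The following is an added example for the two process controls on this slide, written for this page rather than taken from the textbook: a login that requires something the person knows (a password, stored as a salted hash) and something the person has (an RFC 4226 HOTP token), followed by an authorization check of the requested action against an access control matrix. The user store, the token secret (RFC 4226's published test secret, so the codes are checkable) and the matrix are all constructed; every function name is this example's own.

```python
"""Multifactor authentication followed by an access control matrix check.
Added example for this page; users, secrets and the matrix are constructed."""
import hashlib
import hmac
import os
import struct

# RFC 4226's published test secret, used so the HOTP codes are checkable.
DEMO_SECRET = b"12345678901234567890"


def hash_password(password, salt=None, iterations=200_000):
    """Store a salted PBKDF2 hash of the password, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(record, candidate):
    """Factor 1, something the person knows. Constant-time comparison."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: the one-time code a hardware token would display."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_token(record, code, look_ahead=3):
    """Factor 2, something the person has. Accept the next few counter
    values (the token may have been pressed without logging in), then
    advance past the used counter so a captured code cannot be replayed."""
    for counter in range(record["counter"], record["counter"] + look_ahead):
        if hmac.compare_digest(hotp(record["secret"], counter), code):
            record["counter"] = counter + 1
            return True
    return False


def authenticate(users, username, password, code):
    """Both factors must pass. Both are always evaluated so the response
    time does not reveal which factor was wrong."""
    user = users.get(username)
    if user is None:
        return False
    ok_password = verify_password(user["password"], password)
    ok_token = verify_token(user["token"], code)
    return ok_password and ok_token


# Access control matrix: rows are users, columns are resources, cells hold
# the permitted actions. Constructed for this example.
ACCESS_CONTROL_MATRIX = {
    "alice": {"payroll": {"read", "update"}, "ledger": {"read"}},
    "bob": {"ledger": {"read", "update"}},
}


def compatibility_test(matrix, username, resource, action):
    """Authorization: is this authenticated user allowed this action on
    this resource? Anything not explicitly granted is denied."""
    return action in matrix.get(username, {}).get(resource, set())


def demo_users():
    """Constructed user store: hashed password plus a token seeded with the
    demo secret, counter starting at 0."""
    return {"alice": {"password": hash_password("correct horse battery"),
                      "token": {"secret": DEMO_SECRET, "counter": 0}}}


if __name__ == "__main__":
    users = demo_users()
    code = hotp(DEMO_SECRET, 0)   # what alice's token shows first: 755224
    print(authenticate(users, "alice", "correct horse battery", code))   # True
    print(authenticate(users, "alice", "correct horse battery", code))   # False: replayed code
    print(compatibility_test(ACCESS_CONTROL_MATRIX, "alice", "payroll", "update"))  # True
    print(compatibility_test(ACCESS_CONTROL_MATRIX, "bob", "payroll", "read"))      # False
```

Authentication and authorization stay separate on purpose: `authenticate` only establishes who is at the keyboard, and `compatibility_test` is what decides whether that person may perform the requested action, defaulting to deny for anything the matrix does not list.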

Preventive: IT Solutions

• Antimalware controls
• Network access controls
• Device and software hardening controls
• Encryption

Preventive: Other

• Physical security access controls
▫ Limit entry to the building
▫ Restrict physical access to network equipment and data
• Change controls and change management
▫ Formal processes in place regarding changes
made to hardware, software, or processes

Corrective

• Computer Incident Response Team (CIRT)
• Chief Information Security Officer (CISO)
• Patch management

Key Terms
• Defense-in-depth
• Time-based model of security
• Social engineering
• Authentication
• Biometric identifier
• Multifactor authentication
• Multimodal authentication
• Authorization
• Access control matrix
• Compatibility test
• Border router
• Firewall
• Demilitarized zone (DMZ)
• Routers
• Intrusion detection system (IDS)
• Access control list (ACL)
• Packet filtering
• Deep packet inspection
• Intrusion prevention system
• Remote Authentication Dial-in User Service (RADIUS)
• War dialing
• Endpoints
• Vulnerabilities
• Vulnerability scanners
• Hardening
• Change control and change management
• Log analysis
• Penetration test
• Computer incident response team (CIRT)
• Exploit
• Patch
• Patch management
• Virtualization
• Cloud computing
