Controls for Information Security (Chapter 8)
Copyright © 2015 Pearson Education, Inc

Learning Objectives
• Explain how information security affects information systems reliability
• Discuss how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about the security of an organization's information system

Trust Services Framework
• Security
▫ Access to the system and data is controlled and restricted to legitimate users
• Confidentiality
▫ Sensitive organizational data is protected
• Privacy
▫ Personal information about trading partners, investors, and employees is protected
• Processing integrity
▫ Data are processed accurately, completely, in a timely manner, and only with proper authorization
• Availability
▫ System and information are available

Security Life Cycle
• Security is a management issue

Security Approaches
• Defense-in-depth
▫ Multiple layers of control (preventive and detective) to avoid a single point of failure
• Time-based model: security is effective if
▫ P > D + C, where
▫ P is the time it takes an attacker to break through preventive controls
▫ D is the time it takes to detect that an attack is in progress
▫ C is the time it takes to respond to the attack and take corrective action

How to Mitigate Risk of Attack
Preventive Controls
• People
• Process
• IT Solutions
• Physical security
• Change controls and change management
Detective Controls
• Log analysis
• Intrusion detection systems
• Penetration testing
• Continuous monitoring

Preventive: People
• Culture of security
▫ Tone set at the top with management
• Training
▫ Follow safe computing practices
▫ Never open unsolicited e-mail attachments
▫ Use only approved software
▫ Do not share passwords
▫ Physically protect laptops/cellphones
▫ Protect against social engineering

Preventive: Process
• Authentication—verifies the person
▫ Something the person knows
▫ Something the person has
▫ Some biometric characteristic
▫ Combination of all three
• Authorization—determines what a person can access

Preventive: IT Solutions
• Antimalware controls
• Network access controls
• Device and software hardening controls
• Encryption

Preventive: Other
• Physical security access controls
▫ Limit entry to building
▫ Restrict access to network and data
• Change controls and change management
▫ Formal processes in place regarding changes made to hardware, software, or processes

Corrective
• Computer Incident Response Team (CIRT)
• Chief Information Security Officer (CISO)
• Patch management

Key Terms
• Defense-in-depth
• Time-based model of security
• Social engineering
• Authentication
• Biometric identifier
• Multifactor authentication
• Multimodal authentication
• Authorization
• Access control matrix
• Compatibility test
• Border router
• Firewall
• Demilitarized zone (DMZ)
• Routers
• Access control list (ACL)
• Packet filtering
• Deep packet inspection
• Intrusion prevention system
• Remote Authentication Dial-in User Service (RADIUS)
• War dialing
• Endpoints
• Vulnerabilities
• Vulnerability scanners
• Hardening
• Change control and change management
• Log analysis
• Intrusion detection system (IDS)

Key Terms (continued)
• Penetration test
• Computer incident response team (CIRT)
• Exploit
• Patch
• Patch management
• Virtualization
• Cloud computing
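The "Preventive: Process" slide separates authentication (verifying the person, using what they know, have, or are) from authorization (what they may then access). The following added example, not from the textbook or its publisher, models that chain in Python: it counts the distinct factor types a user actually proves (which is what distinguishes multifactor from multimodal authentication), then runs a compatibility test against a constructed access control matrix. The enrolled credentials, user names, resources and actions are all constructed sample data.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWS = "something the person knows"
    HAS = "something the person has"
    IS = "some biometric characteristic"


@dataclass(frozen=True)
class Credential:
    factor: Factor
    value: str  # password, hardware-token code, or biometric template id


def _digest(value):
    return hashlib.sha256(value.encode()).hexdigest()


# Constructed enrolment data: per user, the digest of each enrolled credential.
ENROLLED = {
    "alice": {Credential(Factor.KNOWS, _digest("correct horse")),
              Credential(Factor.HAS, _digest("token-482913")),
              Credential(Factor.IS, _digest("fingerprint-template-7"))},
}

# Constructed access control matrix: (user, resource) -> permitted actions.
ACCESS_CONTROL_MATRIX = {
    ("alice", "payroll"): {"read", "update"},
    ("alice", "ledger"): {"read"},
}


def authenticate(user, presented):
    """Verify the person. Returns the set of distinct factor types proven:
    two biometrics prove only one type (multimodal), a password plus a
    token proves two (multifactor)."""
    enrolled = ENROLLED.get(user, set())
    proven = {Credential(c.factor, _digest(c.value)) for c in presented} & enrolled
    return {c.factor for c in proven}


def compatibility_test(user, resource, action):
    """Authorize: is the requested action in the matrix cell for this user and resource?"""
    return action in ACCESS_CONTROL_MATRIX.get((user, resource), set())


def request_access(user, presented, resource, action, min_factors=2):
    """Preventive control chain: authenticate, require multifactor, then authorize."""
    if len(authenticate(user, presented)) < min_factors:
        return "denied: authentication"  # wrong secret, single factor, or multimodal only
    if not compatibility_test(user, resource, action):
        return "denied: authorization"
    return "granted"
```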