Security
Assets
Physical:
Personnel
Hardware: mainframes, minis, micros, peripherals (online/offline), storage media
Logical:
Data/information
Software: application, system
Other asset classes:
Network
Facilities
Documentation
Supplies
Information security management
Ensure the integrity of the information stored
Preserve the confidentiality of data
Ensure the continuous availability of the information systems
Ensure conformity to laws, regulations and standards
Elements of Information Security
Policies and procedures:
Importance of information assets
Need for security
Defining sensitive and critical assets
Accountabilities
Development of standards, practices and procedures
Organizations (detailed guidance)
Roles and accountabilities:
Executive management
Security committee
Data owners
Process owners
IT developers
Security specialists/advisors
Users (physical access, logins, laws)
IS auditors (provide independent assurance)
Security areas
Data access
System access
Security awareness and education
Monitoring and compliance
Incident handling and response
Incident handling phases: planning and preparation, initiation, response, recovery, closure, normalization of processes
Incident response management
Coordinator: liaison to business process owners
Director: oversees the incident response capability
Managers: manage individual incidents
Security specialists: detect, investigate and recover
Non-security technical staff: assist in specific areas
CSFs (critical success factors)
Senior management commitment
Up-to-date security policies and procedures
Computer crimes: issues and exposures
Financial loss
Legal issues
Loss of credibility
Blackmail
Disclosure of confidential or sensitive information
Sabotage
Possible perpetrators
Hackers
Employees
IS personnel
End users
Former employees
Interested or educated outsiders
Competitors
Foreigners
Organized criminals
Crackers
Logical access exposures
Trojan horses: hidden malicious code inside an authorized computer program
Rounding down: the fraction below the smallest unit is shaved off each calculation and diverted
Salami technique: many small, individually unnoticeable amounts are skimmed from many transactions
Viruses (self-replicating)
Worms
Logic bombs
Data leakage
Wiretapping
Computer shutdowns
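The rounding-down and salami exposures listed above are easiest to understand by watching the fraud and the audit test that catches it side by side. The following is an added illustration, not material from the original slides: it posts monthly interest to a constructed set of account balances (not real data) first correctly, then with every credit truncated and the shaved fractions swept into a slush account, and then runs the two audit tests a reviewer would apply: recompute each credit independently and compare line by line, and compare the portfolio-level control total with what was actually posted to customers. The rate, balances and account names are assumptions made for the example.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")
RATE = Decimal("0.004375")   # constructed monthly rate; chosen so fractional cents arise


def sample_balances(n=200):
    """Constructed, deterministic account balances (not real data)."""
    return {f"A-{i:04d}": Decimal(1000 + 137 * i) + Decimal(i % 100) / 100
            for i in range(n)}


def expected_credit(balance, rate=RATE):
    """The correct posting: exact interest rounded to the nearest cent."""
    return (balance * rate).quantize(CENT, rounding=ROUND_HALF_UP)


def post_honest(balances, rate=RATE):
    """Honest posting run: every account gets its correctly rounded credit."""
    return {acct: expected_credit(bal, rate) for acct, bal in balances.items()}


def post_rounding_down(balances, rate=RATE):
    """The fraud: truncate every credit (rounding down) and collect the shaved
    fractions in a slush account. Returns (posted credits, exact skim)."""
    credits = {acct: (bal * rate).quantize(CENT, rounding=ROUND_DOWN)
               for acct, bal in balances.items()}
    skim = sum(bal * rate - credits[acct] for acct, bal in balances.items())
    credits["SLUSH"] = skim.quantize(CENT, rounding=ROUND_DOWN)  # hypothetical account name
    return credits, skim


def short_paid(posted, balances, rate=RATE):
    """Audit test 1: recompute each credit independently and list every account
    that received less than it should have."""
    return sorted(acct for acct, bal in balances.items()
                  if posted[acct] < expected_credit(bal, rate))


def control_total_gap(posted, balances, rate=RATE):
    """Audit test 2: interest due on the whole portfolio minus the total posted to
    customer accounts. Honest rounding leaves a small gap of either sign;
    systematic rounding down leaves a gap that is always positive and grows with
    the number of accounts."""
    control = (sum(balances.values()) * rate).quantize(CENT, rounding=ROUND_HALF_UP)
    posted_to_customers = sum(posted[acct] for acct in balances)
    return control - posted_to_customers


if __name__ == "__main__":
    balances = sample_balances()
    honest = post_honest(balances)
    fraud, skim = post_rounding_down(balances)
    print("short-paid accounts under honest posting:", len(short_paid(honest, balances)))
    print("short-paid accounts under rounding down:", len(short_paid(fraud, balances)))
    print("exact skim collected:", skim, "posted to SLUSH:", fraud["SLUSH"])
    print("control-total gap, honest:", control_total_gap(honest, balances))
    print("control-total gap, fraud:", control_total_gap(fraud, balances))
```

The line-by-line recomputation is the decisive test: under honest posting it returns nothing, while under rounding down roughly every account whose exact interest had a fractional part of half a cent or more shows up as short-paid. The control-total comparison alone is weaker, because legitimate rounding also produces a small gap, which is exactly why the fraud can hide in a summary-level reconciliation.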
Logical access paths
Network connectivity
Remote access
Operator console
Online workstation or terminal
Areas of logical access controls
Networks
Operating systems
Databases
Application systems
Implementation of controls
Logon IDs and passwords
Password policies
Password rules:
Five to eight characters (the rule on the original slide; current guidance such as NIST SP 800-63B treats eight as a minimum and sets no low upper limit)
Combination of alphanumeric characters
Non-identifiable (not derived from the user's name or logon ID)
Password history (recent passwords may not be reused)
Disabling of logon IDs not in use
Session controls
Biometric devices
Single sign-on (SSO)
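The password rules above are the kind of thing an auditor tests by reading the configuration and an engineer implements in a few functions. The block below is an added example, not code from the original slides: it checks a candidate password against the slide's rules (length, alphanumeric mix, not containing the logon ID, no reuse of recent passwords held as salted PBKDF2 hashes) and separately lists logon IDs that have been dormant long enough to disable. The length limits, history depth and inactivity period are parameters with assumed defaults; the 5-8 character range reproduces the slide, and the maximum is left adjustable because current guidance does not cap password length that low.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

# Defaults taken from the slide's rules; all are assumptions that a real policy would set.
MIN_LEN = 5
MAX_LEN = 8            # the slide's upper bound; raise it for a modern policy
INACTIVE_DAYS = 90     # logon IDs unused for this long are disabled


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 of a password; returns (salt, digest).
    This is how the password-history list is stored, never the plaintext."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def matches_history(password, history):
    """True if the password equals any (salt, digest) entry in the history list."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password, user_id, history=(), min_len=MIN_LEN, max_len=MAX_LEN):
    """Return the list of rule violations; an empty list means the password is accepted."""
    problems = []
    if not (min_len <= len(password) <= max_len):
        problems.append(f"length must be {min_len}-{max_len} characters")
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_alpha and has_digit):
        problems.append("must combine letters and digits")
    # "Non-identifiable": the logon ID must not appear in the password.
    if user_id.lower() in password.lower():
        problems.append("must not contain the logon ID")
    if matches_history(password, history):
        problems.append(f"reuses one of the last {len(history)} passwords")
    return problems


def ids_to_disable(last_logon, today, inactive_days=INACTIVE_DAYS):
    """Logon IDs whose last logon is older than inactive_days (dormant accounts)."""
    cutoff = today - timedelta(days=inactive_days)
    return sorted(uid for uid, last in last_logon.items() if last < cutoff)


if __name__ == "__main__":
    history = [hash_password("old1pass")]          # constructed previous password
    print(check_password("ab12cd3", "jsmith", history))   # accepted: []
    print(check_password("jsmith1", "jsmith", history))   # contains the logon ID
    print(check_password("old1pass", "jsmith", history))  # reuse of a recent password
    # constructed last-logon dates for a dormant-account review
    last_logon = {"alice": date(2024, 5, 1), "bob": date(2024, 1, 10)}
    print(ids_to_disable(last_logon, date(2024, 6, 1)))  # ['bob']
```

Two design points worth noting: the history check compares salted hashes with a constant-time comparison rather than keeping old passwords in clear, and the dormant-ID review takes the reference date as a parameter so the same function can be run against an extracted last-logon report during an audit.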
Auditing logical access: issues to review
Written policies
Logical access policies
Formal security awareness and training
Data ownership
Data custodians
Security administrator
Data users
Logical access itself
Auditing logical access: steps
Obtain a general understanding of the security risks
Document and evaluate controls over potential access paths
Review hardware and software security features
Test controls over access paths to ensure they are working
Evaluate policies
Environmental exposures and controls
Alarm control
Wiring
Restrictions on eating, drinking and smoking
Fire-resistant office materials
Emergency exits
Water and smoke detectors
Fire extinguishers
Electrical surge protectors
UPS
Temperature control
Physical access exposures
Unauthorized entry
Damage or theft of equipment
Copying or viewing of copyrighted information
Alteration of sensitive equipment/information
Public disclosure of sensitive information
Abuse of data processing resources
Embezzlement
Protection areas
Programming areas
Computer room
Operator console
Tape library, tapes, disks, magnetic media
Storage rooms and supplies
Offsite backup facilities
Microcomputers
Power sources
Telecommunications
Printing facilities
LANs
Controls
Door locks (combination, bolting, electronic)
Biometric access
Manual logging
Electronic logging
IDs (identification badges)
Video cameras
Security guards
Controlled visitor access
Bonded personnel
Secured document distribution cart
Dead-man doors
Security Program
Prepare a project plan
Identify assets
Value assets
Identify threats
Assess likelihood of threats
Analyze exposures
Adjust controls
Prepare security report
Security Organization
Privacy Office
Physical Security
Continuity Planning
Asset Management
Security Office
Service Management
Security Office functions:
Architecture
RFP
Standards and guidelines
Technical requirements
Technical security
Technology solutions
Planning
Business requirements
Education
Formal communication
Policies
Project management
Risk assessment
Operations
Incident response
Access control
Investigations
Standards deployment
Training
Vulnerability management
Monitoring
Auditing
Reporting
System monitoring
Security testing