IT APPLICATIONS, Professional Stage Application Level, ICAB. Teacher: Mohammad Abdul Matin. Chapter 5: Controls and Standards

ICAB - ITA Chapter 5 class 7-8 - Controls and Standards


Page 1

IT APPLICATIONS
Professional Stage Application Level, ICAB
Teacher: Mohammad Abdul Matin

Chapter 5: Controls and Standards

Page 2

Chapter Outline
• Information System Security Controls
• Physical Security Controls
• Logical Security Controls
• Control and Standard for Information Integrity
• Control and Standard for Information Access Control
• Control and Standard for Computer Audit
• Control and Standard for System Implementation Phase
• Control and Standard for System Maintenance and Evaluation
• Risks of IT Systems
• Controls for Personal Systems

Page 3

Syllabus
In the examination, candidates may be required to
a. describe in detail the controls and standards which are applied to information systems for the purpose of audit and security (regulatory and management controls, computer risk management, backup procedures, controls over data integrity, computer audit, passwords and logical access systems, personal security planning)
b. explain the risks to IT systems from hackers and viruses

Page 4

Types of Security Control
• Physical Security Controls: Lock | Access Control | Fire Protection
• Logical Security Controls: Authentication | Anti Virus | Encryption
• Environmental Controls: Security Policy | SOP | License | AMC | Warranty
• Information System Operating Controls: Performance | Completion | Accuracy | Backup & Restore

Page 5

Information System Security Policy
Information System (IS): Hardware, Network, Software, Applications and Databases involved in recording, processing, analyzing, storing and reporting information.

IS Security Policy: High level statements stating goals regarding control and security of Information Systems, which also…
– specifies who is responsible for implementation
– is established by management and approved by the Board
– does not lay down detailed control procedures or SOPs

Page 6

Sections of a Security Policy
• Purpose & Responsibility: to provide guidelines on information processing, reporting, MIS, etc. for management and Board
• System Procurement & Development: guides on system life-cycle management, starting with evaluation, procurement to monitoring
• Access Terminals: defines access authorization and processes for management to the information systems
• Equipment & Information Security: explains equipment & environment, information & communication security, contingency & recovery
• Service Bureau Programs: outline the engagement framework and service levels in regard to development, management

Page 7

IS Security Standards
Minimum criteria, rules and procedures established in an organization that must be implemented for ensuring achievement of IS Security Policy objectives.

The IS Security Standards…
– are implemented under the direction of Management
– specify detailed requirements of each IS control; e.g. length of passwords, construction of passwords, backup retention period, etc.
– are not specific to any particular computer platform; they are more generally applicable.

Page 8

Physical Security Controls
• Physical Locks
• Security Guards
• Video Surveillance Cameras
• General Emergency and Detection Controls
• Heating, Ventilation and Cooling Systems
• Insurance Coverage
• Periodic Backups
• Emergency Power and UPS
• Business Resumption Programs
• Backup System Security Administrator

Page 9

Logical Security Control
• User ID and Passwords
• Remote Access Controls
– Dedicated Leased Lines
– Automatic Dial-back
– Secure Socket Layer (SSL)
– Multifactor Authentication
– Virtual Private Network (VPN)
• Computer Operations Audit
• Backup and Recovery Procedures
• Integrity / Completeness Checks

Page 10

Control & Standards for Information Integrity
• Policy & Procedures
– Formal documented policy addressing purpose, scope, roles, committees, coordination among entities, etc.
– Formal guideline on the process of establishing the information integrity policy
• Flaw Remediation
– Establishing a process for proactive identification, reporting and addressing of flaws/vulnerabilities (which can otherwise turn into errors/faults)
– Patch management, system updates, service packs, etc.

Page 11

Control & Standards for Information Integrity (cont.)
• Malicious Code Protection
– Gateway filtering/protection for email, web, removable media
– Software for in-depth protection
• Security Alerts and Advisories
– Following and keeping up-to-date with different popular alerts
• Security Functionality Verification
– Monitoring and notification system for automated security test failures or exposed vulnerabilities
• Software and Information Integrity
– Software integrity with version control, release management, etc.
– Master Data Management (MDM)

Page 12

Control & Standards for Information Integrity (cont.)
• Spam Protection
– Spam protection in gateways, messaging, servers and devices
– Keeping spam signature database updated
– Combine multiple software to strengthen protection
• Information Input Restrictions
– Role based authorization, location/schedule based access, etc.
• Information Input Accuracy, Completeness, Validity and Authenticity
– Input validation based on format, context, length, source, etc.
– Completeness check based on transaction definition, etc.
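A worked example of the input controls on this slide (format, context, length and source validation, plus a completeness check against a transaction definition), added here in Python; it is not from the course material, and the field names, limits and trusted source list are assumptions:

```python
import re
from datetime import date

# Constructed "transaction definition" for a payment record: the fields a complete
# transaction must carry and the format/length rule for each. Field names, limits
# and the trusted source list are assumptions for this example, not from the slides.
TRANSACTION_DEFINITION = {
    "txn_id":   {"pattern": r"^TXN\d{8}$",           "max_len": 11},
    "account":  {"pattern": r"^\d{10,16}$",          "max_len": 16},
    "amount":   {"pattern": r"^\d{1,9}(\.\d{2})?$",  "max_len": 12},
    "currency": {"pattern": r"^[A-Z]{3}$",           "max_len": 3},
    "txn_date": {"pattern": r"^\d{4}-\d{2}-\d{2}$",  "max_len": 10},
}
TRUSTED_SOURCES = {"branch-01", "online-portal"}   # assumed submitting channels

# Constructed sample input that satisfies the definition.
SAMPLE_RECORD = {"txn_id": "TXN00012345", "account": "0123456789",
                 "amount": "1500.00", "currency": "BDT", "txn_date": "2024-03-01"}


def validate_transaction(record, source, today=None):
    """Return the list of control violations; an empty list means the input passes."""
    today = today or date.today()
    problems = []
    # Authenticity: only recognised source channels may submit transactions.
    if source not in TRUSTED_SOURCES:
        problems.append(f"source '{source}' is not authorised to submit transactions")
    # Completeness: every field of the transaction definition must be present.
    for field in TRANSACTION_DEFINITION:
        if record.get(field) in ("", None):
            problems.append(f"missing field '{field}'")
    # Accuracy / validity: length and format checks for each supplied field.
    for field, rule in TRANSACTION_DEFINITION.items():
        value = record.get(field)
        if value in ("", None):
            continue                      # already reported as missing
        value = str(value)
        if len(value) > rule["max_len"]:
            problems.append(f"field '{field}' exceeds {rule['max_len']} characters")
        elif not re.match(rule["pattern"], value):
            problems.append(f"field '{field}' has invalid format: {value!r}")
    # Context: the date must be a real calendar date and may not lie in the future.
    raw_date = str(record.get("txn_date") or "")
    try:
        if date.fromisoformat(raw_date) > today:
            problems.append("txn_date is in the future")
    except ValueError:                    # missing/malformed dates were reported above
        if re.match(TRANSACTION_DEFINITION["txn_date"]["pattern"], raw_date):
            problems.append("txn_date is not a valid calendar date")
    return problems
```

Fields that fail are collected rather than silently corrected, so the rejected input can be reported back to the submitting channel and logged for audit.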

Page 13

Control & Standards for Information Access Control
• Access Control Policy and Procedures
– Formal document outlining information access policy
• Identification and Authentication Policy & Procedures
– Access identification guidelines formally documented
• Account Management
– User / group / system ID definitions with authorization matrix
– Account add/move/delete processes and procedures
• Account Review
– Automated account and access audit
– Reviewing, analyzing and reporting on audit records

Page 14

Control & Standards for Information Access Control (cont.)
• User Identification and Authentication
– User authentication with single and multifactor verification
• Device Identification and Authentication
– Bidirectional negotiation and authentication of devices
• Passwords
– Changing default passwords
– Complexity of passwords
– Expiration and repeatability of passwords
– Keeping passwords away from login IDs
– Control and log for master passwords
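The password items on this slide (defaults, complexity, expiration, repeatability, separation from the login ID), worked as an added Python example that is not part of the course material; the minimum length, maximum age, history depth and default-password list are assumed values that a real standard would fix:

```python
import hashlib
from datetime import date, timedelta

# Parameters of the password standard. The slides say the standard fixes length,
# construction, expiry and reuse rules; these particular values are assumptions.
MIN_LENGTH = 12
MAX_AGE_DAYS = 90
HISTORY_DEPTH = 5                      # recent passwords that may not be reused
DEFAULT_PASSWORDS = {"password", "admin", "changeme", "welcome1"}   # constructed list


def fingerprint(password):
    """History entry for a password: a hash, so old passwords are never stored in clear.
    (A salted, slow hash would be used in production; SHA-256 keeps the example short.)"""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password_standard(login_id, password, history):
    """Return the standard's violations for a proposed password; an empty list is compliant.
    history: fingerprints of earlier passwords, oldest first."""
    pw_lower = password.lower()
    violations = []
    # Changing default passwords: vendor or well-known defaults are never acceptable.
    if pw_lower in DEFAULT_PASSWORDS:
        violations.append("default password must be changed")
    # Complexity of passwords: minimum length and at least three character classes.
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if sum(classes) < 3:
        violations.append("needs at least three of: lower, upper, digit, symbol")
    # Keeping passwords away from login IDs: the ID must not appear in the password.
    if login_id.lower() in pw_lower:
        violations.append("password contains the login ID")
    # Repeatability: none of the last HISTORY_DEPTH passwords may be reused.
    if fingerprint(password) in history[-HISTORY_DEPTH:]:
        violations.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return violations


def password_expired(last_changed_iso, today_iso=None):
    """Expiration: True when the password is older than MAX_AGE_DAYS (ISO date strings)."""
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    return today - date.fromisoformat(last_changed_iso) > timedelta(days=MAX_AGE_DAYS)
```

The checker returns every violated rule at once, which is what a self-service password change screen needs in order to tell the user exactly which part of the standard the new password fails.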

Page 15

Questions
• Explain the physical security controls and logical security controls.
• What do you mean by Information System Security Standards?

Page 16

Thank You