Bài giảng Romney_ais13 - Chapter 8: Controls for Information Security

Controls for Information SecurityChapter 88-1Learning ObjectivesExplain how information security affects information systems reliability.Discuss how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about the security of an organization’s information system.8-2Trust Services FrameworkSecurityAccess to the system and data is controlled and restricted to legitimate users.ConfidentialitySensitive organizational data is protected. PrivacyPersonal information about trading partners, investors, and employees are protected.Processing integrityData are processed accurately, completely, in a timely manner, and only with proper authorization.AvailabilitySystem and information are available.8-38-4Security Life CycleSecurity is a management issue8-5Security ApproachesDefense-in-depthMultiple layers of control (preventive and detective) to avoid a single point of failureTime-based model, security is effective if:P > D + C whereP is time it takes an attacker to break through preventive controlsD is time it takes to detect an attack is in progressC is time it takes to respond to the attack and take corrective action8-6How to Mitigate Risk of AttackPreventive ControlsDetective ControlsPeopleProcessIT SolutionsPhysical securityChange controls and change managementLog analysisIntrusion detection systemsPenetration testingContinuous monitoring8-7Preventive: PeopleCulture of securityTone set at the top with managementTrainingFollow safe computing practicesNever open unsolicited e-mail attachmentsUse only approved softwareDo not share passwordsPhysically protect laptops/cellphonesProtect against social engineering8-8Preventive: ProcessAuthentication—verifies the person Something person knowsSomething person hasSome biometric characteristicCombination of all threeAuthorization—determines what a person can access8-9Preventive: IT SolutionsAntimalware controlsNetwork access controlsDevice and software hardening controlsEncryption8-10Preventive: OtherPhysical security access controlsLimit entry to buildingRestrict access to network and dataChange controls and change managementFormal processes in place regarding changes made to hardware, software, or processes8-11CorrectiveComputer Incident Response Team (CIRT)Chief Information Security Officer (CISO)Patch management8-12Key TermsDefense-in-depthTime-based model of securitySocial engineeringAuthenticationBiometric identifierMultifactor authenticationMultimodal authenticationAuthorizationAccess control matrixCompatibility testBorder routerFirewallDemilitarized zone (DMZ)RoutersAccess control list (ACL)Packet filteringDeep packet inspectionIntrusion prevention systemRemote Authentication Dial-in User Service (RADIUS)War dialingEndpointsVulnerabilitiesVulnerability scannersHardeningChange control and change managementLog analysisIntrusion detection system (IDS)8-13Key Terms (continued)Penetration testComputer incident response team (CIRT)ExploitPatchPatch managementVirtualizationCloud computing8-14