IS4680 Security Auditing for Compliance Unit 6 Compliance within the Workstation and LAN Domains

1. IS4680 Security Auditing for Compliance Unit 6 Compliance within the Workstation and LAN Domains

2. Class Agenda 7/25/16 • Covers Chapter 9 and 10 • Learning Objectives • Lesson Presentation and Discussions. • Discussion on Assignments. • Discussion on Lab Activities. • Lab will be perform in class. • Break Times as per School Regulation • Discussion on Project.

3. Learning Objective • Describe information security systems compliance requirements within the workstation and local area network (LAN) domains.

4. Key Concepts • Compliance law requirements and business drivers for workstation and LAN domains • Steps to maximize availability, integrity, and confidentiality (AIC) for workstation and LAN domains • Workstation and LAN domains—policies, standards, procedures, and guidelines

5. Key Concepts (Continued) • Vulnerability management in workstation and LAN domains • Best practices for workstation and LAN domain compliance requirements

6. Workstation and LAN Domain component and devices • Name some devices associated to workstation. • Connection Media and devices and protocol • Inter process communications

7. Compliance Law Requirements and Business Drivers • Most businesses require workstations to accomplish business tasks. • Within the workstation domain, the compliance satisfies two main purposes: • Increases information security—Information is a material organizational asset, and in some cases, the primary organizational asset. Thus, ensuring the security of information is equivalent to protecting the viability of the organization. • Reduces liability—If one or more attacks are successful against your organization’s information, you might be liable to damages caused to third parties. If information loss or leakage causes damage to other people or organizations, and the damage is a result of noncompliance; your organization might be liable for part or all of the damages.

8. IT Security Policies Workstation domain includes following policies. These policies are associated with standards, procedures, and guidelines: • E-mail policy • Uninterruptible power supply (UPS) for critical workstations • Information privacy policies • Removable storage device policy • Access rights policy

9. Devices and Access Controls • Removable storage devices include: • Removable hard disk drives • Universal serial bus (USB) flash drives • Removable Compact Disc (CD), read-only-memory (CD-ROM) and Digital Versatile Disc (DVD) drives • Removable tape drives

10. Devices and Access Controls (Continued) • Access control methods may be based on the permissions granted to a user or group, or they may be based on a user’s security clearance. • Operating systems require users to follow the identification steps with authentication. Authentication is the process of providing additional credentials that match the user identification data (ID) or user name.

11. Vulnerability Management • Define policy—Organizations must start out by determining what the desired security state for their environment. • Baseline the environment—Once a policy has been defined, the organization must assess the true security state of the environment and determine where instances of policy violations are occurring.

12. Vulnerability Management (Continued) • Prioritize vulnerabilities—Instances of policy violations are then prioritized by using risk and effort-based criteria. • Mitigate vulnerabilities—Ultimately, the root causes of vulnerabilities must be addressed.

13. Vulnerability Management (Continued) • Maintain and monitor—Organizations' computing environments are dynamic and evolve over time, as do security-policy requirements.

14. EXPLORE: PROCESSES

15. Maximize AIC • The overall purpose of compliance requirements is to enforce the basic pillars or tenets of security, the AIC properties of security, and some compliance requirements that might seem to be unnecessary. All these work together to support the AIC properties of a secure systems.

16. Maximize AIC (Continued) • AIC properties of a secure systems are: • Availability—Assurance that the information is available to authorized users in an acceptable time frame when the information is requested. • Integrity—Assurance that the information cannot be changed by unauthorized users. • Confidentiality—Assurance that the information cannot be accessed or viewed by unauthorized users.

17. Roles • Senior Managers • Responsible for organizational governance and compliance. • IT Managers • Responsible for application of controls to be in compliance.

18. Roles (Continued) • IT Auditors • Responsible for auditing IT controls for compliance. • Data Owners • Responsible for the data and who is granted access to it.

19. Roles (Continued) • System Administrators • Responsible to monitor the controls on systems, and follow them as well. • Risk Managers • Responsible for risk.

20. Workstation and LAN Domain Compliance Requirements • Protecting data privacy. • Implementing proper security controls for the workstation and LAN domain. • Workstation and LAN configuration and change management. • Access rights and access controls to the workstation and LAN domain. • Maximizing AIC.

21. Summary • In this presentation, the following were covered: • Workstation and LAN domain compliance requirements • IT security policies, devices and access controls, and vulnerability management • Process to maximize availability, integrity, and confidentiality • Roles and responsibilities related to workstation and LAN domain compliance

22. Assignment and Lab • Discussion 6.1 Vulnerability Management in Workstation and LAN Domains • Lab 6.2 Auditing the Workstation Domain for Compliance • Assignment 6.3 Best Practices for LAN Domain Compliance