Control and security frameworks

Raval • Fichadia

John Wiley & Sons, Inc. 2007

Control and Security Frameworks

Chapter Three

Prepared by: Raval, Fichadia

Chapter Three Objectives

  • Understand risks faced by information assets.

  • Comprehend the relationship between risk and asset vulnerabilities, and comprehend the nature and types of threats faced by the asset.

  • Understand the objectives of control and security of information assets and how these objectives are interrelated.

  • Understand the building blocks of control and security frameworks for information systems.

  • Apply a controls framework to a financial accounting system.

Protecting Information Assets

  • It is necessary to protect information assets.

    • There is a potential for compromises of such assets.

      • There may be attacks on the information assets.

      • There may be unintentional compromises of information assets.

    • Systems are subject to regulatory protection requirements.

Vulnerabilities and Threats

  • Vulnerability: A weakness in the information assets that leads to risk.

  • Threat: The probability of an attack on the information asset.

  • Attack: A series of steps taken by an attacker to achieve an unauthorized result.

  • Threat agent: An entity, typically a person, who triggers a threat.

  • Countermeasure: An antidote or an action that dilutes the potential impact of a known vulnerability.

Internal Control

  • Definition of internal control

    • A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives.

  • Classification of internal controls

    • General controls and application controls

    • Detective, preventive, and corrective controls

Information Security

  • Definition of information security

    • Protection of information assets from harm

  • Classification of information security measures

    • Physical and logical security

Relationship between internal control and information security

  • Steps taken to protect a system are called measures, or countermeasures.

  • These measures are essentially various types of controls.

  • Thus, security is ensured through the implementation of controls.

  • Specific controls implemented for information security are often referred to as “security controls.”

  • The terms security and control are often used as if they were synonyms.

  • General controls often overlap with security measures.

Frameworks for Control and Security

  • COBIT: Control Objectives for Information and related Technology

    • The framework helps bridge the gap between business risk, control needs, and technical issues.

    • The framework’s approach is process oriented.

    • IT processes are classified into five categories (domains): manage IT investment, acquire and implement, deliver and support, and monitor and evaluate.

    • The framework includes 34 high-level control objectives, which are translated into over 300 detailed objectives.

    • Control activities support control objectives.

    • Control activities, linked to IT processes, include policies, organizational structures, and practices and procedures.

Frameworks for Control and Security

  • ISO 17799

    • A standard focused on the protection of information assets.

    • Because it is broadly applicable across industries, it is a high-level standard.

    • It is a general model that follows from Part I of British Standard 7799 (BS 7799).

    • The standard is organized into ten categories (sections).

    • Each section is divided into subcategories, each of which includes a broad implementation approach (method).

Frameworks for Control and Security

  • COSO: The Committee of Sponsoring Organizations

    • It is an integrated framework of internal controls.

    • It proposes five components of internal controls.

    • Together, the five components and the relationships among them make a holistic framework of internal controls.

COSO: Components of Internal Control

  • Risk assessment

  • Control environment

  • Control activities

  • Information and communication

  • Monitoring

Internal Control and Information Security Objectives

  • Internal control objectives

    • Efficiency of operations

    • Effectiveness of operations

    • Reliability of information

    • Compliance with applicable laws and regulations

  • Information security objectives

    • Information integrity

      • Message integrity

    • Confidentiality

    • User authentication

    • Nonrepudiation

    • Systems availability

Assurance Considerations

  • Without a framework, no objectives can be achieved with a high degree of assurance.

  • A first step toward assurance is to adopt a holistic framework.

    • Elements of more than one framework can be combined into the framework adopted by an entity to provide the necessary granularity.

  • The framework allows for a systematic approach to the design, implementation, and audit of control and security systems.

  • The business may seek assurance regarding proper implementation of a chosen framework.