PowerPoint Slideshow about 'CHAPTER 7' - keilah
Presentation Transcript
CHAPTER 7

Information Systems Controls for Systems Reliability

Part 1: Information Security

INTRODUCTION
  • Questions to be addressed in this chapter:
    • How does security affect systems reliability?
    • What are the four criteria that can be used to evaluate the effectiveness of an organization’s information security?
    • What is the time-based model of security and the concept of defense-in-depth?
    • What types of preventive, detective, and corrective controls are used to provide information security?
    • How does encryption contribute to security and how do the two basic types of encryption systems work?
INTRODUCTION
  • The five basic principles that contribute to systems reliability:
    • Security
    • Confidentiality
    • Online privacy
    • Processing integrity
    • Availability

[Figure: the five principles of systems reliability: Security, Confidentiality, Processing Integrity, Privacy, Availability]

COBIT and Trust Services
  • Control Objectives for Information Technology (COBIT)
  • Information systems controls required for achieving business and governance objectives

[Figure: Adequate Controls]

COBIT and Trust Services
  • COBIT IT resources:
    • Applications
    • Information
    • Infrastructures
    • People
COBIT and Trust Services
  • COBIT information criteria:
    • Effectiveness
    • Efficiency
    • Confidentiality
    • Integrity
    • Availability
    • Compliance
    • Reliability
COBIT and Trust Services
  • COBIT domains:
    • Basic management activities for IT
    • Help organize 34 generic IT controls
FUNDAMENTAL INFORMATION SECURITY CONCEPTS
  • There are three fundamental information security concepts that will be discussed in this chapter:
    • Security as a management issue, not a technology issue.
    • The time-based model of security.
    • Defense in depth.
SECURITY AS A MANAGEMENT ISSUE
  • Management is responsible for the accuracy of various internal reports and financial statements produced by the organization’s IS.
    • SOX Section 302 requires that the CEO and CFO certify the accuracy of the financial statements.
    • SOX Section 404 requires that the annual report include a report on the company’s internal controls. Within this report, management acknowledges their responsibility for designing and maintaining internal controls and assessing their effectiveness.
    • Security is a key component of the internal control and systems reliability to which management must attest.
    • As identified in the COSO model, management’s philosophy and operating style are critical to an effective control environment.
SECURITY AS A MANAGEMENT ISSUE
  • The Trust Services framework identifies four essential criteria for successfully implementing the five principles of systems reliability:
    • Develop and document policies.
    • Effectively communicate those policies to all authorized users.
    • Design and employ appropriate control procedures to implement those policies.
    • Monitor the system, and take corrective action to maintain compliance with the policies.
  • Top management involvement and support is necessary to satisfy each of the preceding criteria.
TIME-BASED MODEL OF SECURITY
  • The time-based model evaluates the effectiveness of an organization’s security by measuring and comparing the relationship among three variables:
    • P = Time it takes an attacker to break through the organization’s preventive controls.
    • D = Time it takes to detect that an attack is in progress.
    • C = Time to respond to the attack.
  • These three variables are evaluated as follows:
    • If P > (D + C), then security procedures are effective.
    • Otherwise, security is ineffective.
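An added worked example (not from the slides) that evaluates the time-based model for a defense-in-depth posture. It assumes, beyond what the slides state, that P is the sum of the time needed to get through each preventive layer and that D is set by whichever detective control fires first; the layer names and hour values are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass
class Posture:
    """Constructed model of one organisation's controls, in hours."""
    preventive_layers: Dict[str, float]   # layer -> time to break through it
    detective_controls: Dict[str, float]  # control -> time until it detects
    response_hours: float                 # C: time to respond once detected

    def p(self) -> float:
        # Assumption: defense in depth adds the layers' delays together.
        return sum(self.preventive_layers.values())

    def d(self) -> float:
        # Assumption: the fastest detective control sets detection time.
        return min(self.detective_controls.values())

    def c(self) -> float:
        return self.response_hours


def is_effective(p: float, d: float, c: float) -> bool:
    """Slide rule: effective only if P strictly exceeds D + C; P == D + C is not enough."""
    return p > d + c


def evaluate(posture: Posture) -> dict:
    """Return P, D, C, the margin P - (D + C) and the model's verdict."""
    p, d, c = posture.p(), posture.d(), posture.c()
    return {"P": p, "D": d, "C": c, "margin": p - (d + c), "effective": is_effective(p, d, c)}


# Constructed sample: two preventive layers, detection only by a daily log
# review, and a response team that needs 4 hours.
BASELINE = Posture(
    preventive_layers={"firewall_acl": 6.0, "host_hardening": 8.0},
    detective_controls={"daily_log_review": 24.0},
    response_hours=4.0,
)

# Same preventive layers, but an intrusion detection system alerts within an
# hour: P is unchanged, D drops, and the verdict flips to effective.
WITH_IDS = Posture(
    preventive_layers=dict(BASELINE.preventive_layers),
    detective_controls={**BASELINE.detective_controls, "ids": 1.0},
    response_hours=4.0,
)
```

The sample shows why shortening D (detection) is often the cheapest way to satisfy the model: P stays at 14 hours in both postures, but the margin moves from -14 to +9.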
DEFENSE IN DEPTH
  • Major types of preventive controls used for defense in depth include:
    • Authentication controls (passwords, tokens, biometrics, MAC addresses)
    • Authorization controls (access control matrices and compatibility tests)
    • Training
    • Physical access controls (locks, guards, biometric devices)
    • Remote access controls (IP packet filtering by border routers and firewalls using access control lists; intrusion prevention systems; authentication of dial-in users; wireless access controls)
    • Host and application hardening procedures (firewalls, anti-virus software, disabling of unnecessary features, user account management, software design, e.g., to prevent buffer overflows)
    • Encryption
DEFENSE IN DEPTH
  • Detective controls include:
    • Log analysis
    • Intrusion detection systems
    • Managerial reports
    • Security testing (vulnerability scanners, penetration tests, war dialing)
DEFENSE IN DEPTH
  • Corrective controls include:
    • Computer emergency response teams
    • Chief Security Officer (CSO)
    • Patch Management
PREVENTIVE CONTROLS
  • Who has the authority to delete Program 2?
PREVENTIVE CONTROLS

[Figure: layers of preventive controls: Training, Control Physical Access, Control Remote Access, Hardening, Encryption]

  • These are the multiple layers of preventive controls that reflect the defense-in-depth approach to satisfying the constraints of the time-based model of security.
PREVENTIVE CONTROLS
  • Perimeter Defense: Routers, Firewalls, and Intrusion Prevention Systems
    • This figure shows the relationship between an organization’s information system and the Internet.
    • A device called a border router connects an organization’s information system to the Internet.
PREVENTIVE CONTROLS
  • Encryption is the process of transforming normal text, called plaintext, into unreadable gibberish, called ciphertext.
  • Decryption reverses this process.
  • To encrypt or decrypt, both a key and an algorithm are needed.

[Figure: Plaintext ("This is a contract for . . .") + Key -> Encryption algorithm -> Ciphertext ("Xb&j &m 2 ep0%fg . . ."); Ciphertext + Key -> Decryption algorithm -> Plaintext ("This is a contract for . . .")]
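An added example (not from the slides) of the plaintext + key -> algorithm -> ciphertext flow in the figure. The cipher is a constructed teaching construction: an HMAC-SHA256 keystream XORed with the data, so the same key and algorithm run in reverse recover the plaintext while a different key yields gibberish. It carries no integrity check; real systems use a vetted authenticated cipher such as AES-GCM from a library.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # constructed choice; the nonce is sent with the ciphertext


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Algorithm core: derive `length` pseudo-random bytes from the key and nonce."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encryption algorithm: plaintext + key -> ciphertext (nonce prepended)."""
    nonce = secrets.token_bytes(NONCE_LEN)  # fresh per message, never reuse with a key
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Decryption algorithm: ciphertext + the same key -> plaintext."""
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def demo() -> dict:
    """Walk the figure: encrypt the contract, decrypt with the right and a wrong key."""
    key = secrets.token_bytes(32)
    plaintext = b"This is a contract for ..."  # constructed sample, as on the slide
    ciphertext = encrypt(key, plaintext)
    wrong_key = secrets.token_bytes(32)
    return {
        "ciphertext_is_unreadable": ciphertext[NONCE_LEN:] != plaintext,
        "decrypts_with_key": decrypt(key, ciphertext) == plaintext,
        "wrong_key_fails": decrypt(wrong_key, ciphertext) != plaintext,
    }
```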