Controls for Information Security

Presentation on theme: "Controls for Information Security"— Presentation transcript:

1 Controls for Information Security
Chapter 8

2 Learning Objectives
Explain how information security affects information systems reliability.
Discuss how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about the security of an organization’s information system.

3 Trust Services Framework
Security: access to the system and data is controlled and restricted to legitimate users.
Confidentiality: sensitive organizational data is protected.
Privacy: personal information about trading partners, investors, and employees is protected.
Processing integrity: data are processed accurately, completely, in a timely manner, and only with proper authorization.
Availability: the system and its information are available when needed.
The trust services framework is a means to organize IT controls to help ensure systems reliability. At the foundation of this framework is security, which is absolutely necessary for success and for achieving the other four principles. Security procedures restrict access to authorized users only, which protects the confidentiality of sensitive organizational data and the privacy of personal data collected from customers, suppliers, employees, and so on. Security protects processing integrity by preventing the submission of unauthorized transactions or unauthorized changes to the data. Security also provides protection from attacks that could bring down the system and make it unavailable.

4 This is a good visual of the Trust Services Framework
Using the analogy of building a house: you need a good foundation, otherwise the house will fall apart. Then, to keep the roof over your head, you need well-constructed walls. Similarly, for good systems reliability you need a good foundation of security. The walls are the four pillars focused on maintaining good systems reliability.

5 Security is a management issue
Security Life Cycle. See pages for details.
Although technology tools are used for security and the security expertise sits within an IT department, effective security must have the support of senior management, who need to understand the potential threats to the organization’s information systems that would impede the organization from achieving its goals. As previously discussed for threats to an AIS, the first step is for management to assess the threat to the AIS and determine how to respond (reduce, accept, share, avoid). The second step is to develop security policies (e.g., employees should not click on any links embedded in e-mails) and make sure those policies are communicated (the best way is through training). The third step is to invest in the necessary resources (human and technology) to reduce the security threats. The fourth step is active monitoring to evaluate security effectiveness: if you do not monitor how well you are doing against your objectives, how do you know whether they are being achieved? Monitoring provides a feedback loop, as management may need to make updates based upon new threats or techniques that affect security. Overall, management is responsible for maintaining a “culture of security”.

6 Security Approaches
Defense-in-depth: multiple layers of control (preventive and detective) to avoid a single point of failure.
Time-based model: security is effective if P > D + C, where
P is the time it takes an attacker to break through the preventive controls,
D is the time it takes to detect that an attack is in progress, and
C is the time it takes to respond to the attack and take corrective action.
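An added example (not from the slides) that evaluates the time-based model for a defense-in-depth stack. It assumes, for illustration, that the attacker must break the preventive layers in sequence so their delays add up to P; the layer names, times and the "weekly log review" scenario are constructed.

```python
from dataclasses import dataclass

@dataclass
class Layer:
    """One preventive control and the time (minutes) an attacker needs to get past it."""
    name: str
    break_minutes: float

def preventive_time(layers):
    """P: assumed here to be the sum of the layer delays, since defense-in-depth
    forces the attacker through each layer in turn (an assumption of this example)."""
    return sum(layer.break_minutes for layer in layers)

def evaluate(layers, detect_minutes, correct_minutes):
    """Apply P > D + C. Returns (effective, margin) where margin = P - (D + C);
    a positive margin means detection plus response finishes before the break-in."""
    p = preventive_time(layers)
    margin = p - (detect_minutes + correct_minutes)
    return margin > 0, margin

def weakest_layer(layers):
    """The layer that delays the attacker least: strengthening it raises P cheapest."""
    return min(layers, key=lambda layer: layer.break_minutes).name

# Constructed scenario: three preventive layers, IDS alerts in 30 min, CIRT contains in 60 min
STACK = [
    Layer("border firewall", 20),
    Layer("endpoint hardening", 45),
    Layer("MFA on admin accounts", 90),
]

def main():
    ok, margin = evaluate(STACK, detect_minutes=30, correct_minutes=60)
    print(f"P={preventive_time(STACK)} D+C=90 margin={margin} effective={ok}")
    # Same preventive stack, but logs are only reviewed weekly: D balloons and the model fails,
    # which is why the detective controls matter as much as the preventive ones.
    ok2, margin2 = evaluate(STACK, detect_minutes=7 * 24 * 60, correct_minutes=60)
    print(f"weekly log review: margin={margin2} effective={ok2}")
    print(f"cheapest place to add preventive time: {weakest_layer(STACK)}")

if __name__ == "__main__":
    main()
```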

7 Steps criminals use to attack an organization’s information systems
Conduct reconnaissance
Attempt social engineering
Scan and map the target
Research
Execute the attack
Cover tracks

8 How to Mitigate Risk of Attack
Table 8-1
Preventive Controls: People; Process; IT Solutions; Physical security; Change controls and change management
Detective Controls: Log analysis; Intrusion detection systems; Penetration testing; Continuous monitoring

9 Preventive: People
Culture of security: tone set at the top by management
Training: follow safe computing practices (never open unsolicited attachments; use only approved software; do not share passwords; physically protect laptops/cellphones) and protect against social engineering

10 Preventive: Process
Authentication verifies the person:
something the person knows,
something the person has,
some biometric characteristic,
or a combination of all three.
Focus 8-1 on effective passwords.
Authorization determines what a person can access: the access control matrix.
These two concepts are related: to get into a system you must first be authenticated; authorization then determines where you are allowed to go once you are in the system.
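An added example (not from the slides) of the authenticate-then-authorize sequence described above: a multifactor check over the three factor categories, followed by a lookup in an access control matrix (the compatibility test). The users, credentials and matrix are constructed sample data; the hashing is simplified for illustration.

```python
import hashlib
import hmac

def _h(secret):
    # Simplified for the example: a real system stores a salted, slow password hash.
    return hashlib.sha256(secret.encode()).hexdigest()

# Constructed credential store, keyed by factor category: "knows" / "has" / "is".
USERS = {
    "alice": {"knows": _h("correct horse"), "has": "token-0001"},
    "bob":   {"knows": _h("hunter2"), "has": "token-0002"},
}

# Constructed access control matrix: rows are users, columns are resources,
# cells are the actions the user is permitted to perform.
ACCESS_CONTROL_MATRIX = {
    "alice": {"payroll_db": {"read", "write"}, "gl_app": {"read"}},
    "bob":   {"gl_app": {"read", "write"}},
}

def authenticate(user, presented, min_factors=2):
    """presented maps factor category -> value supplied by the person.
    Multifactor means factors from at least min_factors distinct categories verify."""
    stored = USERS.get(user)
    if stored is None:
        return False
    verified = 0
    for category, value in presented.items():
        expected = stored.get(category)
        if expected is None:
            continue
        if category == "knows":
            value = _h(value)
        # constant-time comparison so a mismatch leaks nothing about the stored value
        if hmac.compare_digest(value, expected):
            verified += 1
    return verified >= min_factors

def authorize(user, resource, action):
    """Compatibility test: is this action on this resource in the user's matrix row?"""
    return action in ACCESS_CONTROL_MATRIX.get(user, {}).get(resource, set())

def request(user, presented, resource, action):
    """Authenticate first; only an authenticated user reaches the authorization check."""
    if not authenticate(user, presented):
        return "denied: authentication failed"
    if not authorize(user, resource, action):
        return "denied: not permitted by access control matrix"
    return "allowed"
```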

11 Preventive: IT Solutions
Antimalware controls
Network access controls
Device and software hardening controls
Encryption

12 Preventive: Other
Physical security access controls: limit entry to the building; restrict access to the network and data
Change controls and change management: formal processes in place regarding changes made to hardware, software, or processes

13 Corrective
Computer Incident Response Team (CIRT)
Chief Information Security Officer (CISO)
Patch management

14 Key Terms
Defense-in-depth; Time-based model of security; Social engineering; Authentication; Biometric identifier; Multifactor authentication; Multimodal authentication; Authorization; Access control matrix; Compatibility test; Border router; Firewall; Demilitarized zone (DMZ); Routers; Access control list (ACL); Packet filtering; Deep packet inspection; Intrusion prevention system; Remote Authentication Dial-in User Service (RADIUS); War dialing; Endpoints; Vulnerabilities; Vulnerability scanners; Hardening; Change control and change management; Log analysis; Intrusion detection system (IDS)

15 Key Terms (continued)
Penetration test; Computer incident response team (CIRT); Exploit; Patch; Patch management; Virtualization; Cloud computing
