Managing the IT Function

Managing the IT Function CISB424, Sulfeeza Revised on 2014

Content: What is the IT function? How to plan, measure and monitor the IT function in an organization. Managing the IT function in terms of: organizing the IT function; funding the IT function; staffing the IT function; directing the IT function; controlling the IT function (security, applications, databases, backup and recovery).

5. Controlling the IT Function. The major control categories involved in the IT function are: security, applications, databases, backup and recovery. Each of these categories is intended to minimize risk via internal controls.

a) Security Controls. Mechanisms to safeguard against, avoid, counteract or minimize risks to the computing infrastructure or corporate information from internal and external threats. They can be categorized as: physical security controls and logical security controls.

a) Security Controls - Physical. Focuses on keeping facilities, computers, communication equipment and other tangible parts of the computing infrastructure safe from harm. Can be enforced by: access control (to restrict access to computing facilities); deterrence methods (to convince potential attackers that a successful attack is unlikely because of strong defences); intrusion detection and electronic surveillance systems; security personnel.

a) Security Controls - Physical: Access control. Access is granted to personnel holding a proper credential. A credential can be a physical object (e.g. a key), a piece of knowledge (e.g. a PIN), or a facet of a person's physical being (e.g. retina, thumbprint) that lets an individual into a given physical facility or computer-based information system. Only authorized personnel should be allowed into the facility. Visitors should be accompanied by authorized personnel at all times. Access control should be enforced at all entrance and exit points, and other penetration points (windows, service doors, raised-floor and ceiling voids) should be adequately secured.

a) Security Controls - Physical: Deterrence methods. Physical barriers such as fences, walls and vehicle barriers act as the outermost layer of security. Security lighting is another effective form of deterrence: intruders are less likely to enter well-lit areas for fear of being seen. Doors, gates and other entrances in particular should be well lit to allow close observation of people entering and exiting.

a) Security Controls - Physical: Intrusion detection and electronic surveillance. An alarm device or system gives an audible, visual or other form of signal about a problem or condition. Surveillance cameras can be a deterrent when placed in highly visible locations, and are also useful for incident verification and historical analysis.

a) Security Controls - Physical: Security personnel. Play a central role in all layers of security. All of the technological systems employed to enhance physical security are useless without a security force that is trained in their use and maintenance and knows how to respond properly to security breaches. Security personnel perform many functions: patrols and checkpoints; administering electronic access control; responding to alarms; monitoring and analyzing video.

a) Security Controls - Physical: what the IT auditor should review. a) Data center personnel: all data center personnel should be authorized to access the data center (key cards, login IDs, secure passwords, etc.); data center employees should be adequately educated about data center equipment and perform their jobs properly; vendor service personnel should be supervised when working on data center equipment.

a) Security Controls - Physical. b) Equipment: the IT auditor should verify that all data center equipment is working properly and effectively. The auditor should review equipment utilization reports, equipment inspections for damage and functionality, system downtime records and equipment performance measurements to determine the state of data center equipment, and should interview employees to determine whether preventive maintenance policies are in place and performed.

a) Security Controls - Physical. c) Policies and procedures: all data center policies and procedures should be documented and located at the data center. Examples: data center personnel job responsibilities, backup policies, security policies, employee termination policies, system operating procedures and an overview of the operating systems.

a) Security Controls - Physical. d) Physical security / environmental controls: the auditor should assess the security of the client's data center. Physical security includes security guards, locked cages, mantraps, single entrances, bolted-down equipment and computer monitoring systems. Additionally, environmental controls should be in place to protect data center equipment: air conditioning units, raised floors, humidifiers and uninterruptible power supplies.

a) Security Controls - Physical. e) Backup procedures: the auditor should verify that the organization has backup procedures in place in case of system failure.

a) Security Controls - Logical. Consists of software safeguards for an organization's systems, including user identification and password access, authentication, access rights and authority levels. These measures ensure that only authorized users are able to perform actions or access information on a network or a workstation.

a) Security Controls - Logical. Governs access to the data and software, known as the 'logical' components of the computing infrastructure: corporate data; computer software (user applications, network systems, communication systems, operating systems).

a) Security Controls - Logical. Can be enforced by: authentication; access rights.

a) Security Controls - Logical: Authentication. The process of determining whether someone or something is, in fact, who or what it declares itself to be. Two (2) types of authentication: Password authentication uses secret data (something the user knows) to control access to a particular resource. Token authentication uses security tokens, small devices that authorized users of computer systems or networks carry (something the user has), to help establish that whoever is logging in is actually authorized. The two can be combined so that a stolen password alone is not enough to log in.
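The two authentication types on this slide, as a server would check them. This is an added example, not code from the slides: password verification against a stored salted hash, and a token check implemented as an HMAC-based one-time password (HOTP, RFC 4226), the scheme many hardware tokens use. The demo user, the iteration count and the resynchronisation window are assumptions; the token secret is the RFC 4226 test-vector secret.

```python
"""Added example (not from the slides): password and token authentication.

- Password: the server stores only a salt and a slow PBKDF2 hash, never the
  password, and compares hashes in constant time.
- Token: the server holds the same secret and counter as the device and
  recomputes the RFC 4226 HOTP code.
"""
import hashlib
import hmac
import os
import struct

PBKDF2_ITERATIONS = 100_000  # assumption for the demo; use a higher, current value in production


def make_password_record(password: str) -> dict:
    """Store salt + hash only; the password itself is never kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": PBKDF2_ITERATIONS}


def verify_password(record: dict, attempt: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], record["iterations"])
    # compare_digest does not leak how many leading bytes matched through timing
    return hmac.compare_digest(digest, record["hash"])


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_token(secret: bytes, counter: int, code: str, window: int = 5):
    """Accept the code if it matches one of the next `window` counter values
    (the button may have been pressed without logging in). Returns the new
    server counter on success, None otherwise. The counter only moves forward,
    so a captured code cannot be replayed."""
    for c in range(counter, counter + window):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


def authenticate(user: dict, password: str, token_code: str) -> bool:
    """Two-factor login: password (something you know) and token (something you have)."""
    if not verify_password(user["password"], password):
        return False
    new_counter = verify_token(user["token_secret"], user["token_counter"], token_code)
    if new_counter is None:
        return False
    user["token_counter"] = new_counter
    return True


# Constructed demo user; DEMO_SECRET is the RFC 4226 appendix D test-vector secret.
DEMO_SECRET = b"12345678901234567890"
demo_user = {
    "password": make_password_record("correct horse battery staple"),
    "token_secret": DEMO_SECRET,
    "token_counter": 0,
}

if __name__ == "__main__":
    print(hotp(DEMO_SECRET, 0))  # 755224 per RFC 4226 appendix D
    print(authenticate(demo_user, "correct horse battery staple", hotp(DEMO_SECRET, 0)))
```

The password check and the token check fail independently, and the token counter advances only on success, so the same one-time code is rejected the second time even with the right password.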

a) Security Controls - Logical: Access rights. The level of authorization to read and/or modify a record or data file.

Figure 5-5: Sample Authorization Matrix. Rows: User #1, User #2, User #3 (each identified by ID = XXXXX, Password = YYYYY). Columns: Applications (A/R, A/P) and Information (Customers, Vendors, Sales, Purchasing, Receipts, Payments). Each cell lists the rights granted to that user for that application or information item: Add, Edit, Read, Delete (marked with an x where granted).
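An authorization matrix of the kind Figure 5-5 shows, as data with an enforcement check and two review functions an auditor could run over it. This is an added example, not code from the slides; the users, job-function profiles, resources and segregation pairs are constructed.

```python
"""Added example (not from the slides): an authorization matrix as data,
plus the enforcement check and two auditor review checks over it.
All users, roles and resources below are constructed."""

ACTIONS = ("add", "edit", "read", "delete")
MODIFY = {"add", "edit", "delete"}

# matrix: user -> resource -> set of granted actions.
# A resource that is absent for a user means no access (default deny).
AUTHORIZATION_MATRIX = {
    "user1": {"A/R": {"add", "edit", "read"}, "Customers": {"read"}, "Sales": {"add", "read"}},
    "user2": {"A/P": {"add", "edit", "read", "delete"}, "Vendors": {"read", "edit"},
              "Purchasing": {"add", "read"}},
    "user3": {"A/R": {"read"}, "A/P": {"read"}, "Customers": {"read"}, "Vendors": {"read"}},
}

# Constructed job-function profiles: the maximum rights each role should hold.
ROLE_PROFILES = {
    "ar_clerk": {"A/R": {"add", "edit", "read"}, "Customers": {"read"}, "Sales": {"add", "read"}},
    "ap_clerk": {"A/P": {"add", "edit", "read"}, "Vendors": {"read", "edit"},
                 "Purchasing": {"add", "read"}},
    "auditor": {"A/R": {"read"}, "A/P": {"read"}, "Customers": {"read"}, "Vendors": {"read"}},
}
USER_ROLES = {"user1": "ar_clerk", "user2": "ap_clerk", "user3": "auditor"}

# Constructed segregation-of-duties pairs: one person should not be able to
# modify both (e.g. maintain the vendor master file and post payables).
SEGREGATED = [("Vendors", "A/P"), ("Customers", "A/R")]


def is_authorized(matrix, user, resource, action) -> bool:
    """Enforcement: default deny. Unknown user, resource or action all fail closed."""
    if action not in ACTIONS:
        return False
    return action in matrix.get(user, {}).get(resource, set())


def excess_rights(matrix, roles, profiles):
    """Review: rights held beyond the user's job-function profile.
    Returns {user: {resource: set_of_excess_actions}}; empty dict means clean."""
    findings = {}
    for user, rights in matrix.items():
        allowed = profiles.get(roles.get(user), {})  # unknown role -> nothing allowed
        for resource, actions in rights.items():
            extra = actions - allowed.get(resource, set())
            if extra:
                findings.setdefault(user, {})[resource] = extra
    return findings


def segregation_conflicts(matrix, pairs):
    """Review: users who can modify both resources of a segregated pair.
    Returns {user: [(resource_a, resource_b), ...]}."""
    findings = {}
    for user, rights in matrix.items():
        for a, b in pairs:
            if rights.get(a, set()) & MODIFY and rights.get(b, set()) & MODIFY:
                findings.setdefault(user, []).append((a, b))
    return findings


if __name__ == "__main__":
    print(is_authorized(AUTHORIZATION_MATRIX, "user1", "A/R", "delete"))
    print(excess_rights(AUTHORIZATION_MATRIX, USER_ROLES, ROLE_PROFILES))
    print(segregation_conflicts(AUTHORIZATION_MATRIX, SEGREGATED))
```

The enforcement check answers "may this user do this now"; the two review functions answer the auditor's questions from the later slides: are rights in line with job functions, and can anyone both maintain a master file and post against it.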

a) Security Controls - Logical. When auditing logical security the IT auditor should investigate what security controls are in place and how they work. In particular, the following areas are key points in auditing logical security. a) Passwords: every company should have written policies regarding passwords or other authentication methods and employees' use of them. Passwords or other authentication information should not be shared, and employees should have mandatory scheduled changes. Employees should have user rights that are in line with their job functions. They should also be aware of proper log-on and log-off procedures.

a) Security Controls - Logical. b) Termination procedures: proper termination procedures ensure that former employees can no longer access the network. This is done by disabling the account and changing any passwords and codes the employee knew. All ID cards and badges in circulation should be documented and accounted for.

a) Security Controls - Logical. c) Special user accounts: special user accounts and other privileged accounts should be monitored and have proper controls in place. d) Remote access: remote access is often the point where intruders enter a system. The logical security tools used for remote access should be very strict, and remote access should be logged.
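The four logical-security audit points (password changes, termination, privileged accounts, remote access) run as checks over a constructed user directory and access log. This is an added example, not code from the slides; the directory fields, the 90-day maximum password age, the log line format and every user and event in it are constructed.

```python
"""Added example (not from the slides): logical-security audit checks over a
constructed user directory and access log. Field names, the 90-day password
age and the log format are assumptions for the example."""
from datetime import date, datetime, timedelta

AUDIT_DATE = date(2014, 6, 30)           # constructed "as of" date
MAX_PASSWORD_AGE = timedelta(days=90)    # assumed policy value

# Constructed directory: enabled flag, last password change, privileged flag, termination date
USERS = {
    "alice":   {"enabled": True,  "pw_changed": date(2014, 5, 1),  "privileged": False, "terminated": None},
    "bob":     {"enabled": True,  "pw_changed": date(2014, 1, 15), "privileged": False, "terminated": date(2014, 3, 31)},
    "carol":   {"enabled": False, "pw_changed": date(2013, 12, 1), "privileged": False, "terminated": date(2014, 2, 28)},
    "dbadmin": {"enabled": True,  "pw_changed": date(2013, 9, 1),  "privileged": True,  "terminated": None},
    "root":    {"enabled": True,  "pw_changed": date(2014, 6, 1),  "privileged": True,  "terminated": None},
}

# Constructed access log, one "timestamp user source result" event per line
ACCESS_LOG = """\
2014-06-02T08:01:10 alice LAN success
2014-06-03T22:15:44 bob REMOTE success
2014-06-03T22:20:02 bob REMOTE success
2014-06-10T09:00:00 dbadmin LAN success
2014-06-11T01:12:30 dbadmin REMOTE success
2014-06-11T01:13:05 root REMOTE failure
2014-06-11T01:13:40 root REMOTE failure
2014-06-12T10:45:00 carol LAN failure
2014-06-15T14:00:00 temp01 REMOTE success
"""


def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, source, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "source": source, "result": result})
    return events


def audit(users, log_text, as_of=AUDIT_DATE):
    """Return a sorted list of (finding, account) tuples; empty means clean."""
    events = parse_log(log_text)
    findings = set()
    for name, u in users.items():
        # a) passwords: mandatory scheduled changes
        if u["enabled"] and as_of - u["pw_changed"] > MAX_PASSWORD_AGE:
            findings.add(("password_expired", name))
        # b) termination: former employees must not keep access
        if u["terminated"] and u["enabled"]:
            findings.add(("terminated_still_enabled", name))
    for e in events:
        u = users.get(e["user"])
        if u is None:
            # an account in the log but not in the directory is itself a finding
            findings.add(("unknown_account", e["user"]))
            continue
        if u["terminated"] and e["ts"].date() > u["terminated"] and e["result"] == "success":
            findings.add(("terminated_user_login", e["user"]))
        # c) privileged accounts monitored; d) remote access strict and logged:
        # every remote use of a privileged account, successful or not, is reported
        if u["privileged"] and e["source"] == "REMOTE":
            findings.add(("privileged_remote_" + e["result"], e["user"]))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(USERS, ACCESS_LOG):
        print(*finding)
```

The checks are deliberately simple joins between the directory and the log; what matters for the audit is that the log exists, covers remote access, and can be matched against the directory at all.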

Physical vs Logical Controls (Figure 5-4: Physical and Logical Security)

Security Issue     | Physical Controls                                              | Logical Controls
Access Controls    | Security guards; Locks & keys; Biometric devices               | IDs and passwords; Authorization matrix; Firewalls & encryption
Monitor Controls   | Video cameras; Penetration alarms                              | Access logs; Supervisory oversight; Penetration alarms
Review Controls    | Formal reviews; Sign-in logs                                   | Violation investigations; Activity logs
Penetration Tests  | Unauthorized attempts to enter IT facilities; Attempts to break in through vulnerable points; As an authorized visitor, attempts to leave authorized personnel and wander around the facility without oversight | Unauthorized attempts to enter servers and networks; Attempts to override access controls (hacking); As an authorized user, attempts to use unauthorized applications and view unauthorized information