IS4680 Security Auditing for Compliance

Presentation on theme: "IS4680 Security Auditing for Compliance"— Presentation transcript:

1 IS4680 Security Auditing for Compliance
Unit 9 Compliance Within the System/Application Domain

2 Class Agenda 8/15/16
Covers Chapter 14 Learning Objectives
Lesson Presentation and Discussions.
Discussion on Assignments.
Discussion on Lab Activities. Lab will be performed in class.
Break Times as per School Regulation.
Discussion on Project.

3 Learning Objective Describe information security systems compliance requirements within the System/Application Domain.

4 Key Concepts
Compliance law requirements and business drivers for the System/Application Domain
Devices and components found in the System/Application Domain
Application traffic and performance, and maximizing availability, integrity, and confidentiality (A-I-C) for the System/Application Domain

5 Key Concepts (Continued)
System/Application Domain policies, standards, procedures, and guidelines
Best practices for System/Application Domain compliance requirements

6 EXPLORE: CONCEPTS

7 Compliance Law and Business Drivers
Centralizing core business functions on networked servers can increase the security of your data in many ways. You can centrally control how you store your data and how you allow users to access it.

8 Compliance Law and Business Drivers (Continued)
The System/Application Domain provides an environment for the applications you run as clients on your network and the computer systems that store them. The domain provides an engine for distributed applications and empowers the concept of providing individual components of applications, as opposed to entire applications in one footprint.

9 Devices
You can find the following servers in today’s environments:
File server
Web server
Authentication server
Database server

10 Devices (Continued)
Application server
Mail server
Media server

11 Access Controls
Access controls protect the confidentiality and integrity of data only as long as the operating system enforces the controls. The first attack method is to boot the computer that contains the data from removable media: removable media, such as a Compact Disc (CD), Digital Versatile Disc (DVD), or Universal Serial Bus (USB) drive, can contain an alternate operating system that lets the attacker read any file on the disk, because the original operating system’s access controls are never enforced.

12 Access Controls (Continued)
The second type of attack can result in disclosing large amounts of confidential data. It involves acquiring a copy of a backup image. Many organizations make the mistake of not securing backups once they are created.

13 Vulnerability and Change Management
All application software and operating systems are susceptible to software vulnerabilities. Operating systems use a form of change management called patch management to update and ‘patch’ vulnerabilities.

14 Vulnerability and Change Management (Continued)
Application software also uses patch management, the same form of change management, to provide the same types of processes for reducing the vulnerabilities that exist. Always remember that if you know about a vulnerability, the chances are that some attacker knows about it too.

15 EXPLORE: PROCESSES

16 Performance Monitoring and Application Traffic
Identify a software tool that provides the highest level of monitoring and analysis. Ensure that the monitoring tool provides proactive monitoring by giving assurance that everything is working as planned.

17 Performance Monitoring and Application Traffic (Continued)
Ensure that the application raises alerts whenever issues occur in the System/Application Domain. Use tools like Zeus to raise alerts along with other vendor software to aid in the process of performance and traffic monitoring.

18 Maximize AIC
The overall purpose of compliance requirements is to enforce the basic pillars or tenets of security, the AIC properties of security. Although some compliance requirements might seem unnecessary, they should all work together to support the AIC properties of secure systems.

19 Maximize AIC (Continued)
Availability—Assurance that the information is available to authorized users in an acceptable time frame when the information is requested.
Integrity—Assurance that the information cannot be changed by unauthorized users.
Confidentiality—Assurance that the information cannot be accessed or viewed by unauthorized users.

20 Maximize AIC (Continued)
To achieve AIC functions, data must be confidential or private and encrypted within databases and hard drives.

21 EXPLORE: ROLES

22 Roles and Responsibilities
Senior Managers: Responsible for support and funding approval.
Information technology (IT) Managers: Overall IT function leadership and support.

23 Roles and Responsibilities (Continued)
IT Auditors: System/Application Domain control auditors.
Data Owners: Grant access to data in applications.

24 Roles and Responsibilities (Continued)
System Administrators: Monitor systems/applications for anomalies.
Application Developers: Monitor system applications and work with system administrators to access the data.

25 EXPLORE: RATIONALE

26 Information Systems Security (ISS) Compliance
The components in the System/Application Domain are specific to the organization rather than generic. In many cases, it is imperative to create specific documents to direct actions that apply to this domain. Security policies state high-level goals for security. Standards state specific performance metrics to meet those goals.

27 ISS Compliance (Continued)
Procedures document the steps to meet stated performance metrics.
Guidelines provide general direction for situations that don’t have specific procedures.

28 Best Practices for Compliance Requirements
Establish physical controls to protect the data center.
Use at least one firewall to limit network traffic from other domains to only authorized traffic.
Use Network Access Control (NAC) devices to restrict computers and other devices from connecting to System/Application Domain components.

29 Best Practices for Compliance Requirements (Continued)
Define user- or group-based access controls for each computer in the domain.
Use application-defined access controls to limit access to data.
Allow only low-privilege users to establish connections between the Internet-facing servers in the Demilitarized Zone (DMZ) and System/Application Domain servers.

30 Best Practices for Compliance Requirements (Continued)
Allow only escalated-privilege user connections that originate from protected Web servers, where users can connect only by using a secure VPN.
Update operating systems frequently with the latest security patches on all computers.

31 Best Practices for Compliance Requirements (Continued)
Update all application software frequently with the latest security patches.
Follow these best practices if your organization engages in software development or software modifications:
  Use software configuration management software to control software changes.
  Create separate environments for development, testing, and production.
  Prohibit developers from accessing the production environment.
  Follow formal procedures for approving software to move from development to testing and from testing to production.

32 Best Practices for Compliance Requirements (Continued)
Create a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) that include each component in the System/Application Domain:
  Keep the BCP and DRP up to date to reflect any changes to the domain.
  Test the BCP and DRP at least annually.
Protect all backup media in transit and storage.
Ensure all backup media is encrypted.

33 Best Practices for Compliance Requirements (Continued)
Encrypt all sensitive data when it is stored on disks.
Use application-monitoring software to identify performance or availability issues.
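The best practices on slides 28 through 33 are the kind of controls an auditor checks host by host. The script below is an added example, not course material: it audits a constructed server inventory against five of those controls (encryption at rest, encrypted backups, patch currency, developer separation from production, and annual BCP/DRP testing). The inventory records, account names, dates, and the 30-day patch-age threshold are assumptions made for illustration.

```python
from datetime import date

TODAY = date(2016, 8, 15)           # class date from the agenda slide
MAX_PATCH_AGE_DAYS = 30             # assumed threshold for "updated frequently"
MAX_BCP_TEST_AGE_DAYS = 365         # "test the BCP and DRP at least annually"

# Constructed sample inventory, one record per server in the domain.
# "access" maps an account to the role the data owner granted it.
INVENTORY = [
    {"host": "db01", "env": "production", "disk_encrypted": True,
     "backup_encrypted": True, "last_patched": date(2016, 8, 1),
     "access": {"dba_team": "data owner"}},
    {"host": "app02", "env": "production", "disk_encrypted": False,
     "backup_encrypted": False, "last_patched": date(2016, 5, 2),
     "access": {"dev_jsmith": "developer"}},
    {"host": "app02-dev", "env": "development", "disk_encrypted": True,
     "backup_encrypted": True, "last_patched": date(2016, 8, 10),
     "access": {"dev_jsmith": "developer"}},
]
BCP_LAST_TESTED = date(2015, 6, 30)  # constructed date of the last BCP/DRP test

def audit_host(rec, today=TODAY):
    """Return (control, finding) pairs for one server record."""
    findings = []
    if not rec["disk_encrypted"]:
        findings.append(("encrypt-at-rest", "sensitive data on disk is not encrypted"))
    if not rec["backup_encrypted"]:
        findings.append(("backup-encryption", "backup media for this host is not encrypted"))
    age = (today - rec["last_patched"]).days
    if age > MAX_PATCH_AGE_DAYS:
        findings.append(("patch-currency", f"last patched {age} days ago"))
    if rec["env"] == "production":
        # Developers must not have access to the production environment.
        devs = sorted(u for u, role in rec["access"].items() if role == "developer")
        if devs:
            findings.append(("dev-prod-separation",
                             "developers with production access: " + ", ".join(devs)))
    return findings

def audit_domain(inventory=INVENTORY, bcp_last_tested=BCP_LAST_TESTED, today=TODAY):
    """Map each host to its findings; the BCP/DRP test-age check is domain-wide."""
    report = {rec["host"]: audit_host(rec, today) for rec in inventory}
    if (today - bcp_last_tested).days > MAX_BCP_TEST_AGE_DAYS:
        report["_domain"] = [("bcp-drp-testing", "BCP/DRP not tested within the last year")]
    return report

if __name__ == "__main__":
    for host, items in audit_domain().items():
        for control, detail in items:
            print(f"{host}: {control}: {detail}")
```

On the sample inventory only app02 and the domain-wide BCP/DRP check produce findings; the development host with a developer account is compliant because the separation control applies to production only.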

34 Summary
In this presentation, the following were covered:
Compliance laws and business drivers for the System/Application Domain
Process to monitor application traffic and performance
Ways to maximize A-I-C
Roles and responsibilities associated with System/Application Domain compliance
Best practices for System/Application Domain compliance requirements

35 Unit 9 Assignment and Lab
Discussion 9.1 Maximizing Availability, Integrity, and Confidentiality (A-I-C) for System/Application
Lab 9.2 Auditing the Systems/Application Domain for Compliance
Assignment 9.3 Best Practices for System/Application Domain Compliance
