Managing the IT Function


1 Managing the IT Function
CISB424, Sulfeeza, revised in 2014

2 Content
What is the IT Function?
How to plan, measure and monitor the IT function in an organization
Managing the IT function in terms of:
- Organizing the IT function
- Funding the IT function
- Staffing the IT function
- Directing the IT function
- Controlling the IT function:
  - Security
  - Applications
  - Database
  - Backup and Recovery

3 5. Controlling the IT Function (Part II)
The major control categories involved in the IT function are:
- Security
- Applications
- Databases
- Backup and Recovery
Each of these categories is intended to minimize risk through internal controls.

4 a) Security Controls
Mechanisms to safeguard, avoid, counteract or minimize risks to the computing infrastructure or corporate information from internal and external threats.
Can be categorized as:
- Physical Security Controls
- Logical Security Controls

5 a) Security Controls - Physical
Focuses on keeping facilities, computers, communication equipment and other tangible parts of the computing infrastructure safe from harm.
Can be enforced by:
- Access control: restricts access to computing facilities
- Deterrence methods: convince potential attackers that a successful attack is unlikely because the defences are strong
- Intrusion detection and electronic surveillance systems
- Security personnel

6 a) Security Controls - Physical
Access control
- Access is granted to personnel with a proper credential.
- A credential can be a physical/tangible object (e.g. a key), a piece of knowledge (e.g. a PIN), or a facet of a person's physical being (e.g. retina, thumbprint) that enables an individual to access a given physical facility or computer-based information system.
- Only authorized personnel should be allowed into the facility.
- Visitors should be accompanied by authorized personnel at all times.
- Access control should be enforced at all entrance and exit points.
- Penetration points should be adequately secured.

7 a) Security Controls - Physical
Deterrence methods
- Physical barriers such as fences, walls and vehicle barriers act as the outermost layer of security.
- Security lighting is another effective form of deterrence: intruders are less likely to enter well-lit areas for fear of being seen. Doors, gates and other entrances in particular should be well lit to allow close observation of people entering and exiting.

8 a) Security Controls - Physical
Intrusion detection and electronic surveillance
- An alarm device or system gives an audible, visual or other form of alarm signal about a problem or condition.
- Surveillance cameras can be a deterrent when placed in highly visible locations, and are also useful for incident verification and historical analysis.

9 a) Security Controls - Physical
Security personnel
- Play a central role in all layers of security.
- All of the technological systems employed to enhance physical security are useless without a security force that is trained in their use and maintenance, and that knows how to respond properly to security breaches.
- Security personnel perform many functions:
  - patrols and checkpoints
  - administering electronic access control
  - responding to alarms
  - monitoring and analyzing video

10 a) Security Controls - Physical
The IT auditor should review:
a) Data center personnel
- All data center personnel should be authorized to access the data center (key cards, login IDs, secure passwords, etc.).
- Data center employees should be adequately educated about data center equipment and perform their jobs properly.
- Vendor service personnel should be supervised when working on data center equipment.

11 a) Security Controls - Physical
b) Equipment
- The IT auditor should verify that all data center equipment is working properly and effectively.
- The IT auditor should review equipment utilization reports, equipment inspections for damage and functionality, system downtime records and equipment performance measurements to determine the state of data center equipment.
- The IT auditor should interview employees to determine whether preventive maintenance policies are in place and performed.

12 a) Security Controls - Physical
c) Policies and Procedures
- All data center policies and procedures should be documented and kept at the data center.
- Examples: data center personnel job responsibilities, backup policies, security policies, employee termination policies, system operating procedures and an overview of the operating systems.

13 a) Security Controls - Physical
d) Physical security / environmental controls
- The auditor should assess the security of the client's data center.
- Physical security includes bodyguards, locked cages, man traps, single entrances, bolted-down equipment and computer monitoring systems.
- Additionally, environmental controls should be in place to ensure the security of data center equipment. These include air conditioning units, raised floors, humidifiers and uninterruptible power supplies.

14 a) Security Controls - Physical
e) Backup procedures
- The auditor should verify that the organization has backup procedures in place in case of system failure.

15 a) Security Controls - Logical
Consists of software safeguards for an organization's systems, including user identification and password access, authentication, access rights and authority levels.
These measures ensure that only authorized users are able to perform actions or access information on a network or a workstation.

16 a) Security Controls - Logical
Controls access to data and software, the 'logical' components of the computing infrastructure:
- Corporate data
- Computer software
  - user applications
  - network systems
  - communication systems
  - operating systems

17 a) Security Controls - Logical
Can be enforced by:
- Authentication
- Access rights

18 a) Security Controls - Logical
Authentication
- The process of determining whether someone or something is, in fact, who or what it is declared to be.
- Two (2) types of authentication:
  - Password authentication uses secret data to control access to a particular resource.
  - Token authentication uses security tokens, small devices that authorized users of computer systems or networks carry to help verify that whoever is logging in to a computer or network system is actually authorized.

19 a) Security Controls - Logical
Access rights
- The level of authorization to read and/or modify a record or data file.

20 Sample Authorization Matrix
Figure 5-5: Sample Authorization Matrix
Rows: User #1, User #2, User #3 (each identified by ID = XXXXX, Password = YYYYY)
Columns: Applications (A/R, A/P) and Information (Customers, Vendors, Sales, Purchasing, Receipts, Payments)
Cells: the rights granted to that user for that application or information item, chosen from Add, Edit, Read, Delete (an x marks a granted right)
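The authorization matrix of Figure 5-5 enforced in code, as an added example that is not part of the CISB424 slides. The users, resources and granted rights are constructed; the point is the default-deny lookup and the audit helper that lists who holds a given right.

```python
# Added example (not from the CISB424 slides): an authorization matrix in the
# shape of Figure 5-5, enforced as a default-deny lookup.  The users, resources
# and granted rights below are constructed for illustration.
from typing import Dict, FrozenSet, List, Tuple

RIGHTS = ("Add", "Edit", "Read", "Delete")
INFORMATION = ("Customers", "Vendors", "Sales", "Purchasing", "Receipts", "Payments")

# user -> resource -> rights granted; anything not listed is denied
AUTHZ_MATRIX: Dict[str, Dict[str, FrozenSet[str]]] = {
    "user1": {                      # constructed: accounts-receivable clerk
        "Customers": frozenset({"Add", "Edit", "Read"}),
        "Receipts": frozenset({"Add", "Read"}),
        "Sales": frozenset({"Read"}),
    },
    "user2": {                      # constructed: accounts-payable clerk
        "Vendors": frozenset({"Add", "Edit", "Read"}),
        "Purchasing": frozenset({"Read"}),
        "Payments": frozenset({"Add", "Read"}),
    },
    "user3": {res: frozenset({"Read"}) for res in INFORMATION},  # read-only reviewer
}

Request = Tuple[str, str, str]      # (user, resource, right)

def is_authorized(user: str, resource: str, right: str) -> bool:
    """True only if the matrix explicitly grants `right` on `resource` to `user`."""
    if right not in RIGHTS:
        raise ValueError(f"unknown right {right!r}")
    return right in AUTHZ_MATRIX.get(user, {}).get(resource, frozenset())

def check_requests(requests: List[Request]) -> Tuple[List[Request], List[Request]]:
    """Split requests into (allowed, denied).  Denied requests are the entries an
    activity log would carry for later review of unauthorized attempts."""
    allowed: List[Request] = []
    denied: List[Request] = []
    for req in requests:
        (allowed if is_authorized(*req) else denied).append(req)
    return allowed, denied

def users_with_right(right: str) -> List[str]:
    """Audit helper: which users hold `right` on any resource (e.g. who can Delete)."""
    return sorted(u for u, grants in AUTHZ_MATRIX.items()
                  if any(right in rights for rights in grants.values()))

if __name__ == "__main__":
    ok, bad = check_requests([("user1", "Customers", "Edit"), ("user1", "Vendors", "Read")])
    print("allowed:", ok)
    print("denied :", bad)
    print("can delete:", users_with_right("Delete"))
```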

21 a) Security Controls - Logical
When auditing logical security the IT auditor should investigate what security controls are in place and how they work. In particular, the following areas are key points in auditing logical security:
a) Passwords
- Every company should have written policies regarding passwords or other authentication methods and employees' use of them.
- Passwords or authentication information should not be shared, and employees should have mandatory scheduled changes.
- Employees should have user rights that are in line with their job functions.
- They should also be aware of proper log-on/log-off procedures.

22 a) Security Controls - Logical
b) Termination Procedures
- Proper termination procedures so that former employees can no longer access the network. This can be done by changing passwords and codes.
- All ID cards and badges in circulation should be documented and accounted for.

23 a) Security Controls - Logical
c) Special User Accounts
- Special user accounts and other privileged accounts should be monitored and have proper controls in place.
d) Remote Access
- Remote access is often a point where intruders can enter a system. The logical security tools used for remote access should be very strict.
- Remote access should be logged.
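A review of a remote-access log against the termination, special-account and remote-access points above, as an added example that is not part of the CISB424 slides. The log format, the user names, the terminated-employee list and the privileged-account list are all constructed for the example.

```python
# Added example (not from the CISB424 slides): reviewing a remote-access log
# against two audit points above: terminated employees must no longer get in,
# and special (privileged) accounts must be monitored.  The log format, the
# user names and the lists are all constructed for this example.
import re
from datetime import date
from typing import Dict, List, Optional, Tuple

LOG_LINE = re.compile(r"^(\S+) remote-login user=(\S+) src=(\S+) result=(success|failure)$")

TERMINATED: Dict[str, date] = {"jsmith": date(2014, 3, 1)}   # user -> termination date
PRIVILEGED = {"sysadmin", "dba"}                              # special user accounts

SAMPLE_LOG = """\
2014-03-02T08:01:00 remote-login user=alee src=10.0.0.5 result=success
2014-03-02T08:05:12 remote-login user=jsmith src=198.51.100.7 result=success
2014-03-02T09:00:00 remote-login user=sysadmin src=10.0.0.9 result=success
2014-03-02T09:00:30 remote-login user=dba src=203.0.113.4 result=failure
2014-03-02T10:15:00 remote-login user=alee src=10.0.0.5 result=failure
""".splitlines()

def parse(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it does not match the format."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts, user, src, result = m.groups()
    return {"ts": ts, "date": date.fromisoformat(ts[:10]),
            "user": user, "src": src, "result": result}

def review_remote_access(lines: List[str]) -> List[Tuple]:
    """Produce audit findings; unparsable lines are reported rather than dropped."""
    findings: List[Tuple] = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            findings.append(("UNPARSED", line))
            continue
        # termination procedure failed: account still usable on/after termination date
        term = TERMINATED.get(ev["user"])
        if term and ev["date"] >= term and ev["result"] == "success":
            findings.append(("TERMINATED_USER_LOGIN", ev["user"], ev["ts"]))
        # every privileged remote session, successful or not, goes on the review list
        if ev["user"] in PRIVILEGED:
            findings.append(("PRIVILEGED_REMOTE_ACCESS", ev["user"], ev["src"], ev["result"]))
    return findings

if __name__ == "__main__":
    for finding in review_remote_access(SAMPLE_LOG):
        print(finding)
```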

24 Physical vs Logical Controls
Figure 5-4: Physical and Logical Security

Access Controls
  Physical controls: security guards; locks & keys; biometric devices
  Logical controls: IDs and passwords; authorization matrix; firewalls & encryption
Monitor Controls
  Physical controls: video cameras; penetration alarms
  Logical controls: access logs; supervisory oversight; penetration alarms
Review Controls
  Physical controls: formal reviews; signage logs
  Logical controls: violation investigations; activity logs
Penetrating Tests
  Physical controls: unauthorized attempts to enter IT facilities; attempts to break in through vulnerable points; as an authorized visitor, attempts to leave authorized personnel and wander around the facility without oversight
  Logical controls: unauthorized attempts to enter servers and networks; attempts to override access controls (hacking); as an authorized user, attempts to use unauthorized applications and view unauthorized information
