IT Security and Management - Semi Finals by Mark John Lado

Mark John Lado, MIT
Educational Consultant, Computer Programmer at Cebu Technological University
1. Incident Response
2. Operational Security
3. Physical and Environmental Security
4. Supplier Relationships
Semi Finals – Bachelor of Science in Information System
IT Security and Management
Chapter I
Incident Response
Drill
• Havoc - widespread destruction
• Wreak Havoc - to cause great damage
• Data Breach - a security incident in which information is accessed without authorization.
• Alienate - a withdrawing or separation of a person
Learning Objectives:
At the end of this chapter, you will be able to:
• Recognize what incident response is.
• Understand why incident response is important.
• Engage with the three elements of incident response management.
• Become familiar with the six steps of an incident response plan.
What is Incident Response?
A term used to describe the process by which an organization handles a data breach or cyber attack, including the way the organization attempts to manage the consequences of the attack or breach (the “incident”).
• Incident response is the methodology an organization uses to respond to and manage a cyber-attack. An attack or data breach can wreak havoc, potentially affecting customers, intellectual property, company time and resources, and brand value.
• Incident response aims to reduce this damage and recover as quickly as possible. Investigation is also a key component, in order to learn from the attack and better prepare for the future.
• Because many companies today experience a breach at some point in time, a well-developed and repeatable incident response plan is the best way to protect your company.
Why is Incident Response Important?
• As cyber-attacks increase in scale and frequency, incident response plans become more vital to a company’s cyber defenses. Poor incident response can alienate customers.
Who is the Incident Response Team?
• The company should look to their “Computer Incident Response Team (CIRT)” to lead incident response efforts.
• This team is comprised of experts from upper-level management, IT, information security, IT auditors when available, as well as any physical security staff that can aid when an incident includes direct contact with company systems. Incident response should also be supported by HR, legal, and PR or communications.
Those Responsible for Incident Response
Incident Response Manager
Oversees and prioritizes actions during the detection, analysis and containment of an incident.
Security Analyst
Supports the manager and works directly with the affected network to research the time, location and details of an incident.
Triage Analyst
Filters out false positives and keeps an eye out for potential intrusions.
Elements of Incident Response Management
1. Incident Response Plan
2. Incident Response Team
3. Incident Response Tools
Incident Response Plan
An incident response plan should prepare
your team to deal with threats, indicate how to
isolate incidents and identify their severity,
how to stop the attack and eradicate the
underlying cause, how to recover production
systems, and how to conduct a post-mortem
analysis to prevent future attacks.
Steps of Incident Response Plan
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons learned
1. Preparation
List all possible threat scenarios.
Develop policies to implement in the event of a cyber attack.
Develop a communication plan.
Outline the roles, responsibilities, and procedures of your team.
Establish a corporate security policy.
Recruit and train team members, and ensure they have access to relevant systems.
Ensure team members have access to relevant technologies and tools.
2. Identification
Identify and assess the incident and gather evidence.
Decide on the severity and type of the incident and escalate if necessary.
Document actions taken, addressing “who, what, where, why, and how.” This information may be used later as evidence if the incident reaches a court of law.
3. Containment
The act of preventing the expansion of harm.
Typically involves disconnecting affected computers from the network.
4. Eradication
Finding the root cause of the incident and removing affected systems from the production environment.
These steps may change the configuration of the organization. The aim is to make changes while minimizing the effect on the operations of the organization. You can achieve this by stopping the bleeding and limiting the amount of data that is exposed.
5. Recovery
Ensure that affected systems are not in danger and can be restored to working condition. The purpose of this phase is to bring affected systems back into the production environment carefully, to ensure they will not lead to another incident.
Ensure another incident doesn’t occur by restoring systems from clean backups, replacing compromised files with clean versions, rebuilding systems from scratch, installing patches, changing passwords and reinforcing network perimeter security.
6. Lessons learned
Completing incident documentation, performing analysis to learn from the incident and potentially improving future response efforts. Complete documentation that couldn’t be prepared during the response process. The team should identify how the incident was managed and eradicated.
The Incident Response Team
• To prepare for and attend to incidents, you should form a centralized incident response team, responsible for identifying security breaches and taking responsive actions.
The team should include:
Incident response manager (team leader)
Security analysts
Lead investigator
Threat researchers
Communications lead
Documentation and timeline lead
Legal representation
Incident Response Tools
• Cyber incident response tools are used by the security industry to test for vulnerabilities and to provide emergency incident response to compromised networks and applications, and they help the team take the appropriate incident response steps.
Summary
Incident response is an approach to handling
security breaches. The aim of incident response is
to identify an attack, contain the damage, and
eradicate the root cause of the incident. An incident
can be defined as any breach of law, policy or
unacceptable act that concerns information assets,
such as networks, computers, or smartphones.
Chapter II
Operational Security
Learning Objectives
At the end of this chapter, you will be able to:
• Become familiar with what operational security is.
• Engage with the five steps of operational security.
• Recognize the best practices for operational security.
• Apply confidentiality, integrity, availability, and nonrepudiation in the corporate world.
Learning Outline
1. OPERATIONAL SECURITY
2. THE FIVE STEPS OF OPERATIONAL SECURITY
3. BEST PRACTICES FOR OPERATIONAL SECURITY
OPERATIONAL SECURITY
• Operational security (OPSEC), also known as procedural security, is a risk management process that encourages managers to view operations from the perspective of an adversary in order to protect sensitive information from falling into the wrong hands.
• Though originally used by the military, OPSEC is becoming popular in the private sector as well. Things that fall under the OPSEC umbrella include monitoring behaviors and habits on social media sites as well as discouraging employees from sharing login credentials via email or text message.
THE FIVE STEPS OF OPERATIONAL SECURITY
The processes involved in operational security can be
neatly categorized into five steps:
1. Identify your sensitive data.
2. Identify possible threats.
3. Analyze security holes and other vulnerabilities.
4. Appraise the level of risk associated with each
vulnerability.
5. Get countermeasures in place.
1. Identify your sensitive data, including your product research, intellectual property, financial statements, customer information, and employee information. This will be the data you will need to focus your resources on protecting.
2. Identify possible threats.
For each category of information that you deem sensitive, you should identify what kinds of threats are present. While you should be wary of third parties trying to steal your information, you should also watch out for insider threats, such as negligent employees and disgruntled workers.
3. Analyze security holes and other vulnerabilities.
Assess your current safeguards and determine what, if any, loopholes or weaknesses exist that may be exploited to gain access to your sensitive data.
4. Appraise the level of risk associated with each vulnerability.
Rank your vulnerabilities using factors such as the likelihood of an attack happening, the extent of damage that you would suffer, and the amount of work and time you would need to recover. The more likely and damaging an attack is, the more you should prioritize mitigating the associated risk.
5. Get countermeasures in place.
The last step of operational security is to create and implement a plan to eliminate threats and mitigate risks. This could include updating your hardware, creating new policies regarding sensitive data, or training employees on sound security practices and company policies.
Countermeasures should be straightforward and simple. Employees should be able to implement the measures required on their part with or without additional training.
BEST PRACTICES FOR OPERATIONAL SECURITY
Follow these best practices to implement a robust, comprehensive operational security program:
1. Implement precise change management processes that your employees should follow when network changes are performed. All changes should be logged and controlled so they can be monitored and audited.
2. Restrict access to network devices using AAA authentication. In the military and other government entities, a “need-to-know” basis is often used as a rule of thumb regarding access and sharing of information.
• AAA authentication
Authentication, authorization, and accounting (AAA) is a term for a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. These combined processes are considered important for effective network management and security.
3. Give your employees the minimum access necessary to perform their jobs. Practice the principle of least privilege.
4. Implement dual control. Make sure that those who work on your network are not the same people in charge of security.
5. Automate tasks to reduce the need for human intervention. Humans are the weakest link in any organization’s operational security initiatives because they make mistakes, overlook details, forget things, and bypass processes.
6. Incident response and disaster recovery planning are always crucial components of a sound security posture. Even when operational security measures are robust, you must have a plan to identify risks, respond to them, and mitigate potential damages.
Operational Security (OPSEC)
• Risk management involves being able to identify threats and vulnerabilities before they become problems. Operational security forces managers to dive deeply into their operations and figure out where their information can be easily breached.
• Looking at operations from a malicious third party’s perspective allows managers to spot vulnerabilities they may have otherwise missed, so that they can implement the proper countermeasures to protect sensitive data.
Chapter III
Physical and Environmental Security
Learning Objectives:
At the end of this chapter, you will be able to:
• Explain what physical and environmental security is.
• Engage with the objectives of physical and environmental security.
• Distinguish between the physical security measures.
• Recognize the physical controls.
• Appreciate the essence of technical controls.
Learning Outline
• Physical and environmental security
• Objectives of Physical and Environmental Security
• Physical Security Measures
• Physical Controls
• Technical Controls
What does physical and environmental security mean?
The protection of personnel, hardware, software, networks and data from physical actions and events that could cause serious loss or damage to an enterprise, agency or institution. This includes protection from fire, flood, natural disasters, burglary, theft, vandalism and terrorism.
Objectives of Physical and Environmental Security
1. Prevent unauthorized physical access, damage, and interference to premises and information.
2. Ensure sensitive information and critical information technology are housed in secure areas.
3. Prevent loss, damage, theft, or compromise of assets.
4. Prevent interruption of activities.
5. Protect assets from physical and environmental threats.
6. Ensure appropriate equipment location, removal, and disposal.
7. Ensure appropriate supporting facilities (e.g., electrical supply, data and voice cabling infrastructure).
PHYSICAL AND ENVIRONMENTAL SECURITY
The term physical and environmental security refers to measures taken to protect systems, buildings, and related supporting infrastructure against threats associated with their physical environment.
Physical and environmental safeguards are often overlooked but are very important in protecting information. Physical security over past decades has become increasingly difficult for organizations. Technology and computer environments now allow more compromises to occur due to increased vulnerabilities.
USB hard drives, laptops, tablets and smartphones allow for information to be lost or stolen because of portability and mobile access. In the early days of computers, they were large mainframe computers only used by a few people and were secured in locked rooms.
Today, desks are filled with desktop computers and mobile laptops that have access to company data from across the enterprise. Protecting data, networks and systems has become difficult to implement with mobile users able to take their computers out of the facilities.
Fraud, vandalism, sabotage, accidents, and theft are increasing costs for organizations since the environments are becoming more “complex and dynamic”. Physical security becomes tougher to manage as technology increases in complexity, and more vulnerabilities are enabled.
Buildings and rooms that house information and information technology systems must be afforded appropriate protection to avoid damage or unauthorized access to information and systems. In addition, the equipment housing this information (e.g., filing cabinets, data wiring, laptop computers, and portable disk drives) must be physically protected.
Equipment theft is of primary concern, but other issues should be considered, such as damage or loss caused by fire, flood, and sensitivity to temperature extremes.
Physical and environmental security programs define the various measures or controls that protect organizations from loss of connectivity and availability of computer processing caused by theft, fire, flood, intentional destruction, unintentional damage, mechanical equipment failure and power failures.
Physical security measures should be
sufficient to deal with foreseeable threats
and should be tested periodically for their
effectiveness and functionality.
Physical Security Measures
1. Determine which managers are responsible for planning, funding, and operations of physical security of the Data Center.
2. Review best practices and standards that can assist with evaluating physical security controls, such as ISO/IEC 27002:2013.
3. Establish a baseline by conducting a physical security controls gap assessment that will include the following as they relate to your campus Data Center:
3.1 Environmental Controls
An Environmental Control (EC) system can provide a level of independent control of many devices in the home for people with significant physical disabilities. EC may be suitable if you struggle to control equipment around you because of difficulties with using your arms or hands.
3.2 Environmental Controls
3.3 Natural Disaster Controls
3.4 Supporting Utility Controls
3.5 Physical Protection and Access Controls
3.6 System Reliability
Ensures the system is doing the required job, and goes hand in hand with reliability, which ensures the system is doing its job correctly. Although they come from different ways of looking at the same problem, they are both dependent on each other.
3.7 Physical Security Awareness and Training
3.8 Contingency Plans
An alternative Information Systems Security (INFOSEC) plan that is implemented when normal business operations are interrupted by emergency, failover or disaster. A contingency plan is also known as a disaster recovery plan (DRP).
4. Determine whether an appropriate investment in physical security equipment (alarms, locks or other physical access controls, identification badges for high-security areas, etc.) has been made and whether these controls have been tested and function correctly.
5. Provide responsible managers with guidance in handling risks. For example, if the current investment in physical security controls is inadequate, this may allow unauthorized access to servers and network equipment. Inadequate funding for key positions with responsibility for IT physical security may result in poor monitoring, poor compliance with policies and standards, and overall poor physical security.
6. Maintain a secure repository of physical and environmental security controls and policies and establish timelines for their evaluation, update and modification.
7. Create a team of physical and environmental security auditors, outside of the management staff, to periodically assess the effectiveness of the measures taken and provide feedback on their usefulness and functionality.
Physical Controls
Facilities need physical access controls in place that control, monitor and manage access. Building sections should be categorized as restricted, private or public. Different access control levels are needed to restrict the zones that each employee may enter depending on their role.
Many mechanisms exist that control and isolate access privileges at facilities. These mechanisms are intended to discourage and detect access by unauthorized individuals.
1. Perimeter Security
Mantraps, gates, fences and turnstiles are used outside of the facility to create an additional layer of security before accessing the building.
2. Badges
Proof of identity is necessary for verifying whether a person is an employee or visitor. These cards come in the forms of name tags, badges and identification (ID) cards. Badges can also be smart cards that integrate with access control systems. Pictures, RFID tags, magnetic strips, computer chips and employee information are frequently included to help security staff validate identity.
3. Motion Detectors
Motion detectors offer different technology options depending on necessity. They are used as intrusion detection devices and work in combination with alarm systems. Infrared motion detectors observe changes in infrared light patterns. Heat-based motion detectors sense changes in heat levels. Wave pattern motion detectors use ultrasonic or microwave frequencies that monitor changes in reflected patterns.
4. Intrusion Alarms
Alarms monitor various sensors and detectors. These devices are door and window contacts, glass break detectors, motion detectors, water sensors, and so on. Status changes in the devices trigger the alarm.
Technical Controls
The main focus of technical controls is access control because it is one of the most compromised areas of security. Smart cards are a technical control that can allow physical access into a building or secured room and a secure log in to company networks and computers.
Multiple layers of defense are needed, with overlap, to protect against attackers gaining direct access to company resources. Intrusion detection systems are technical controls that are essential because they detect an intrusion.
Detection is a must because it gives notice of the security event. Awareness of the event allows the organization to respond and contain the incident. Audit trails and access logs must be continually monitored. They enable the organization to locate where breaches are occurring and how often. This information helps the security team reduce vulnerabilities.
1. Smart Cards
2. Proximity Readers and RFID
3. Intrusion Detection, Guards and CCTV
4. Auditing Physical Access
1. Smart Cards
Token cards have microchips and integrated circuits built into the cards that process data. Microchips and integrated circuits enable the smart card to do two-factor authentication. This authentication control helps keep unauthorized attackers or employees from accessing rooms they are not permitted to enter.
2. Proximity Readers and RFID
Access control systems use proximity readers to scan cards and determine whether the card holder is authorized to enter the facility or area.
3. Intrusion Detection, Guards and CCTV
If equipment is relocated without approval, intrusion detection systems (IDSs) can monitor and notify of unauthorized entries. IDSs are essential to security because the systems can send a warning if a specific event occurs or if access was attempted at an unusual time.
4. Auditing Physical Access
Auditing physical access control systems requires the use of logs and audit trails to determine where and when a person gained unauthorized entry into the facility or attempted to break in.
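The auditing point above, worked through as an added example that is not part of the original slides: a small Python audit over constructed badge-reader log lines that flags a door opened for someone whose role does not permit that zone (the role-based zoning described under Physical Controls), activity outside business hours (the "unusual time" warning an IDS sends), and a burst of denied attempts at one door (an attempted break-in). The role directory, zone map, business hours and thresholds are hypothetical values.

```python
"""Audit of physical access logs: added example, not from the original slides.

Constructed badge-reader events are checked against three rules drawn from the
text: role-based zoning, access at unusual times, and repeated denied attempts.
All badge IDs, roles, zones, hours and thresholds are hypothetical.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical role -> zones the role may enter (restricted / private / public zoning)
ROLE_ZONES = {
    "visitor": {"lobby"},
    "developer": {"lobby", "office"},
    "dc_operator": {"lobby", "office", "datacenter"},
}
# Hypothetical badge directory
BADGE_ROLE = {"B1001": "developer", "B2002": "dc_operator", "B3003": "visitor"}

BUSINESS_HOURS = (7, 20)               # 07:00 <= hour < 20:00 counts as normal
DENIED_THRESHOLD = 3                   # denials within the window before alerting
DENIED_WINDOW = timedelta(minutes=5)

# Constructed sample export from a badge-reader system (not real data)
SAMPLE_LOG = """\
timestamp,badge,zone,result
2024-03-04T08:02:10,B1001,lobby,granted
2024-03-04T08:02:45,B1001,office,granted
2024-03-04T08:05:00,B2002,datacenter,granted
2024-03-04T12:30:00,B3003,lobby,granted
2024-03-04T12:31:00,B3003,office,granted
2024-03-04T23:15:00,B1001,office,granted
2024-03-04T23:16:00,B1001,datacenter,denied
2024-03-04T23:16:20,B1001,datacenter,denied
2024-03-04T23:16:40,B1001,datacenter,denied
2024-03-04T23:17:00,B1001,datacenter,denied
"""


def parse_log(text):
    """Parse CSV export rows into dicts with a real datetime."""
    return [
        {"ts": datetime.fromisoformat(r["timestamp"]), "badge": r["badge"],
         "zone": r["zone"], "result": r["result"]}
        for r in csv.DictReader(io.StringIO(text))
    ]


def audit(rows):
    """Return (rule, badge, zone, timestamp) alerts in log order."""
    alerts = []
    recent_denied = defaultdict(list)       # badge -> timestamps of recent denials
    for r in rows:
        allowed = ROLE_ZONES.get(BADGE_ROLE.get(r["badge"]), set())
        # Rule 1: a door opened for someone whose role does not permit that zone.
        # A granted event here means a badge or reader is misconfigured or misused.
        if r["result"] == "granted" and r["zone"] not in allowed:
            alerts.append(("zone_violation", r["badge"], r["zone"], r["ts"]))
        # Rule 2: any activity outside business hours is an "unusual time" event.
        start, end = BUSINESS_HOURS
        if not start <= r["ts"].hour < end:
            alerts.append(("after_hours", r["badge"], r["zone"], r["ts"]))
        # Rule 3: a burst of denials on one badge looks like an attempted break-in.
        if r["result"] == "denied":
            hist = recent_denied[r["badge"]]
            hist.append(r["ts"])
            hist[:] = [t for t in hist if r["ts"] - t <= DENIED_WINDOW]
            if len(hist) == DENIED_THRESHOLD:   # fire once when the threshold is hit
                alerts.append(("repeated_denied", r["badge"], r["zone"], r["ts"]))
    return alerts


def summarize(alerts):
    """Count alerts per rule, e.g. {'zone_violation': 1, ...}."""
    counts = defaultdict(int)
    for rule, *_ in alerts:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    found = audit(parse_log(SAMPLE_LOG))
    for rule, badge, zone, ts in found:
        print(f"{ts.isoformat()}  {rule:16} badge={badge} zone={zone}")
    print(summarize(found))
```

On the sample log the visitor badge B3003 being admitted to the office, the late-night activity on B1001 and its run of data-center denials each surface as separate alerts that an auditor can then trace back to the reader and badge involved.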
Summary
Physical protection can be achieved by creating
one or more physical barriers around the
organization’s premises and information processing
facilities. The use of multiple barriers gives
additional protection, where the failure of a single
barrier does not mean that security is immediately
compromised.
Chapter IV
Supplier Relationships
Learning Objectives:
At the end of this chapter, you will be able to:
• Identify the policy statement.
• Engage with the scope and application of the policy.
• Elaborate the definitions used in supplier relationships.
• Understand the supplier relationship security policy.
• Engage with IT division practices.
• Recognize remote access monitoring.
• Distinguish the contract requirements.
Learning Outline
• POLICY STATEMENT
• SCOPE AND APPLICATION OF THE POLICY
• DEFINITIONS
• SUPPLIER RELATIONSHIP SECURITY POLICY
• IT DIVISION PRACTICES
• REMOTE ACCESS MONITORING
• CONTRACT REQUIREMENTS
What are supplier relationships?
How do you manage supplier relationships?
What do you understand by supplier relations?
POLICY STATEMENT
• The security of information processed, transmitted or stored by organizations contracted by the Organization to provide those services needs to be ensured. This means that the Organization must put in place and manage contracts that protect the confidentiality, integrity and availability of information handled by suppliers of these services.
SCOPE AND APPLICATION OF THE POLICY
• This policy applies to all Organization information technology systems that are supported by suppliers, whether the system or service provided is on-premises or not.
DEFINITIONS
A. Suppliers
Shall mean vendors, contractors or other third parties that provide software or IT services to the Organization through a contract or other agreement.
B. Soft token
Shall mean a software-based security token that generates a single-use login PIN.
C. RFP (Request for proposal)
Shall mean either a request for proposal or an invitation for bid.
SUPPLIER RELATIONSHIP SECURITY POLICY
A. IT Division Practices
B. Contract Requirements
IT Division Practices
Access Control
1. Supplier Accounts
Access must be granted to suppliers only when required for performing work and with the full knowledge and prior approval of the data steward or their designee for the pertinent data.
2. Multi-factor authentication
a. Suppliers needing access to systems that require multi-factor authentication must do so from an account tied to an individual.
b. When an exception to the single-individual-per-supplier-account rule is approved, multi-factor authentication to the account must be accomplished by utilizing a soft token mechanism.
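As an added illustration of the soft-token requirement above (example code, not from the original slides): a TOTP generator per RFC 6238, assumed here as the soft-token mechanism since the slides name none, and a server-side verifier that ties the token to a supplier account and enforces the "single-use" property by refusing any PIN whose time step has already been consumed. The shared secret is the RFC 6238 test vector and the account name is constructed.

```python
"""Soft-token (TOTP) generation and single-use verification.

Added example: the page defines a soft token as software that generates a
single-use login PIN. TOTP (RFC 6238: HMAC-SHA1, 30-second step, 6 digits) is
ASSUMED here as the soft-token algorithm; the slides do not name one.
"""
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

STEP = 30      # seconds per time step (RFC 6238 default)
DIGITS = 6     # PIN length

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"); not a real key
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


class SoftTokenVerifier:
    """Server side: checks a supplier account's PIN and enforces single use.

    A PIN is accepted once only. The verifier remembers the highest time-step
    counter already consumed per account and refuses anything at or below it,
    so a PIN observed in transit cannot be replayed, even within the
    clock-drift window that would otherwise still accept it.
    """

    def __init__(self, window: int = 1):
        self.window = window                      # drift tolerated, in steps either side
        self.secrets: Dict[str, bytes] = {}        # account -> shared secret
        self.last_counter: Dict[str, int] = {}     # account -> last consumed counter

    def enroll(self, account: str, secret: bytes) -> None:
        self.secrets[account] = secret
        self.last_counter[account] = -1

    def verify(self, account: str, pin: str, at_time: Optional[float] = None) -> bool:
        secret = self.secrets.get(account)
        if secret is None:
            return False                          # unknown supplier account
        now = int(time.time() if at_time is None else at_time) // STEP
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter[account]:
                continue                          # already consumed: single-use rule
            if hmac.compare_digest(hotp(secret, counter), pin):
                self.last_counter[account] = counter
                return True
        return False


if __name__ == "__main__":
    verifier = SoftTokenVerifier()
    verifier.enroll("vendor-acme", RFC_SECRET)    # constructed account name
    pin = totp(RFC_SECRET, time.time())
    print("first use accepted:", verifier.verify("vendor-acme", pin))
    print("replay accepted:   ", verifier.verify("vendor-acme", pin))
```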
Remote Access Monitoring
• When required for regulatory compliance, supplier access to on-premises systems must be monitored or logged. This may be done using active monitoring by staff or by session logging done with software.
Contract Requirements
IT contract requirements
• Contracts that relate to services where data is stored off-campus must utilize the standard IT contract addendum, or contract language that sufficiently ensures the security of the data.
• When purchasing software solutions, either hosted or on-premises, where the Organization has not issued an RFP, the supplier must complete the IT Solution Initial Assessment Tool. Responses to this tool must be analyzed and approved by IT prior to signing a contract.
Be ready for Termly Examination
Samuel Loomis56 views
New Age Red Teaming - Enterprise Infilteration von Shritam Bhowmick
New Age Red Teaming - Enterprise InfilterationNew Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise Infilteration
Shritam Bhowmick558 views
Future Cyber Attacks & Solution - Symantec von CheapSSLsecurity
Future Cyber Attacks & Solution - SymantecFuture Cyber Attacks & Solution - Symantec
Future Cyber Attacks & Solution - Symantec
CheapSSLsecurity614 views
Preparing for future attacks - the right security strategy von RapidSSLOnline.com
Preparing for future attacks - the right security strategyPreparing for future attacks - the right security strategy
Preparing for future attacks - the right security strategy
RapidSSLOnline.com369 views
10 Tips to Improve Your Security Incident Readiness and Reponse von EMC
10 Tips to Improve Your Security Incident Readiness and Reponse10 Tips to Improve Your Security Incident Readiness and Reponse
10 Tips to Improve Your Security Incident Readiness and Reponse
EMC919 views
Incident response methodology von Piyush Jain
Incident response methodologyIncident response methodology
Incident response methodology
Piyush Jain578 views
Risk Management von ijtsrd
Risk ManagementRisk Management
Risk Management
ijtsrd23 views
Automated Incident Handling Using SIM von Anton Chuvakin
Automated Incident Handling Using SIMAutomated Incident Handling Using SIM
Automated Incident Handling Using SIM
Anton Chuvakin693 views
Preparing for future attacks. Solution Brief: Implementing the right securit... von Symantec
Preparing for future attacks.  Solution Brief: Implementing the right securit...Preparing for future attacks.  Solution Brief: Implementing the right securit...
Preparing for future attacks. Solution Brief: Implementing the right securit...
Symantec2.4K views
Information security background von Nicholas Davis
Information security backgroundInformation security background
Information security background
Nicholas Davis1.5K views
Information Security Background von Nicholas Davis
Information Security BackgroundInformation Security Background
Information Security Background
Nicholas Davis4.4K views
Incident ResponseAs a security professional, you will.docx von MARRY7
 Incident ResponseAs a security professional, you will.docx Incident ResponseAs a security professional, you will.docx
Incident ResponseAs a security professional, you will.docx
MARRY77 views
11-Incident Response, Risk Management Sample Question and Answer-24-06-2023.ppt von abhichowdary16
11-Incident Response, Risk Management Sample Question and Answer-24-06-2023.ppt11-Incident Response, Risk Management Sample Question and Answer-24-06-2023.ppt
11-Incident Response, Risk Management Sample Question and Answer-24-06-2023.ppt
abhichowdary168 views
Importance Of Structured Incident Response Process von Anton Chuvakin
Importance Of Structured Incident Response ProcessImportance Of Structured Incident Response Process
Importance Of Structured Incident Response Process
Anton Chuvakin5.9K views

Más de Mark John Lado, MIT

Optimizing Embedded System Device Communication with Network Topology Design von
Optimizing Embedded System Device Communication with Network Topology DesignOptimizing Embedded System Device Communication with Network Topology Design
Optimizing Embedded System Device Communication with Network Topology DesignMark John Lado, MIT
19 views6 Folien
Embedded Systems IO Peripherals Wireless Communication.pdf von
Embedded Systems IO Peripherals Wireless Communication.pdfEmbedded Systems IO Peripherals Wireless Communication.pdf
Embedded Systems IO Peripherals Wireless Communication.pdfMark John Lado, MIT
16 views16 Folien
Implementing the 6S Lean Methodology for Streamlined Computer System Maintena... von
Implementing the 6S Lean Methodology for Streamlined Computer System Maintena...Implementing the 6S Lean Methodology for Streamlined Computer System Maintena...
Implementing the 6S Lean Methodology for Streamlined Computer System Maintena...Mark John Lado, MIT
21 views9 Folien
4 Module - Operating Systems Configuration and Use by Mark John Lado von
4 Module - Operating Systems Configuration and Use by Mark John Lado4 Module - Operating Systems Configuration and Use by Mark John Lado
4 Module - Operating Systems Configuration and Use by Mark John LadoMark John Lado, MIT
156 views29 Folien
3 Module - Operating Systems Configuration and Use by Mark John Lado von
3 Module - Operating Systems Configuration and Use by Mark John Lado3 Module - Operating Systems Configuration and Use by Mark John Lado
3 Module - Operating Systems Configuration and Use by Mark John LadoMark John Lado, MIT
5 views19 Folien
1 Module - Operating Systems Configuration and Use by Mark John Lado von
1 Module - Operating Systems Configuration and Use by Mark John Lado1 Module - Operating Systems Configuration and Use by Mark John Lado
1 Module - Operating Systems Configuration and Use by Mark John LadoMark John Lado, MIT
14 views17 Folien

Más de Mark John Lado, MIT(20)

Optimizing Embedded System Device Communication with Network Topology Design von Mark John Lado, MIT
Optimizing Embedded System Device Communication with Network Topology DesignOptimizing Embedded System Device Communication with Network Topology Design
Optimizing Embedded System Device Communication with Network Topology Design
Embedded Systems IO Peripherals Wireless Communication.pdf von Mark John Lado, MIT
Embedded Systems IO Peripherals Wireless Communication.pdfEmbedded Systems IO Peripherals Wireless Communication.pdf
Embedded Systems IO Peripherals Wireless Communication.pdf
Implementing the 6S Lean Methodology for Streamlined Computer System Maintena... von Mark John Lado, MIT
Implementing the 6S Lean Methodology for Streamlined Computer System Maintena...Implementing the 6S Lean Methodology for Streamlined Computer System Maintena...
Implementing the 6S Lean Methodology for Streamlined Computer System Maintena...
4 Module - Operating Systems Configuration and Use by Mark John Lado von Mark John Lado, MIT
4 Module - Operating Systems Configuration and Use by Mark John Lado4 Module - Operating Systems Configuration and Use by Mark John Lado
4 Module - Operating Systems Configuration and Use by Mark John Lado
3 Module - Operating Systems Configuration and Use by Mark John Lado von Mark John Lado, MIT
3 Module - Operating Systems Configuration and Use by Mark John Lado3 Module - Operating Systems Configuration and Use by Mark John Lado
3 Module - Operating Systems Configuration and Use by Mark John Lado
1 Module - Operating Systems Configuration and Use by Mark John Lado von Mark John Lado, MIT
1 Module - Operating Systems Configuration and Use by Mark John Lado1 Module - Operating Systems Configuration and Use by Mark John Lado
1 Module - Operating Systems Configuration and Use by Mark John Lado
2 Module - Operating Systems Configuration and Use by Mark John Lado von Mark John Lado, MIT
2 Module - Operating Systems Configuration and Use by Mark John Lado2 Module - Operating Systems Configuration and Use by Mark John Lado
2 Module - Operating Systems Configuration and Use by Mark John Lado
PART 1 CT-318-Microprocessor-Systems Lesson 3 - LED Display by Mark John Lado... von Mark John Lado, MIT
PART 1 CT-318-Microprocessor-Systems Lesson 3 - LED Display by Mark John Lado...PART 1 CT-318-Microprocessor-Systems Lesson 3 - LED Display by Mark John Lado...
PART 1 CT-318-Microprocessor-Systems Lesson 3 - LED Display by Mark John Lado...
PART 2 CT-318-Microprocessor-Systems Lesson 3 - LED Display by Mark John Lado... von Mark John Lado, MIT
PART 2 CT-318-Microprocessor-Systems Lesson 3 - LED Display by Mark John Lado...PART 2 CT-318-Microprocessor-Systems Lesson 3 - LED Display by Mark John Lado...
PART 2 CT-318-Microprocessor-Systems Lesson 3 - LED Display by Mark John Lado...
PART 3 CT-318-Microprocessor-Systems Lesson 3 - LED Display by Mark John Lado... von Mark John Lado, MIT
PART 3 CT-318-Microprocessor-Systems Lesson 3 - LED Display by Mark John Lado...PART 3 CT-318-Microprocessor-Systems Lesson 3 - LED Display by Mark John Lado...
PART 3 CT-318-Microprocessor-Systems Lesson 3 - LED Display by Mark John Lado...
Computer hacking and security - Social Responsibility of IT Professional by M... von Mark John Lado, MIT
Computer hacking and security - Social Responsibility of IT Professional by M...Computer hacking and security - Social Responsibility of IT Professional by M...
Computer hacking and security - Social Responsibility of IT Professional by M...
A WIRELESS DIGITAL PUBLIC ADDRESS WITH VOICE ALARM AND TEXT-TO-SPEECH FEATURE... von Mark John Lado, MIT
A WIRELESS DIGITAL PUBLIC ADDRESS WITH VOICE ALARM AND TEXT-TO-SPEECH FEATURE...A WIRELESS DIGITAL PUBLIC ADDRESS WITH VOICE ALARM AND TEXT-TO-SPEECH FEATURE...
A WIRELESS DIGITAL PUBLIC ADDRESS WITH VOICE ALARM AND TEXT-TO-SPEECH FEATURE...
IT Infrastructure and Network Technologies - Finals by Mark John Lado von Mark John Lado, MIT
IT Infrastructure and Network Technologies - Finals by Mark John LadoIT Infrastructure and Network Technologies - Finals by Mark John Lado
IT Infrastructure and Network Technologies - Finals by Mark John Lado
Foundations of Information System in Business - Mark John Lado von Mark John Lado, MIT
Foundations of Information System in Business - Mark John LadoFoundations of Information System in Business - Mark John Lado
Foundations of Information System in Business - Mark John Lado
IT infrastructure and network technologies for Semi Final von Mark John Lado, MIT
IT infrastructure and network technologies for Semi FinalIT infrastructure and network technologies for Semi Final
IT infrastructure and network technologies for Semi Final

Último

Java Simplified: Understanding Programming Basics von
Java Simplified: Understanding Programming BasicsJava Simplified: Understanding Programming Basics
Java Simplified: Understanding Programming BasicsAkshaj Vadakkath Joshy
676 views155 Folien
Career Building in AI - Technologies, Trends and Opportunities von
Career Building in AI - Technologies, Trends and OpportunitiesCareer Building in AI - Technologies, Trends and Opportunities
Career Building in AI - Technologies, Trends and OpportunitiesWebStackAcademy
51 views44 Folien
JRN 362 - Lecture Twenty-Two von
JRN 362 - Lecture Twenty-TwoJRN 362 - Lecture Twenty-Two
JRN 362 - Lecture Twenty-TwoRich Hanley
39 views157 Folien
Papal.pdf von
Papal.pdfPapal.pdf
Papal.pdfMariaKenney3
76 views24 Folien
What is Digital Transformation? von
What is Digital Transformation?What is Digital Transformation?
What is Digital Transformation?Mark Brown
46 views11 Folien
The Picture Of A Photograph von
The Picture Of A PhotographThe Picture Of A Photograph
The Picture Of A PhotographEvelyn Donaldson
38 views81 Folien

Último(20)

Career Building in AI - Technologies, Trends and Opportunities von WebStackAcademy
Career Building in AI - Technologies, Trends and OpportunitiesCareer Building in AI - Technologies, Trends and Opportunities
Career Building in AI - Technologies, Trends and Opportunities
WebStackAcademy51 views
JRN 362 - Lecture Twenty-Two von Rich Hanley
JRN 362 - Lecture Twenty-TwoJRN 362 - Lecture Twenty-Two
JRN 362 - Lecture Twenty-Two
Rich Hanley39 views
What is Digital Transformation? von Mark Brown
What is Digital Transformation?What is Digital Transformation?
What is Digital Transformation?
Mark Brown46 views
JQUERY.pdf von ArthyR3
JQUERY.pdfJQUERY.pdf
JQUERY.pdf
ArthyR3114 views
JRN 362 - Lecture Twenty-Three (Epilogue) von Rich Hanley
JRN 362 - Lecture Twenty-Three (Epilogue)JRN 362 - Lecture Twenty-Three (Epilogue)
JRN 362 - Lecture Twenty-Three (Epilogue)
Rich Hanley44 views
11.21.23 Economic Precarity and Global Economic Forces.pptx von mary850239
11.21.23 Economic Precarity and Global Economic Forces.pptx11.21.23 Economic Precarity and Global Economic Forces.pptx
11.21.23 Economic Precarity and Global Economic Forces.pptx
mary85023994 views
ANGULARJS.pdf von ArthyR3
ANGULARJS.pdfANGULARJS.pdf
ANGULARJS.pdf
ArthyR354 views
Payment Integration using Braintree Connector | MuleSoft Mysore Meetup #37 von MysoreMuleSoftMeetup
Payment Integration using Braintree Connector | MuleSoft Mysore Meetup #37Payment Integration using Braintree Connector | MuleSoft Mysore Meetup #37
Payment Integration using Braintree Connector | MuleSoft Mysore Meetup #37
Creative Restart 2023: Christophe Wechsler - From the Inside Out: Cultivating... von Taste
Creative Restart 2023: Christophe Wechsler - From the Inside Out: Cultivating...Creative Restart 2023: Christophe Wechsler - From the Inside Out: Cultivating...
Creative Restart 2023: Christophe Wechsler - From the Inside Out: Cultivating...
Taste39 views
GSoC 2024 .pdf von ShabNaz2
GSoC 2024 .pdfGSoC 2024 .pdf
GSoC 2024 .pdf
ShabNaz245 views
INT-244 Topic 6b Confucianism von S Meyer
INT-244 Topic 6b ConfucianismINT-244 Topic 6b Confucianism
INT-244 Topic 6b Confucianism
S Meyer51 views

IT Security and Management - Semi Finals by Mark John Lado

Slide 1. IT Security and Management
1. Incident Response
2. Operational Security
3. Physical and Environmental Security
4. Supplier Relationships
Semi Finals – Bachelor of Science in Information System

Slide 5. Drill
• Havoc - widespread destruction
• Wreak Havoc - to cause great damage
• Data Breach - a security incident in which information is accessed without authorization.
• Alienate - a withdrawing or separation of a person

Slide 6. Learning Objectives
At the end of this chapter, you will be able to:
• Recognize incident response.
• Know why incident response is important.
• Engage with the three elements of incident response management.
• Become familiar with the six steps of an incident response plan.

Slide 8. What is Incident Response?
A term used to describe the process by which an organization handles a data breach or cyber attack, including the way the organization attempts to manage the consequences of the attack or breach (the “incident”).

Slide 9. What is Incident Response?
• Incident response is the methodology an organization uses to respond to and manage a cyber-attack. An attack or data breach can wreak havoc, potentially affecting customers, intellectual property, company time and resources, and brand value.

Slide 10. What is Incident Response?
• Incident response aims to reduce this damage and recover as quickly as possible. Investigation is also a key component, in order to learn from the attack and better prepare for the future.

Slide 11. What is Incident Response?
• Because many companies today experience a breach at some point in time, a well-developed and repeatable incident response plan is the best way to protect your company.

Slide 13. Why is Incident Response Important?
• As cyber-attacks increase in scale and frequency, incident response plans become more vital to a company’s cyber defenses. Poor incident response can alienate customers.

Slide 14. Who is the Incident Response Team?
• The company should look to its “Computer Incident Response Team (CIRT)” to lead incident response efforts.

Slide 15. Who is the Incident Response Team?
• This team is comprised of experts from upper-level management, IT, information security, IT auditors when available, as well as any physical security staff who can aid when an incident involves direct contact with company systems. Incident response should also be supported by HR, legal, and PR or communications.

Slide 16. Those Responsible for Incident Response
Incident Response Manager: oversees and prioritizes action during the detection, analysis and containment of an incident.

Slide 17. Those Responsible for Incident Response
Security Analyst: supports the manager and works directly with the affected network to research the time, location and details of an incident.

Slide 18. Those Responsible for Incident Response
Triage Analyst: filters out false positives and keeps an eye out for potential intrusions.

Slide 19. Elements of Incident Response Management
1. Incident Response Plan
2. Incident Response Team
3. Incident Response Tools

Slide 20. Incident Response Plan
An incident response plan should prepare your team to deal with threats: how to isolate incidents and identify their severity, how to stop the attack and eradicate the underlying cause, how to recover production systems, and how to conduct a post-mortem analysis to prevent future attacks.

Slide 21. Steps of Incident Response Plan
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons learned

Slide 22. Steps of Incident Response Plan: 1. Preparation
• List all possible threat scenarios.
• Develop policies to implement in the event of a cyber attack.
• Develop a communication plan.
• Outline the roles, responsibilities, and procedures of your team.

Slide 23. Steps of Incident Response Plan: 1. Preparation
• Establish a corporate security policy.
• Recruit and train team members; ensure they have access to relevant systems.
• Ensure team members have access to relevant technologies and tools.

Slide 24. Steps of Incident Response Plan: 2. Identification
• Identify and assess the incident and gather evidence.
• Decide on the severity and type of the incident and escalate if necessary.

Slide 25. Steps of Incident Response Plan: 2. Identification
• Document actions taken, addressing “who, what, where, why, and how.” This information may be used later as evidence if the incident reaches a court of law.

Slide 26. Steps of Incident Response Plan: 3. Containment
The act of preventing the expansion of harm. Typically involves disconnecting affected computers from the network.

Slide 27. Steps of Incident Response Plan: 4. Eradication
Finding the root cause of the incident and removing affected systems from the production environment.

Slide 28. Steps of Incident Response Plan: 4. Eradication
These steps may change the configuration of the organization. The aim is to make changes while minimizing the effect on the operations of the organization. You can achieve this by stopping the bleeding and limiting the amount of data that is exposed.

Slide 29. Steps of Incident Response Plan: 5. Recovery
Ensure that affected systems are no longer in danger and can be restored to working condition. The purpose of this phase is to bring affected systems back into the production environment carefully, to ensure they will not lead to another incident.

Slide 30. Steps of Incident Response Plan: 5. Recovery
Ensure another incident doesn’t occur by restoring systems from clean backups, replacing compromised files with clean versions, rebuilding systems from scratch, installing patches, changing passwords and reinforcing network perimeter security.

Slide 31. Steps of Incident Response Plan: 6. Lessons learned
Complete incident documentation, perform analysis to learn from the incident, and potentially improve future response efforts. Complete any documentation that couldn’t be prepared during the response process. The team should identify how the incident was managed and eradicated.
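Slide 25 says the actions taken during Identification must be documented as “who, what, where, why, and how” because the record may end up in court. The following is an added example (not from the slides) of what such a record can look like in code: each action is logged under one of the six plan phases, any collected evidence is fingerprinted with SHA-256, and the entries are hash-chained so that a later edit, deletion or reordering of the record is detectable. The incident id, host name and log line are constructed for illustration.

```python
"""Incident record for the Identification step: every action is documented
with who, what, where, why and how, collected evidence is fingerprinted with
SHA-256, and entries are hash-chained so that any later edit to the record is
detectable. Added example; incident id, hosts and log line are constructed."""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

# The six steps of the incident response plan (slide 21).
PHASES = ("preparation", "identification", "containment",
          "eradication", "recovery", "lessons_learned")
GENESIS = "0" * 64   # prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Entry:
    seq: int
    phase: str
    timestamp: str
    who: str
    what: str
    where: str
    why: str
    how: str
    evidence_sha256: Optional[str]   # fingerprint of any evidence attached
    prev_hash: str                   # hash of the previous entry (chain link)
    entry_hash: str = ""             # hash over all fields above


class IncidentRecord:
    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.entries: List[Entry] = []

    @staticmethod
    def _digest(entry: Entry) -> str:
        body = asdict(entry)
        body.pop("entry_hash")
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def log(self, phase, timestamp, who, what, where, why, how,
            evidence: Optional[bytes] = None) -> Entry:
        if phase not in PHASES:
            raise ValueError(f"unknown phase: {phase}")
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = Entry(len(self.entries), phase, timestamp, who, what, where, why, how,
                      sha256_hex(evidence) if evidence is not None else None, prev)
        entry.entry_hash = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True if no entry has been altered, removed or reordered."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or self._digest(e) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def phases_covered(self) -> List[str]:
        return [p for p in PHASES if any(e.phase == p for e in self.entries)]


# Constructed sample: one IDS log line standing in for collected evidence.
SAMPLE_EVIDENCE = b"2024-01-01T00:00:00Z host=ws-17 alert=unexpected outbound connection\n"


def build_sample_record() -> IncidentRecord:
    rec = IncidentRecord("INC-EXAMPLE-001")   # constructed id
    rec.log("identification", "2024-01-01T00:05:00Z", "triage analyst",
            "confirmed alert as a true positive", "ws-17",
            "outbound connection not on the allowlist",
            "compared IDS alert with asset inventory", evidence=SAMPLE_EVIDENCE)
    rec.log("containment", "2024-01-01T00:20:00Z", "security analyst",
            "isolated host from the network", "ws-17",
            "prevent expansion of harm", "disabled the switch port")
    rec.log("eradication", "2024-01-01T03:00:00Z", "security analyst",
            "removed host from production for rebuild", "ws-17",
            "root cause was a compromised local account",
            "reimaged from a clean image, rotated credentials")
    return rec


def tamper_demo():
    """Returns (verified_before, verified_after) editing one entry in place."""
    rec = build_sample_record()
    before = rec.verify()
    rec.entries[1].what = "no action taken"   # simulated after-the-fact edit
    return before, rec.verify()
```

The chain only proves that the record has not changed since it was written; in practice the final hash would also be stored somewhere the responders cannot edit (a write-once log or a signed ticket) so that a wholesale rewrite is just as visible.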
Slide 32. The Incident Response Team
• To prepare for and attend to incidents, you should form a centralized incident response team, responsible for identifying security breaches and taking responsive actions.

Slide 33. The Incident Response Team
The team should include:
• Incident response manager (team leader)
• Security analysts
• Lead investigator
• Threat researchers
• Communications lead
• Documentation and timeline lead
• Legal representation

Slide 34. Incident Response Tools
• Cyber incident response tools are most often used by security teams to test for vulnerabilities and to provide an emergency incident response to compromised networks and applications, helping them take the appropriate incident response steps.

Slide 35. Summary
Incident response is an approach to handling security breaches. The aim of incident response is to identify an attack, contain the damage, and eradicate the root cause of the incident. An incident can be defined as any breach of law, policy or unacceptable act that concerns information assets, such as networks, computers, or smartphones.
Slide 40. Learning Objectives
At the end of this chapter, you will be able to:
• Understand what operational security is.
• Engage with the five steps of operational security.
• Recognize the best practices for operational security.
• Apply confidentiality, integrity, availability, and non-repudiation in the corporate world.

Slide 41. Learning Outline
1. OPERATIONAL SECURITY
2. THE FIVE STEPS OF OPERATIONAL SECURITY
3. BEST PRACTICES FOR OPERATIONAL SECURITY

Slide 42. OPERATIONAL SECURITY
• Operational security (OPSEC), also known as procedural security, is a risk management process that encourages managers to view operations from the perspective of an adversary in order to protect sensitive information from falling into the wrong hands.

Slide 43. OPERATIONAL SECURITY
• Though originally used by the military, OPSEC is becoming popular in the private sector as well. Things that fall under the OPSEC umbrella include monitoring behaviors and habits on social media sites as well as discouraging employees from sharing login credentials via email or text message.

Slide 45. THE FIVE STEPS OF OPERATIONAL SECURITY
The processes involved in operational security can be neatly categorized into five steps:
1. Identify your sensitive data.
2. Identify possible threats.
3. Analyze security holes and other vulnerabilities.
4. Appraise the level of risk associated with each vulnerability.
5. Get countermeasures in place.

Slide 46. THE FIVE STEPS OF OPERATIONAL SECURITY
1. Identify your sensitive data, including your product research, intellectual property, financial statements, customer information, and employee information. This is the data on which you will need to focus your protection resources.

Slide 47. THE FIVE STEPS OF OPERATIONAL SECURITY
2. Identify possible threats. For each category of information that you deem sensitive, you should identify what kinds of threats are present. While you should be wary of third parties trying to steal your information, you should also watch out for insider threats, such as negligent employees and disgruntled workers.

Slide 48. THE FIVE STEPS OF OPERATIONAL SECURITY
3. Analyze security holes and other vulnerabilities. Assess your current safeguards and determine what, if any, loopholes or weaknesses exist that may be exploited to gain access to your sensitive data.

Slide 49. THE FIVE STEPS OF OPERATIONAL SECURITY
4. Appraise the level of risk associated with each vulnerability. Rank your vulnerabilities using factors such as the likelihood of an attack happening, the extent of damage that you would suffer, and the amount of work and time you would need to recover. The more likely and damaging an attack is, the more you should prioritize mitigating the associated risk.

Slide 50. THE FIVE STEPS OF OPERATIONAL SECURITY
5. Get countermeasures in place. The last step of operational security is to create and implement a plan to eliminate threats and mitigate risks. This could include updating your hardware, creating new policies regarding sensitive data, or training employees on sound security practices and company policies.

Slide 51. THE FIVE STEPS OF OPERATIONAL SECURITY
5. Get countermeasures in place. Countermeasures should be straightforward and simple. Employees should be able to implement the measures required on their part with or without additional training.
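The five steps above are easiest to see carried through on one register. The following is an added example (not from the slides): each row names the sensitive data (step 1), the threat (step 2), the weakness found in current safeguards (step 3), the three ranking factors from step 4 scored 1 to 5 (likelihood, damage, recovery effort), and the planned countermeasure (step 5); `appraise` ranks the rows and `countermeasure_plan` emits the mitigations in priority order. The scoring formula, the band thresholds and the rows for the fictional company are constructed for illustration and are not prescribed by the slides.

```python
"""Risk register walking the five OPSEC steps. Added example; the scoring
formula, thresholds and sample rows are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class RiskItem:
    asset: str            # step 1: the sensitive data at stake
    threat: str           # step 2: who or what could exploit the weakness
    weakness: str         # step 3: the gap found in current safeguards
    likelihood: int       # step 4: how likely an attack is (1 rare .. 5 near certain)
    damage: int           # step 4: extent of damage suffered (1 minor .. 5 severe)
    recovery: int         # step 4: work and time to recover (1 hours .. 5 weeks)
    countermeasure: str   # step 5: the planned mitigation


def risk_score(item: RiskItem) -> int:
    """Product of the three step-4 factors; ranges from 1 to 125."""
    for name in ("likelihood", "damage", "recovery"):
        value = getattr(item, name)
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be 1..5, got {value}")
    return item.likelihood * item.damage * item.recovery


def risk_band(score: int) -> str:
    # Thresholds are an illustrative choice, not a standard.
    if score >= 60:
        return "high"
    if score >= 20:
        return "medium"
    return "low"


def appraise(register: List[RiskItem]) -> List[Tuple[int, str, RiskItem]]:
    """Step 4: rank items, most likely and most damaging first."""
    ranked = sorted(register, key=lambda i: (-risk_score(i), i.asset))
    return [(risk_score(i), risk_band(risk_score(i)), i) for i in ranked]


def countermeasure_plan(register: List[RiskItem]) -> List[str]:
    """Step 5: the mitigation list in priority order."""
    return [f"[{band}] {item.asset}: {item.countermeasure}"
            for _, band, item in appraise(register)]


# Constructed register for a fictional company.
SAMPLE_REGISTER = [
    RiskItem("customer database", "external attacker",
             "administrative interface reachable without multi-factor authentication",
             likelihood=4, damage=5, recovery=4,
             countermeasure="require MFA and restrict admin access to a management network"),
    RiskItem("payroll spreadsheets", "negligent employee",
             "files shared by unencrypted email",
             likelihood=4, damage=3, recovery=2,
             countermeasure="move to an access-controlled share and train staff"),
    RiskItem("product research", "disgruntled insider",
             "engineers keep full repository rights after changing roles",
             likelihood=2, damage=5, recovery=3,
             countermeasure="review privileges at every role change"),
    RiskItem("financial statements", "third-party provider",
             "backups held by vendor without encryption at rest",
             likelihood=2, damage=4, recovery=2,
             countermeasure="encrypt backups and add the requirement to the vendor contract"),
]
```

Note how the ranking follows slide 49 rather than intuition: the insider row scores above the payroll row even though the payroll weakness is more likely, because the damage and recovery factors weigh it down.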
Slide 52. BEST PRACTICES FOR OPERATIONAL SECURITY
Follow these best practices to implement a robust, comprehensive operational security program:

Slide 53. BEST PRACTICES FOR OPERATIONAL SECURITY
1. Implement precise change management processes that your employees should follow when network changes are performed. All changes should be logged and controlled so they can be monitored and audited.

Slide 54. BEST PRACTICES FOR OPERATIONAL SECURITY
2. Restrict access to network devices using AAA authentication. In the military and other government entities, a “need-to-know” basis is often used as a rule of thumb regarding access and sharing of information.

Slide 55. AAA authentication
• Authentication, authorization, and accounting (AAA) is a term for a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. These combined processes are considered important for effective network management and security.

Slide 56. BEST PRACTICES FOR OPERATIONAL SECURITY
3. Give your employees the minimum access necessary to perform their jobs. Practice the principle of least privilege.

Slide 57. BEST PRACTICES FOR OPERATIONAL SECURITY
4. Implement dual control. Make sure that those who work on your network are not the same people in charge of security.

Slide 58. BEST PRACTICES FOR OPERATIONAL SECURITY
5. Automate tasks to reduce the need for human intervention. Humans are the weakest link in any organization’s operational security initiatives because they make mistakes, overlook details, forget things, and bypass processes.

Slide 59. BEST PRACTICES FOR OPERATIONAL SECURITY
6. Incident response and disaster recovery planning are always crucial components of a sound security posture. Even when operational security measures are robust, you must have a plan to identify risks, respond to them, and mitigate potential damages.
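Practices 1 to 4 above (logged changes, AAA, least privilege, dual control) fit together in one access gate. The following is an added example (not from the slides) of such a gate for network device changes: authentication checks a salted PBKDF2 password hash, authorization grants only the permissions of the caller’s roles, `approve_change` enforces dual control by requiring an approver who is a different person and who cannot make network changes themselves, and every decision, allowed or denied, is written to an accounting log. The users, roles, passwords and `network:*`/`change:approve` permission names are constructed for illustration.

```python
"""AAA gate for network devices: authentication, role-based authorization,
dual control for changes, and an accounting log. Added example; accounts,
roles and permission names are constructed, not taken from the slides."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Set

# Least privilege: each role carries only what that job needs.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "network_engineer": {"network:read", "network:change"},
    "change_approver": {"network:read", "change:approve"},
    "auditor": {"audit:read"},
}


def _hash_password(password: str, salt: bytes) -> bytes:
    # Iteration count is illustrative; tune it to your hardware.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class User:
    name: str
    roles: Set[str]
    salt: bytes
    pw_hash: bytes


class AAAGate:
    def __init__(self):
        self.users: Dict[str, User] = {}
        self.audit_log: List[dict] = []   # accounting: every decision, allowed or not

    def add_user(self, name: str, password: str, roles) -> None:
        salt = os.urandom(16)
        self.users[name] = User(name, set(roles), salt, _hash_password(password, salt))

    def _record(self, user: str, action: str, target: str, allowed: bool) -> None:
        self.audit_log.append({"user": user, "action": action,
                               "target": target, "allowed": allowed})

    def authenticate(self, name: str, password: str) -> bool:
        user = self.users.get(name)
        # Unknown users are still hashed against a dummy salt so timing is uniform.
        salt = user.salt if user else b"\x00" * 16
        expected = user.pw_hash if user else b"\x00" * 32
        ok = hmac.compare_digest(_hash_password(password, salt), expected) and user is not None
        self._record(name, "authenticate", "-", ok)
        return ok

    def permissions(self, name: str) -> Set[str]:
        user = self.users.get(name)
        if user is None:
            return set()
        return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.roles))

    def authorize(self, name: str, permission: str) -> bool:
        allowed = permission in self.permissions(name)
        self._record(name, "authorize", permission, allowed)
        return allowed

    def approve_change(self, requester: str, approver: str) -> bool:
        """Dual control: the approver must be a different person who
        cannot make network changes themselves (slide 57)."""
        ok = (requester != approver
              and self.authorize(requester, "network:change")
              and self.authorize(approver, "change:approve")
              and "network:change" not in self.permissions(approver))
        self._record(approver, "approve_change", f"request by {requester}", ok)
        return ok

    def denied_events(self) -> List[dict]:
        """What an auditor reviews first: every refused decision."""
        return [e for e in self.audit_log if not e["allowed"]]


def build_sample_gate() -> AAAGate:
    gate = AAAGate()   # constructed accounts and passwords
    gate.add_user("alice", "alice-demo-pass", ["network_engineer"])
    gate.add_user("bob", "bob-demo-pass", ["change_approver"])
    gate.add_user("carol", "carol-demo-pass", ["auditor"])
    return gate
```

The accounting part is deliberately unconditional: a denied authorization is logged exactly like an allowed one, which is what makes the log useful for the monitoring and auditing slide 53 asks for.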
Slide 60. Operational Security (OPSEC)
• Risk management involves being able to identify threats and vulnerabilities before they become problems. Operational security forces managers to dive deeply into their operations and figure out where their information can be easily breached.

Slide 61. Operational Security (OPSEC)
• Looking at operations from a malicious third party’s perspective allows managers to spot vulnerabilities they may otherwise have missed, so that they can implement the proper countermeasures to protect sensitive data.
  • 63. Learning Objectives: At the end of this chapter, you will be able to; • Elaborate what is physical and environmental security. • Engage with the objectives of physical and environmental security. • Distinguish the physical security measures. • Recognize the physical controls. • Appreciate the essence of technical controls
  • 64. Learning Outline • Physical and environmental security • Objectives of Physical and Environmental Security • Physical Security Measures • Physical Controls • Technical Controls
  • 65. What does physical and environmental security mean?
  • 66. What does physical and environmental security mean? The protection of personnel, hardware, software, networks and data from physical actions and events that could cause serious loss or damage to an enterprise, agency or institution. This includes protection from fire, flood, natural disasters, burglary, theft, vandalism and terrorism.
  • 67. Objectives of Physical and Environmental Security 1. Prevent unauthorized physical access, damage, and interference to premises and information. 2. Ensure sensitive information and critical information technology are housed in secure areas. 3. Prevent loss, damage, theft, or compromise of assets. 4. Prevent interruption of activities.
  • 68. Objectives of Physical and Environmental Security 5. protect assets from physical and environmental threats. 6. ensure appropriate equipment location, removal, and disposal. 7. ensure appropriate supporting facilities (e.g., electrical supply, data and voice cabling infrastructure).
  • 69. PHYSICAL AND ENVIRONMENTAL SECURITY The term physical and environmental security refers to measures taken to protect systems, buildings, and related supporting infrastructure against threats associated with their physical environment.
  • 70. PHYSICAL AND ENVIRONMENTAL SECURITY Physical and environmental safeguards are often overlooked but are very important in protecting information. Physical security over past decades has become increasingly more difficult for organizations. Technology and computer environments now allow more compromises to occur due to increased vulnerabilities.
  • 71. PHYSICAL AND ENVIRONMENTAL SECURITY USB hard drives, laptops, tablets and smartphones allow for information to be lost or stolen because of portability and mobile access. In the early days of computers, they were large mainframe computers only used by a few people and were secured in locked rooms.
  • 72. PHYSICAL AND ENVIRONMENTAL SECURITY Today, desks are filled with desktop computers and mobile laptops that have access to company data from across the enterprise. Protecting data, networks and systems has become difficult to implement with mobile users able to take their computers out of the facilities.
  • 73. PHYSICAL AND ENVIRONMENTAL SECURITY Fraud, vandalism, sabotage, accidents, and theft are increasing costs for organizations since the environments are becoming more “complex and dynamic”. Physical security becomes tougher to manage as technology increases with complexity, and more vulnerabilities are enabled.
  • 74. PHYSICAL AND ENVIRONMENTAL SECURITY Buildings and rooms that house information and information technology systems must be afforded appropriate protection to avoid damage or unauthorized access to information and systems. In addition, the equipment housing this information (e.g., filing cabinets, data wiring, laptop computers, and portable disk drives) must be physically protected.
  • 75. PHYSICAL AND ENVIRONMENTAL SECURITY Equipment theft is of primary concern, but other issues should be considered, such as damage or loss caused by fire, flood, and sensitivity to temperature extra.
  • 76. PHYSICAL AND ENVIRONMENTAL SECURITY Physical and environmental security programs define the various measures or controls that protect organizations from loss of connectivity and availability of computer processing caused by theft, fire, flood, intentional destruction, unintentional damage, mechanical equipment failure and power failures.
  • 77. Physical security measures should be sufficient to deal with foreseeable threats and should be tested periodically for their effectiveness and functionality.
  • 78. Physical Security Measures 1. Determine which managers are responsible for planning, funding, and operations of physical security of the Data Center.
  • 79. Physical Security Measures 2. Review best practices and standards that can assist with evaluating physical security controls, such as ISO/IEC 27002:2013.
  • 80. Physical Security Measures 3. Establish a baseline by conducting a physical security controls gap assessment that will include the following as they relate to your campus Data Center:
  • 81. Physical Security Measures 3.1 Environmental Controls Monitoring and control of the conditions inside the Data Center: temperature and humidity (HVAC), fire detection and suppression, and water or leak detection, so that equipment is not damaged by the environment it runs in.
  • 83. Physical Security Measures 3.2 Natural Disaster Controls
  • 84. Physical Security Measures 3.3 Supporting Utility Controls
  • 85. Physical Security Measures 3.4 Physical Protection and Access Controls
  • 86. Physical Security Measures 3.5 System Reliability System reliability ensures the system keeps doing the job required of it; it goes hand in hand with security, which ensures the system does that job correctly. Although they approach the same problem from different angles, each depends on the other.
  • 87. Physical Security Measures 3.6 Physical Security Awareness and Training
  • 88. Physical Security Measures 3.7 Contingency Plans An alternative information systems security (INFOSEC) plan that is put into effect when normal business operations are interrupted by an emergency, failover or disaster. A contingency plan is closely related to, and often referred to as, a disaster recovery plan (DRP).
  • 89. Physical Security Measures 4. Determine whether an appropriate investment in physical security equipment (alarms, locks or other physical access controls, identification badges for high-security areas, etc.) has been made and if these controls have been tested and function correctly.
  • 90. Physical Security Measures 5. Provide responsible managers guidance in handling risks. For example, if the current investment in physical security controls is inadequate, this may allow unauthorized access to servers and network equipment. Inadequate funding for key positions with responsibility for IT physical security may result in poor monitoring, poor compliance with policies and standards, and overall poor physical security.
  • 91. Physical Security Measures 6. Maintain a secure repository of physical and environmental security controls and policies and establish timelines for their evaluation, update and modification.
  • 92. Physical Security Measures 7. Create a team of physical and environmental security auditors, outside of the management staff, to periodically assess the effectiveness of the measures taken and provide feedback on their usefulness and functionality.
  • 93. Physical Controls Facilities need physical access controls in place that control, monitor and manage access. Building sections should be categorized as restricted, private or public, and different access control levels are needed to restrict the zones each employee may enter according to their role.
  • 94. Physical Controls Many mechanisms exist that enable control and isolation of access privileges at facilities. These mechanisms are intended to discourage and detect access by unauthorized individuals.
  • 95. Physical Controls 1. Perimeter Security Mantraps, gates, fences and turnstiles are used outside of the facility to create an additional layer of security before accessing the building.
  • 96. Physical Controls 2. Badges Proof of identity is necessary to verify whether a person is an employee or a visitor. It comes in the form of name tags, badges and identification (ID) cards. Badges can also be smart cards that integrate with access control systems. Photographs, RFID tags, magnetic strips, computer chips and employee information are frequently included to help security staff validate the holder.
  • 97. Physical Controls 3. Motion Detectors Motion detectors offer different technology options depending on necessity. They are used as intrusion detection devices and work in combination with alarm systems. Infrared motion detectors observe changes in infrared light patterns. Heat-based motion detectors sense changes in heat levels. Wave pattern motion detectors use ultrasonic or microwave frequencies that monitor changes in reflected patterns.
  • 98. Physical Controls 4. Intrusion Alarms Alarms monitor various sensors and detectors. These devices are door and window contacts, glass break detectors, motion detectors, water sensors, and so on. Status changes in the devices trigger the alarm.
  • 99. Technical Controls The main focus of technical controls is access control because it is one of the most compromised areas of security. Smart cards are a technical control that can allow physical access into a building or secured room and securely log in to company networks and computers.
  • 100. Technical Controls Multiple, overlapping layers of defense are needed so that an attacker who gets past one layer does not gain direct access to company resources. Intrusion detection systems are essential technical controls because they detect an intrusion.
  • 101. Technical Controls Detection is a must because it notifies the organization of a security event. Awareness of the event allows the organization to respond and contain the incident. Audit trails and access logs must be monitored continually; they enable the organization to locate where breaches are occurring and how often.
  • 102. Technical Controls This information helps the security team reduce vulnerabilities. The technical controls covered here are: 1. Smart Cards 2. Proximity Readers and RFID 3. Intrusion Detection, Guards and CCTV 4. Auditing Physical Access
  • 103. Technical Controls 1. Smart Cards Token cards have microchips and integrated circuits built in that process data. This lets a smart card take part in two-factor authentication: the card is something the holder has, and the PIN or password used with it is something the holder knows. This authentication control helps keep unauthorized attackers or employees from entering rooms they are not permitted to enter.
  • 105. Technical Controls 2. Proximity Readers and RFID. Access control systems use proximity readers to scan cards (or RFID tags) and determine whether the holder is authorized to enter the facility or area.
  • 107. Technical Controls 3. Intrusion Detection, Guards and CCTV Intrusion detection systems (IDSs) monitor for and report unauthorized entries, and can also raise an alert if equipment is relocated without approval. IDSs are essential to security because they can send a warning when a specific event occurs or when access is attempted at an unusual time.
  • 109. Technical Controls 4. Auditing Physical Access Auditing a physical access control system requires logs and audit trails, which are used to determine where and when a person gained unauthorized entry to the facility or attempted to break in.
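As an added example (not part of the original slides), the following Python script shows what auditing physical access logs looks like in practice. It parses constructed badge-reader log lines and flags the two conditions the slides describe: access granted to a restricted zone at an unusual time, and a burst of denied attempts on one badge, which is what a forced entry or a borrowed badge looks like in the audit trail. The log format, the door and badge identifiers, the business hours and the thresholds are all assumptions made for this example.

```python
"""Audit a constructed badge-reader log for unusual-time access and
repeated failed entry attempts. Format and data are invented for the
example; real access control systems export their own formats."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from a real system). One event per line:
# ISO timestamp, door id, zone classification, badge id, result.
SAMPLE_LOG = """\
2024-03-04T08:55:10 door=LOBBY-1 zone=public badge=B1001 result=GRANTED
2024-03-04T09:02:41 door=DC-01 zone=restricted badge=B1001 result=GRANTED
2024-03-04T12:30:05 door=DC-01 zone=restricted badge=B2077 result=DENIED
2024-03-04T23:48:12 door=DC-01 zone=restricted badge=B1042 result=GRANTED
2024-03-05T02:10:00 door=DC-02 zone=restricted badge=B3555 result=DENIED
2024-03-05T02:11:30 door=DC-02 zone=restricted badge=B3555 result=DENIED
2024-03-05T02:13:05 door=DC-02 zone=restricted badge=B3555 result=DENIED
2024-03-05T02:20:44 door=DC-02 zone=restricted badge=B3555 result=GRANTED
"""

BUSINESS_HOURS = (7, 19)        # assumption: 07:00 <= hour < 19:00 is normal
DENIAL_THRESHOLD = 3            # assumption: three denials ...
DENIAL_WINDOW = timedelta(minutes=10)   # ... inside ten minutes is a burst


def parse_line(line: str) -> dict:
    """Turn one 'ts key=value ...' line into a dict with a parsed time."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.fromisoformat(ts)
    return rec


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def after_hours_access(records: list) -> list:
    """Entries GRANTED to a restricted zone outside business hours."""
    start, end = BUSINESS_HOURS
    return [r for r in records
            if r["result"] == "GRANTED" and r["zone"] == "restricted"
            and not (start <= r["time"].hour < end)]


def denial_bursts(records: list) -> list:
    """Badges with DENIAL_THRESHOLD denials inside DENIAL_WINDOW.
    Each finding is (badge, first_denial, last_denial, granted_after),
    where granted_after is True if the same badge was then GRANTED within
    DENIAL_WINDOW of the last denial (the most suspicious pattern)."""
    denied, granted = defaultdict(list), defaultdict(list)
    for r in records:
        (denied if r["result"] == "DENIED" else granted)[r["badge"]].append(r["time"])
    findings = []
    for badge, times in denied.items():
        times.sort()
        for i in range(len(times) - DENIAL_THRESHOLD + 1):
            first, last = times[i], times[i + DENIAL_THRESHOLD - 1]
            if last - first <= DENIAL_WINDOW:
                granted_after = any(last < g <= last + DENIAL_WINDOW
                                    for g in granted.get(badge, []))
                findings.append((badge, first, last, granted_after))
                break   # one finding per badge is enough for the report
    return findings


def audit(text: str) -> dict:
    """Run both checks over a log and return a JSON-friendly summary."""
    records = parse_log(text)
    return {
        "after_hours": [(r["badge"], r["door"], r["time"].isoformat())
                        for r in after_hours_access(records)],
        "denial_bursts": [(b, f.isoformat(), l.isoformat(), g)
                          for b, f, l, g in denial_bursts(records)],
    }


if __name__ == "__main__":
    for kind, items in audit(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("  ", item)
```

On the sample data the audit reports two after-hours entries (B1042 at 23:48 and B3555 at 02:20) and one denial burst for B3555 that was followed by a successful entry, which is exactly the sequence a reviewer would want to see raised rather than buried in the raw log.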
  • 110. Summary Physical protection can be achieved by creating one or more physical barriers around the organization’s premises and information processing facilities. The use of multiple barriers gives additional protection, where the failure of a single barrier does not mean that security is immediately compromised.
  • 112. Learning Objectives: At the end of this chapter, you will be able to: • Identify the policy statement. • Engage with the scope and application of the policy. • Elaborate on the definitions used in supplier relationships. • Understand the supplier relationship security policy. • Engage with IT division practices. • Recognize remote access monitoring. • Distinguish the contract requirements.
  • 113. Learning Outline • POLICY STATEMENT • SCOPE AND APPLICATION OF THE POLICY • DEFINITIONS • SUPPLIER RELATIONSHIP SECURITY POLICY • IT DIVISION PRACTICES • REMOTE ACCESS MONITORING • CONTRACT REQUIREMENTS
  • 115. How do you manage supplier relationships?
  • 116. What do you understand by supplier relations?
  • 117. POLICY STATEMENT • The security of information processed, transmitted or stored by suppliers contracted by the Organization to provide those services needs to be ensured. This means that the Organization must put in place and manage contracts that protect the confidentiality, integrity and availability of information handled by the suppliers of these services.
  • 118. SCOPE AND APPLICATION OF THE POLICY • This policy applies to all Organization information technology systems that are supported by suppliers, whether the system or service provided is on-premise or not.
  • 119. DEFINITIONS A. Suppliers Shall mean vendors, contractors or other third-parties that provide software or IT services to the Organization through a contract or other agreement.
  • 120. DEFINITIONS B. Soft token Shall mean a software-based security token (as opposed to a physical hardware token) that generates a single-use login PIN, i.e. a one-time password.
  • 121. DEFINITIONS C. RFP (Request for proposal) Shall mean either a request for proposal or an invitation for bid.
  • 122. SUPPLIER RELATIONSHIP SECURITY POLICY A. IT Division Practices B. Contract Requirements
  • 123. IT Division Practices Access Control 1. Supplier Accounts Access must be granted to suppliers only when required for performing work, and with the full knowledge and prior approval of the data steward (or their designee) for the pertinent data.
  • 124. IT Division Practices Access Control 2. Multi-factor authentication a. Suppliers needing access to systems that require multi-factor authentication must do so from an account tied to an individual. b. When an exception to the one-individual-per-supplier-account rule is approved, multi-factor authentication to the account must be accomplished using a soft token mechanism.
  • 125. Remote Access Monitoring • When required for regulatory compliance supplier access to on-premise systems must be monitored or logged. This may be done using active monitoring by staff or by session logging done with software.
  • 126. Contract Requirements IT contract requirements • Contracts that relate to services where data is stored off-campus must utilize the standard IT contract addendum, or contract language that sufficiently ensures the security of the data.
  • 127. Contract Requirements IT contract requirements • When purchasing software solutions, either hosted or on-premise, where the Organization has not issued an RFP, the supplier must complete the IT Solution Initial Assessment Tool. Responses to this tool must be analyzed and approved by IT before a contract is signed.
  • 128. Be ready for Termly Examination