2. Chapter Outline
Information System Security Controls
Physical Security Controls
Logical Security Controls
Control and Standard for Information Integrity
Control and Standard for Information Access Control
Control and Standard for Computer Audit
Control and Standard for System Implementation Phase
Control and Standard for System Maintenance and Evaluation
Risks of IT Systems
Controls for Personal Systems
3. Syllabus
In the examination, candidates may be required to
a. describe in detail the controls and standards which are
applied to information systems for the purpose of audit and
security (regulatory and management controls, computer
risk management, back up procedures, controls over data
integrity, computer audit, passwords and logical access
system, personal security planning)
b. explain the risks to IT systems from hackers and viruses
4. Types of Security Control
Physical Security Controls
Lock | Access Control | Fire Protection
Logical Security Controls
Authentication | Anti Virus | Encryption
Environmental Controls
Security Policy | SOP | License | AMC | Warranty
Information System Operating Controls
Performance | Completion | Accuracy | Backup & Restore
5. Information System Security Policy
Information System (IS)
Hardware, Network, Software, Applications, Databases involved
in recording, processing, analyzing, storing and reporting
information.
IS Security Policy
High level statements stating goals regarding control and security
of Information Systems, which also…
– specifies who is responsible for implementation
– is established by management and approved by Board
– does not lay down detailed control procedures or SOPs
6. Sections of a Security Policy
Purpose & Responsibility
• provides guidelines on information processing, reporting, MIS, etc.
for management and Board
System Procurement & Development
• guides on system life-cycle management, starting with evaluation
and procurement through to monitoring
Access Terminals
• defines access authorization and processes for management access
to the information systems
Equipment & Information Security
• explains equipment & environment, information & communication
security, contingency & recovery
Service Bureau Programs
• outlines the engagement framework and service levels in regard to
development and management
7. IS Security Standards
Minimum criteria, rules and procedures established in
an organization that must be implemented for ensuring
achievement of IS Security Policy objectives.
The IS Security Standards…
– are implemented under the direction of Management
– specify detailed requirements of each IS control; e.g. length of
passwords, construction of passwords, backup retention
period, etc.
– are not specific to any particular computer platform, but are
generally applicable.
8. Physical Security Controls
Physical Locks
Security Guards
Video Surveillance Cameras
General Emergency and Detection Controls
Heating, Ventilation and Cooling Systems
Insurance Coverage
Periodic Backups
Emergency Power and UPS
Business Resumption Programs
Backup System Security Administrator
9. Logical Security Control
User ID and Passwords
Remote Access Controls
• Dedicated Leased Lines
• Automatic Dial-back
• Secure Socket Layer (SSL)
• Multifactor Authentication
• Virtual Private Network (VPN)
Computer Operations Audit
Backup and Recovery Procedures
Integrity / Completeness Checks
10. Control & Standards for Information Integrity
Policy & Procedures
– Formal documented policy addressing purpose, scope, roles,
committees, coordination among entities, etc.
– Formal guideline on the process of establishing information
integrity policy
Flaw Remediation
– Establishing a process for proactive identification, reporting
and remediation of flaws/vulnerabilities (which can result in
errors/faults)
– Patch management, system updates, service packs, etc.
11. Control & Standards for Information Integrity (cont.)
Malicious Code Protection
– Gateway filtering/protection for email, web, removable media
– Software for in-depth protection
Security Alerts and Advisories
– Following and keeping up to date with widely used security alert sources
Security Functionality Verification
– Monitoring and notification system for automated security test
failures or exposed vulnerabilities
Software and Information Integrity
– Software integrity with version control, release management, etc.
– Master Data Management (MDM)
12. Control & Standards for Information Integrity (cont.)
Spam Protection
– Spam protection in gateways, messaging, servers and devices
– Keeping spam signature database updated
– Combining multiple products to strengthen protection
Information Input Restrictions
– Role based authorization, location/schedule based access, etc.
Information Input Accuracy, Completeness, Validity and Authenticity
– Input validation based on format, context, length, source, etc.
– Completeness check based on transaction definition, etc.
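The input-restriction and input-accuracy controls above are easiest to see as code. The following is an added example, not part of the original slides: a validator that applies a source (authenticity) check, a completeness check against a transaction definition, and format, length and context checks to each field. The transaction definition, the trusted source list and the sample transactions are constructed for the example.

```python
import re

# Constructed transaction definition (an assumption for this example): for each
# field, the accepted format, the maximum length and whether it is mandatory.
TRANSACTION_DEFINITION = {
    "txn_id":   {"pattern": r"TXN-\d{8}",        "max_len": 12, "required": True},
    "account":  {"pattern": r"\d{10}",            "max_len": 10, "required": True},
    "amount":   {"pattern": r"\d+(\.\d{1,2})?",   "max_len": 15, "required": True},
    "currency": {"pattern": r"[A-Z]{3}",          "max_len": 3,  "required": True},
    "memo":     {"pattern": r"[\w .,-]*",         "max_len": 60, "required": False},
}

# Constructed list of channels allowed to submit transactions (source check).
TRUSTED_SOURCES = {"branch-teller", "internet-banking"}


def validate_transaction(txn, source):
    """Return the list of control findings; an empty list means the input passes."""
    findings = []

    # Authenticity / source check: only defined input channels are accepted.
    if source not in TRUSTED_SOURCES:
        findings.append(f"untrusted source: {source}")

    # Completeness check: every mandatory field of the definition is present.
    for field, rule in TRANSACTION_DEFINITION.items():
        if rule["required"] and txn.get(field) in (None, ""):
            findings.append(f"missing required field: {field}")

    # Fields outside the definition are rejected rather than passed through.
    for field in txn:
        if field not in TRANSACTION_DEFINITION:
            findings.append(f"unexpected field: {field}")

    # Format and length checks on the fields that are present.
    for field, value in txn.items():
        rule = TRANSACTION_DEFINITION.get(field)
        if rule is None or value in (None, ""):
            continue
        value = str(value)
        if len(value) > rule["max_len"]:
            findings.append(f"{field}: length {len(value)} exceeds {rule['max_len']}")
        elif not re.fullmatch(rule["pattern"], value):
            findings.append(f"{field}: format invalid")

    # Context check: an amount that passed the format check must still be positive.
    amount = str(txn.get("amount", ""))
    if re.fullmatch(TRANSACTION_DEFINITION["amount"]["pattern"], amount) and float(amount) <= 0:
        findings.append("amount: must be positive")

    return findings


if __name__ == "__main__":
    # Constructed sample input: one clean transaction and one with several defects.
    clean = {"txn_id": "TXN-20240101", "account": "1234567890",
             "amount": "250.00", "currency": "USD", "memo": "rent"}
    faulty = {"txn_id": "TXN-1", "account": "1234567890",
              "amount": "-5", "currency": "usd"}
    print(validate_transaction(clean, "branch-teller"))
    print(validate_transaction(faulty, "unknown-app"))
```

Each check reports a finding instead of stopping at the first one, so the rejected input can be logged with the full list of reasons for the audit trail.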
13. Control & Standards for Information Access Control
Access Control Policy and Procedures
– Formal document outlining information access policy
Identification and Authentication Policy & Procedures
– Access identification guidelines formally documented
Account Management
– User / group / system ID definitions with authorization matrix
– Account add/move/delete processes and procedures
Account Review
– Automated account and access audit
– Reviewing, analyzing and reporting on audit records
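An automated account review, as the Account Management and Account Review controls above describe, compares what each account actually holds against the authorization matrix for its role and looks for accounts the add/move/delete process has missed. The following is an added example and not code from the original slides; the authorization matrix, the account export and the 90-day dormancy threshold are all constructed assumptions.

```python
from datetime import date

# Constructed authorization matrix (assumption): the access each role is entitled to.
AUTHORIZATION_MATRIX = {
    "teller":   {"core-banking:read", "core-banking:post"},
    "auditor":  {"core-banking:read", "audit-log:read"},
    "sysadmin": {"core-banking:admin", "audit-log:read"},
}

# Constructed account export, in the shape an identity system or HR feed might produce.
ACCOUNTS = [
    {"user": "asmith",     "role": "teller",   "status": "active", "last_login": date(2024, 5, 2),
     "access": {"core-banking:read", "core-banking:post"}},
    {"user": "bjones",     "role": "teller",   "status": "active", "last_login": date(2024, 5, 30),
     "access": {"core-banking:read", "core-banking:admin"}},          # holds access beyond role
    {"user": "cdoe",       "role": "auditor",  "status": "active", "last_login": date(2023, 11, 1),
     "access": {"audit-log:read"}},                                   # not used for months
    {"user": "svc-backup", "role": None,       "status": "active", "last_login": date(2024, 5, 31),
     "access": {"core-banking:read"}},                                # no role defined
    {"user": "dlee",       "role": "sysadmin", "status": "left",   "last_login": date(2024, 4, 1),
     "access": {"core-banking:admin", "audit-log:read"}},             # leaver not deleted
]


def review_accounts(accounts, today, dormant_days=90):
    """Return (user, finding) pairs for accounts that deviate from the standard."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        permitted = AUTHORIZATION_MATRIX.get(acct["role"])
        if permitted is None:
            # Every ID (user, group or system) must map to a row of the matrix.
            findings.append((user, "no role in authorization matrix"))
        else:
            excess = acct["access"] - permitted
            if excess:
                findings.append((user, "access beyond role: " + ", ".join(sorted(excess))))
        if acct["status"] != "active" and acct["access"]:
            # The delete step of add/move/delete was not completed.
            findings.append((user, "leaver still holds access; delete process not completed"))
        elif (today - acct["last_login"]).days > dormant_days:
            idle = (today - acct["last_login"]).days
            findings.append((user, f"dormant: no login for {idle} days"))
    return findings


def report(findings):
    """Format the review result as audit-record lines for reporting."""
    return [f"{user}: {finding}" for user, finding in findings]


if __name__ == "__main__":
    for line in report(review_accounts(ACCOUNTS, date(2024, 6, 1))):
        print(line)
```

Run against a real export, the findings list is what the reviewer analyses and reports on; the script does not change any account itself, so the remove or correct step still goes through the documented account management procedure.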
14. Control & Standards for Information Access Control (cont.)
User Identification and Authentication
– User authentication with single and multifactor verification
Device Identification and Authentication
– Bidirectional negotiation and authentication of devices
Passwords
– Changing default passwords
– Complexity of passwords
– Expiration and repeatability of passwords
– Keeping passwords away from login IDs
– Control and log for master passwords
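Slide 7 says an IS Security Standard specifies details such as password length and construction, and the Passwords list above names the controls themselves. The following added example (not code from the original slides) turns both into an enforcement routine: default-password, length, complexity, login-ID and reuse checks on a proposed password, plus an expiry check at login. The standard's values, the default-password list and the sample passwords are constructed assumptions, and "keeping passwords away from login IDs" is read here as "the password must not contain the login ID".

```python
import hashlib
from datetime import date

# Constructed password standard (assumption): the kind of values an IS Security
# Standard sets; the figures are illustrative, not taken from the slides.
PASSWORD_STANDARD = {
    "min_length": 12,
    "min_classes": 3,       # of: uppercase, lowercase, digit, symbol
    "max_age_days": 90,     # expiry
    "history": 5,           # number of previous passwords that may not be reused
}

# Constructed set of vendor defaults that must not remain in use after installation.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "12345678"}


def character_classes(password):
    """Count how many of the four character classes the password uses."""
    checks = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


def fingerprint(password):
    """Digest used only to compare against the reuse history. A live system
    would keep salted password hashes (bcrypt, scrypt, Argon2) instead."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_new_password(login_id, password, history):
    """Return the standard violations for a proposed password; empty list = accepted.
    `history` holds fingerprints of the user's previous passwords, oldest first."""
    findings = []
    if password.lower() in DEFAULT_PASSWORDS:
        findings.append("default password")
    if len(password) < PASSWORD_STANDARD["min_length"]:
        findings.append("too short")
    if character_classes(password) < PASSWORD_STANDARD["min_classes"]:
        findings.append("insufficient character classes")
    if login_id.lower() in password.lower():
        findings.append("contains login ID")
    if fingerprint(password) in history[-PASSWORD_STANDARD["history"]:]:
        findings.append("reused recent password")
    return findings


def password_expired(last_changed, today):
    """Expiry check run at login time."""
    return (today - last_changed).days > PASSWORD_STANDARD["max_age_days"]


if __name__ == "__main__":
    # Constructed sample checks.
    print(check_new_password("jdoe", "password", []))
    print(check_new_password("jdoe", "Jdoe-Winter2024!", []))
    print(password_expired(date(2024, 1, 1), date(2024, 6, 1)))
```

Master (shared administrative) passwords are outside this routine: the slide's control for them is custody and logging of each use, which is an operational procedure rather than a composition rule.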
15. Questions
Explain the physical security controls and logical security controls.
What do you mean by Information System Security Standards?