Information Systems Security
Operational Control for Information Security
Operational Control
The controls that deal with the everyday operation of an organization, to ensure that all its objectives are achieved
This covers a wide spectrum of procedures associated with the users and with how the work gets done
A continual effort and discipline to maintain the system at a high level of security
Aspects of operational control
Staffing
Management
Application control
User management
Change control
Backup and restore
Incident handling
Awareness, training and education
Physical and environmental security
Staffing
Defining the job
Determining the sensitivity of the position
Filling the post, which involves background check, screening and selecting an individual
Employee handbook
Training
Mandatory vacation
Job rotation
Management
Make sure the policies, standards, guidelines and procedures are in place and being followed
Administrative management practice to prevent and eliminate the chance of fraud
Act with due care and due diligence
Management
Proper organization structure
Clear duties and responsibilities
Proper authorization procedure
Check and balance
Schedule of work
Checking of results
Application of security principles
Separation of duties: to ensure a single individual cannot subvert a critical process (check and balance)
Least privilege: granting only those rights needed to perform official duties
Application controls
It refers to the transactions and data relating to each computer-based application system, and application controls are therefore specific to each application
The objective is to ensure the completeness and accuracy of the records and the validity of the entries
Application controls
They are controls over input, processing and output functions. They include methods to ensure that:
Only complete, accurate and valid data are entered and updated
Processing does the correct task
Data are maintained
Input controls
Sequence check
Limit check
Range check
Validity check
Check digit
Duplicate check
Logical relationship check
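The seven input controls listed above, applied to a batch of constructed order records, as an added example that is not from the slides. The field names, the limit and range values, the table of valid shipping codes and the choice of the Luhn mod-10 rule for the check digit are all assumptions.

```python
# Added example: the seven input controls from the slide run over one batch.
# Field names, limits, valid codes and the Luhn mod-10 check digit are assumed.
from datetime import date

MAX_QTY = 100                        # limit check: highest quantity one order may carry
DISCOUNT_RANGE = (0, 50)             # range check: discount percent must fall inside
VALID_SHIP_CODES = {"STD", "EXP"}    # validity check: table of permitted codes

def luhn_ok(number: str) -> bool:
    """Check digit: true when the last digit satisfies the Luhn mod-10 rule."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def validate_batch(records):
    """Run every input control over the batch; return (id, control, detail) tuples."""
    errors, seen_ids, expected_seq = [], set(), 1
    for r in records:
        rid = r["id"]
        if rid in seen_ids:                                   # duplicate check
            errors.append((rid, "duplicate", "record id already in batch"))
        seen_ids.add(rid)
        if r["seq"] != expected_seq:                          # sequence check
            errors.append((rid, "sequence", f"expected {expected_seq}, got {r['seq']}"))
        expected_seq = r["seq"] + 1
        if r["qty"] > MAX_QTY:                                # limit check
            errors.append((rid, "limit", f"qty {r['qty']} exceeds {MAX_QTY}"))
        if not DISCOUNT_RANGE[0] <= r["discount"] <= DISCOUNT_RANGE[1]:   # range check
            errors.append((rid, "range", f"discount {r['discount']}% outside {DISCOUNT_RANGE}"))
        if r["ship"] not in VALID_SHIP_CODES:                 # validity check
            errors.append((rid, "validity", f"unknown ship code {r['ship']}"))
        if not luhn_ok(r["acct"]):                            # check digit
            errors.append((rid, "check digit", f"account {r['acct']} fails mod-10"))
        if date.fromisoformat(r["shipped"]) < date.fromisoformat(r["ordered"]):
            errors.append((rid, "logical", "shipped before ordered"))   # logical relationship
    return errors

# Constructed sample batch: record 2 breaks the limit; record 3 breaks six controls.
BATCH = [
    {"id": "A1", "seq": 1, "qty": 10, "discount": 5, "ship": "STD", "acct": "79927398713",
     "ordered": "2024-03-01", "shipped": "2024-03-02"},
    {"id": "A2", "seq": 2, "qty": 500, "discount": 5, "ship": "EXP", "acct": "79927398713",
     "ordered": "2024-03-01", "shipped": "2024-03-03"},
    {"id": "A2", "seq": 4, "qty": 3, "discount": 80, "ship": "XYZ", "acct": "79927398710",
     "ordered": "2024-03-05", "shipped": "2024-03-04"},
]
```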
Process controls
Manual re-calculation
Run-to-run totals
Programmed controls
Exception reports
Output controls
Logging
Storage of sensitive forms and reports in a secure place
Report distribution
Data files control
Source document retention
Before and after imaging
Version control
Transaction log
Labeling
Authorization for access
Media control
A media library might be set up, with procedures adopted to ensure the physical safety of the media and the security of the information they hold. Information kept for each medium:
Date of creation
Who created it
Period of retention
Classification
Volume name and version
Disposal
Error handling
Transaction log
Error correction procedure:
Logging
Timely correction
Upstream resubmission
Suspense file
Error file
Cancellation of source document
User administration
User account management
Detecting unauthorized/illegal activities
Temporary assignments and transfers
Termination: friendly and unfriendly
Contractor access considerations
Public access considerations
User account management
Process of requesting, establishing, issuing and closing of user accounts
Assign user access authorizations and rights
Track users and their respective access authorizations
Password policy and guidelines
Detecting unauthorized/illegal activities
Monitoring and keeping logs
Auditing and reviewing logs
Setting a clipping level
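A clipping level applied to authentication log lines, as an added example not taken from the slides: failures below the level are treated as normal user error, and only a user whose failures within a sliding window exceed it is reported for review. The log format, the level of 5, the 10-minute window and the rule that a successful login resets the count are all assumptions.

```python
# Added example: clipping-level detection over constructed login log lines.
# Format, threshold, window and the reset-on-success rule are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

CLIPPING_LEVEL = 5               # failures tolerated as normal before an alert
WINDOW = timedelta(minutes=10)   # failures must fall inside this sliding window

def _line(ts, user, result):     # builds one constructed line, e.g.
    # "2024-03-01T09:00:01 login user=alice result=FAIL src=10.0.0.5"
    return f"{ts} login user={user} result={result} src=10.0.0.5"

LOG_LINES = (
    [_line(f"2024-03-01T09:00:{s:02d}", "alice", "FAIL") for s in (1, 20, 40)]
    + [_line("2024-03-01T09:01:00", "alice", "OK")]                               # then succeeds
    + [_line(f"2024-03-01T09:05:{s:02d}", "bob", "FAIL") for s in range(0, 60, 10)]  # 6 in a minute
    + [_line(f"2024-03-01T{h:02d}:00:00", "carol", "FAIL") for h in range(8, 14)]    # 6 over 6 hours
)

def parse(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    parts = line.split()
    if len(parts) != 5 or parts[1] != "login":
        return None
    fields = dict(p.split("=", 1) for p in parts[2:])
    fields["ts"] = datetime.fromisoformat(parts[0])
    return fields

def find_clipping_violations(lines, level=CLIPPING_LEVEL, window=WINDOW):
    """Return {user: peak failure count} for users who exceeded the clipping level."""
    failures = defaultdict(list)   # user -> timestamps of recent failures, oldest first
    alerts = {}
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        times = failures[ev["user"]]
        if ev["result"] == "OK":
            times.clear()          # a successful login resets the count (assumed policy)
            continue
        times.append(ev["ts"])
        while times and ev["ts"] - times[0] > window:
            times.pop(0)           # drop failures that fell out of the window
        if len(times) > level:
            alerts[ev["user"]] = max(alerts.get(ev["user"], 0), len(times))
    return alerts
```

Only bob is reported: alice stays under the level and then logs in, and carol's failures never accumulate inside one window.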
Change management
Request for change
Approval of change
Documentation of the change
Test and presentation:
Test system
Production system
Implementation
Report to management
Backup and Restore
Loss of data due to:
Hardware failure
Software failure
File system corruption
Accidental deletion
Virus infection
Theft
Sabotage
Natural disaster
6 steps to backup and recovery
Preparation
Identify assets and requirements
Select backup strategy
Develop data protection strategy
Backup process and monitoring
Recovery drill test
Refer to the IS Guide to SME
Comparison of backup media
Computer security incident handling
How to respond to malicious technical threats
Closely related to support and operations and to contingency planning
Computer security incident handling
Reporting of the security incident
How to contain the damage
What technical expertise is required
Liaising with other organizations, e.g. CERT, police
How to respond to the public
Awareness of staff is important
Incident Response
Objectives:
Minimise business loss and subsequent liability of the company
Minimise the impact of the incident in terms of information leakage, corruption of systems, etc.
Ensure the response is systematic and efficient
Incident Response
Ensure the required resources are available to deal with incidents
Ensure all concerned parties have a clear understanding of the tasks they should perform
Ensure the response activities are coordinated
Prevent future attacks and damage
Deal with related legal issues
Incident Response
Preparation
Detection
Containment
Eradication
Recovery
Follow-up
Refer to the IS Guide to SME
Disaster Recovery and Business Continuity Planning
Identify the mission-critical functions
Identify the resources that support the critical functions
Anticipate potential contingencies or disasters
Select and devise contingency plans
Implement contingency plans
Test and revise the plans
Awareness, training and education
People are a very important part of an information system
How to improve their behaviour
Increase the ability to hold employees accountable
Awareness
Stimulates and motivates employees to take security seriously and reminds them of the security practices to be followed
Physical and environmental security
Measures to protect systems, buildings and related supporting infrastructure against threats associated with the physical environment
Natural threats
Man-made threats
Physical and environmental security
Threats:
Physical damage
Physical theft
Interruption of computing services
Unauthorized disclosure of information
Loss of control over system integrity
Physical and environmental security
Controls:
Physical access control: biometrics
Fire safety
Supporting facilities
Structural collapse
Plumbing leaks
Interception of data
Mobile and portable systems