Chapter 4 (Protection of Information Assets)

Useful summary of CISA for ICMAP Stage-6 students
Published by: Danish Iqbal on Aug 31, 2010
Copyright: Attribution Non-commercial
Information Management and Auditing: Information Assets Protection

Effective information security arrangements are the foundation for protecting assets and privacy. The security objectives for information assets can be listed as follows:
- Integrity of information.
- Confidentiality of sensitive data.
- Adherence to copyright (anti-piracy) arrangements.
- Continued availability of data.
- Conformity to applicable laws.
KEY ELEMENTS:
The key elements of information security management are:
- Senior management commitment and support.
- Policies and procedures.
- Organization of responsibilities.
- Security awareness and education.
- Monitoring and compliance.
- Incident handling and response.
KEY TERMS:
- CSIRT – Computer Security Incident Response Team.
- CERT – Computer Emergency Response Team.
These teams should be formed, with clearly defined responsibilities, for incident handling.
ROLES AND RESPONSIBILITIES:
All defined and documented responsibilities and accountabilities must be established and communicated to all members. These responsibilities include:
a) Executive management: overall protection of information assets.
b) Process owners: ensure appropriate security measures consistent with established organizational policies.
c) Users: follow the procedures (see below).
d) Data owners: determine classification levels to ensure the required degree of CIA (Confidentiality, Integrity, and Availability).
e) Chief Privacy Officer: articulate privacy laws to protect customers' and employees' privacy.
f) IS security committee: devise security guidelines, policies, and procedures.
g) Security specialist: promulgate and assist with the design and implementation of security policies.
h) IT developers: implement information security.
i) IS auditors: provide independent assurance to management as to the effectiveness of information security.
j) External parties: include all external stakeholders.

Prepared by: Muhammad Umar Munir
Some procedures that USERS follow are as follows:
- Reading and agreeing to security policies.
- Keeping login credentials (username and password) secret.
- Locking their screen when idle.
- Reporting suspected security violations.
- Maintaining good physical security.
- Adhering to applicable laws.
Key point: Management should assign ownership and accountability for major information assets.
INFORMATION ASSETS INVENTORIES:
Inventory records for major information assets should include the following:
- Identification.
- Location.
- Security classification.
- Asset group.
- Owner.
INFORMATION ASSETS CLASSIFICATION:
Different information has different degrees of sensitivity. Assigning classes of sensitivity helps establish access control. Classification should be simple and should consider legal/contractual terms.
Key point: Classification reduces the risk of OVERPROTECTING or UNDERPROTECTING the information. Data classification should define:
- Who may access the data.
- Access level (read, write, execute, etc.).
- Who defines the access persons and levels.
- Approvals required.
SYSTEM ACCESS:
The ability to do something with a computer, such as CREATE, MODIFY, DELETE, EXECUTE, CONNECT, etc., is termed system access.
TYPES OF SYSTEM ACCESS CONTROLS:
System access control can be logical or physical:
a) Logical system access control: provides technical means of controlling which information users can utilize, which programs or transactions they can run, and which modifications they can make. It can be implemented through the O/S, separate software, or built into the application.
b) Physical system access control: restricts entry and exit of personnel. Controls include badges, memory cards, guard keys, locks, and biometrics.
Keynote: System access (logical or physical) should be on a documented need-to-know basis.
Other points:
- The information owner is responsible for establishing system access.
- Access capabilities are implemented by the security administrator.
- Access responsibilities should be reviewed periodically.
- Non-employees (contract employees, vendor employees, maintenance personnel, clients, auditors, and consultants) should also adhere to the security policies.
IMPORTANT:
Access controls can be either mandatory or discretionary:
- Mandatory access control is a mechanism to enforce corporate security policy or security rules dealing with information resource sharing.
- Discretionary access control is data-owner-defined sharing of access.
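As an added illustration, not part of these notes, the Python sketch below models the classification and access-control ideas above: the data owner grants discretionary (need-to-know) access, while a mandatory sensitivity-label rule that the owner cannot override is checked separately. The level ordering, the user names and the "clearance must dominate classification" rule are assumptions chosen for the example.

```python
# Added example, not part of the original notes: a toy model of the
# classification / access-control concepts above. The sensitivity
# ordering, user names and the "clearance must dominate classification"
# rule are assumptions chosen for illustration.
from dataclasses import dataclass, field

# Sensitivity classes, least to most sensitive (assumed ordering).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass
class Asset:
    """Inventory record: identification, owner and security classification."""
    name: str
    owner: str
    classification: str                      # one of LEVELS
    acl: dict = field(default_factory=dict)  # user -> set of access levels


def grant(asset, by, user, rights):
    """Discretionary control: only the data owner may define sharing.
    The grant is the documented need-to-know record for 'user'."""
    if by != asset.owner:
        raise PermissionError(f"{by} is not the owner of {asset.name}")
    asset.acl.setdefault(user, set()).update(rights)


def mac_permits(clearance, classification):
    """Mandatory control: a corporate rule the owner cannot override.
    Here: the user's clearance must be at least the asset's class."""
    return LEVELS[clearance] >= LEVELS[classification]


def check_access(asset, user, clearance, right):
    """Access requires BOTH the owner's discretionary grant and the
    mandatory label rule. Returns (allowed, reason) for audit logging."""
    if right not in asset.acl.get(user, set()):
        return False, "denied: no discretionary grant from data owner"
    if not mac_permits(clearance, asset.classification):
        return False, "denied: mandatory policy (clearance below classification)"
    return True, "allowed"


if __name__ == "__main__":
    payroll = Asset("payroll", owner="alice", classification="confidential")
    grant(payroll, "alice", "bob", {"read"})                  # owner shares with bob
    print(check_access(payroll, "bob", "confidential", "read"))
    print(check_access(payroll, "bob", "internal", "read"))   # MAC overrides the grant
    print(check_access(payroll, "carol", "secret", "read"))   # no DAC grant
```

The second check is the point of the distinction: the owner's grant alone does not let a lower-cleared user read a confidential asset, and the reason string gives the auditor something to review.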
PRIVACY ISSUES:
Privacy defined: Adherence to the trust and obligations attached to any information relating to an identified or identifiable individual is called privacy.
Critical points: Management is responsible for adhering to privacy requirements. The IS auditor is NOT responsible for the contents of the database. IS auditors may also take expert opinion. The IS auditor has to review management's privacy policies, which include:
- Nature of information.
- Documentation.
- Accountability for privacy issues.
- Reduction in privacy modifications.
CRITICAL SUCCESS FACTORS:
- Managerial commitment and support.
- Updated policies and procedures reflecting business objectives.
CRIMES AND EXPOSURES:
Computer crimes can damage the reputation, morale, and viability of an organization. Threats related to crimes can be classified as follows:
- Financial loss.
- Legal repercussions (consequences).
- Loss of credibility (competitive edge).
- Blackmail/industrial espionage.
- Disclosure of confidential or sensitive information.
- Sabotage – bad corporate image.
CRIME PERPETRATORS:
The following could be computer crime perpetrators:
a) Hackers – persons able to explore system details and exploit them.
b) Script kiddies – persons who use pre-written scripts and programs to perform their own tasks.
c) Crackers – persons who illegally try to break security measures.
d) Employees (authorized or unauthorized).
e) IS personnel – custodians of information.
f) End users.