PROTECTION OF INFORMATION ASSETS

PART A - INFORMATION ASSET SECURITY AND CONTROL
CISA CHAPTER 5 - (27%)

R CHANDRASEKHAR
Prep With RC
CISA Chapter - 5 - Part A

INFORMATION ASSET SECURITY FRAMEWORK, STANDARDS AND GUIDELINES


Importance of information security management

• The most important factor in protecting information assets and privacy is to have an effective information security management system in place.
• The International Organization for Standardization (ISO) has published a comprehensive set of controls comprising best practices for information security management - ISO 27001.
• Other standards include PCI-DSS, HIPAA etc.


Importance of information security management

Security objectives of an organization's business requirements include the following:

• Ensure the integrity of the information stored on their computer systems.
• Preserve the confidentiality of sensitive data. Ensure adherence to trust and obligation in relation to any information pertaining to an identified or identifiable individual (i.e., data subject) in accordance with its privacy policy or applicable privacy laws and regulations.
• Ensure the continued availability of their information systems.
• Ensure conformity to applicable laws, regulations and standards.


Importance of information security management

Key elements of information security management/aspects to review during audit:

• Senior management commitment and support
• Policies and procedures
• Organization
• Security awareness and education
• Data ownership
• Security administrators/new IT users/data users
• Access standards/documented authorizations
• Security baseline
• Incident handling and response
• Monitoring and compliance


Senior Management Commitment and Support

• Senior management commitment and support should exist for the establishment and continuance of an information security management program.


Policies and Procedures

• Policies and procedures start with a general organization policy providing a concise top management declaration of direction addressing the importance of information assets, the need for security, and the importance of defining sensitive and critical assets to protect in regard to confidentiality, integrity and availability of those assets.


Organization

• Responsibilities for the protection of individual assets and for carrying out specific security processes should be clearly defined.
• The information security policy should provide general guidance on the allocation of security roles and responsibilities in the organization.

Security Awareness and Education

a) All employees of an organization and third-party users should receive appropriate training and regular updates on the importance of security in organizational policies and procedures.

b) Mechanisms available for raising security awareness include:
• Written security policies and procedures (and updates)
• Statements signed by employees agreeing to follow the written security policy and procedures
• Nondisclosure statements signed by the employee
• Use of different media in promulgating security (e.g., company newsletter, web page, videos, etc.)
• Visible enforcement of security rules
• Simulated security incidents for improving security procedures
• Rewarding employees who report suspicious events
• Periodic audits


Data Ownership

• Classification of data elements and allocation of responsibilities to protect data
• Accountability is established
• Data owners: managers and directors responsible for using the information for business; responsible for authorizing access and reviewing the access granted
• Data custodians: responsible for storing and safeguarding data, e.g., IS personnel, computer operators etc.


Security Administrators/New IT Users/Data Users

• Security Admins: responsible for providing adequate physical and logical security, aligned with the information security policy.
• New IT Users: need to adhere to the security policy, follow the password policy, acceptable usage etc.
• Data Users: authorised by data owners and monitored by security admins, to comply with general security guidelines and prevent unauthorized access.


Access Standards/Documented Authorizations

• Access Standards: to adhere to segregation of duties (SOD) and minimize the risk of unauthorized access, at the generic level (like password characteristics), for specific machines (OS-level password configurations) and at the application level (ERP, CBS).
• Authorisation for access granted is to be documented; this is part of the IS audit review.

Security Baseline

• Refers to a set of basic security objectives to be met by a device, application etc.
• Example: a security baseline for OS configuration may require unwanted services to be disabled, patches to be updated etc.


Monitoring and Compliance

• The effectiveness of an organization's security program(s) is assessed on a continuous basis; IS auditors must have an understanding of the organization's monitoring activities in order to assess the effectiveness of the security programs and controls established.


Incident Handling and Response

• Incident is an adverse event that threatens some aspect of computer security.

• To minimize damage from security incidents and to monitor and learn from such incidents, a formal
incident response capability should be established.



Incident Handling and Response – Steps Required

1. Planning and preparation
2. Detection
3. Initiation
4. Evaluation
5. Containment
6. Eradication
7. Response
8. Recovery
9. Closure
10. Post-incident review
11. Lessons learned


Incident Handling and Response

Management Team:

• A coordinator who acts as the liaison to business process owners

• A director who oversees the incident response capability

• Manager(s) who manage individual incidents

• Security specialists who detect, investigate, contain and recover from incidents

• Non security technical specialists who provide assistance based on subject matter expertise

• Business unit leader liaisons (legal, human resources, public relations, etc.)


Incident Handling and Response

Security-related incidents/issues:
• Virus outbreak
• Web defacement
• Abuse notification
• Unauthorized access alert from audit trails
• Security attack alerts from intrusion detection systems
• Hardware/software theft
• System root compromises
• Physical security breach
• Spyware/malware/Trojans detected on PCs
• Fake defamatory information in media
• Forensic investigations


Importance of Information Security Management

Information security management roles and responsibilities:
• Executive management
• Process owners
• User
• Data owners
• Chief privacy officer (CPO)
• IS security committee
• Security specialists/advisors
• IT developers
• IS auditors
• External parties


Privacy Principles

Privacy

Privacy issues and information security

• Privacy means adherence to trust and obligation in relation to any information relating to an identified or identifiable individual (data subject).
• Management is responsible for adhering to and complying with privacy requirements in accordance with its privacy policy or applicable privacy laws and regulations.
• The IS auditor is not responsible for what is stored in the personal databases.
• The IS auditor should review management's privacy policy.


Privacy issues and information security

IS auditors should review privacy impact analysis or assessments carried out by the management. Such assessments
should:
a) Identify the nature of personally identifiable information associated with business processes.
b) Document the collection, use, disclosure and destruction of personally identifiable information
c) Provide management with a tool to make informed policy, operations and system design decisions based on an
understanding of privacy risk and the options available for mitigating that risk
d) Create a consistent format and structured process for analyzing both technical and legal compliance with relevant
regulations
• Ensure that accountability for privacy issues exists
• Reduce revisions and retrofitting of the information systems for privacy compliance
e) Provide a framework to ensure that privacy is considered, from the conceptual and requirements analysis stage to
the final design approval, funding, implementation and communication stage



Privacy - Audit Considerations

Some key aspects to be considered as part of privacy reviews:
• Choice and consent
• Legitimate purpose specification and use limitation
• PII and sensitive PII life cycle
• Accuracy, quality
• Notice
• Security safeguards
• Third-party vendor management
• Breach management etc.

Identity and Access Management


Identity and Access Management

• Identification and authentication are the first line of defense to prevent unauthorized access.
• Access to systems may be physical or logical access.
• Authorisation/privileges/permissions to resources should be based on documented need-to-know, least privilege, SoD etc.
• Asset owners are responsible for approving access; provisioning is done by security admin/IT teams.
• Access controls are to be defined at various asset levels (granular).
• Access granted should be reviewed periodically.


Identity and Access Management - External Parties Access

• Risk related to external parties' access is to be evaluated.
• Contracts with third parties should contain suitable terms; security aspects are to be considered.
• Addressing security while providing access to customers: customer agreements.


Identity and Access Management - HR Security

• Security responsibilities prior to employment/contract
• Screening
• Acceptable usage policy
• Access provisioning and de-provisioning


Identity and Access Management

Maintaining accountability for information assets:
• Information asset inventories
• Classification of information assets
• System access
• Mandatory and discretionary access controls

Identity and Access Management


System access:

a) System access is the ability to do something with a computer resource.
b) System access to computerized information resources is either logically or physically based.
• Logical system access controls provide a technical means of controlling what information users can utilize, the programs or transactions they can run, and the modifications they can make.
• Physical system access controls restrict the entry and exit of personnel, and often equipment and media, from an area such as an office building, etc.
c) Access to computerized information should be on a documented need-to-know basis, where there is a legitimate business requirement based on least privilege and segregation of duty principles.
d) The information owner or manager who is responsible for the accurate use and reporting of information should provide written authorization for users to gain access to information resources under their control.


Identity and Access Management

System access:

e) Layered security for system access provides greater scope and granularity of control over information resources. For example:
• Network and operating system layers provide general systems control over users authenticating into systems, system software and application configurations, datasets, load libraries, and any production dataset libraries.
• Database and application controls generally provide a greater degree of control over user activity within a particular business process by controlling access to records, specific data fields and transactions.
f) Access authorizations should be evaluated regularly to ensure they are still valid.
g) Non-employees with access to company systems should also be held responsible for security compliance and accountable for security breaches.


Identity and Access Management

Mandatory and discretionary access controls:

• Mandatory access control is a mechanism that enforces the corporate security policy or security rules that deal with sharing of information resources.
• Only administrators (not owners of resources) may make decisions that are derived from policy. Only an administrator may change the category of a resource, and no one may grant a right of access that is explicitly forbidden in the access control policy.
• Under a discretionary access control mechanism, the data owners give permission to others for sharing the information resources.
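The following is an added example, not taken from the slides or from any operating system: a small Python model of the two mechanisms. The users, clearance levels, resource categories and rights are constructed, and the MAC rule used ("the user's clearance must be at least the resource's category") is one simple policy chosen only to make the administrator-versus-owner distinction concrete. An owner can share a resource (DAC), but cannot relabel it and cannot grant what the policy forbids (MAC).

```python
"""Added example (not from the CISA slides): minimal MAC and DAC model.

- DAC: the owner of a resource grants rights to other users.
- MAC: access is derived from policy labels; only an administrator may change
  a resource's category, and nobody may grant access the policy forbids.
All names and labels below are constructed sample data.
"""
from dataclasses import dataclass, field

# Ordered sensitivity levels used by the constructed MAC policy.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}


class PolicyViolation(Exception):
    """Raised when a request would violate the access control policy."""


@dataclass
class Resource:
    name: str
    owner: str
    category: str                              # MAC label, administrators only
    acl: dict = field(default_factory=dict)    # DAC grants: user -> set of rights


class AccessControl:
    def __init__(self, admins, clearances):
        self.admins = set(admins)          # who may set or change categories
        self.clearances = clearances       # user -> clearance level name
        self.resources = {}

    def add_resource(self, actor, res):
        if actor not in self.admins:
            raise PolicyViolation("only an administrator may set a resource category")
        self.resources[res.name] = res

    def set_category(self, actor, res_name, category):
        """MAC: only an administrator may change the category of a resource."""
        if actor not in self.admins:
            raise PolicyViolation(f"{actor} may not change the category of {res_name}")
        self.resources[res_name].category = category

    def mac_allows(self, user, res):
        """Policy rule: the user's clearance must dominate the resource label."""
        return LEVELS[self.clearances.get(user, "public")] >= LEVELS[res.category]

    def grant(self, owner, res_name, user, right):
        """DAC: the data owner shares the resource by granting a right."""
        res = self.resources[res_name]
        if owner != res.owner:
            raise PolicyViolation(f"{owner} does not own {res_name}")
        if not self.mac_allows(user, res):   # MAC wins: cannot grant what policy forbids
            raise PolicyViolation(f"policy forbids {user} access to {res.category} data")
        res.acl.setdefault(user, set()).add(right)

    def check(self, user, res_name, right):
        """Allowed only if BOTH the MAC label rule and a DAC grant hold."""
        res = self.resources[res_name]
        return self.mac_allows(user, res) and right in res.acl.get(user, set())


def demo():
    """Walk through the slide's statements and return the observed outcomes."""
    ac = AccessControl(admins={"secadmin"},
                       clearances={"alice": "confidential", "bob": "internal"})
    ac.add_resource("secadmin", Resource("payroll", owner="alice", category="confidential"))
    ac.grant("alice", "payroll", "alice", "read")
    results = {"alice_read": ac.check("alice", "payroll", "read")}
    try:
        ac.grant("alice", "payroll", "bob", "read")     # bob's clearance is too low
        results["bob_grant"] = "allowed"
    except PolicyViolation:
        results["bob_grant"] = "refused"
    try:
        ac.set_category("alice", "payroll", "public")   # owner may not relabel
        results["owner_relabel"] = "allowed"
    except PolicyViolation:
        results["owner_relabel"] = "refused"
    ac.set_category("secadmin", "payroll", "internal")  # administrator relabels
    ac.grant("alice", "payroll", "bob", "read")         # now the DAC grant is permitted
    results["bob_read_after_relabel"] = ac.check("bob", "payroll", "read")
    results["bob_write"] = ac.check("bob", "payroll", "write")
    return results


if __name__ == "__main__":
    print(demo())
```

The point to take from `demo()` is the order of the checks: the policy label is evaluated before the owner's grant is even recorded, which is what makes the control mandatory rather than discretionary.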


Logical Access Control

• Logical access controls are the primary means of managing and protecting information assets to reduce risks to a level acceptable to an organization.
• Inadequate logical access controls increase an organization's potential for losses resulting from exposures.


Exposures

Technical exposures are the unauthorized (intentional or unintentional) implementation or modification of data and software at either the network, platform (operating system), database or application level.

Technical exposures include:
• Trojan horses/backdoors
• Salami techniques
• Rounding down
• Viruses
• Worms
• Trap doors
• Asynchronous attacks
• Data leakage
• War driving
• Computer shutdown
• Denial-of-service attack
Paths of Logical Access

• Access or points of entry to an organization's information systems infrastructure can be gained through several avenues.
• Each avenue is subject to appropriate levels of access security.


General Points Of Entry

• General points of entry to either front-end or back-end systems relate to an organization's networking or telecommunications infrastructure in controlling access into their information resources (e.g., applications, databases, facilities, networks).
• General modes of access:
  • Network connectivity
  • Remote access
  • Operator console
  • Online workstations or terminals

Logical Access Control Software

• The purpose of access control software is to prevent unauthorized access and modification to
an organization's sensitive data and use of system critical functions
• The greatest degree of protection in applying access control software is at the network and
platform/operating system levels.


LOGICAL ACCESS CONTROL SOFTWARE

General operating system access control functions include:
• Apply user identification and authentication mechanisms.
• Restrict logon IDs to specific terminals/workstations and specific times.
• Establish rules for access to specific information resources (e.g., system-level application resources and data).
• Create individual accountability and auditability.
• Create or change user profiles.
• Log events.
• Log user activities.
• Report capabilities.

LOGICAL ACCESS CONTROL SOFTWARE

Database and/or application-level access control functions include:


• Create or change data files and database profiles
• Verify user authorization at the application and transaction level
• Verify user authorization within the application
• Verify user authorization at the field level for changes within a database
• Verify subsystem authorization for the user at the file level
• Log database/data communications access activities for monitoring access violations



Access Control

Identification and authorization is a critical building block of computer security, since it is the basis for most types of access control and for establishing user accountability.

Three steps that must happen for a user to access computing resources:
1. Identification
2. Authentication
3. Authorization

The actions of the subjects are captured in an audit trail for review and accountability.
Access Control

Identification
• Method of determining who the user is, based on information supplied by the user
• Example: username

Authentication
• Verification of the identity of the user by the authentication system or service
• This may be done based on additional information obtained from the user, for example a password

Authorization
• The rights and privileges of the authenticated user to access the system resources
• Example: read access to a file/data


User Identification
Information supplied by the user:
• User ID
• Username
• Employee Badges
• Biometrics
• PIN
• Smart Cards



Authentication Information

• Remembered information
• Possessed objects
• Personal characteristics


Access Control

Common vulnerabilities in gaining unauthorized system access include:
a) Weak authentication methods
b) The potential for users to bypass the authentication mechanism
c) The lack of confidentiality and integrity for the stored authentication information
d) The lack of encryption for authentication information transmitted over a network


LOGON IDS AND PASSWORDS

• The logon ID provides individual identification. Each user gets a unique logon ID that can be identified by the system.
• The password provides individual authentication. Identification/authentication is a two-step process by which the computer system first verifies that the user has a valid logon ID (user identification) and then requires the user to substantiate his/her authentication via a password.


Identification, Authentication - login flow

1. The user enters the login (user ID and password).
2. The system checks the user ID and password.
3. Authentic login: authentication is checked and the user is told to proceed (approval message).
4. Rejected login: the system checks the number of rejected logins.
   • Fewer than 3 rejected logins: delay, then ask the user to log in again (refusal message).
   • More than 3 rejected logins: lock the user out.


ADMINISTRATOR

a) The Administrator has control over the entire system including its operation and security.
b) This is the most powerful user account in the system. The Administrator can have different names in different OS:
• Root in UNIX
• Administrator in NT
c) The Administrator can create other users and assign access permissions to such users.


Guest Account and Others

• Some OS support a Guest account. Such users can log on to the system without a password, as such accounts are established with a blank password.
• Special Users include operators, network administrators, printer managers, etc. who perform specific tasks.
• General Users are users created by Administrators and they have to be assigned specific permissions to access files, data and other computer resources.


Password Management

• All users to have a password
• Passwords to be changed frequently
• Passwords not to be repeated for a given number of changes


Password Management

OS have facilities for password management. These may include:
• Forcing users to have passwords
• Setting a minimum and maximum password length
• Maintaining a password history
• Setting a minimum password age
• Setting a password expiry limit and forcing users to change their passwords


Password Management

• User accounts can be locked if the password is given wrongly.
• Normally a specific number of trials is allowed for users to log on to the system. This is given because the user could make typing mistakes while keying in the username or password.
• Once the number of allowed trials is exhausted, the user is not permitted to log on.
• The Administrator has to specifically unlock the account and permit the user to log on again.
• The user account can also be locked when the user is on leave, to prevent others from logging in using that account.


Good and Bad Passwords

Bad passwords:
• frank
• Fido
• password
• 4444
• Pikachu
• 102560
• AustinStamp

Good passwords:
• jfIej,43j-EmmL+y
• 09864376537263
• P0kem0N
• FSa7Yago
• 0nceuP0nAt1m8
• PokeGCTall150
Password Encryption

Passwords stored in the OS are normally encrypted so that one is not able to view and read the passwords, which is possible if the passwords are stored as plain text. Encryption is a form of mutilation.
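The following added example (not from the slides or from any operating system) brings the password management slides, the login flow and the password encryption slide together in one small Python model: length limits, history, minimum age and expiry; lockout once the allowed trials are exhausted, with administrator unlock and a lock for users on leave; and a stored form that is a salted one-way hash (PBKDF2), which is the usual modern implementation of what the slide calls an encrypted password. All policy values, user names and passwords are constructed, and the clock is injectable so that ageing can be simulated.

```python
"""Added example, not from the CISA slides or any OS: a model of OS password
management facilities, the login lockout flow and hashed password storage.
All policy values, user names and passwords below are constructed.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

# Constructed policy values; a real baseline takes these from the organization's policy.
MIN_LENGTH = 8
MAX_LENGTH = 64
HISTORY_SIZE = 5                   # a password may not repeat any of the last 5
MIN_AGE_SECONDS = 24 * 3600        # no second change within a day
MAX_AGE_SECONDS = 90 * 24 * 3600   # expiry: must change after 90 days
MAX_FAILED_LOGINS = 3              # allowed trials before the account is locked


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted one-way hash: the stored record never reveals the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    changed_at: float
    history: list = field(default_factory=list)   # previous (salt, hash) pairs
    failed_logins: int = 0
    locked: bool = False


class PasswordManager:
    def __init__(self, now=time.time):
        self.now = now            # injectable clock so ageing can be simulated
        self.accounts = {}

    def create_user(self, username: str, password: str) -> None:
        self.check_policy(password)
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, hash_password(password, salt),
                                          changed_at=self.now())

    def check_policy(self, password: str, account: Account = None) -> None:
        """Enforce length, minimum age and history; raise ValueError on a violation."""
        if not MIN_LENGTH <= len(password) <= MAX_LENGTH:
            raise ValueError("password length outside policy limits")
        if account is not None:
            if self.now() - account.changed_at < MIN_AGE_SECONDS:
                raise ValueError("password changed too recently (minimum age)")
            recent = [(account.salt, account.pw_hash)] + account.history
            for salt, old_hash in recent[:HISTORY_SIZE]:
                if hmac.compare_digest(hash_password(password, salt), old_hash):
                    raise ValueError("password was used recently (history)")

    def change_password(self, username: str, new_password: str) -> None:
        acct = self.accounts[username]
        self.check_policy(new_password, acct)
        acct.history.insert(0, (acct.salt, acct.pw_hash))
        acct.history = acct.history[:HISTORY_SIZE]
        acct.salt = os.urandom(16)
        acct.pw_hash = hash_password(new_password, acct.salt)
        acct.changed_at = self.now()

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'expired', 'rejected' or 'locked'.

        On 'rejected' the caller delays before re-prompting, as in the login
        flow on the slides; 'locked' requires an administrator unlock.
        """
        acct = self.accounts.get(username)
        if acct is None:
            return "rejected"     # same answer as a wrong password: no username hint
        if acct.locked:
            return "locked"
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_logins += 1
            if acct.failed_logins >= MAX_FAILED_LOGINS:
                acct.locked = True
                return "locked"
            return "rejected"
        acct.failed_logins = 0
        if self.now() - acct.changed_at > MAX_AGE_SECONDS:
            return "expired"      # force a password change before proceeding
        return "ok"

    def admin_unlock(self, username: str) -> None:
        acct = self.accounts[username]
        acct.locked, acct.failed_logins = False, 0

    def lock_for_leave(self, username: str) -> None:
        """Administrative lock while the user is on leave."""
        self.accounts[username].locked = True
```

Two design points worth noting for an audit: an unknown user name and a wrong password return the same `"rejected"` result, so the login prompt does not reveal which user IDs exist; and the history check re-hashes the candidate password with each old salt, because the stored hashes cannot be reversed to compare plaintexts.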

Token Devices, One-time Passwords

• A two-factor authentication technique, such as a microprocessor-controlled smart card, generates one-time passwords that are good for only one logon session.
• Users enter this password along with a password they have memorized to gain access to the system.
• This technique involves something you have (a device subject to theft) and something you know (a personal identification number).
• Such devices gain their one-time password status because of a unique session characteristic (e.g., ID or time) appended to the password.
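As an added example (not from the slides or from any token vendor), the following Python shows how a time characteristic turns a shared secret into a password that is good for one session only. It uses the HMAC-based OTP construction of RFC 4226 (HOTP) with a 30-second time step as the counter (RFC 6238, TOTP), and combines the code with a memorized PIN for the "something you know" factor. The secret, PIN and clock values are constructed; the secret is the RFC 4226 test secret so that the codes can be checked against the published vectors.

```python
"""Added example, not from the CISA slides or any token vendor: a one-time
password derived from a shared secret and a time-based counter (HOTP/TOTP),
verified together with a memorized PIN, and rejected on replay.
The secret, PIN and clock values below are constructed test data.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 of the 8-byte counter, dynamically truncated to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """The session characteristic is time: the counter is the current 30-second step."""
    return hotp(secret, int(at_time // step), digits)


class TokenServer:
    """Verifier side: checks PIN + OTP, tolerates slight clock drift, rejects replay."""

    def __init__(self, secret: bytes, pin: str, step: int = 30, window: int = 1):
        self.secret = secret
        self.pin = pin
        self.step = step
        self.window = window          # accept +/- this many steps of clock drift
        self.last_counter = -1        # highest counter already used: one logon per code

    def verify(self, pin_entered: str, code_entered: str, at_time: float) -> bool:
        if not hmac.compare_digest(pin_entered, self.pin):
            return False              # "something you know" failed
        counter = int(at_time // self.step)
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue              # already used or older: not good for another session
            if hmac.compare_digest(hotp(self.secret, c), code_entered):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"      # RFC 4226 test secret, used here as demo data
    server = TokenServer(secret, pin="2468")
    now = 1_700_000_000
    code = totp(secret, now)              # what the token device would display
    print("first use:", server.verify("2468", code, now))
    print("replay:", server.verify("2468", code, now))
```

Keeping `last_counter` on the verifier is what makes the password one-time: the same code presented again for the same session window is refused even though the PIN and clock are still valid.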

Biometrics

Biometrics Access Controls

• Biometrics access controls are the best means of authenticating a user's identity based on a unique, measurable attribute or trait for verifying the identity of a human being.
• This control restricts computer access, based on a physical (something you are) or behavioral (something you do) characteristic of the user.


Enrollment vs Recognition

Enrollment phase
• Subject's biometric info is put into the database
• Must carefully measure the required info
• OK if slow and repeated measurement is needed
• Must be very precise for good recognition
• A weak point of many biometric schemes

Recognition phase
• Biometric detection when used in practice
• Must be quick and simple
• But must be reasonably accurate


Performance of Biometrics Control Devices

False Rejection Rate (FRR) or type-I error rate: one type, the false rejection rate (FRR), or type-I error rate, is the number of times an individual granted authority to use the system is falsely rejected by the system. An aggregate measure of type-I error rates is the failure-to-enroll rate (FER), the proportion of people who fail to be enrolled successfully.

False Acceptance Rate (FAR), or type-II error rate: the other, referred to as the false-acceptance rate (FAR), or type-II error rate, is the number of times an individual not granted authority to use a system is falsely accepted by the system.

Equal Error Rate (EER): an overall metric related to the two error types is the equal error rate (EER), which is the percent showing when false rejection and acceptance are equal. The lower the overall measure, the more effective the biometrics.
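The following added example (not from the slides or from any biometric product) computes FRR, FAR, FER and the equal error rate from constructed match scores. A match score here is the similarity (0 to 1) a matcher assigns to an attempt, and an attempt is accepted when its score reaches the decision threshold; sweeping the threshold shows the trade-off the slide describes, and the EER is the point where the two error rates meet.

```python
"""Added example, not from the CISA slides or any biometric product: FRR, FAR,
failure-to-enroll rate and equal error rate computed from constructed scores.
"""

# Constructed sample data: match scores from authorised users (genuine) and from
# people not granted authority (impostors), plus enrollment outcomes.
GENUINE = [0.95, 0.91, 0.88, 0.85, 0.82, 0.80, 0.76, 0.70, 0.62, 0.55]
IMPOSTOR = [0.10, 0.20, 0.30, 0.40, 0.45, 0.50, 0.58, 0.65, 0.72, 0.78]
ENROLLMENT_OK = [True] * 18 + [False] * 2


def frr(genuine, threshold):
    """Type-I error: fraction of authorised attempts falsely rejected (score below threshold)."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(impostor, threshold):
    """Type-II error: fraction of unauthorised attempts falsely accepted (score at/above threshold)."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def failure_to_enroll_rate(enrollment_ok):
    """FER: proportion of people who could not be enrolled."""
    return sum(1 for ok in enrollment_ok if not ok) / len(enrollment_ok)


def error_rate_curve(genuine, impostor):
    """(threshold, FRR, FAR) at every distinct score: raising the threshold trades FAR for FRR."""
    return [(t, frr(genuine, t), far(impostor, t)) for t in sorted(set(genuine) | set(impostor))]


def equal_error_rate(genuine, impostor):
    """Threshold where FRR and FAR are closest, and the EER (their mean) there."""
    best = None
    for t, r, a in error_rate_curve(genuine, impostor):
        gap = abs(r - a)
        if best is None or gap < best[0]:
            best = (gap, t, (r + a) / 2)
    return best[1], best[2]


def rank_devices(devices):
    """Given {name: (genuine, impostor)}, order devices by EER, lowest (most effective) first."""
    return sorted(devices, key=lambda name: equal_error_rate(*devices[name])[1])


if __name__ == "__main__":
    for t, r, a in error_rate_curve(GENUINE, IMPOSTOR):
        print(f"threshold {t:.2f}: FRR {r:.1f}  FAR {a:.1f}")
    print("EER threshold, EER:", equal_error_rate(GENUINE, IMPOSTOR))
    print("FER:", failure_to_enroll_rate(ENROLLMENT_OK))
```

With the constructed scores the curve crosses at a threshold of 0.70, where both error rates are 0.2; a device whose genuine and impostor scores do not overlap reaches an EER of 0 and ranks first in `rank_devices`.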


Biometrics devices with the best response:
• Palm
• Hand geometry
• Iris
• Retina
• Fingerprint
• Face
Fingerprint Comparison

• Examples of loops, whorls and arches
• Minutiae extracted from these features

[Figure: fingerprint patterns - Loop (double), Whorl, Arch]


Fingerprint Biometric

• Capture image of fingerprint
• Enhance image
• Identify minutiae


Fingerprint Biometric

• Extracted minutiae are compared with the user's minutiae stored in a database
• Is it a statistical match?


Hand Geometry
a) Popular form of biometric

b) Measures shape of hand

◼ Width of hand, fingers

◼ Length of fingers, etc.

c) Human hands not unique

d) Hand geometry sufficient for many situations

e) Suitable for authentication

f) Not useful for ID problem



IRIS Patterns



Management of Biometrics

Management of biometrics should address the security for collection, distribution and processing of biometric data including:
a) Data integrity, authentication, non-repudiation
b) Management of biometric data across its life cycle: enrollment, transmission, storage, verification and termination
c) One-to-one and one-to-many matching
d) Encapsulation of biometric data
e) Secure transmission and storage
f) Security of physical hardware used through the life cycle
g) Integrity and privacy of biometric data


2-FACTOR AUTHENTICATION

Requires 2 out of 3 of:
• Something you know
• Something you have
• Something you are

Examples:
• ATM: card and PIN
• Credit card: card and signature
• Password generator: device and PIN
• Smartcard with password/PIN


Single Sign-on
• A hassle to enter password(s) repeatedly
a) Users want to authenticate only once
b) “Credentials” stay with user wherever he goes
c) Subsequent authentication is transparent to user
• Single sign-on for the Internet:
• Microsoft: Passport / Hello
• This function would provide the appropriate interfaces to the organization's information resources,
which may include:
a) Client-server and distributed systems
b) Mainframe systems
c) Network security including remote access mechanisms



Single Sign-on - Advantages

SSO advantages include:

a) Multiple passwords are no longer required; therefore, a user may be more inclined and motivated to select a stronger password.
b) It improves an administrator's ability to manage users' accounts and authorizations to all associated systems.
c) It reduces administrative overhead in resetting forgotten passwords over multiple platforms and applications.
d) It reduces the time taken by users to log into multiple applications and platforms.



Single Sign On - Disadvantages

Disadvantages include:

a) Support for all major operating system environments is difficult. SSO implementations will often
require a number of solutions integrated into a total solution for an enterprise's IT architecture.

b) The costs associated with SSO development can be significant when considering the nature and
extent of interface development and maintenance that may be necessary.

c) The centralized nature of SSO presents the possibility of a single point of failure and total compromise
of an organization's information assets.

AUTHENTICATION

Remote authentication protocols:
a) RADIUS (Remote Access Dial-in User Services)
b) Kerberos
c) TACACS (Terminal Access Control Access Control System)

Authentication enhancement:
a) Single sign-on
b) Two-factor authentication
c) Password and token, or challenge response methods
d) Biometric and password
e) One-time passwords

Authorization

a) The authorization process of access control often requires that the system be able to identify and differentiate among users.
b) For example, access control is often based on least privilege, which refers to the granting to users of only those accesses required to perform their duties.
c) Access rules (authorization) specify who can access what. Access should be on a documented need-to-know and need-to-do basis by type of access.

Authentication vs Authorization

• Authentication - Who goes there? Restrictions on who (or what) can access the system.
• Authorization - Are you allowed to do that? Restrictions on the actions of authenticated users.
• Authorization is a form of access control.
• Authorization is enforced by access control lists and capabilities.


Access Control Matrix
• Subjects (users) index the rows
• Objects (resources) index the columns

                    OS    Accounting  Accounting  Insurance  Payroll
                          program     data        data       data
Bob                 rx    rx          r           ---        ---
Alice               rx    rx          r           rw         rw
Sam                 rwx   rwx         r           rw         rw
Accounting program  rx    rx          rw          rw         rw


ACCESS RIGHTS / CRITERIA

Rights
• Read (view)
• Write (modify)
• Delete (remove)
• Execute

Criteria for controlling access
• User groups having common user rights
• Based on physical location
• Based on time-of-day (allowed only during office hours)
• Based on transaction type (view balances only, cannot enter transactions)
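The following is an added example, not from the slides: the access control matrix above encoded as Python data, with the two views through which authorization is enforced (an ACL is a column of the matrix, a capability list is a row) and an access check that also applies the criteria on this slide. The office hours, the locations and the set of time-restricted objects are constructed assumptions, not part of the slides' matrix.

```python
"""Added example, not from the CISA slides: the slides' access control matrix
as data, its ACL and capability views, and an access check that applies the
time-of-day, location and transaction-type criteria. Office hours, locations
and the time-restricted objects are constructed assumptions.
"""

# The matrix from the slides: "" stands for --- (no access).
ACM = {
    "Bob":   {"OS": "rx",  "Accounting program": "rx",  "Accounting data": "r",
              "Insurance data": "",   "Payroll data": ""},
    "Alice": {"OS": "rx",  "Accounting program": "rx",  "Accounting data": "r",
              "Insurance data": "rw", "Payroll data": "rw"},
    "Sam":   {"OS": "rwx", "Accounting program": "rwx", "Accounting data": "r",
              "Insurance data": "rw", "Payroll data": "rw"},
    "Accounting program": {"OS": "rx", "Accounting program": "rx", "Accounting data": "rw",
                           "Insurance data": "rw", "Payroll data": "rw"},
}

# Constructed criteria (assumptions, not from the slides' matrix).
OFFICE_HOURS = range(9, 17)                        # 09:00 to 16:59
TIME_RESTRICTED = {"Payroll data", "Insurance data"}
ALLOWED_LOCATIONS = {"Bob": {"HQ"}, "Alice": {"HQ", "Branch"},
                     "Sam": {"HQ"}, "Accounting program": {"HQ"}}


def acl_for(obj):
    """One column of the matrix: the object's access control list."""
    return {subj: row[obj] for subj, row in ACM.items() if row[obj]}


def capabilities_for(subject):
    """One row of the matrix: the subject's capability list."""
    return {obj: rights for obj, rights in ACM[subject].items() if rights}


def allowed(subject, obj, right, hour=None, location=None):
    """Authorization check: matrix entry first, then time-of-day and location criteria.

    Transaction-type restrictions (view balances only, cannot enter transactions)
    are expressed in the matrix by granting 'r' without 'w' on the data.
    """
    if right not in ACM.get(subject, {}).get(obj, ""):
        return False
    if obj in TIME_RESTRICTED and hour is not None and hour not in OFFICE_HOURS:
        return False
    if location is not None and location not in ALLOWED_LOCATIONS.get(subject, set()):
        return False
    return True


def review_writers(obj):
    """Periodic access review: who can modify this object?"""
    return sorted(subj for subj, rights in acl_for(obj).items() if "w" in rights)


if __name__ == "__main__":
    print("ACL for Payroll data:", acl_for("Payroll data"))
    print("Capabilities of Bob:", capabilities_for("Bob"))
    print("Alice writes payroll at 22:00?", allowed("Alice", "Payroll data", "w", hour=22))
```

Note the order inside `allowed`: the matrix entry is the authorization itself, and the criteria can only narrow it (an unknown subject or an unlisted location is denied), never widen it.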


Logical Access Security Administration

Security administration can be either centralized or decentralized.

Advantages of decentralizing administration are:
• It can be onsite at distributed locations
• Timely resolution of security issues
• More frequent monitoring of security controls

Disadvantages of decentralizing are:
• Local standards may not be in line with organizational standards
• The level of security management may be below what can be maintained centrally
• Unavailability of frequent audits and checks


Mechanisms to control remote sites

• Software-level controls over access to systems, files and remote access
• Secure physical control environment
• Access via modems to be limited
• Securing system documentation and manuals, to prevent unauthorised personnel from gaining access
• Data transmission controls
• Integrity of files if replicated and stored


REMOTE ACCESS USING MOBILE DEVICES


SYSTEM LOGS

• System logs are created by the OS to log such events as startup and shutdown, hardware and other system failures.
• The system administrator needs to set the size of the log file depending upon the organization's requirements.
• The OS may shut down if the log size becomes full.


Tools for log analysis

• Log reduction tools
• Trend/variance detection tools
• Attack-signature detection tools
• SIEM
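As an added example (not from the slides or from any SIEM product), the Python below applies the three kinds of tool on this slide to a constructed system log: a reduction filter that drops routine events, a variance check that compares each user's failed logons with a baseline, and an attack-signature rule for a burst of rejected logons from one source followed by an accepted one. The log lines, the program names treated as routine and the thresholds are all constructed.

```python
"""Added example, not from the CISA slides or any SIEM product: log reduction,
trend/variance detection and attack-signature detection over a constructed
system log. Log lines, routine program names and thresholds are constructed.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log (syslog-like, one event per line).
SAMPLE_LOG = """\
2024-03-01T08:00:01 host1 kernel: system startup
2024-03-01T08:05:10 host1 sshd: Accepted password for alice from 10.0.0.5
2024-03-01T08:05:12 host1 cron: job backup finished
2024-03-01T09:10:00 host1 sshd: Failed password for bob from 203.0.113.9
2024-03-01T09:10:03 host1 sshd: Failed password for bob from 203.0.113.9
2024-03-01T09:10:06 host1 sshd: Failed password for bob from 203.0.113.9
2024-03-01T09:10:09 host1 sshd: Failed password for bob from 203.0.113.9
2024-03-01T09:10:12 host1 sshd: Accepted password for bob from 203.0.113.9
2024-03-01T09:30:00 host1 cron: job backup finished
2024-03-01T10:00:00 host1 kernel: disk error on /dev/sda
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\w+): (?P<msg>.*)$")
AUTH_RE = re.compile(r"(?P<result>Accepted|Failed) password for (?P<user>\w+) from (?P<src>[\d.]+)")
ROUTINE_PROGRAMS = {"cron"}      # constructed: events a reduction filter drops


def parse(text):
    """Turn raw lines into event dicts; unparseable lines are kept as 'raw' for review."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            events.append({"raw": line})
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        auth = AUTH_RE.search(ev["msg"])
        if auth:
            ev.update(auth.groupdict())
        events.append(ev)
    return events


def reduce_log(events):
    """Log reduction: remove routine noise from known benign programs."""
    return [e for e in events if e.get("prog") not in ROUTINE_PROGRAMS]


def failed_logons_per_user(events):
    return Counter(e["user"] for e in events if e.get("result") == "Failed")


def variance_alerts(events, baseline, factor=3):
    """Trend/variance: users whose failed-logon count exceeds factor x their baseline."""
    counts = failed_logons_per_user(events)
    return sorted(u for u, n in counts.items() if n > factor * max(baseline.get(u, 0), 1))


def guessing_signature(events, threshold=3, window=timedelta(minutes=5)):
    """Attack signature: >= threshold failures for (user, src) inside `window`, then success."""
    recent_failures = {}
    alerts = []
    for e in events:
        if "result" not in e:
            continue
        key = (e["user"], e["src"])
        fails = [t for t in recent_failures.get(key, []) if e["ts"] - t <= window]
        if e["result"] == "Failed":
            fails.append(e["ts"])
        elif len(fails) >= threshold:
            alerts.append((e["user"], e["src"], len(fails)))
            fails = []
        recent_failures[key] = fails
    return alerts


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("after reduction:", len(reduce_log(events)), "of", len(events), "events")
    print("variance alerts:", variance_alerts(events, {"alice": 0, "bob": 1}))
    print("signature alerts:", guessing_signature(events))
```

The signature rule deliberately keys on the accepted logon that ends the burst, because that is the event an auditor most wants to follow up: repeated rejections alone may be a user mistyping, as the password management slides note, but rejections followed by success from the same source is the pattern that warrants review.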


Federated Identity Management

• Arrangement between multiple enterprises to use common identification data, to provide access within the group
• Links a user's identity across multiple security domains; once authenticated, there is no need to separately authenticate to other resources
• Based on trust and secure message transmission
• Needs clearly defined policies/monitoring


Auditing Logical Access

• Familiarization with the IT environment
• Assessing and documenting access paths
• Interviewing systems personnel
• Reviewing reports from access control software
• Reviewing application systems operations manual


Techniques for testing security

• Terminal cards and keys
• Terminal identification
• Logon IDs and passwords
• Controls over production resources
• Logging and reporting of computer access violations
• Follow-up of access violations
• Bypassing security and compensating controls
• Review of access controls and password administration


Data Leakage

• Involves siphoning or leaking information out of computers, physically or logically
• Involves unauthorised transfer of sensitive data from the organisation to the outside world
• Data Leak Prevention (DLP) solutions: a suite of technologies and processes to locate, monitor and protect sensitive information from unauthorised use

DLP key objectives include:
a) Locate, inventory and catalogue information stored throughout the enterprise
b) Monitor and control the movement of sensitive information:
   • across networks
   • on end points
c) Covers:
   • Data at rest (storage)
   • Data in transit/motion (network)
   • Data in use (end points)


Data Leakage

Common functions/features of DLP:
• Policy creation and management
• Directory service integration
• Workflow management
• Backup/restoration
• Report/MIS

Risks and limitations include:
• Improperly tuned network DLP modules
• High false positives/excess reporting
• Inability to decrypt: encrypted content cannot be filtered or analysed
• Cannot interpret/analyse graphic files/content
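The objectives and limitations on the two Data Leakage slides above are all visible in the content-inspection step that every DLP module (at rest, in transit or in use) performs. The Python below is an added example for this page, not code from the CISA material or from any DLP product. It shows why a Luhn check is needed to keep false positives down, why ciphertext and image files come back as "unanalysable" rather than "clean", and how the same finding is blocked on one channel but only logged on another. The classification labels, the blocking channel list, the entropy cut-off and the sample inputs are assumptions constructed for the example.

```python
import math
import re
from collections import Counter

# Assumptions for this example: the classification labels, the channels on which
# a hit is blocked rather than only logged, and the entropy cut-off.
KEYWORDS = ("CONFIDENTIAL", "INTERNAL ONLY")
BLOCKING_CHANNELS = {"email", "web_upload", "usb"}
ENTROPY_LIMIT = 7.0          # bits per byte; plain text is far lower, ciphertext is near 8
MAGIC = {b"\x89PNG": "png", b"\xff\xd8\xff": "jpeg", b"GIF8": "gif"}
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")   # 13 to 19 digit runs

def luhn_ok(digits):
    """Luhn check: rejects most digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def shannon_entropy(data):
    """Bits of entropy per byte; used as a cheap 'is this encrypted?' heuristic."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def inspect(data, channel="email"):
    """Content inspection for one object: a file at rest, a message in transit,
    or a clipboard/print buffer in use. Returns a decision and masked findings."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            # Limitation on the slide: graphic content cannot be interpreted without OCR.
            return {"status": "unanalysable", "reason": "graphic content (%s)" % kind, "findings": []}
    if len(data) >= 64 and shannon_entropy(data) > ENTROPY_LIMIT:
        # Limitation on the slide: without the key, ciphertext cannot be filtered.
        return {"status": "unanalysable", "reason": "high entropy, likely encrypted or compressed", "findings": []}
    text = data.decode("utf-8", errors="replace")
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            # Report a masked value so the DLP log does not itself become a leak.
            findings.append(("PAN", digits[:6] + "*" * (len(digits) - 10) + digits[-4:]))
    upper = text.upper()
    findings.extend(("KEYWORD", kw) for kw in KEYWORDS if kw in upper)
    if not findings:
        status = "clean"
    elif channel in BLOCKING_CHANNELS:
        status = "block"
    else:
        status = "log"
    return {"status": status, "reason": None, "findings": findings}

if __name__ == "__main__":
    print(inspect(b"Card: 4111 1111 1111 1111 exp 12/26", channel="email"))
    print(inspect(bytes(range(256)) * 8))    # constructed stand-in for ciphertext
```

A practitioner tuning this would watch the "unanalysable" results as closely as the blocks: a network DLP module that silently passes encrypted or image traffic as clean is the "improperly tuned" case from the slide, whereas reporting it separately lets policy decide whether such traffic may leave at all.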
Physical Access and Environment Controls



Physical Security
• Physical access control

Environmental Controls
• Environmental hazards
• Natural disaster


Physical Access Control

Layered, from the outside in:
• Boundary area
• Building (building access control)
• Computer department (control to the computer department)
• Other buildings inside the boundary are controlled separately
Physical Access Control

Security guards

Mechanical locks & keys

Employee badges & cards

Electronic systems

Bio-metric techniques

Video camera



Physical Security Checklist

Fire protection measures:
a) Fire detection & fire fighting equipment
b) Procedures to be followed in case of a fire
c) Fire fighting training

Electrical equipment protection
Electrical power shut down & recovery
Environmental protection

Physical access control:
• Prohibit eating & smoking in restricted areas
• Universal use of badges by staff & visitors
• Stringent security for sensitive areas
• Minimal traffic & access to work areas
• Restrictions on usage of terminals and workstations


Physical Security

Source              Example                                                               Type of threat
Natural disasters   Fire, windstorm, lightning, flood                                     Accidental
Manmade             Incompetence, curiosity                                               Accidental
Manmade             Civil riots, industrial action, internal sabotage, external sabotage  Deliberate


Fire

Function of control   Example
Preventive            • Construction materials for buildings
                      • Administrative procedures to prevent fire
Detective             • Heat and smoke detectors
Corrective            • Sprinkler system using water or gas
                      • Training of fire marshals and all personnel
                      • Clear signposts for exits
                      • Fire fighting equipment


Fire Control

▪ Both automatic and manual fire alarms are placed at strategic locations throughout the installation
▪ When a fire alarm is activated, a signal is sent automatically to a permanently manned station
▪ An automatic extinguisher system exists that dispenses the appropriate suppressant: water, carbon dioxide or halon (halon production has been phased out under the Montreal Protocol, so new installations use clean-agent or inert-gas replacements, although legacy halon systems may still be encountered)
▪ A control panel shows where in the installation an automatic or manual alarm has been triggered
▪ Besides the control panel, master switches exist for power (including air conditioning and the automatic extinguisher system)
▪ The building has been constructed from fire resistant materials, and it is structurally stable when fire damage occurs
▪ Fire extinguishers and fire exits are marked clearly
Protection Against Water Damage

▪ Have waterproof ceilings, walls and floors wherever possible
▪ Ensure that the drainage system is adequate
▪ Install alarms within the installation at strategic locations
▪ In flood areas, have the installation above the high-water level
▪ Have a master switch for all water mains
▪ Use a dry pipe automatic sprinkler system that is charged by an alarm and activated by the fire, so pipes over equipment stay empty until a fire is confirmed
▪ Cover hardware with a protective fabric when it is not in use


ENERGY VARIATION
➢ Increase in power (spikes/surges)
➢ Decrease in power (brownouts/sags)
➢ Loss of power (blackouts)

Protection
➢ Voltage regulators
➢ Circuit breakers
➢ Backup batteries (UPS)
➢ Generators


POLLUTION

Causes
• Dust
• Food

Protection
• Regular cleaning
• Vacuuming
• Dust collecting rugs at entrances
• Segregate dust generating activities
• Pests and rodent controls



SITE / BUILDING

• Geographical location
• Neighborhood
• Accessibility in an emergency
• Socio-economic conditions
• Layout of building
• Location of doors / windows
• Fire protection
• Computer centre
• Electrical power supply
• Air - conditioning
• Electro - magnetic fields



Structural Damage

Causes
• Earthquake
• Wind
• Snow
• Rain
• Accidents
• Sabotage
Protection
• Structural Engineering
• Location of building



Importance Of Information Security Management

An effective information security management process requires senior management commitment and support.

Security policies and procedures must be up-to-date and reflect business objectives, generally accepted security standards and practice.

The development of the information systems security policy is the responsibility of the top level of management in an organization, which delegates its implementation to the appropriate level of management with the required controls.


Importance of information security management

• Computer crime issues and exposures:
  • Computer systems can be used to steal money, goods, software or corporate information.
  • Computer crime can be committed with absolutely nothing physically being taken or stolen, and it can be done with the ease of logging in from home or a coffee shop.
  • Committing crimes that exploit the computer and the information it contains can be damaging to the reputation, morale and the very existence of an organization.