R CHANDRASEKHAR
Prep With RC
CISA Chapter - 5 - Part A
INFORMATION ASSET SECURITY FRAMEWORK, STANDARDS AND GUIDELINES
• The most important factor in protecting information assets and privacy is to have an effective
information security management system in place.
• Preserve the confidentiality of sensitive data. Ensure adherence to trust and obligation in relation to any
information pertaining to an identified or identifiable individual (i.e., data subject) in accordance with its
privacy policy or applicable privacy laws and regulations.
• Senior management commitment and support should exist for establishment and continuance of an
information security management program.
• Policy and procedures start with a general organization policy providing concise top management
declaration of direction addressing the importance of information assets, need for security, and the
importance of defining sensitive and critical assets to protect in regard to confidentiality, integrity and
availability of those assets.
• Responsibilities for the protection of individual assets and for carrying out specific security processes should
be clearly defined.
• The information security policy should provide general guidance on the allocation of security roles and
responsibilities in the organization.
• Education
• Nondisclosure statements signed by the employee
• Periodic audits
Roles: Data Ownership, Security Administrators, New IT Users / Data Users
• New IT Users: need to adhere to the security policy, follow the password policy, acceptable usage, etc.
• Example: a security baseline for OS configuration may require unwanted services to be disabled,
patches to be updated, etc.
• To minimize damage from security incidents and to monitor and learn from such incidents, a formal
incident response capability should be established.
Phases: Planning and preparation, Detection, Initiation, Evaluation, Closure, Post-incident review, Lessons learned
Management Team:
• Security specialists who detect, investigate, contain and recover from incidents
• Non security technical specialists who provide assistance based on subject matter expertise
• Business unit leader liaisons (legal, human resources, public relations, etc.)
IS auditors should review privacy impact analyses or assessments carried out by management. Such assessments
should:
a) Identify the nature of personally identifiable information associated with business processes.
b) Document the collection, use, disclosure and destruction of personally identifiable information.
c) Provide management with a tool to make informed policy, operations and system design decisions based on an
understanding of privacy risk and the options available for mitigating that risk.
d) Create a consistent format and structured process for analyzing both technical and legal compliance with relevant
regulations:
• Ensure that accountability for privacy issues exists
• Reduce revisions and retrofitting of the information systems for privacy compliance
e) Provide a framework to ensure that privacy is considered, from the conceptual and requirements analysis stage to
the final design approval, funding, implementation and communication stage.
Identity and Access Management
HR Security: Screening, Acceptable usage policy
a) Logical system access controls provide a technical means of controlling what information users can utilize, the
programs or transactions they can run, and the modifications they can make.
b) Physical system access controls restrict the entry and exit of personnel, and often equipment and media, from an
area such as an office building, etc.
c) Access to computerized information should be on a documented need-to-know basis, where there is a legitimate
business requirement based on least privilege and segregation of duty principles.
d) The information owner or manager who is responsible for the accurate use and reporting of information should
provide written authorization for users to gain access to information resources under their control.
e) Layered Security For System Access: Provides greater scope and granularity of control to information resources.
For example:
• Network and operating system layers provide general systems control over users authenticating into systems,
system software and application configurations, datasets, load libraries, and any production dataset libraries.
• Database and application controls generally provide a greater degree of control over user activity within a
particular business process by controlling access to records, specific data fields and transactions.
f) Access authorizations should be evaluated regularly to ensure they are still valid.
g) Non-employees with access to company systems should also be held responsible for security compliance and
accountable for security breaches.
• corporate security policy or security rules that deal with sharing of information resources.
• Only administrators (not owners of resources) may make decisions that are derived from policy. Only an
administrator may change the category of a resource, and no one may grant a right of access that is explicitly
forbidden in the access control policy.
TECHNICAL EXPOSURES
• Trojan horses / backdoors
• Salami techniques
• Rounding down
• Asynchronous attacks
• Data leakage
• War driving
• Computer shutdown
• Denial-of-service attack
Paths of Logical Access
• The purpose of access control software is to prevent unauthorized access and modification to
an organization's sensitive data and use of system critical functions
• The greatest degree of protection in applying access control software is at the network and
platform/operating system levels.
Access Control
Authentication factors: Remembered information, Possessed objects, Personal characteristics
LOGON IDS: Each user gets a unique logon ID that can be identified by the system.
PASSWORDS: The password provides individual authentication. Identification/authentication is a two-step process
by which the computer system first verifies that the user has a valid logon ID (user identification) and then
requires the user to substantiate his/her authentication via a password.
ADMINISTRATOR
a) The Administrator has control over the entire system including its operation and security.
b) This is the most powerful user account in the system. The Administrator can have different
names in different OS.
• Root in UNIX
• Administrator in NT
c) The Administrator can create other users and assign access permission to such users.
Password Management
• All users to have a password
• Passwords to be changed frequently
• Passwords not to be repeated for a given number of changes
• Once the number of allowed trials is exhausted, the user is not permitted to log on.
• The Administrator has to specifically unlock the account and permit
• The user account can also be locked when the user is on leave to prevent others from logging in using that
account
Password Encryption
Passwords stored in the OS are normally encrypted so that one is not able to view and read the passwords,
which would be possible if the passwords were stored as plain text. Encryption is a form of mutilation.
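The rules in the Password Management and Password Encryption slides above, worked into a small account store. This is an added example, not code from the slide deck: it keeps passwords only as salted, iterated one-way hashes (the practical form of the "encryption" the slide refers to), refuses reuse of the last N passwords, locks the account after a fixed number of failed logons until an administrator unlocks it, and lets an administrator lock an account (e.g. while the user is on leave). The limits (3 attempts, history of 5, 90-day maximum age) and the sample logon IDs and passwords are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import time

# Policy parameters: assumed values, not taken from the slides.
MAX_ATTEMPTS = 3               # lock the account after this many failed logons
HISTORY_SIZE = 5               # the last 5 passwords may not be reused
MAX_AGE_SECONDS = 90 * 86400   # force a change after 90 days
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt):
    # Salted, iterated one-way hash: the stored value cannot be read back as the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class Account:
    def __init__(self, logon_id, password, now=None):
        self.logon_id = logon_id
        self.history = []          # (salt, digest) of current and previous passwords
        self.failed_attempts = 0
        self.locked = False
        self.salt = b""
        self.digest = b""
        self.changed_at = 0.0
        self._set(password, now)

    def _set(self, password, now):
        # A fresh random salt per password so equal passwords never share a digest.
        salt = os.urandom(16)
        self.salt, self.digest = salt, hash_password(password, salt)
        self.history.append((salt, self.digest))
        self.history = self.history[-HISTORY_SIZE:]
        self.changed_at = time.time() if now is None else now

    def _was_used(self, password):
        # Compare against each historical salt/digest pair in constant time.
        return any(hmac.compare_digest(hash_password(password, s), d) for s, d in self.history)

    def change_password(self, old, new, now=None):
        if not hmac.compare_digest(hash_password(old, self.salt), self.digest):
            return "old password incorrect"
        if self._was_used(new):
            return "password was used recently"
        self._set(new, now)
        return "changed"

    def logon(self, password, now=None):
        now = time.time() if now is None else now
        if self.locked:
            return "account locked: administrator must unlock"
        if hmac.compare_digest(hash_password(password, self.salt), self.digest):
            self.failed_attempts = 0
            if now - self.changed_at > MAX_AGE_SECONDS:
                return "password expired: change required"
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_ATTEMPTS:
            self.locked = True
            return "account locked: administrator must unlock"
        return "refused"

    def admin_unlock(self):
        self.locked = False
        self.failed_attempts = 0

    def admin_lock(self):
        # Used, for example, while the user is on leave.
        self.locked = True


if __name__ == "__main__":
    acct = Account("alice", "Winter2024!", now=0.0)   # constructed sample account
    for attempt in ("Winter2024!", "wrong", "wrong", "wrong", "Winter2024!"):
        print(attempt, "->", acct.logon(attempt, now=10.0))
    acct.admin_unlock()
    print("reuse:", acct.change_password("Winter2024!", "Winter2024!", now=10.0))
    print("change:", acct.change_password("Winter2024!", "Spring2025!", now=10.0))
```

The `now` parameter exists only so the expiry rule can be exercised without waiting; in production the wall clock is used. The stored `digest` contains no recoverable plaintext, which is what the slide's "mutilation" remark is getting at.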
Biometrics
• Biometric access controls are the best means of authenticating a user's identity based on a unique,
measurable attribute or trait for verifying the identity of a human being.
• This control restricts computer access based on a physical (something you are) or behavioral
(something you do) characteristic of the user.
Phases: Enrollment phase, Recognition phase
False Rejection Rate (FRR) or type-I error rate: the number of times an individual granted authority to use the
system is falsely rejected by the system. An aggregate measure of type-I error rates is the failure-to-enroll rate
(FER), the proportion of people who fail to be enrolled successfully.
False Acceptance Rate (FAR) or type-II error rate: the number of times an individual not granted authority to use
a system is falsely accepted by the system.
Equal Error Rate (EER): an overall metric related to the two error types; the percentage at which false rejection
and false acceptance are equal. The lower the overall measure, the more effective the biometric.
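Computing the three rates from match scores, as an added example that is not part of the slide deck. The genuine and impostor score lists and the enrollment outcomes below are constructed sample data; the scoring convention (higher score means a closer match, accepted when the score reaches the threshold) is an assumption of the example. The EER is found by sweeping the threshold over the observed scores and taking the point where FRR and FAR are closest.

```python
# Constructed sample data: match scores in [0, 1] for ten enrolled users (genuine attempts)
# and ten non-users (impostor attempts), plus the outcome of ten enrollment sessions.
GENUINE = [0.91, 0.88, 0.85, 0.80, 0.78, 0.75, 0.70, 0.66, 0.60, 0.52]
IMPOSTOR = [0.20, 0.31, 0.40, 0.45, 0.50, 0.55, 0.58, 0.62, 0.68, 0.72]
ENROLLMENT_OK = [True, True, False, True, True, True, True, False, True, True]


def frr(threshold, genuine=GENUINE):
    # Type-I error: fraction of legitimate users rejected (score below threshold).
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(threshold, impostor=IMPOSTOR):
    # Type-II error: fraction of impostors accepted (score at or above threshold).
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def fer(outcomes=ENROLLMENT_OK):
    # Failure-to-enroll rate: proportion of people who could not be enrolled.
    return sum(1 for ok in outcomes if not ok) / len(outcomes)


def equal_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    # Sweep every observed score as a candidate threshold; the EER is where FRR and FAR meet.
    # Returns (threshold, eer) with eer taken as the mean of the two rates at that threshold.
    best = None
    for t in sorted(set(genuine + impostor)):
        r, a = frr(t, genuine), far(t, impostor)
        gap = abs(r - a)
        if best is None or gap < best[0]:
            best = (gap, t, r, a)
    _, t, r, a = best
    return t, (r + a) / 2


if __name__ == "__main__":
    for t in (0.5, 0.66, 0.9):
        print(f"threshold {t:.2f}: FRR={frr(t):.2f} FAR={far(t):.2f}")
    print("FER:", fer())
    print("EER threshold, rate:", equal_error_rate())
```

Raising the threshold trades FAR for FRR: at 0.50 no genuine user is rejected but 60% of impostors get in, at 0.90 no impostor gets in but 90% of genuine users are rejected. The crossover for this data is at 0.66 with an EER of 0.20; a better sensor or algorithm pushes the two score distributions apart and lowers that number.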
Management of biometrics should address the security of collection, distribution and processing of biometric data,
including:
a) Data integrity, authentication, non-repudiation
b) Management of biometric data across its life cycle: enrollment, transmission, storage, verification and
termination
c) One-to-one and one-to-many matching
d) Encapsulation of biometric data
e) Secure transmission and storage
f) Security of physical hardware used through the life cycle
g) Integrity and privacy of biometric data
Requires 2 out of 3 of the authentication factors. Examples:
• ATM: card and PIN
• Credit card: card and signature
• Smartcard with password/PIN
• Password generator: device and PIN
SSO advantages include:
a) Multiple passwords are no longer required; therefore, a user may be more inclined and motivated to select a
stronger password.
b) It improves an administrator's ability to manage users' accounts and authorizations to all associated
systems.
c) It reduces administrative overhead in resetting forgotten passwords over multiple platforms and
applications.
d) It reduces the time taken by users to log into multiple applications and platforms.
Disadvantages include:
a) Support for all major operating system environments is difficult. SSO implementations will often
require a number of solutions integrated into a total solution for an enterprise's IT architecture.
b) The costs associated with SSO development can be significant when considering the nature and
extent of interface development and maintenance that may be necessary.
c) The centralized nature of SSO presents the possibility of a single point of failure and total compromise
of an organization's information assets.
Authentication enhancement
b) Two-factor authentication
e) One-time passwords
Authorization
to users of only those accesses required to perform their duties.
Authentication vs Authorization: Authorization asks "Are you allowed to do that?" and places restrictions on the
actions of authenticated users. Authorization is a form of access control.
Authorization enforced by: Access Control Lists, Capabilities
Access control matrix (rows: subjects; columns: five objects, not named on the slide):
Alice: rx rx r rw rw
Accounting program: rx rx rw rw rw
• Read (view)
• Write (modify)
• Delete (remove)
• Execute
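The access control matrix above, expressed both ways the slide names: as access control lists (rights stored with each object) and as capability lists (rights stored with each subject). This is an added example, not code from the slide deck. The object names obj1..obj5 are placeholders because the slide does not label its columns; the `grant` function also folds in the rule from the Identity and Access Management section that only an administrator may grant access and that no one may grant a right the policy explicitly forbids. The administrator name, the extra subject "Bob" and the forbidden entry are constructed for the example.

```python
# The matrix from the slide: subject -> rights on each of five objects (r=read, w=write, x=execute).
MATRIX = {
    "Alice": ["rx", "rx", "r", "rw", "rw"],
    "Accounting program": ["rx", "rx", "rw", "rw", "rw"],
}
OBJECTS = ["obj1", "obj2", "obj3", "obj4", "obj5"]   # placeholder names; the slide leaves columns unnamed

ADMINS = {"sysadmin"}                                # constructed: who may change the matrix
FORBIDDEN = {("Alice", "w", "obj3")}                 # constructed: a right the policy explicitly denies


def capability_lists(matrix=MATRIX, objects=OBJECTS):
    # Capability view: indexed by subject, one entry per object the subject may touch.
    return {subj: {obj: set(r) for obj, r in zip(objects, row) if r}
            for subj, row in matrix.items()}


def access_control_lists(matrix=MATRIX, objects=OBJECTS):
    # ACL view: indexed by object, one entry per subject allowed on it.
    acls = {obj: {} for obj in objects}
    for subj, row in matrix.items():
        for obj, r in zip(objects, row):
            if r:
                acls[obj][subj] = set(r)
    return acls


def is_allowed(subject, right, obj, acls):
    # The authorization check: "are you allowed to do that?" Unknown subjects/objects get nothing.
    return right in acls.get(obj, {}).get(subject, set())


def who_can(obj, right, acls):
    # Cheap with ACLs: every subject holding a right on one object is in that object's list.
    return sorted(s for s, rights in acls.get(obj, {}).items() if right in rights)


def what_can(subject, caps):
    # Cheap with capabilities: everything one subject may do is in that subject's list.
    return {obj: "".join(sorted(rights)) for obj, rights in caps.get(subject, {}).items()}


def grant(actor, subject, right, obj, acls, forbidden=FORBIDDEN, admins=ADMINS):
    # Only an administrator may grant, and never a right the access control policy explicitly forbids.
    if actor not in admins:
        raise PermissionError("only an administrator may grant access")
    if (subject, right, obj) in forbidden:
        raise PermissionError("right explicitly forbidden by access control policy")
    acls.setdefault(obj, {}).setdefault(subject, set()).add(right)
    return acls


def revoke_all(obj, acls):
    # Removing every subject's access to an object is one operation on that object's ACL.
    acls[obj] = {}
    return acls


if __name__ == "__main__":
    acls = access_control_lists()
    caps = capability_lists()
    print("Alice may read obj3:", is_allowed("Alice", "r", "obj3", acls))
    print("Alice may write obj3:", is_allowed("Alice", "w", "obj3", acls))
    print("who can execute obj1:", who_can("obj1", "x", acls))
    print("what Alice can do:", what_can("Alice", caps))
    grant("sysadmin", "Bob", "r", "obj1", acls)
    print("Bob may read obj1:", is_allowed("Bob", "r", "obj1", acls))
```

The two views hold the same information; the choice affects which question is cheap to answer and which change is cheap to make. Reviewing "who has access to this object" (the regular re-evaluation of authorizations that item f above calls for) is a single ACL lookup, whereas revoking everything one departing user holds is a single capability-list deletion.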
ACCESS RIGHTS / CRITERIA: criteria for controlling access
• Logging and reporting of computer access violations
• Follow-up of access violations
• Bypassing security and compensating controls
• Review of access controls and password administration
Data Leakage
Physical access control:
• Building: security guards, electronic systems, biometric techniques, video camera
• Prohibit eating & smoking in restricted areas
• Universal use of badges by staff & visitors
• Stringent security for sensitive areas
• Restrictions on usage of terminals and workstations
• Minimal traffic & access to work areas
Natural Disasters (Accidental): Fire, Windstorm, Lightning, Flood
Manmade (Accidental): Incompetence, Curiosity
Manmade (Deliberate): Civil Riots, Industrial Action, Internal Sabotage, External Sabotage
Fire Control
▪ Both automatic and manual fire alarms are placed at strategic locations throughout the installation
▪ When a fire alarm is activated, a signal is sent automatically to a permanently manned station
▪ An automatic extinguisher system exists that dispenses the appropriate suppressant: water, carbon
dioxide, halon
▪ A control panel shows where in the installation an automatic or manual alarm has been triggered
▪ Besides the control panel, master switches exist for power (including air conditioning and the
automatic extinguisher system)
▪ The building has been constructed from fire-resistant materials, and it is structurally stable when fire
damage occurs
▪ Fire extinguishers and fire exits are marked clearly
Protection Against Water Damage
▪ Have waterproof ceilings, walls and floors wherever possible
▪ Ensure that the drainage system is adequate
▪ Install alarms within the installation at strategic locations
▪ In flood areas, have the installation above the high-water level
▪ Have a master switch for all water mains
▪ Use a dry-pipe automatic sprinkler system that is charged by an alarm and activated by the fire
▪ Cover hardware with a protective fabric when it is not in use
Protection
➢ Voltage regulators
➢ Circuit breakers
➢ Backup batteries
➢ Generators
Causes
• Dust
• Food
Protection
• Regular cleaning
• Vacuuming
• Dust collecting rugs at entrances
• Segregate dust generating activities
• Pests and rodent controls
• Geographical location
• Neighborhood
• Accessibility in an emergency
• Socio-economic conditions
• Layout of building
• Location of doors / windows
• Fire protection
• Computer centre
• Electrical power supply
• Air - conditioning
• Electro - magnetic fields
Causes
• Earthquake
• Wind
• Snow
• Rain
• Accidents
• Sabotage
Protection
• Structural Engineering
• Location of building
Security policies and procedures must be up to date and reflect business objectives and
generally accepted security standards and practice.
The development of the information systems security policy is the responsibility of the
top level of management in an organization, which delegates its implementation to the
appropriate level of management with the required control.