
PrE 5: Information Security and Management

LESSON 2: THREATS AND ATTACKS, SECURITY CONTROLS, ETHICS in InfoSec

Angelina Marie R. Santos, MBA

Learning Objectives
• Identify different threats and attacks
• Define security controls
• Elaborate the different sets of security controls
• Discuss ethics in InfoSec

Threats and Attacks

Threats
A threat represents a potential risk to an information asset, whereas an attack represents an ongoing act against the asset that could result in a loss. Threat agents damage or steal an organization’s information or physical assets by using exploits to take advantage of a vulnerability where controls are not present or no longer effective.

SECURITY CONTROLS

What are security controls?
Security controls are countermeasures or safeguards used to reduce the chances that a threat will exploit a vulnerability.

Three different sets of security controls:
1. Managerial security controls
2. Operational security controls
3. Technical security controls

1. Management Security Controls
Managerial controls focus on the management of the information system and the management of risk for a system. They are techniques and concerns that are normally addressed by management.

The following are managerial security controls:
• Risk assessment
• Planning
• System and services acquisition
• Certification, accreditation, and security assessments

2. Operational Security Controls
Operational controls address security methods focusing on mechanisms primarily implemented and executed by people (not technology). These controls are put in place to improve the security of a particular system (or group of systems). They often require technical or specialized expertise and often rely on management activities as well as technical controls.
The following are operational security controls:
• Personnel security
• Physical and
• Contingency planning
• Awareness and training

3. Technical Security Controls
Technical controls focus on security controls that the computer system executes. The controls can provide automated protection against unauthorized access or misuse, facilitate detection of security violations, and support security requirements for applications and data. Technical controls use software and data to monitor and control access to information and computing systems.

The following are technical security controls:
• Encryption
• Antivirus and anti-malware software
• Firewalls

Ethics in InfoSec

What is Ethics?
Some define ethics as the organized study of how humans ought to act. Others define it as a set of rules we should live by. The student of information security is not expected to study ethics in a vacuum, but within a larger framework. However, InfoSec professionals may be expected to be more informed about the topic than others in the organization, and they must often withstand a higher degree of scrutiny.

The Ten Commandments of Computer Ethics
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people’s computer work.
3. Thou shalt not snoop around in other people’s computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people’s computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people’s intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.