
CHAPTER 7

Information Security

• To understand how to audit a data centre
• Observe how to audit Physical Controls
• Environment Controls
• Understand security Management
• Understand the emerging technologies
Data Centre Facility
• Traditionally, companies have a data processing facility to host their information systems and process and store data.
• A data centre is a facility that hosts the servers and infrastructure that provide computing power and resources to its information systems.
• The data centre is usually geographically isolated.
• Companies typically have two separate data centres (primary and secondary sites) for business resilience and continuity purposes.
• This facility contains business-critical and sensitive information that is relied upon for business operations and financial reporting.
Auditing Physical Control for a data centre
• A security officer should guard the outside perimeter to monitor movements.
• The security guard should also vet visitors to ensure that the users accessing the facility have a valid business reason.
• The data centre should have a closed-circuit television (CCTV) system to monitor the facility.
• If possible, motion detection cameras should be used to detect and record motion in these areas.
• What type of control is a CCTV?
• The facility should have an access control system to prevent unauthorized access.
• The facility manager/security officer should grant users access based on their job roles.
• The data centre should have a motion detection alarm system connected to a security company / local authorities and emergency services to ensure that an intrusion is detected in a timely manner.
Auditing Environment Control for a data centre
• The data centre should have a backup power supply system to ensure that the facility continues to be operational in the event of the loss of electricity.
• A diesel generator, uninterruptible power supply (UPS) or any other alternative power source should be used.
• The servers within the data centre require a certain temperature for optimal performance.
• The data centre should have a thermometer in place to monitor the temperature within the data centre.
• The data centre requires an effective air cooling system to direct hot air outside and bring in cooled air.
• The data centre should have smoke detectors to detect smoke within the facility and a fire suppression system to suppress a fire if a fire breaks out.
• A dry fire suppression system using agents such as carbon dioxide should be utilised within the data centre.
Auditing Security Controls in the data centre
• Security controls can either be administrative or technical.
• A policy is an administrative directive put in place to lay the foundation of the measures that should be put in place to secure an organisation's information systems.
• The password settings are examples of technical security controls; other examples are the segmentation of a corporate network, firewall rules to restrict access to the network, virtual private networks (VPN) to restrict access further, and data encryption standards such as MD5 or SHA256.
• Technical controls are the technical measures to secure the confidentiality, integrity and availability (CIA) of an information system and its data.
Authentication
• Authentication is the bedrock or first gate to access a corporate network or information system. As an IS auditor, you should review the authentication mechanism enforced on the information systems within the scope of your audit engagement.
Types of Authentication
1. Native authentication
• Using this method, users are authenticated at the application level with a form of identification such as a username and password to authenticate the validity of the users accessing an application. Using an analogy,
2. Single sign-on (for example, a name and password)
3. Multifactor authentication
• According to Doshi (2020), there are three factors of authentication:
• Something you know - for example, a password or secret PIN
• Something you have - for example, a badge or one-time PIN
• Something you are - for example, a fingerprint or eye scan
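As an added example (not from the lecture), the following Python classifies the methods of a login flow into Doshi's three factors and rates each in-scope system the way an auditor would, treating several methods of the same factor as still single-factor; the method-to-factor mapping and the sample systems are assumptions.

```python
# Added example (not from the lecture): classify authentication methods into
# Doshi's three factors and decide whether a login flow is truly multifactor.
# The method-to-factor mapping and the sample systems are assumptions.
FACTOR_OF = {
    "password": "know",
    "secret_pin": "know",
    "security_question": "know",
    "badge": "have",
    "one_time_pin": "have",
    "fingerprint": "are",
    "eye_scan": "are",
}


def factors_used(methods):
    """Return the distinct factor categories a login flow relies on."""
    factors = set()
    for method in methods:
        # Unknown methods raise so the auditor notices them instead of
        # silently counting them as an extra factor.
        if method not in FACTOR_OF:
            raise ValueError(f"unclassified authentication method: {method}")
        factors.add(FACTOR_OF[method])
    return factors


def is_multifactor(methods):
    """True only when at least two *different* categories are used."""
    return len(factors_used(methods)) >= 2


def audit_authentication(systems):
    """Rate each in-scope system's login flow; returns {name: finding}."""
    findings = {}
    for name, methods in systems.items():
        if is_multifactor(methods):
            findings[name] = "multifactor"
        elif len(methods) >= 2:
            # password + security question adds friction but is one factor
            findings[name] = "single-factor (several methods of one kind)"
        else:
            findings[name] = "single-factor"
    return findings


if __name__ == "__main__":
    # Constructed sample: in-scope systems with different login flows.
    sample = {"vpn": ["password", "one_time_pin"],
              "finance_app": ["password", "security_question"]}
    print(audit_authentication(sample))
```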
Security Management
• Technical security controls should be implemented considering other elements of an organisation. The human factor is the weakest link within the organisation.
• Creating security awareness
• The security awareness training provided to employees should cover social engineering exercises. Social engineering exercises have resulted in corporations losing millions of dollars in revenue. Let us look at some examples of social engineering:
Examples of Social Engineering
• Phishing
• Business email compromise
• Baiting
• Tailgating
• Diversion theft
Prevention of malicious software
• Logging
Ensuring that user activities are logged or kept on the system.
• Penetration testing
The identification of risks to information systems' confidentiality, integrity, and availability. Penetration testing aims to check the organisation's control environment and take corrective action if a flaw is discovered.
• Intrusion detection system
An intrusion detection system (IDS) monitors a network (network-based IDS) or a single machine to recognise and detect incursion activities.
• Honeypot
A honeypot is a decoy system that attracts attackers and hackers.
New emerging technologies
• Amazon Web Services defines cloud computing as “the on-demand delivery of IT resources over the Internet with pay-as-you-go pricing. Instead of buying, owning, and maintaining physical data centers and servers, you can access technology services, such as computing power, storage, and databases, on an as-needed basis from a cloud provider like Amazon Web Services (AWS)”.
Emerging Technologies
3.2 Artificial Intelligence
• For example, a car is programmed to study road conditions and be fully autonomous and self-driving.
3.3 Augmented reality
• Augmented reality (AR) is a technologically augmented version of the real world created through digital visual elements, music, or other sensory stimulation.
Emerging Technologies
Internet of things
• IoT is a new concept that is slowly being accepted by businesses.
Blockchain
• A blockchain is a decentralised database shared among the nodes of a computer network. A blockchain acts as a database, storing information in a digital format.
Metaverse
• The metaverse is a virtual world that integrates social networking,
online gaming, augmented reality (AR), virtual reality (VR), and
cryptocurrency to allow people to connect digitally.