Information System and Security Control
Anthony D.J. Matutino
7 CRITERIA TO BE MET BY INFORMATION SYSTEM
- Effectiveness
- Efficiency
- Confidentiality
- Integrity
- Availability
- Compliance
- Reliability
BUSINESS RISK INVOLVING INFORMATION SYSTEM
- Strategic Risk
- Security Risk
- Legal Risk
- Reputational Risk
STRATEGIC RISK
- Strategic assessment and risk analysis
- Integration within strategic goals
- Selection and management of technological infrastructure
- Comprehensive process for managing outsourcing relationships with third-party providers
SECURITY RISK
- Customer security practices
- Authentication of customers
- Non-repudiation and accountability of transactions
- Segregation of duties
- Authorization controls within the systems, databases and applications
- Internal or external fraud
- Audit trails for transactions
- Confidentiality of data during transactions
- Third-party security risk
LEGAL RISK
- Disclosures of information to customers
- Privacy
- Compliance with laws, rules and statements of the regulators
- Exposure to foreign jurisdictions
REPUTATIONAL RISK
- Service level delivery
- Level of customer care
- Business continuity and contingency planning
ACCESS LAYERS
SECURITY MEASURES
- Policies
- Firewalls
- Passwords
- Penetration testing and test software
- Intrusion Detection and Prevention Systems
- Encryption
- Digital signatures
- Virtual Private Networks
- Anti-virus programs
- Anti-spyware programs
- Logging and monitoring
INTERNET SERVICE AS A MEANS OF INFORMATION SYSTEM
- E-mail
- World Wide Web (WWW)
- File Transfer Protocol (FTP)
- News
- Telnet/remote interactive access
- Internet Relay Chat (IRC)/Instant Messaging
E-MAIL THREATS
Threat: Sender – no one can be sure that the sender of an e-mail is the real sender.
Recommendation: Use digital signatures.

Threat: Messages in plain text – a message can be intercepted, read and changed in transit.
Recommendation: Encrypt the message.

Threat: There is no guarantee of secure delivery.
Recommendation: Use a certificate-of-posting function.

Threat: Large attachments can clog the e-mail system and/or server.
Recommendation: Set a limit on the size of attachments that e-mail is allowed to receive, and issue guidelines for downloading, archiving and deleting e-mails.

Threat: Spam (unwanted e-mails).
Recommendation: Set filters to remove or separate spam from legitimate messages.
WORLD WIDE WEB
Threat: Information quality.
Recommendation: Readers should be cautious and, as much as possible, try to verify the information.

Threats: Tracks, browser plug-ins, cookies.
Recommendations: Use a firewall; set your computer to clear its history; use InPrivate browsing.
FILE TRANSFER PROTOCOL
Threat: File Transfer Protocol has basically no security.
Recommendation: Proper configuration can only minimize the risk; scan all incoming files.
NEWS
Threat: Reputation risk – the news/blog can be regarded as the organization’s official view.
Recommendation: It is possible to block access to news; this is a matter of organizational policy.
TELNET
Threat: Username and password are usually sent in plain text, so it is simple for intruders to read user credentials and use them for unauthorized access.
Recommendation: Use one-time or frequently changed passwords, and encrypt the session.
INTERNET RELAY CHAT
Threat: Most IRC clients bypass anti-virus software.
Recommendation: IRC with external access should be avoided. If it is necessary to download a file, avoid executing it directly.
COMMON SIGNS OF VIRUS
- Unusual messages appear on your screen
- Decreased system performance
- Missing data
- Inability to access your hard drives
- Settings are changed automatically
Private browsing modes by browser:
- Chrome - Incognito
- IE – InPrivate Browsing
- Firefox – Private Browsing

Always test a policy on a test computer before applying it to any other computers.
Videos
- Anti-spyware
- Basic PC Security
- Anti-virus and other malware
SUMMARY