Frigør det fulde potentiale i dine projekter.
Vis hele kortet
Kopier og rediger map Kopier

Chapter 8 : Controls for Information Security

Andre
Artos 07

accounting Information System

Kom i gang. Det er Gratis
eller tilmeld med din email adresse
Lignende mindmaps Mindmap-oversigt
Chapter 8 : Controls for Information Security af Mind Map: Chapter 8 : Controls for Information Security

1. How to Mitigate Risk of Attack

1.1. Preventive Controls

1.1.1. People

1.1.1.1. Culture of security - Tone set at the top with management

1.1.1.2. Training - Follow safe computing practices

1.1.1.2.1. Never open unsolicited e-mail attachments

1.1.1.2.2. Follow safe computing practices

1.1.1.2.3. Protect against social engineering

1.1.2. Process

1.1.2.1. Authentication—verifies the person

1.1.2.1.1. Something person knows

1.1.2.1.2. Something person has

1.1.2.1.3. Some biometric characteristic

1.1.2.1.4. Combination of all three

1.1.2.2. Authorization—determines what a person can access

1.1.2.3. Formal process used to ensure that modifications to hardware, software, or processes do not reduce systems reliability

1.1.2.4. Good change management and control requires

1.1.2.4.1. Documentation

1.1.2.4.2. Approval

1.1.2.4.3. Testing

1.1.2.4.4. Develop “backout” plan

1.1.2.4.5. Monitoring

1.1.3. IT Solutions

1.1.3.1. Antimalware controls

1.1.3.2. Network access controls

1.1.3.3. Device and software hardening controls

1.1.3.4. Encryption

1.1.4. Physical security

1.1.4.1. Physical security access controls

1.1.4.1.1. Limit entry to building

1.1.4.1.2. Restrict access to network and data

1.2. Detective Controls

1.2.1. Log analysis

1.2.2. Intrusion detection systems

1.2.3. Continuous monitoring

1.3. Response

1.3.1. Computer Incident Response Teams (CIRT)

1.3.2. Chief Information Security Officer (CISO)

2. Detecting Attacks

2.1. Log Analysis—examining logs to identify evidence of possible attacks

2.2. Intrusion Detection Systems (IDSs) —system that creates logs of network traffic that was permitted to pass the firewall and then analyzes those logs for signs of attempted or successful intrusions

2.3. Continuous Monitoring—employee compliance with organization’s information security policies and overall performance of business processes

3. Trust Services Framework

3.1. Security - Access to the system and data is controlled and restricted to legitimate users.

3.1.1. Security Life Cycle - Security is a management issue

3.1.2. Time-based model, security is effective if: P > D + C where =

3.1.2.1. P is time it takes an attacker to break through preventive controls

3.1.2.2. D is time it takes to detect an attack is in progress

3.1.2.3. C is time it takes to respond to the attack and take corrective action

3.2. Confidentiality - Sensitive organizational data is protected.

3.3. Privacy - Personal information about trading partners, investors, and employees are protected.

3.4. Availability - System and information are available.

4. Understanding Targeted Attacks

4.1. Conduct reconnaissance

4.2. Attempt social engineering

4.3. Scan and map the targe

4.4. Research

4.5. Execute the attack

4.6. Cover tracks

5. Security Implications of Virtualization, Cloud Computing, and the Internet of Things

5.1. Virtualization and Cloud Computing

5.1.1. Positive impact on security

5.1.1.1. Implementing strong access controls is good security over all the systems

5.1.2. Negative impact on security

5.1.2.1. Reliability issues

5.1.2.2. Risk of theft or destruction if unsupervised physical access