CHAPTER 8 Controls for Information Security - Coggle Diagram
Trust Services Framework
Security : Access to the system and data is controlled and restricted to legitimate users.
Confidentiality : Sensitive organizational data is protected.
Privacy : Personal information about trading partners, investors, and employees is protected.
Processing integrity : Data are processed accurately, completely, in a timely manner, and only with proper authorization.
Availability : The system and its information are available when needed.
Security Life Cycle
1. Assess threats & select risk response
2. Develop and communicate policy
3. Acquire & implement solutions
4. Monitor performance
5. Return to step 1 (the cycle repeats as threats and the environment change)
Corrective Controls
Patch management
Chief Information Security Officer (CISO)
Computer Incident Response Team (CIRT)
How to Mitigate Risk of Attack
Preventive Controls
People
Culture of security : Tone at the top set by management
Training
Protect against social engineering
Follow safe computing practices
Never open unsolicited e-mail attachments
Use only approved software
Do not share passwords
Physically protect laptops/cellphones
Process
Authentication—verifies who the person is
1. Something the person knows (password, PIN)
2. Something the person has (token, smart card)
3. Some biometric characteristic (fingerprint, iris)
4. Combination of two or more of the above (multifactor authentication)
Authorization—determines what an authenticated person is allowed to access (e.g., an access control matrix of users and resources)
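As an added worked example (not part of the original chapter outline), the following Python shows the two process controls above working together: multifactor authentication that combines something the person knows (a password, stored only as a salted PBKDF2 hash) with something the person has (a TOTP authenticator code, computed per RFC 6238 over the RFC 4226 HOTP algorithm), followed by a separate authorization check against an access control matrix. The user store, the fixed salt, the password, the access matrix and the PBKDF2 work factor are all constructed for the illustration; the TOTP secret is the published RFC 4226/6238 test-vector key so the codes can be checked against the standard.

```python
import hashlib
import hmac
import os
import struct

# ---- Factor 1: something the person KNOWS (a password, stored only as a salted hash) ----
PBKDF2_ROUNDS = 200_000  # assumed work factor for this illustration


def hash_password(password, salt=None):
    """Derive a PBKDF2-HMAC-SHA256 hash; the clear-text password is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_password(password, salt, stored_hash):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_hash)  # constant-time comparison


# ---- Factor 2: something the person HAS (a TOTP authenticator, RFC 6238 on top of RFC 4226) ----
def hotp(secret, counter, digits=6):
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                           # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    return hotp(secret, unix_time // step, digits)


def check_totp(secret, code, unix_time, step=30, window=1):
    """Accept the current step plus `window` steps either side to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, unix_time + i * step, step), code)
               for i in range(-window, window + 1))


# ---- Constructed user store (illustration only; a real one lives in a database) ----
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # fixed so the example is deterministic
USERS = {
    "alice": {
        "salt": _SALT,
        "password_hash": hash_password("correct horse battery staple", _SALT)[1],
        "totp_secret": b"12345678901234567890",  # RFC 4226 / RFC 6238 test-vector key
    },
}


def authenticate(username, password, otp, unix_time):
    """Both factors must pass; an unknown user fails the same way as a bad password."""
    user = USERS.get(username)
    if user is None:
        hash_password(password, _SALT)  # spend the same time so usernames cannot be enumerated by timing
        return False
    # Evaluate both factors before deciding so the response time does not reveal which one failed.
    pw_ok = check_password(password, user["salt"], user["password_hash"])
    otp_ok = check_totp(user["totp_secret"], otp, unix_time)
    return pw_ok and otp_ok


# ---- Authorization: an access control matrix (subject x resource -> permitted actions) ----
ACCESS_MATRIX = {
    "alice": {"general_ledger": {"read"}, "payroll": set()},
    "bob":   {"general_ledger": {"read", "write"}, "payroll": {"read"}},
}


def authorize(username, resource, action):
    """Default deny: anything not explicitly granted is refused."""
    return action in ACCESS_MATRIX.get(username, {}).get(resource, set())


def login_and_act(username, password, otp, unix_time, resource, action):
    """Authentication first, then authorization; the two decisions are kept separate."""
    if not authenticate(username, password, otp, unix_time):
        return "denied: authentication failed"
    if not authorize(username, resource, action):
        return f"denied: {username} may not {action} {resource}"
    return f"ok: {username} {action} {resource}"
```

Authentication answers "is this really alice?" and authorization answers "may alice write to the general ledger?"; keeping them as separate functions is what lets the access matrix be changed without touching the credential logic. The `window` argument is the usual trade-off: each extra step accepted widens the time in which a stolen code remains usable.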
IT Solutions
Antimalware controls
Network access controls
Device and software hardening controls
Encryption
Physical security
Limit entry to building
Restrict access to network and data
Change controls and change management
Formal processes in place regarding changes made to hardware, software, or processes
Detective Controls
Intrusion detection systems
Penetration testing
Log analysis
Continuous monitoring
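As an added example of the log-analysis detective control (not code from the original chapter), the Python below runs a simple intrusion-detection rule over a handful of constructed sshd-style authentication log lines: five or more failed logins from one source address within sixty seconds raises a brute-force alert, and a subsequent successful login from that same source raises a higher-severity "success after brute force" alert. The log lines, host name, user names and addresses are all made up for the illustration (the addresses are from documentation ranges); the threshold and window are assumptions a real deployment would tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log (not from any real system): one burst from 203.0.113.7 that ends in
# a successful login, and one ordinary typo-then-success from 198.51.100.2.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z gw sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
2024-03-04T09:12:03Z gw sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
2024-03-04T09:12:04Z gw sshd[2201]: Failed password for root from 203.0.113.7 port 51240 ssh2
2024-03-04T09:12:06Z gw sshd[2201]: Failed password for root from 203.0.113.7 port 51242 ssh2
2024-03-04T09:12:08Z gw sshd[2201]: Failed password for bob from 203.0.113.7 port 51244 ssh2
2024-03-04T09:12:09Z gw sshd[2201]: Accepted password for bob from 203.0.113.7 port 51246 ssh2
2024-03-04T09:30:00Z gw sshd[2310]: Failed password for alice from 198.51.100.2 port 40001 ssh2
2024-03-04T09:31:00Z gw sshd[2311]: Accepted publickey for alice from 198.51.100.2 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return (timestamp, result, user, source) or None for lines the rule does not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["result"], m["user"], m["src"]


def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window brute-force rule plus 'success after brute force' correlation."""
    failures = defaultdict(deque)  # src -> timestamps of failures inside the window
    flagged = {}                   # src -> first failure of the burst that triggered an alert
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        if result == "Failed":
            recent = failures[src]
            recent.append(ts)
            while recent and ts - recent[0] > window:   # drop failures older than the window
                recent.popleft()
            if len(recent) >= threshold and src not in flagged:
                flagged[src] = recent[0]
                alerts.append({"time": ts, "type": "brute_force", "src": src,
                               "first_seen": recent[0],
                               "detail": f"{len(recent)} failed logins within "
                                         f"{int(window.total_seconds())}s"})
        elif src in flagged:
            # A success from an address already in a brute-force burst is the signal that matters most.
            alerts.append({"time": ts, "type": "success_after_brute_force", "src": src,
                           "first_seen": flagged[src],
                           "detail": f"accepted login for {user} after brute-force burst"})
    return alerts


def detection_delay(alert):
    """Seconds from the first event of the attack to the alert: the D of the time-based model."""
    return (alert["time"] - alert["first_seen"]).total_seconds()


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a['time'].isoformat()} {a['type']:<26} {a['src']:<14} {a['detail']}")
```

On the constructed sample the brute-force alert fires on the fifth failure at 09:12:08, seven seconds after the burst began, and the accepted login one second later is escalated; alice's single typo never reaches the threshold. The same structure (parse, keep a bounded window of state per source, emit an alert once per burst) is what a SIEM correlation rule does at scale.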
Security Approaches
Defense-in-depth
Multiple layers of control (preventive and detective) to avoid a single point of failure
Time-based model of security: security is effective if P > D + C, where
P is the time it takes an attacker to break through the preventive controls
D is the time it takes to detect that an attack is in progress
C is the time it takes to respond to the attack and take corrective action
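As an added worked example of the time-based model (not part of the original outline), the Python below derives D and C from an incident timeline and tests P > D + C for two scenarios that share the same preventive layers but differ in their detective control. All figures are constructed for the illustration; the assumption that under defense-in-depth the per-layer break-through times add up (because the attacker must defeat the layers in turn) is made here for the example and is not a claim from the chapter.

```python
from datetime import datetime, timedelta, timezone


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def estimate_p(layers):
    """P under defense-in-depth: each layer must be defeated in turn, so the estimated
    break-through times are summed (assumption made for this illustration)."""
    return sum(layers.values(), timedelta(0))


def evaluate(p, attack_start, detected, contained):
    """Derive D and C from an incident timeline and test the model's condition P > D + C.
    The margin shows how much slack the organization has (negative means the attacker wins)."""
    d = _ts(detected) - _ts(attack_start)
    c = _ts(contained) - _ts(detected)
    return {"P": p, "D": d, "C": c, "effective": p > d + c, "margin": p - (d + c)}


# Constructed estimates of how long each preventive layer holds a capable attacker.
LAYERS = {
    "perimeter firewall":         timedelta(hours=2),
    "hardened, patched host":     timedelta(hours=4),
    "application authentication": timedelta(hours=6),
}

# Scenario 1: an intrusion detection system alerts within minutes and the CIRT contains within the hour.
FAST = evaluate(estimate_p(LAYERS),
                "2024-03-04T01:00:00Z", "2024-03-04T01:07:00Z", "2024-03-04T01:52:00Z")

# Scenario 2: same preventive layers, but the only detective control is a weekly log review.
SLOW = evaluate(estimate_p(LAYERS),
                "2024-03-04T01:00:00Z", "2024-03-11T09:00:00Z", "2024-03-11T11:00:00Z")


if __name__ == "__main__":
    for name, r in (("IDS + CIRT", FAST), ("weekly log review", SLOW)):
        print(f"{name}: P={r['P']} D={r['D']} C={r['C']} "
              f"effective={r['effective']} margin={r['margin']}")
```

The point the numbers make is the one the model makes: with twelve hours of preventive delay, seven minutes to detect and forty-five minutes to contain leaves a comfortable margin, while the identical preventive controls fail once detection takes a week, because P cannot be raised enough to cover a D measured in days. Shrinking D (continuous monitoring) or C (a prepared CIRT) is usually cheaper than adding preventive layers.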