Controls for Information Security - Coggle Diagram
Controls for Information Security
Introduction
Security
Confidentiality
Privacy
Processing Integrity
Availability
Two Fundamental Information Security Concepts
Security is a management issue, not just a technology issue
Assess threats & select risk response
Develop and communicate policy
Acquire & implement solutions
Monitor performance
The time-based model of information security
Implementing a combination of preventive, detective and corrective controls that protect information assets long enough to enable an organization to recognize that an attack is occurring and take steps to thwart it before any information is lost or compromised
Defense-in-depth
Employing multiple layers of controls to avoid a single point of failure
Understanding Targeted Attacks
Conduct reconnaissance
Attempt social engineering
Scan and map the target
Research
Execute the attack
Cover tracks
Protect Information Resources
People
Creation Of A Security Conscious Culture
Training
Process
User Access Controls
Authentication
Verifying the identity of the person or device attempting to access the system
biometric identifier
A physical or behavioral characteristic that is used as an authentication credential
multifactor authentication
The use of two or more types of authentication credentials in conjunction to achieve a greater level of security
Multimodal authentication
The use of multiple authentication credentials of the same type to achieve a greater level of security
Authorization
The process of restricting access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform
access control matrix
A table used to implement authorization controls
compatibility test
Matching the user's authentication credentials against the access control matrix to determine whether that employee should be allowed to access that resource and perform the requested action
PENETRATION TESTING
An authorized attempt to break into the organization's information system
CHANGE CONTROLS AND CHANGE MANAGEMENT
The formal process used to ensure that modifications to hardware, software or processes do not reduce system reliability
IT Solutions
Antimalware Controls
Malware can damage or destroy information or provide a means for unauthorized access
Network Access Controls
PERIMETER DEFENSE: ROUTERS, FIREWALLS, AND INTRUSION PREVENTION SYSTEMS
Controlling Access by Filtering Packets
Using Defense-in-Depth to Restrict Network Access
SECURING WIRELESS ACCESS
DEVICE AND SOFTWARE HARDENING CONTROLS
ENDPOINT CONFIGURATION
USER ACCOUNT MANAGEMENT
SOFTWARE DESIGN
ENCRYPTION
Encryption provides a final layer of defense to prevent unauthorized access to sensitive information
ACCESS CONTROLS
It is absolutely essential to control physical access to information resources
Detecting Attacks
LOG ANALYSIS
INTRUSION DETECTION SYSTEMS
CONTINUOUS MONITORING
Responding to Attacks
Computer Incident Response Team (CIRT)
Chief Information Security Officer (CISO)
Security Implications of Virtualization, Cloud Computing and the Internet of Things
Virtualization
Running multiple systems simultaneously on one physical computer
Cloud computing
Using a browser to remotely access software, data storage, hardware and applications
Internet of Things (IoT)