Please enable JavaScript.

Coggle requires JavaScript to display documents.

Section 2: Information Security (25%) - Coggle Diagram

- - - - Applies to all system components, processes & data in org/system environment
        Effectiveness of ITGC is measured by:
        
        Incidents that damage the enterprise's public reputation
        
        Systems that do not meet security criteria
        
        Violations in SOD
      - 1.A.1 Program Change Mgt Controls
        
        IA should look for:
        
        Adequate change controls
        
        Audit trails
        
        Quality Assurance
        
        Provision for emergency changes
        
        Source
        
        Tracking
        
        1.A.1.1 - Change Management Controls
        Includes:
        
        Application code revisions
        
        System upgrades
        
        Infrastructure changes (routers, servers, cabeling, firewall)
        
        Processes should be repeatable, predictable & defined
        
        Poor Change Management result in:
        
        low success for IT change (due to project delays/scope creep)
        
        Suffer from unexpected outages
        
        Frequently in crisis mode
        
        Many emergency/unauthorized changes
        
        Creates stress & high turnover for IT staff
        
        Lack of control over problem escalation
        
        Increases risk that a change will cause unintended consequences
        
        Downtime, material error in system data
        
        Change Management Process Steps:
        
        Identify need for change
        
        Prepare, document step by step procedure for change request
        
        change test plan, change rollback plan
        
        Justify change & request approval. Determine impact & cost benefit
        
        Authorisation
        
        Schedule & implement change
        
        Review implemented change
        
        Measure change success
        
        Close change request & report to stakeholders
        
        Document final changes
        
        Revisit change mgt process for improvement
        
        How to reduce change risk:
        
        Software controls to detect when controls are being overridden
        2 Detective controls to verify production changes against authorization
        
        1.A.1.2 - Patch Management
        
        A bundled set of fixes to a software code to eliminate bugs/security vulnerabilities
      - 1.A.2 - Physical Security Controls
        
        Not possible to mitigate all information/physical security thus, need risk mgt process to manage its exposure to potential info/physical loss
        
        Risk Management Steps to approach security risk:
        1. Identification - Identify exposure to loss/threats & vulnerabilities
        2. Probability Determination - probability that threat/vulnerability will materialize (Virtually certain/ highly probable/moderately probable/Improbable)
        3. Quantification of potential loss - Financial & non Financial
        4. Selection - Evaluate feasibility of alternative risk mgt techniques
        
        IAA can perform assessment of Security Risk using the following tools/techniques:
        
        Analysis of reported incidents
        
        Review of exposure stats
        
        Mapping key processes
        
        Periodic Inspections
        
        Periodic process & product audits
        6.Assessment of mgt system effectiveness
        
        Scenario analysis
      - 1.A.3 - System & Data Backup & Recovery Controls
        
        1.A.3.1 - Off site Storage
        
        Reveal to as little people as possible
        
        Outside facility does not reveal its purpose/use
        
        Provide app control on environmental conditions (raised platform, waterproofing, fire alarm)
        
        1.A.3.2 - Cloud Backup
        
        Satisfies physical distance & secret location
        
        Can be internally owned/3rd party system
        
        1.A.3.3 - Electronic Vaulting
        -Electronically transmit changes to data to offsite facility, create LT backup storage, eliminate physical transportation
        
        hybrid solution (off site vaulting with electronic journaling)
        
        Electronic journaling: log of txn/ changes that happened since last regular backup
      - 1.A.4 - IT Operational Controls
        
        includes planning controls (policies, standards & procedures, Data & Prog security, Insurance & continuity planning, controls over external service providers
        
        Segregation of duties - Follow IAM (identify & access mgt) principle of following access only if job function requires it
        
        Authorization, access to data and recording
        
        Operational Data Security Controls
        
        Control over data as it is being used through the following methods:
        1. Data Policies: Define how things need to be done to meet policy objectives
        2. Data Structure Standards: Rules for consistency of data definition, programming tags (what a data item is used for & its place in data hierarchy)
        
        End user training
        4. Application should be safeguarded: keep in computer prog libraries with restricted physical & logical access controls
        
        Other Considerations in Systems Security levels:
        1. Low Security Data: Must be safeguarded, not great impact on reputation. To have firewalls, hardware locked in data centre, offsite/cloud backup
        2. Moderate security: Have serious impact on org's mission & result in market loss. E.g ERP data, data required to comply with govt agency request, personal data. To have low security data+Electronic vaulting
        3. High Security: Catastrophic loss to reputation, productivity/ market share (R&D data, contingency plan data for court trial. RequiresBiometric device, physical security checkpoint
  - - - ITGC vs. Information Security
        - ITGC: Passwords, Privileges (basis for information protection)
        - Information Security: Data Security & Infrastructure Security
        
        Information Security (Data Security):
        
        Ensure only authorized users can access a system
        
        Their access is restricted by user role
        
        Unauthorized access is denied
        
        All changes to computer systems are logged to provide an audit trail
        
        Information Security (Security Infrastructure):
        
        Part of end user application
        
        Can be integrated to servers & mainframes (security softwares)
        
        Focus primarily at application level
        
        Small environments user access & role based access are generally strong, but controls over expert programmers are weak
        
        Controls provided by Software Security:
        
        Resides at sever, client/mainframe level
        
        Provides enhanced security for key application
        
        only allow certain txn to be entered at specific terminals
        
        able to change list of authorised employees
    - - IA's role:
        
        Perform assessment of info vulnerabilities
        
        Follow with recommendations for improvements related to IS & vulnerability mgt
        
        Assess effectiveness of preventive, detective, mitigation measures against past attacl
        
        Confirm that board has been informed of threats, incidents, vulnerabilities exploited & corrective measures
      - Information Security Controls that can manage IT vulnerabilities
        
        1. Encryption
        
        Private key encryption
        
        Public key encryption: sender places public key (known by many, are brief msg) in directory, private key (known by 1)
        
        2. Firewalls
        
        hardware/software combination through communication to/from outside world are routed. Firewall compares access rules & block unauthorised traffic
        
        Types of Firewall includes:
        1. Packet filtering: May miss may times of attacks as it examines packets in isolation. Can be enhanced though stateful inspection (track data flowing though multiple packets) & Network Address Translation (NAT) which can hide their internal host IP address from packet sniffer
        2.Gateways: Stop traffics flowing into a specific application
        
        Proxy server: intermediary request btw client application & real server
        
        3. controls for Malicious Software (Malware)
        - Malware: software designed to gain access to a computer system without owner's permission for the purpose of controlling/damaging the system/stealing data
        Types of malicious software includes:
        
        3.1 - Virware (Virus, Worms, Ransomware)
        
        3.2 Trojan horse
        
        prog disguised to be useful social engineering
        
        a spyware in backer prog to steal bank acct data
        
        3.3 Pharming
        
        attack on browser bar using Trojan horse/worms to redirect valid URL to hacker site
        
        3.4 Internal threats: Illegal program alteration
        - Asynchronous attack: cause an initial system action & then a subsequent system reaction. E.g system shut down before it restart & changes may have been made to weaken security
        - Data diddling: intentionally manipulating data
  - - - NIT Cybersecurity Framework Core (CSF):
        1. Identify: Identify & communicate cybersecurity objectives & goals
        2. Protect: Develop & implement appropriate safeguards to ensure delivery of critical infrastructure services
        3. Detect: Develop & implement appropriate activities to identify occurrence of cybersecurity events
        4. Respond: Develop & implement appropriate activities to take action on cybersecurity evens
        5. Recover: outline plans for resistance & restore capabilities/services that were impaired due to cybersecurity event