8. Controls for Information Security Flashcards
What does the Trust Services Framework do?
Tip: IT-related control
The Trust Services Framework organizes IT-related controls into five principles that contribute to systems reliability.
What are the five principles?
Tip: chapters 8, 9 and 10
Security (chapter 8), Confidentiality (Danish: fortroligt) (chapter 9), Privacy (chapter 9), Processing Integrity (chapter 10), Availability (chapter 10)
Describe security from chapter 8
- Security – access to the system and its data is controlled and restricted to legitimate users
Why is security a management issue and not just a technical issue?
Tip: security life cycle: 1) response, 2) develop and communicate policy, 3) acquire and implement solutions, 4) monitor performance
Because of the security life cycle:
- Assess threats and select risk response (from chapter 7)
- Develop and communicate policy – to all employees; managers must be highly involved, and employees must receive training rather than only being handed documents
- Acquire and implement solutions – build or acquire specific technological tools to identify threats and achieve the desired level of security
- Monitor performance – regularly evaluating the effectiveness of the organization's information security program
Defense-in-depth is about having multiple layers of control (Protection and Detection) to avoid a single point of failure:
Training, firewalls, multiple authentication methods, log analysis, continuous monitoring.
Explain the time-based model of information security
The time-based model of information security: employ a combination of preventive, detective and corrective controls to protect information assets long enough to enable an organization to recognize that an attack is occurring and take the steps to thwart it before any information is lost or compromised.
According to COBIT 5, how can organizations respond in a timely manner to attacks against their information systems?
Tip: CIRT: who does it consist of? and a) recognize, b) containment, c) recovery, d) patch
Chief information security officer
Establish a computer incident response team (CIRT) that should consist of specialists and senior operations management. It is the CIRT's responsibility to
a) recognize that a problem exists,
b) contain the problem,
c) recover,
d) follow up on how and why the system was compromised and patch it.
Also hire a chief information security officer
Distinguish between the user access controls authentication and authorization
Authentication: verifies the person's identity; it can be based on something the person knows, something the person has, or a biometric characteristic.
Authorization: determines what a person is allowed to access.
Describe confidentiality (Danish: fortroligt) and privacy from chapter 9
- Confidentiality – sensitive organizational information is protected from unauthorized disclosure
- Privacy – personal information about customers, employees, suppliers or business partners is collected, used, disclosed and maintained only in compliance with internal policies and external regulatory requirements and is protected from unauthorized disclosure
Describe processing integrity and availability from chapter 10
- Processing Integrity – data are processed accurately, completely, in a timely manner and only with proper authorization
- Availability – the system and its information are available… to meet operational and contractual obligations
How can network access control be improved?
Tip: smaller networks
Physical defense: use routers and firewalls to divide the total network into smaller networks.
Some networks are open to the public (homepage, web shop, Wi-Fi, etc.) and are placed in the demilitarized zone (DMZ).
The remaining network is only for internal use at different locations and departments.