Chapter 4. Protection of Information Assets


Key concepts you will need to understand:

The processes of design, implementation, and monitoring of security (gap analysis baseline, tool selection)

Encryption techniques (DES, RSA)

Public key infrastructure (PKI) components (certification authorities, registration authorities)

Digital signature techniques

Physical security practices

Techniques to identify, authenticate, and restrict users to authorized functions and data (dynamic passwords, challenge/response, menus, profiles)

Security software (single sign-on, intrusion-detection systems [IDS], automated permission, network address translation)

Security testing and assessment tools (penetration testing, vulnerability scanning)

Network and Internet security (SSL, SET, VPN, tunneling)

Voice communications security

Attack/fraud methods and techniques (hacking, spoofing, Trojan horses, denial of service, spamming)

Sources of information regarding threats, standards, evaluation criteria, and practices in regard to information security

Security monitoring, detection, and escalation processes and techniques (audit trails, intrusion detection, computer emergency response team)

Viruses and detection

Environmental protection practices and devices (fire suppression, cooling systems)

Techniques you will need to master:

Evaluate the design, implementation, and monitoring of logical access controls to ensure the integrity, confidentiality, and availability of information assets

Evaluate network infrastructure security to ensure integrity, confidentiality, availability, and authorized use of the network and the information transmitted

Evaluate the design, implementation, and monitoring of environmental controls to prevent and/or minimize potential loss

Evaluate the design, implementation, and monitoring of physical access controls to ensure that the level of protection for assets and facilities is sufficient to meet the organization's business objectives

The IT organization is responsible for ensuring the protection of information assets through effective policy, controls, standardized procedures, and control testing. The security controls implemented within the organization will probably follow a defense-in-depth strategy. Defense-in-depth strategies provide layered protection for the organization's information systems and data. Because multiple layers of controls protect each asset, a single control failure does not by itself lead to a successful attack, which reduces the overall risk. These controls ensure the confidentiality, integrity, and availability of the systems and data, and they help prevent financial losses to the organization.

The organization should have a formalized security function that is responsible for classifying assets and the risks associated with those assets, and mitigating risk through the implementation of security controls. The combination of security controls ensures that the organization's information technology assets and data are protected against both internal and external threats.

The security function protects the IT infrastructure through the use of physical, logical, environmental, and administrative (that is, policies, guidelines, standards, and procedures) controls. Physical controls guard access to facilities, computers, and telecommunications equipment, and ensure that only authorized users have access to facilities and equipment. Physical security controls can include security guards, biometric devices (retina scanners, hand geometry, fingerprint scanners), keys and locks, and electronic card readers. Physical access controls should be monitored and reviewed periodically to ensure their effectiveness. Physical security controls can be defeated through social engineering, whereby unauthorized persons gain access to the facility by posing as someone they are not. As stated earlier, social engineering involves playing psychological tricks on authorized users to gain access to the system. These might include "shoulder surfing," or looking over the shoulder of authorized users to identify the key codes that open the building; claiming to have "lost" a badge or key card and persuading an authorized user to permit access; or piggybacking behind an authorized user who has a valid key card.

Logical security controls are more complex to implement and maintain. Access controls are security features that govern how users and systems communicate or interact with other users and systems. Logical controls are the hardware and software tools used to restrict access in areas such as the following:

  • System access

  • Network architecture

  • Network access

  • Encryption and protocols

  • Systems auditing

Authorization should follow the principle of least privilege (need to know), meaning that authorized users have access to only the applications and data they need to perform their authorized tasks. In addition, the IT organization should regularly log and monitor logical access to systems and data. Policies and procedures should also include segregation of duties and the keeping of access and transaction logs.
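The following is an added example (not from the book) showing how the three points in this paragraph fit together in code: a least-privilege role model, a segregation-of-duties check at both role-assignment and transaction level, and an access log that records every decision, including denials, for monitoring. The role names, users, resources, and transaction IDs are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Least privilege: each role grants only the (resource, action) pairs it needs.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "clerk":    {("payments", "create"), ("payments", "read")},
    "approver": {("payments", "approve"), ("payments", "read")},
    "auditor":  {("payments", "read"), ("audit_log", "read")},
}

# Segregation of duties: no user may hold a role from both sides of a pair
# (here, creating payments and approving them).
CONFLICTING_ROLES = [({"clerk"}, {"approver"})]


@dataclass
class AccessControl:
    user_roles: Dict[str, Set[str]]
    access_log: List[dict] = field(default_factory=list)   # reviewed by IT/audit
    initiators: Dict[str, str] = field(default_factory=dict)  # txn id -> creator

    def assign_role(self, user: str, role: str) -> None:
        """Grant a role, refusing combinations that violate segregation of duties."""
        roles = self.user_roles.get(user, set()) | {role}
        for left, right in CONFLICTING_ROLES:
            if roles & left and roles & right:
                raise ValueError(f"segregation of duties violated for {user}: {role}")
        self.user_roles[user] = roles

    def is_allowed(self, user: str, resource: str, action: str,
                   txn_id: Optional[str] = None) -> bool:
        """Decide one access request and record it in the access/transaction log."""
        granted = any((resource, action) in ROLE_PERMISSIONS.get(r, set())
                      for r in self.user_roles.get(user, set()))
        # Second layer of SoD at transaction level: a user never approves a
        # transaction they created, even if a role grants approve.
        if granted and action == "approve" and self.initiators.get(txn_id) == user:
            granted = False
        if granted and action == "create" and txn_id:
            self.initiators[txn_id] = user
        # Log every decision, including denials, so access can be monitored.
        self.access_log.append({"user": user, "resource": resource,
                                "action": action, "txn": txn_id, "allowed": granted})
        return granted
```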

Environmental security controls are designed to mitigate the risk associated with naturally occurring events such as storms, earthquakes, hurricanes, tornadoes, and floods. The controls might vary according to the type of event, but the process of classification, mitigation, and monitoring is similar in nature to that of physical and logical security controls.

It is important to remember that unauthorized users can gain access to applications and data from both inside and outside the organization. Unauthorized users might include the following:

  • Internal employees

  • Contracted employees

  • Suppliers or vendors

  • Cleaning and maintenance contractors

  • Partners

  • Remote users

  • Entities who have access to external information systems (such as the general public)

To ensure the effectiveness of the security program and its associated controls, regular penetration tests should be performed. These tests might include breaking into access points through persuasion or brute force, or gaining admission as a visitor and attempting to access areas for which the visitor is not authorized. The combination of regular review, monitoring, and testing of physical, logical, and environmental security controls will identify weaknesses and areas for improvement. In addition to monitoring, the IT organization should define incident response and reporting procedures for reacting to disruptive events when they occur. The incident response procedures should detail the identification, notification, evidence collection, continued protection, and reporting of such disruptive events.



CISA Exam Cram 2
ISBN: B001EEFNHG
Year: 2005
Pages: 146
