Information system and security control

Post on 29-Nov-2014


Anthony D.J. Matutino

7 CRITERIA TO BE MET BY AN INFORMATION SYSTEM

Effectiveness
Efficiency
Confidentiality
Integrity
Availability
Compliance
Reliability

BUSINESS RISKS INVOLVING INFORMATION SYSTEMS

Strategic Risk
Security Risk
Legal Risk
Reputational Risk

STRATEGIC RISK

Strategic assessment and risk analysis
Integration within strategic goals
Selection and management of technological infrastructure
Comprehensive process for managing outsourcing relationships with third-party providers

SECURITY RISK

Customer security practices
Authentication of customers
Non-repudiation and accountability of transactions
Segregation of duties
Authorization controls within the systems, databases and applications
Internal or external fraud
Audit trails for transactions
Confidentiality of data during transactions
Third-party security risk

LEGAL RISK

Disclosure of information to customers
Privacy
Compliance with laws, rules and statements of the regulators
Exposure to foreign jurisdictions

REPUTATIONAL RISK

Service level delivery
Level of customer care
Business continuity and contingency planning

ACCESS LAYERS

SECURITY MEASURES

Policies
Firewalls
Passwords
Penetration testing and test software
Intrusion Detection and Prevention Systems
Encryption
Digital signatures
Virtual Private Networks
Anti-virus programs
Anti-spyware programs
Logging and monitoring

INTERNET SERVICES AS A MEANS OF INFORMATION SYSTEM

E-mail
World Wide Web (WWW)
File Transfer Protocol (FTP)
News
Telnet/remote interactive access
Internet Relay Chat (IRC)/Instant Messaging

E-MAIL THREATS

Threat: Sender – no one can be sure that the sender of an e-mail is the real sender.
Recommendation: Use digital signatures.

E-MAIL THREATS

Threat: Messages in plain text – the message can be intercepted, read and changed in transit.
Recommendation: Encrypt the message.
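As an added illustration of the two recommendations above (it is not part of the original slides), the Go program below signs the header fields and body of a message with an Ed25519 key so the recipient can check both who sent it and that nothing was changed in transit; the addresses, subject and body are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedMail carries a message together with the sender's signature over it.
// Constructed illustration: real deployments wrap this kind of signature in a
// standard envelope such as S/MIME or OpenPGP.
type SignedMail struct {
	From, To, Subject, Body string
	Signature               []byte
}

// canonical returns the exact bytes that are signed: header fields and body
// joined with fixed separators, so changing any field invalidates the signature.
func canonical(m SignedMail) []byte {
	return []byte(m.From + "\n" + m.To + "\n" + m.Subject + "\n\n" + m.Body)
}

// Sign attaches the sender's signature, made with the sender's private key.
func Sign(priv ed25519.PrivateKey, m SignedMail) SignedMail {
	m.Signature = ed25519.Sign(priv, canonical(m))
	return m
}

// Verify checks the message against the claimed sender's public key. It fails
// for a message altered in transit, for one signed with another key, and for
// one carrying no signature at all.
func Verify(pub ed25519.PublicKey, m SignedMail) bool {
	return ed25519.Verify(pub, canonical(m), m.Signature)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // sender's key pair
	if err != nil {
		panic(err)
	}
	msg := SignedMail{From: "alice@example.com", To: "bob@example.com",
		Subject: "Wire transfer", Body: "Please pay invoice 42: 1,000 EUR."}
	signed := Sign(priv, msg)
	fmt.Println("original verifies:", Verify(pub, signed)) // true

	tampered := signed // an intermediary edits the amount but keeps the signature
	tampered.Body = "Please pay invoice 42: 10,000 EUR."
	fmt.Println("tampered verifies:", Verify(pub, tampered)) // false
}
```

The signature gives authenticity and integrity only; the body still travels readably, which is why the second slide separately recommends encryption.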

E-MAIL THREATS

Threat: There is no guarantee of secure delivery.
Recommendation: Use a certificate-of-posting function.

E-MAIL THREATS

Threat: Large attachments can clog the e-mail system and/or server.
Recommendation: Set a limit on the size of attachments the e-mail system is allowed to receive, and make guidelines for downloading, archiving and deleting e-mails.

E-MAIL THREATS

Threat: Spam (unwanted e-mails).
Recommendation: Set filters to remove or separate spam from legitimate messages.

WORLD WIDE WEB

Threat: Information quality.
Recommendation: Readers should be cautious and, as much as possible, try to verify the information.

WORLD WIDE WEB

Threats: Tracks, browser plug-ins, cookies.
Recommendations: Use a firewall; set your computer to clear history; use InPrivate browsing.

FILE TRANSFER PROTOCOL

Threat: File Transfer Protocol has basically no security.
Recommendation: Proper configuration can only minimize the risk; scan all incoming files.

NEWS

Threat: Reputation risk – the news/blog can be regarded as the organization’s official view.
Recommendation: It is possible to block access to news; this is a matter of organizational policy.

TELNET

Threat: Username and password are usually sent in plain text. It is simple for intruders to read user information and use it for unauthorized access.
Recommendation: One-time passwords or frequent password changes, and other encryption, should be used.

INTERNET RELAY CHAT

Threat: Most IRC clients bypass anti-virus software.
Recommendation: IRC with external access should be avoided. If it is necessary to download a file, avoid executing it directly.

COMMON SIGNS OF A VIRUS

Unusual messages appear on your screen
Decreased system performance
Missing data
Inability to access your hard drives
Settings are automatically changed

Chrome - Incognito

IE – InPrivate Browsing

Firefox – Private Browsing

Always test a policy on a test computer before applying it to any other computers.

SUMMARY