BIT2318: Topic 6: Protection of Information Assets

This document discusses information security management and protecting information assets. It covers the importance of information security, key elements of information security management including roles and responsibilities. It also discusses principles of information security including availability, confidentiality and integrity. The best approach to implement information security is through a comprehensive security framework with top management commitment, policy development, implementation, monitoring, training and conducting regular security program reviews to identify assets, threats, exposures and ensure appropriate controls.

Uploaded by

zato

BIT2318: Topic 6

PROTECTION OF INFORMATION ASSETS

Contents
Importance of Information Security Management
Issues and Exposures: Logical Access, Network Infrastructure, Environmental & Physical Access
Auditing Information Security Management:
- Auditing IS Management Framework
- Auditing Logical Access
- Auditing Network Infrastructure Security
- Auditing Environmental Controls
- Auditing Physical Access

1. Information Security Management
Why is Information Security Management important?
What are the key elements of Information Security Management?
What are the principles of Information Security?
What is the best approach to implement Information Security?

Why is Information Security Important?
Information, and the IS and communications that deliver it, flow throughout organizations.
There are many direct and indirect benefits from the use of IS. There are also many direct and indirect risks relating to these IS.
Organizations should provide all users with a secure IS environment.
Organizations need to protect themselves against the risks inherent in the use of IS while recognizing the benefits that accrue from having secure IS.

Why is Information Security Important?
Organizations depend on timely, accurate, complete, valid, consistent, relevant, and reliable information.
Security must be considered an integral part of the systems.
Security failures may result in financial losses and/or intangible losses such as unauthorized disclosure of competitive or sensitive information.

IS Management: Roles & Responsibilities
Executive management, IS security professionals, data owners, process owners, technology providers, users, and IS auditors all have roles and responsibilities in ensuring the effectiveness of information security.
Executive Management: responsible for the overall security of information.
IS Security Professionals: responsible for the design, implementation, management, and review of the organization's security policy, standards, measures, practices, and procedures.
Data Owners: responsible for determining the sensitivity or classification levels of the data and for maintaining the accuracy and integrity of the data resident on the IS.
Process Owners: responsible for ensuring appropriate security, consistent with the organization's security policy.
Technology Providers: responsible for assisting with the implementation of information security.
Users: responsible for following the procedures set out in the organization's security policy.
IS Auditors: responsible for providing independent assurance to management on whether the security policy, standards, measures, practices, and procedures are appropriate and comply with the organization's security objectives.

What is Information Security?
The concept of security applies to all information.
Security is more than just technology. It also covers administrative, organizational, operational, and legal issues.
Security relates to the protection of valuable assets against loss, disclosure, or damage.
Valuable assets are the data or information recorded, processed, stored, shared, transmitted, or retrieved from an electronic medium.
The data or information must be protected against harm from threats that would lead to its loss, inaccessibility, alteration or wrongful disclosure.
Threats to IS may arise from intentional or unintentional acts and may come from internal or external sources.
Protection is provided through technological and non-technological safeguards.

What are the Principles of Information Security?
Security Objective: the protection of the interests of those relying on information, and the IS and communications that deliver the information, from harm resulting from failures of availability, confidentiality, and integrity. The security objective is supported by eight core principles.
Core Principles:
Accountability: responsibility and accountability must be explicit.
Awareness: awareness of risks and security initiatives must be disseminated.
Multidisciplinary: security must be addressed taking into consideration both technological and non-technological issues.

What are the Principles of Information Security?
Cost Effectiveness: security must be cost-effective.
Integration: security must be coordinated and integrated.
Reassessment: security must be reassessed periodically.
Timeliness: security procedures must provide for monitoring and timely response.
Societal Factors: ethics must be promoted by respecting the rights and interests of others.

What are the Principles of Information Security?
The security objective is met when:
Availability: IS are available and usable when required.
Confidentiality: data and information are disclosed only to those who have a right to know them.
Integrity: data and information are protected against unauthorized modification.

What is the Best Approach to Implement Information Security? - CSF
An integrated approach is necessary to meet the security objectives and maintain controls.
Top Management Commitment
Policy Development: IS Security Policy.
- Ensures that resources conform with laws and regulations.
- Provides a framework for designing and developing logical and physical access controls.
- Delegates the implementation of controls to the appropriate management level.
- Contributes to the protection of information assets' integrity, confidentiality and availability.
- Protects the information capital against risks.

Implementation: the solution should be implemented on a timely basis, and then maintained.
Roles and Responsibilities: individual roles, responsibilities, and authority are clearly communicated and understood by all.
Design: develop a security and control framework that consists of standards, measures, practices, and procedures.

What is the Best Approach to Implement Information Security? - CSF
Monitoring: monitor to detect security breaches and ensure their correction.
Awareness, Training, and Education: awareness of the need to protect information, training in the skills needed to operate IS securely, and education in security measures and practices are of critical importance for the success of an organization's security program.

Information Assets
Information Assets Inventories
- Classification: assigning classes or levels of sensitivity and criticality to information resources.
- Level of protection: the level of access controls that should be applied to each information asset.
- Owner? Access rights? Level of access? Responsibility? Approvals needed?

Information Assets
Information security administrators are responsible for ensuring that information system assets are secure.
Assets are secure when the expected losses that will occur over time are at an acceptable level.

Types of Information Systems Security
Physical security protects the physical systems assets of an organization:
- Personnel
- Hardware
- Facilities
- Supplies and Documentation
Logical security protects:
- Data,
- Information and
- Software
Security administrators tend to have responsibility for malicious and non-malicious threats to physical security and for malicious threats to logical security.

The Security Program
A major task of security administrators is to conduct a security program.
A security program is a series of ongoing, regular, periodic reviews conducted to ensure that assets associated with the information systems function are safeguarded adequately.
Security Policy Treasury Board
U of T Computer Security
Disaster-Resource.com

Conducting a Security Program
Preparation of a project plan
Identification of assets
Valuation of assets
Threats identification
Threats likelihood assessment
Exposures analysis
Controls adjustment
Report preparation

Preparation of a Project Plan
Objectives of the review: physical? logical? areas of concern
Scope of the review: all sites?
Tasks to be accomplished
Organization of the project team
Resources budgeted
Schedule for task completion

Identification of Assets
Personnel: end users, analysts, programmers, operators, clerks, guards
Hardware: mainframes, minicomputers, microcomputers, disks, printers, communication lines, concentrators, routers, terminals
Facilities: furniture, office space
Documentation: systems and program documentation
Supplies: forms, negotiable instruments
Data / information: files and tapes
Application software
Systems software

Valuation of assets

Threats Identification

Nature / Acts of God: earthquake, flood, fire, mud, gases, projectiles, living organisms, extreme temperatures, electromagnetic radiation
Hardware suppliers: unreliable hardware, ineffective hardware, incompatible hardware, improper maintenance, lawsuits
Software suppliers: erroneous or ineffective software, poor documentation, improper maintenance, lawsuits
Contractors: erroneous or ineffective work, poor documentation, improper maintenance, lawsuits
Other resource suppliers: power outages, disruption to communication services, untimely provision of resources
Competitors: sabotage, espionage, lawsuits, financial distress
Debt and Equity holders:
Governments
Unions: strikes, sabotage, harassment
Criminals: theft, sabotage, espionage, extortion

Threats Likelihood Assessment
Likelihood of occurrence
Statistical data might be available
Elicit likelihood from stakeholders
Related to the value of the asset for some kinds of threats

Exposures Analysis
Identify the controls in place
Assess the reliability of the controls in place
Evaluate the likelihood that a threat will be successful
Assess the resulting loss if the threat is successful

Expected Loss = probability of threat occurring x probability of control failure x Loss
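Worked example of the exposures analysis step, added here and not part of the course slides: it applies the expected-loss formula above to constructed asset, threat and control figures, ranks the exposures, flags those above the loss level management accepts, and (going beyond the slides) quantifies how much a stronger control would reduce expected loss, which supports the controls adjustment step that follows.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One (asset, threat) pair together with the control currently in place."""
    asset: str
    threat: str
    p_threat: float         # likelihood the threat occurs (per year)
    p_control_fail: float   # probability the control in place fails to stop it
    loss: float             # loss if the threat succeeds, in currency units

    def expected_loss(self) -> float:
        # Expected Loss = P(threat occurring) x P(control failure) x Loss
        return self.p_threat * self.p_control_fail * self.loss


# Constructed sample exposures (not figures from the course material).
SAMPLE_EXPOSURES = [
    Exposure("customer database", "fire damage", 0.02, 0.10, 500_000),
    Exposure("customer database", "unauthorized intrusion", 0.30, 0.05, 200_000),
    Exposure("payroll application", "misuse by insiders", 0.10, 0.50, 50_000),
    Exposure("communication lines", "power outage", 0.50, 0.20, 15_000),
]


def rank_exposures(exposures):
    """(asset, threat, expected loss) tuples, largest expected loss first."""
    ranked = sorted(exposures, key=lambda e: e.expected_loss(), reverse=True)
    return [(e.asset, e.threat, round(e.expected_loss(), 2)) for e in ranked]


def unacceptable(exposures, acceptable_loss):
    """Exposures whose expected loss exceeds the level management accepts;
    the slides treat an asset as secure only when its expected loss is acceptable."""
    return [(e.asset, e.threat) for e in exposures
            if e.expected_loss() > acceptable_loss]


def control_benefit(exposure, new_p_control_fail):
    """Reduction in expected loss if a stronger control lowers the failure
    probability; this is the figure the controls adjustment step weighs."""
    improved = Exposure(exposure.asset, exposure.threat, exposure.p_threat,
                        new_p_control_fail, exposure.loss)
    return round(exposure.expected_loss() - improved.expected_loss(), 2)
```

Comparing control_benefit against the cost of the stronger control gives the cost-effectiveness check the principles slide calls for.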

Major Security Threats
Fire Damage
Water Damage
Energy Variations
Structural Damage
Pollution
Unauthorized Intrusion
Viruses and Worms
Misuse of Software, Data and Services
Hacking and Cracking

System Access Permission
Technical privilege
System access is controlled at the physical / logical level.
Identification and authentication of users may be built into the OS, access control software, application programs, database systems, or network access devices.
Documented on a need-to-know basis.

Layers of Logical Security of IT assets:
- Network
- Platform
- Databases
- Applications
Written access rules: users, conditions
Review that access authorizations are valid
Access control relates to internal and external parties, employees and non-employees.

Privacy Management
Privacy? Adherence to trust and obligation in relation to any information.
Ensure all IT projects comply with the privacy policy, laws and other regulations. IS Auditors should:
- Identify and understand legal requirements
- Verify that correct security measures are adopted
- Review management's privacy policy
- Conduct compliance and substantive testing

LOGICAL ACCESS
Logical Access Exposures:
- technical exposures
- computer crimes
IS Auditors need to gain a technical and organizational understanding of the IT environment by reviewing the OS, network, database and application security layers.

LOGICAL ACCESS
Paths of Logical Access: general points of entry, e.g., network connectivity, remote access.
Logical access control software is used to prevent unauthorized access to, and modification of, sensitive data and critical functions.
Apply it at all layers, with the greatest degree of protection at the network / OS levels.

LOGICAL ACCESS
Application access controls:
- Create / change user profiles
- Assign user identification and authentication
- Logon ID, password, biometrics
- Log events, report capabilities
Database access controls:
- Create or change data files and db profiles
- Verify user authorization at and within application / transaction level
- Verify authorization for changes
- Log db activities

LOGICAL ACCESS
Authorization Issues: access rules (who accesses what?)
Access restrictions:
- read, inquiry or copy only
- write, create, update or delete
- execute only
- combinations
Least dangerous: read only

LOGICAL ACCESS
Access Control Lists
- Authorization Tables (ACL)
- Register of Users & Types of Access Permitted
Logical Access Security Administration
- Software controls over access to computers
- Physical control environment
- Access from remote locations
- Access to system documentation & manuals
- Access to data transmission
- Access to backup files
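An added illustration, not code from the course, of the authorization table described on the last two slides: written access rules name the user, the resource, the access types permitted (read / inquiry only, write / create / update / delete, execute, or combinations) and a condition (the terminals the user may connect from), evaluated with a default-deny check that logs every event and can report denials. The users, resources and terminal names are constructed.

```python
from dataclasses import dataclass

READ, WRITE, EXECUTE = "read", "write", "execute"   # access types from the slides
VALID_ACCESS = {READ, WRITE, EXECUTE}


@dataclass(frozen=True)
class AccessRule:
    """One written access rule: user, resource, access types permitted, and a
    condition (terminals the user may come from; empty means any terminal)."""
    user: str
    resource: str
    access: frozenset
    terminals: frozenset = frozenset()


class AuthorizationTable:
    """Register of users and the types of access permitted; the default is deny."""

    def __init__(self, rules):
        for r in rules:
            if not r.access <= VALID_ACCESS:
                raise ValueError(f"unknown access type in rule for {r.user}")
        self.rules = list(rules)
        self.log = []  # event log: (user, resource, access, terminal, decision)

    def check(self, user, resource, access, terminal):
        """Allow only if some rule grants this user this access type on this
        resource and the terminal condition holds; every decision is logged."""
        allowed = any(
            r.user == user and r.resource == resource and access in r.access
            and (not r.terminals or terminal in r.terminals)
            for r in self.rules)
        self.log.append((user, resource, access, terminal, "ALLOW" if allowed else "DENY"))
        return allowed

    def denied_report(self):
        """Report capability: number of denied attempts per user."""
        counts = {}
        for user, _, _, _, decision in self.log:
            if decision == "DENY":
                counts[user] = counts.get(user, 0) + 1
        return counts


# Constructed sample register: the clerk is read-only (least dangerous level), the
# payroll officer may read and write only from the payroll terminal, ops only executes.
SAMPLE_RULES = [
    AccessRule("clerk01", "payroll_db", frozenset({READ})),
    AccessRule("pay01", "payroll_db", frozenset({READ, WRITE}), frozenset({"TERM-PAY-1"})),
    AccessRule("ops01", "batch_job", frozenset({EXECUTE})),
]
```

Reviewing the denial report is the kind of access control software output the auditing slides later ask the IS auditor to examine.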

NETWORK INFRASTRUCTURE SECURITY
Controls through network control terminals and communications software.
LAN Security
- Risks
- Issues
Client Server Security
Wireless Security
Internet Threats and Security
- firewall, intrusion detection system, encryption
Viruses

AUDITING INFORMATION SECURITY MANAGEMENT
Auditing the Information Security Framework
Review written policies, procedures and standards
Logical access security policy
Formal security awareness and training
Data ownership: data owners, data custodians, security administrators, data users
Documented authorizations
Terminated employee access
IT security baseline

AUDITING INFORMATION SECURITY MANAGEMENT
Auditing Logical Access
IS Auditors should:
- Obtain a general understanding of security risks
- Document and evaluate controls over potential access paths
- Test controls over access paths
- Evaluate the access control environment
- Evaluate the security environment

Auditing Logical Access
Become familiar with the IT environment: interviews, document review, physical walkthrough
Documenting access paths: the logical route to access. Terminal -> LAN -> Transaction Processing SW -> Application SW -> DBMS -> Data
Interviewing systems personnel
Reviewing reports from access control SW
Reviewing application systems operations manuals

Auditing Logical Access
Testing Security Techniques
- Terminal identification
- Logon IDs and passwords
- Review access controls and password administration

Auditing Network Infrastructure
Auditing:
- Remote access
- Internet point of presence
- Network penetration tests
- Full network assessment reviews
- Development and authorization of network changes

Auditing Environmental Controls
Environmental Issues and Exposures
- Power failures, short-term interruptions, water damage / flood, man-made disasters
Controls for Environmental Exposures
- Alarm control panels, water detectors, fire alarms and extinguishers, smoke detectors, strategic location of the computer room, fireproof area, humidity / temperature control, wiring, UPS, documented and tested environmental controls.

Auditing Physical Access Control
Physical Access Issues and Exposures
Physical Access Controls:
- Locked doors
- Logging
- Identification badges
- Video cameras
- Guards
- Single entry point
- Alarm system
- Secured reports

Auditing Physical Access
Visually observing noted safeguards
Reviewing documents
Testing
Paths of physical entry: doors, windows, ceilings, ventilation systems
