GROUP 7

IS SECURITY AND CONTROL

GOLDEN CHIHUMBIRI R211126B
GODWIN TASHAYA R211223B
CONVERSE KUCHICHA R211382H
EUNICE MAJAWA R211847H
Introduction to Information security

• In today's interconnected digital landscape, ensuring the security of information systems is
paramount for organizations.
• Information system security refers to the protection of data, networks, and systems from
unauthorized access, use, disclosure, disruption, modification, or destruction.
• It is essential in today's digital world, as businesses and individuals rely heavily on technology
and store a vast amount of information online.
• Information security measures help to ensure the confidentiality, integrity, and availability of
data.
• There are various aspects of information security, including data encryption, access control,
network security, and security awareness training. Organizations usually combine
technical controls, policies, and procedures to safeguard their information assets.
Key Concepts in Information System Security

• Confidentiality: Ensuring that sensitive data is accessible only to authorized
individuals.
• Integrity: Maintaining the accuracy, completeness, and consistency of data.
• Availability: Ensuring that information systems and data are accessible to
authorized users when needed.
Components of Information System Security

• People: Users, administrators, and security professionals who interact with the
system.
• Policies and Procedures: Guidelines, standards, and rules that define how users
interact with the system and how security measures are implemented.
• Technology: Hardware, software, and networking components that support security,
such as firewalls, antivirus software, and encryption tools.
Threats to Information System Security
Cyberattacks: Malicious attempts by individuals or groups to breach information
systems, including malware, phishing, and denial-of-service attacks.
Insider Threats: Security breaches caused by employees, contractors, or other
insiders with authorized access to systems and data.
Human Error: Accidental data breaches or system disruptions caused by user
mistakes, such as misconfigurations, misplaced devices, or lost passwords.
Best Practices for Ensuring Information System Security

• Develop Security Policies: Establish clear, comprehensive security policies that
outline roles and responsibilities, acceptable use guidelines, and incident response
procedures.
• Implement Technical Controls: Deploy technical security measures, such as
firewalls, intrusion detection systems, and access controls, to protect systems and data.
• Regularly Update Software: Keep software, firmware, and operating systems up-to-
date with the latest patches and security updates.
• Conduct Security Awareness Training: Train users on security best practices, such as
password management, identifying phishing attacks, and reporting security incidents.
• Monitor and Audit Systems: Regularly monitor systems for security incidents,
conduct security audits, and review logs to identify potential threats or vulnerabilities.
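The log review in the last bullet, as an added example that is not part of the original slides: it parses constructed, simplified sshd-style authentication lines and flags any source address with at least five failed logins inside one minute, noting whether a successful login from that address followed (the pattern a password-guessing attack leaves). The threshold, window, timestamps and addresses are assumed values chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, simplified to an ISO timestamp plus the message
# part of an OpenSSH auth line. One address guesses passwords and then
# gets in; the other is a single mistyped password.
LOG = """\
2024-03-01T08:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
2024-03-01T08:00:03 sshd[1201]: Failed password for root from 203.0.113.5 port 51023 ssh2
2024-03-01T08:00:04 sshd[1201]: Failed password for root from 203.0.113.5 port 51024 ssh2
2024-03-01T08:00:06 sshd[1201]: Failed password for root from 203.0.113.5 port 51025 ssh2
2024-03-01T08:00:07 sshd[1201]: Failed password for root from 203.0.113.5 port 51026 ssh2
2024-03-01T08:00:09 sshd[1201]: Accepted password for root from 203.0.113.5 port 51027 ssh2
2024-03-01T08:15:00 sshd[1340]: Failed password for alice from 198.51.100.7 port 40110 ssh2
2024-03-01T08:15:30 sshd[1340]: Accepted password for alice from 198.51.100.7 port 40111 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(log):
    """Yield one event dict per recognised auth line; other lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {
                "ts": datetime.fromisoformat(m["ts"]),
                "result": m["result"],
                "user": m["user"],
                "ip": m["ip"],
            }


def find_bruteforce(log, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: {"failures": n, "success_after": user_or_None}} for every
    source address with at least `threshold` failures inside `window`."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    alerts = {}
    for ev in parse(log):
        ip = ev["ip"]
        if ev["result"] == "Failed":
            failures[ip].append(ev["ts"])
            # sliding window: drop failures older than `window` from this one
            failures[ip] = [t for t in failures[ip] if ev["ts"] - t <= window]
            if len(failures[ip]) >= threshold:
                alerts.setdefault(ip, {"failures": 0, "success_after": None})
                alerts[ip]["failures"] = len(failures[ip])
        elif ip in alerts and alerts[ip]["success_after"] is None:
            # a success right after a burst of failures is the part worth escalating
            alerts[ip]["success_after"] = ev["user"]
    return alerts


if __name__ == "__main__":
    for ip, info in find_bruteforce(LOG).items():
        print(f"ALERT {ip}: {info['failures']} failures, then login as {info['success_after']}")
```

The single failure from 198.51.100.7 never reaches the threshold and is not reported, which is the point of using a count inside a window rather than alerting on every failed login.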
Vulnerability and abuse

• This refers to potential weaknesses in a system that can be exploited by malicious individuals
to gain unauthorized access, steal data, disrupt operations, or cause other harm.
• It is a critical issue that can have serious consequences for individuals, organizations, and
society as a whole.
• There are various ways in which information systems can be vulnerable to abuse, including:
• Weak cybersecurity measures: if a system lacks proper security controls, such as firewalls,
encryption and access controls, it becomes more susceptible to unauthorized access and
abuse.
• Human error: employees may inadvertently expose confidential information through
actions like clicking on phishing emails or sharing sensitive data with unauthorized parties.
• Lack of regular updates and patches: failure to keep software and systems up to date with
the latest security patches leaves them exposed to known vulnerabilities that attackers
can exploit.
• Insider threats: employees or contractors with authorized access to a system can abuse
their privileges for personal gain or to harm the organisation.
• These vulnerabilities can be exploited by malicious actors to gain unauthorized access,
steal data, disrupt services or cause other harm.
• Information systems can be abused in various ways, such as through hacking, phishing,
malware attacks or social engineering. This abuse can lead to data breaches, financial
losses, reputational damage and other negative impacts.
• To prevent and mitigate vulnerabilities and abuse in information systems,
organisations should implement robust cybersecurity measures, regularly update
software, train employees on best practices, monitor system activity for suspicious
behaviour, and enforce strict access controls.
• Additionally, having incident response plans in place helps organisations quickly
respond to and recover from security incidents.
• Given the evolving nature of cybersecurity threats, collaboration among
stakeholders is essential. This includes sharing threat intelligence, coordinating
incident response efforts, and working together to strengthen the overall
security posture.
• By taking proactive steps to address vulnerabilities and prevent abuse of
information systems, organisations can better protect their assets, data, and
reputation in an increasingly digital world.
Creating computer application controls

What are computer application controls?

• Every time information is transmitted from one user or application to another, the
organization could be compromising its data.
• Computer application controls help mitigate this risk by putting various checks in place.
• These checks authenticate applications and data before they are allowed into or out of the
company's internal IT environment, ensuring that only authorized users can act on the
company's digital assets.
• Application controls are specific controls unique to each computerized application,
such as payroll or order processing.
• They include both automated and manual procedures that ensure that only authorized
data are completely and accurately processed by that application.
• Application controls can be classified as:
• input controls,
• processing controls,
• output controls.
Access Controls

• Not all users need the same level of access to the application.
• Application controls establish which actions a user has access to; some users may only be
able to view data, whereas others might be able to modify existing data or even add inputs.
• Systems with effective access controls should have checks verifying each user's identity.
• This might be two-factor authentication at login, for example requiring the user to enter a
one-time code in addition to their credentials.
Input Controls
• This application control governs the data inputs in an application. Input controls
prevent users from entering unvalidated information into the system.
• These controls might require data to be entered in a given format or authorization on
all inputs before adding them to the information system
• Input controls check data for accuracy and completeness when they enter the system.
• There are specific input controls for input authorization, data conversion, separating
the functions of each user, data editing and error handling.
Processing Controls
• With processing controls, organizations verify that incoming data is correctly
processed before it is added to the information system, or establish that data are
complete and accurate during updating.
• This verification involves establishing rules for processing data, then ensuring that
these rules are followed every time the application transmits data.
• For instance, it may mean checking that a batch contains no more than the expected
number of records or cheques, or verifying that the batch totals are reasonable.
• Validity checks are a type of processing control that requires the application to
confirm that all processed data is valid.
• This includes ensuring that the data is in the required format and is routed to the
correct user.
Output Controls
• These controls ensure that the results of computer processing are accurate, complete,
and properly distributed.
• They also safeguard data when it is transmitted between applications.
• With output controls, organizations verify that the data gets sent to the right user by
tracking what the data is, whether the data is complete, and the data's final
destination.
• When implemented correctly, output controls ensure that data is not transmitted
until all checks have been passed.
• Authentication is an example of an output control: the system authenticates the data
before it leaves the system.
• Authorization is another: the application confirms that the user has approval to
complete the action before the output is released to them.
Application Controls

Name of control / type of application control / description:

Control totals (type: input, processing)
Totals established beforehand for input and processing transactions. These
totals can range from a simple document count to totals for quantity fields,
such as total sales amount for a batch of transactions. Computer programs
count the totals from transactions input or processed and compare them with
the totals established beforehand.

Edit checks (type: input)
Programmed routines that can be performed to edit input data for errors
before they are processed. Transactions that do not meet edit criteria are
rejected. For example, data might be checked to make sure they are in the
right format (for instance, a nine-digit social security number should not
contain any alphabetic characters).

Computer matching (type: input, processing)
Matches input data with information held on master or suspense files and
notes unmatched items for investigation. For example, a matching program
might match employee time cards with a payroll master file and report
missing or duplicate time cards.

Run control totals (type: processing, output)
Balance the total of transactions processed with the total number of
transactions input or output.

Report distribution logs (type: output)
Documentation specifying that authorized recipients have received their
reports, checks, or other critical documents.
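The five controls in the table, applied to one payroll batch, as an added example that is not part of the original slides (it also illustrates the completeness and validity checks listed later under "Application control includes"). The employee master file, the batch of time cards and the hand-computed control totals are constructed sample data; the employee-id format and the 0-80 hours range are assumed business rules.

```python
import re
from collections import Counter

# Constructed employee master file: employee id -> (name, hourly rate).
MASTER_FILE = {
    "E100": ("Alice", 20.0),
    "E101": ("Bob", 18.5),
    "E102": ("Carol", 22.0),
}

# Constructed batch of time cards as keyed in by a clerk. Record 2 has a
# letter O instead of a zero, record 4 names an employee who does not exist,
# and record 5 is a duplicate of record 1.
BATCH = [
    {"emp_id": "E100", "hours": "40"},
    {"emp_id": "E1O1", "hours": "38"},
    {"emp_id": "E102", "hours": "45"},
    {"emp_id": "E999", "hours": "30"},
    {"emp_id": "E100", "hours": "40"},
]

# Control totals worked out by hand before the batch was keyed (assumed values).
EXPECTED_RECORD_COUNT = 5
EXPECTED_HOURS_TOTAL = 193.0

EMP_ID_RE = re.compile(r"^E\d{3}$")   # assumed id format: 'E' + three digits


def _to_number(text):
    try:
        return float(text)
    except ValueError:
        return None


def edit_check(record):
    """Input control: programmed edits that reject a record with format or range errors."""
    errors = []
    if not EMP_ID_RE.match(record["emp_id"]):
        errors.append("employee id must be 'E' followed by three digits")
    hours = _to_number(record["hours"])
    if hours is None:
        errors.append("hours is not numeric")
    elif not 0 < hours <= 80:
        errors.append("hours out of range 0-80")
    return errors


def check_control_totals(batch):
    """Input control: the batch must reconcile with the totals established beforehand.
    This catches lost or added records; it does not catch a wrong value inside one."""
    hours = sum(_to_number(r["hours"]) or 0.0 for r in batch)
    return len(batch) == EXPECTED_RECORD_COUNT and abs(hours - EXPECTED_HOURS_TOTAL) < 1e-9


def computer_match(batch, master):
    """Processing control: match input against the master file and report
    unmatched and duplicate items for investigation."""
    seen = Counter(r["emp_id"] for r in batch)
    unmatched = sorted(e for e in seen if e not in master)
    duplicates = sorted(e for e, n in seen.items() if n > 1)
    return unmatched, duplicates


def process_batch(batch, master):
    """Run the batch through the controls; return accepted pay records,
    rejected records with their reasons, and the run control totals."""
    accepted, rejected, seen = [], [], set()
    for rec in batch:
        errors = edit_check(rec)
        if not errors and rec["emp_id"] not in master:
            errors.append("no matching master record")
        if not errors and rec["emp_id"] in seen:
            errors.append("duplicate time card")
        if errors:
            rejected.append((rec, errors))
            continue
        seen.add(rec["emp_id"])
        name, rate = master[rec["emp_id"]]
        accepted.append({"emp_id": rec["emp_id"], "name": name,
                         "gross": float(rec["hours"]) * rate})
    # Run control totals: every record that went in must come out, accepted or rejected.
    totals = {"input": len(batch), "accepted": len(accepted), "rejected": len(rejected)}
    if totals["accepted"] + totals["rejected"] != totals["input"]:
        raise RuntimeError("run control totals do not balance")
    return {"accepted": accepted, "rejected": rejected, "run_totals": totals}


def distribute_report(result, recipient, authorized, log):
    """Output control: release the pay register only to an authorized recipient and
    record each delivery (or refusal) in the report distribution log."""
    if recipient not in authorized:
        log.append({"recipient": recipient, "status": "refused"})
        return False
    log.append({"recipient": recipient, "status": "delivered",
                "records": len(result["accepted"])})
    return True


if __name__ == "__main__":
    result = process_batch(BATCH, MASTER_FILE)
    print("control totals balance:", check_control_totals(BATCH))
    print("unmatched / duplicates:", computer_match(BATCH, MASTER_FILE))
    print("run totals:", result["run_totals"])
```

Note that the batch control totals balance even though three of the five records are bad: the clerk keyed exactly what was on the cards, so a count and an hours total cannot see a mistyped id or a duplicate card. That is why the edit checks and the computer match are separate controls rather than a stronger version of the same one.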
Data security controls

• These are the policies, procedures, and mechanisms organizations use to protect
their data.
• The controls serve the three goals of confidentiality, integrity and availability (CIA).

Confidentiality
• If a piece of data is confidential, only some people should see it.
• Therefore, confidentiality controls enforce who can see information.
• This goal comes first so the acronym is easy to remember.
• Managing access is the primary role of data security.
• A control cannot manage who has access to data if it does not know who they are.
• As a result, the control first needs to identify users.
• Then it needs tools to control who sees the data. So, with just the first letter in CIA, we
already need both authentication and authorization backed by access control lists.
Confidentiality activities include:
• Access Control Lists (ACLs) to enforce entitlements.
• Encryption to control who can decode and view information.
• OAuth/OpenID Connect login systems that identify users and delegate access.
• Two-factor systems that add an extra layer of protection to authentication.
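The two steps described above (identify the caller, then enforce the ACL), as an added example that is not part of the original slides. The ACL entries, the session tokens standing in for an OAuth/OIDC or two-factor login, and the resource names are all constructed. Access is denied by default, and every decision is written to an audit log, which is the "track who does access it" part of the integrity goal.

```python
from dataclasses import dataclass, field

# Constructed ACL: resource -> {principal: set of entitlements}.
# Anything not listed here is denied.
ACL = {
    "payroll/register.csv": {"alice": {"read", "write"}, "bob": {"read"}},
    "hr/salaries.db": {"alice": {"read"}},
}

# Constructed session store standing in for the identity system: the token an
# OAuth/OpenID Connect or two-factor login would hand back -> principal name.
SESSIONS = {"tok-alice-7f3a": "alice", "tok-bob-91c2": "bob"}


@dataclass
class AuditLog:
    """Records every access decision, allowed or not."""
    entries: list = field(default_factory=list)

    def record(self, who, action, resource, allowed):
        self.entries.append(
            {"who": who, "action": action, "resource": resource, "allowed": allowed}
        )


def identify(token):
    """Step 1: the control cannot decide anything until it knows who is asking."""
    return SESSIONS.get(token)


def authorize(token, action, resource, audit):
    """Step 2: look the principal up in the ACL for the resource.
    Deny by default: an unknown token, an unlisted resource or principal, or an
    action that was never granted all come back False, and all are logged."""
    who = identify(token)
    if who is None:
        audit.record("<unauthenticated>", action, resource, False)
        return False
    granted = ACL.get(resource, {}).get(who, set())
    allowed = action in granted
    audit.record(who, action, resource, allowed)
    return allowed


def read_resource(token, resource, audit):
    """A guarded read: the data is released only after the ACL check passes."""
    if not authorize(token, "read", resource, audit):
        raise PermissionError(f"read of {resource} denied")
    return f"<contents of {resource}>"   # placeholder for the real data


if __name__ == "__main__":
    audit = AuditLog()
    print(authorize("tok-bob-91c2", "write", "payroll/register.csv", audit))  # bob may only read
    print(authorize("no-such-token", "read", "payroll/register.csv", audit))  # not identified
    for entry in audit.entries:
        print(entry)
```

The order matters: the ACL lookup never runs for a caller the system could not identify, so the audit trail records the failed identification rather than a confusing "denied" for an empty principal.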
Integrity
• Data integrity ensures data is whole and accurate. You cannot do that without controlling who
can access it.
• You also need to track who does access it and how.
• How complete an access log you need varies. It depends on legal requirements and
regulatory rules.
• But you cannot maintain integrity without knowing when someone altered data.
Integrity cont…
• Data can change because of actions taken by users.
• So, many of the integrity controls overlap those for confidentiality.
• ACLs and authorization systems prevent unauthorized users from changing data.
• But data can also change because of faulty copies or transfers, so integrity requires
further controls.
• Examples
• Hashing that verifies data payloads have not changed.
• Digital signatures that verify who produced a message or file.
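The two integrity examples side by side, as an added example that is not part of the original slides: a SHA-256 hash detects an accidental or careless change to a payload, and a keyed HMAC-SHA256 signature additionally proves the payload came from a key holder, which a bare hash cannot do because an attacker who edits the data can simply recompute the hash. The payroll record and the secret key are constructed sample values.

```python
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-key-do-not-reuse"   # assumed shared secret


def digest(payload: bytes) -> str:
    """Integrity check: a hash of the payload, published alongside it."""
    return hashlib.sha256(payload).hexdigest()


def verify_digest(payload: bytes, expected: str) -> bool:
    return hmac.compare_digest(digest(payload), expected)


def sign(payload: bytes, key: bytes = SECRET_KEY) -> str:
    """Ownership check: only a holder of the key can produce a valid tag."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_signature(payload: bytes, tag: str, key: bytes = SECRET_KEY) -> bool:
    # constant-time comparison so the check does not leak how many bytes matched
    return hmac.compare_digest(sign(payload, key), tag)


# Constructed payroll record as it would be transferred between systems,
# and the same record after someone bumps the hours.
ORIGINAL = b"emp_id=E100;hours=40;rate=20.00"
TAMPERED = b"emp_id=E100;hours=48;rate=20.00"


def demo():
    """Run the checks the receiving system would perform; every value is True."""
    published_hash = digest(ORIGINAL)
    published_tag = sign(ORIGINAL)
    return {
        "hash_ok": verify_digest(ORIGINAL, published_hash),
        "hash_detects_change": not verify_digest(TAMPERED, published_hash),
        # an attacker who edits the record and recomputes the hash gets past a
        # bare hash check, which is why a hash alone does not prove ownership
        "recomputed_hash_passes": verify_digest(TAMPERED, digest(TAMPERED)),
        "signature_detects_change": not verify_signature(TAMPERED, published_tag),
        # ...and without the key a recomputed tag is rejected too
        "forged_signature_rejected": not verify_signature(TAMPERED, sign(TAMPERED, b"wrong-key")),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

An HMAC needs a shared secret on both sides, so it fits transfers between systems the same organisation runs; where the verifier must not be able to forge, a public-key signature (for example RSA or Ed25519) plays the same role without sharing the signing key.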
Availability

• Availability means users can get their data when they need it.
• It works hand-in-hand with integrity: if the contents of your data are not correct, the data is
effectively not available.
• Creating archives is an example of an availability control.
• So is storing data on high-availability file systems and in reliable databases.
Administrative controls

• Administrative control is a set of security rules, policies, procedures, or
guidelines specified by management to control access to and usage of
confidential information.
These include:
• User management
• Privilege management
• Employee security, clearance and evaluation
• Employee training and awareness
Application controls
• The term application control is also used for the security practice that blocks or restricts
unauthorized applications from executing in ways that put data at risk (application allowlisting).
• In the sense used here, the control functions vary based on the business purpose of the specific
application, but the main objective is to help ensure the privacy and security of data used by and
transmitted between applications.
Application control includes…
• completeness and validity checks,
• identification,
• authentication,
• authorization,
• input controls,
• forensic controls, among others.
• Completeness checks – controls that ensure records are processed from initiation to completion.
• Validity checks – controls that ensure only valid data is input or processed.
• Identification – controls that ensure unique, irrefutable identification of all users.
• Authentication – controls that provide an authentication mechanism for the application system.
• Authorization – controls that ensure access to the application system is limited to approved
business users only.
• Input controls – controls that ensure the integrity of data fed into the application system from
upstream sources.
• Forensic controls – controls that ensure data is scientifically and mathematically correct, based on
inputs and outputs.
Conclusion
• For computer systems and networks to be secure and stable, protection against system flaws
and misuse is crucial. System misuse and flaws may have far-reaching effects on
people, companies, and even national security.
• By taking precautions against these kinds of risks, organizations can safeguard sensitive
information, avoid the failure of crucial systems, keep the trust of stakeholders and customers,
comply with regulations, and avoid financial loss.
• This entails employing firewalls, antivirus programs, and intrusion detection systems;
educating employees; working with software and hardware manufacturers; putting in place
strong passwords and two-factor authentication; and routinely applying security updates and
patches.
• People and organizations must be aware of the possible dangers of system misuse and take
proactive measures to safeguard against these kinds of threats.
