28 Cards in this Set

  • Front
  • Back
COBIT Framework Provides...
Comprehensive guidance for effectively controlling and managing information systems
- 4 Control Domains: Plan & Organize, Acquire & Implement, Deliver & Support, and Monitor & Evaluate
COBIT Specifies
- 210 Control Objectives
- Management control activities and responsibilities
- IT, process, and activity goals
- Performance evaluation metrics
Trust Services Framework for Reliable Systems is...
- Developed by the AICPA and Canadian Institute of Chartered Accountants
- Contains best practices for systems reliability
- Used by accountants primarily in assurance and advisory engagements
Trust Services Framework Principles (5)
1. Security
2. Confidentiality
3. Privacy
4. Processing Integrity
5. Availability
Trust Services Broad Areas for Successful Implementation (4)
1. Develop and document policies
2. Communicate policies to all authorized users
3. Design and employ control procedures to implement policies
4. Monitor the system and take corrective action to maintain compliance with policies
Trust Services Security Principle
The system is protected against unauthorized access (physical and logical)
Fundamental Information Security Concepts: Security is an issue for...
- Management, not technology
- Management is responsible for the accuracy of internal reports and F/S produced by the IS
Fundamental Information Security Concepts (Time)
Management should identify cost-effective approaches to:
A) Increase the time it takes an attacker to breach the system
B) Decrease the time it takes to detect an attack in progress
C) Decrease the response time once an attack is detected
Fundamental Information Security Concepts (Defense)
- Employ multiple layers of controls
- Use multiple types of controls (Preventative, Detective, and Corrective)
Fundamental Information Security Concepts: Authentication (Verification)
- Verify identity using usernames and passwords, smart cards and ID badges, biometrics, or Media Access Control (MAC) addresses on network interface cards (NICs)
Preventative Controls: Authentication - Effective Passwords
- At least 8 characters
- Contain alphabetic, numeric, and special characters
- Upper and lower case letters
- No dictionary words
- Changed periodically
Preventative Controls: Authentication (In General)
- Restricts access of authenticated users to specific portions of the system
- Specifies what actions they are permitted to perform
- Implemented by creating an access control matrix and performing compatibility tests
Preventive Controls: Training
- Top management support
- Employees need to be trained in safe computing and in avoiding falling prey to social engineering attacks
- Continuous training of information security professionals is important
Preventive Controls: Physical Access
- Locks, security guards, card readers, numeric keypads, biometric devices, alarms, security cameras
- Laptops and cell phones require special attention
Preventive Controls: Network Access - Transmission Control Protocol/Internet Protocol (TCP/IP)
- A set of rules or standards that allow different kinds of computers on different networks to communicate with each other
- Basic communication rules of the internet
- Higher layer (TCP) breaks messages or files into smaller packets to be transmitted over the internet
- Lower layer (IP) assigns IP addresses and ensures that messages are delivered to the appropriate computer
Preventive Controls: Network Access - Perimeter Defense
- Router: reads the destination address field and decides where to send packets
- Firewall: hardware or software that filters information coming in or going out
- Intrusion prevention system: identifies and drops packets that are part of an attack
Preventive Controls: Securing a Wireless Network
- Use encryption
- Enable MAC address filtering and authentication of devices
- Configure all authorized wireless NICs to operate only in infrastructure mode
- Use non-informative network names
- Place access points away from exterior walls and windows
- Reduce broadcast strength
Preventive Controls: Device and Software Hardening
Endpoint configuration:
- Endpoints include workstations, servers, printers, and other devices
- Turn off all unnecessary features on endpoints (hardening)
- Run updated anti-virus software
- Use a software firewall to protect important/sensitive info
Preventive Controls: Hardening for Accounts
User accounts and privileges:
- All accounts should be carefully managed
- Accounts with administrative rights are prime targets for attacks
- Administrators should have 2 accounts: a limited account for routine work and an admin account used only when necessary
Preventive Controls: Hardening for Software Design
- Scrub user input to remove potentially malicious code; treat all input from users as untrustworthy
Detective Controls: Log Analysis
- Logs track who accesses the system and what specific actions each performed
- Log analysis is the process of examining logs to monitor security
- Special software helps examine logs for anomalous behavior
Detective Controls: Intrusion Detection Systems
Creates logs of all network traffic that is permitted to pass the firewall and analyzes those logs for signs of attempted or successful intrusions
Detective Controls: Managerial Reports
Use key performance indicators to monitor and assess control effectiveness (number of security incidents, downtime caused by security incidents, time to react to security incidents once detected)
Detective Controls: Security Testing
1. Vulnerability Scans: automated tools designed to identify whether a system possesses any well-known vulnerabilities
2. Penetration Tests: an authorized attempt by either internal audit or an external security consultant to break into an organization's IS
Corrective Controls: Computer Emergency Response Teams
Should include both technical specialists and senior operations management
Corrective Controls: Chief Information Security Officer
- Should be independent and report to the COO or CEO
- Works with the CIO to design and implement security policies and procedures
- Should be an impartial evaluator of the IT environment
- Conducts vulnerability and risk assessments and audits security measures
Corrective Controls: Patch Management
Process for regularly applying patches and updates to all software (fix known vulnerabilities with patches, install updates to programs and systems)
Security Implications of Virtualization and Cloud Computing
1. Virtualization: running multiple systems simultaneously on one physical computer
2. Cloud Computing: using a browser to remotely access software, data storage devices, hardware, or application platforms
3. Risks: increased exposure to losses if breach occurs, authentication in cloud computing often relies only on passwords