SECURITY CONTROLS
Controls are security mechanisms, policies, or procedures that can successfully
counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve
security within an organization.
Whether an organization is considering a technical or operational control to
mitigate risk, or an administrative solution such as training and new procedures
or policies, the control needs to focus on the hardware, telecommunications, and
software that protect sensitive information in one of the following three states:
• Data at rest
• Data in transit
• Data in process
GOAL-BASED SECURITY CONTROLS
IMPLEMENTATION-BASED CONTROLS
SECURITY CONTROL FORMULATION
Any information resource with value to an organization requires some degree of
security protection. This provides the starting point for the formulation and
development of security controls.
The wide variety of ICT system components within an organization’s supply chain
results in significantly different security requirements, with the potential for
equally different protective mechanisms to satisfy those requirements.
Security Categorization of ICT Systems
The first step in the formulation and development of security controls establishes
the security categorization for the ICT system. In addition to categorizing each ICT
component and the data stored and processed within it, the security team
begins developing the system security plan by documenting the security
categorization and system description information.
SECURITY CONTROL FORMULATION
• Identifying Information Types: organizations may group information types
into categories defined by guidelines such as FIPS 199 or CNSSI 1253.
However, organizations have the flexibility to define or identify their own
information types and to select their own impact levels.
• Each information system categorization can be represented as
SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)},
where the acceptable values for potential impact are LOW, MODERATE,
HIGH, or NOT APPLICABLE.
• The resulting levels are subsequently used to determine the overall system
security categorization and serve as the basis for selecting a security
control baseline.
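As an added example (not from the slide deck), the categorization rule on this slide carried through in Python: each information type is an SC triple in the slide's notation, the system category is the high-water mark per objective across the information types it carries, and the control baseline is the high-water mark across the three objectives, as FIPS 199 and FIPS 200 prescribe. The HR system and its information types are constructed sample input.

```python
"""FIPS 199-style security categorization and baseline selection (added example).

NOT APPLICABLE may be assigned only to the confidentiality objective of an
information type (e.g. public information); at the system level every objective
is at least LOW.
"""
from dataclasses import dataclass
from typing import Dict

# Ordering used for the high-water-mark comparison.
IMPACT_ORDER = {"NOT APPLICABLE": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class SecurityCategory:
    """The SC triple from the slide: one impact level per security objective."""
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        for objective in OBJECTIVES:
            value = getattr(self, objective)
            if value not in IMPACT_ORDER:
                raise ValueError(f"{objective}: unknown impact level {value!r}")
        # FIPS 199 permits NOT APPLICABLE for confidentiality only.
        if "NOT APPLICABLE" in (self.integrity, self.availability):
            raise ValueError("NOT APPLICABLE is only permitted for confidentiality")

    def __str__(self) -> str:
        # Render in the slide's notation: SC = {(objective, impact), ...}
        pairs = ", ".join(f"({o}, {getattr(self, o)})" for o in OBJECTIVES)
        return "SC = {" + pairs + "}"


def _higher(a: str, b: str) -> str:
    """Return the higher of two impact levels."""
    return a if IMPACT_ORDER[a] >= IMPACT_ORDER[b] else b


def categorize_system(info_types: Dict[str, SecurityCategory]) -> SecurityCategory:
    """System SC: high-water mark per objective over all resident information types.

    The marks start at LOW, so a NOT APPLICABLE confidentiality on an
    information type never lowers the system below LOW.
    """
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    marks = {o: "LOW" for o in OBJECTIVES}
    for sc in info_types.values():
        for o in OBJECTIVES:
            marks[o] = _higher(marks[o], getattr(sc, o))
    return SecurityCategory(**marks)


def select_baseline(system_sc: SecurityCategory) -> str:
    """Control baseline (LOW/MODERATE/HIGH): high-water mark across the objectives."""
    overall = "LOW"
    for o in OBJECTIVES:
        overall = _higher(overall, getattr(system_sc, o))
    return overall


# Constructed sample: an HR system holding public job postings (public data, so
# confidentiality NOT APPLICABLE), payroll records, and an employee directory.
SAMPLE_INFO_TYPES = {
    "job_postings": SecurityCategory("NOT APPLICABLE", "MODERATE", "LOW"),
    "payroll_records": SecurityCategory("MODERATE", "HIGH", "MODERATE"),
    "employee_directory": SecurityCategory("LOW", "LOW", "LOW"),
}


if __name__ == "__main__":
    for name, sc in SAMPLE_INFO_TYPES.items():
        print(f"{name:20s} {sc}")
    system = categorize_system(SAMPLE_INFO_TYPES)
    print("system:  ", system)
    print("baseline:", select_baseline(system))
```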
Setting the Stage for Control Implementation
• Coming out of the security control selection process, the security plan
provides the criteria for which controls and control enhancements will be
implemented for the ICT system.
• Before control implementation begins, functional and technical members of
the implementation project group decide how each control will be
implemented and assign responsibility for the activities to be performed to
individuals with the appropriate skill level and knowledge of the system,
including its hardware, software, and associated configurations.
• Managers who assign responsibilities need to be mindful that the nature of
the work required to implement a control varies considerably across
management, operational, and technical controls.
Setting the Stage for Control Implementation
Control Implementation through Security Engineering:
• Identify the organizational security risks
• Define the security needs to counter the identified risks
• Transform the security needs into activities
• Establish confidence and trustworthiness in the correctness and effectiveness
of a system
• Determine that the operational impacts of residual security vulnerabilities
in a system or its operation are tolerable (acceptable risks)
• Integrate the efforts of all engineering disciplines and specialties into a
combined understanding of the trustworthiness of a system
TYPES OF IT AUDITS
• Technological Position Audit: an audit that reviews the technologies the
business currently has and those it needs to add. Technologies are
characterized as being either "base", "key", "pacing", or "emerging".
• Systems and Applications Audit: an audit to verify that systems and
applications are appropriate, efficient, and adequately controlled to ensure
valid, reliable, timely, and secure input, processing, and output at all
levels of a system's activity. System and process assurance audits form a
subtype, focusing on business process-centric IT systems; their objective is
to assist financial auditors.
• Information Processing Audit: an audit to verify that the processing
facility is controlled to ensure timely, accurate, and efficient processing of
applications under normal and potentially disruptive conditions.
TYPES OF IT AUDITS
• Systems Development Audit: an audit to verify that the systems under
development meet the objectives of the organization and are developed in
accordance with generally accepted standards for systems development.
• Management of IT and Enterprise Architecture Audit: an audit to verify that
IT management has developed an organizational structure and procedures
to ensure a controlled and efficient environment for information processing.
• Client/Server, Intranets, and Extranets Audit: an audit to verify that
telecommunications controls are in place on the client (the computer receiving
services), on the server, and on the network connecting the clients and servers.
Implementing a Multi-tiered Governance
Making Information Governance Tangible:
• The mandate of information governance is to add value to the business as
well as to help it achieve its goals.
• Therefore, capable information governance will link technology processes,
resources, and information to the overall purposes of the enterprise.
• Since information is an asset, all organizations have the obligation to assure
its uninterrupted confidentiality, integrity, and availability for use.
• Therefore, managers have the responsibility to establish a tangible internal
control system, which will explicitly protect the everyday functioning of the
information processing and retrieval processes of the particular business.
Implementing a Multi-tiered Governance
There are seven universally desirable characteristics that an information
governance infrastructure should embody:
Effectiveness—the organization’s information must be relevant and pertinent to
the business process it serves, and delivered in a timely, correct, consistent,
and usable manner.
Efficiency—in the simplest terms, information must be made readily available
through the most optimal (productive and economical) means possible.
Confidentiality—sensitive information must be protected from unauthorized
disclosure, access, and tampering.
Integrity—the accuracy, completeness, and validity of information must be
assured in accordance with its purpose.
Implementing a Multi-tiered Governance
Availability—information must be accessible when required by the business
process.
Compliance—all information and information processing must comply with the
laws, regulations, and contractual arrangements to which the business process
is subject, that is, externally imposed business criteria.
Reliability—the provision of appropriate information for management to operate
the entity and to exercise its financial and compliance reporting responsibilities.
These generic qualities are operationalized through an explicit set of control
behaviors that are executed in a practical, day-to-day, systematic fashion.
Establish a Real, Working Control Framework
• The process of implementing a set of controls entails the
identification, prioritization, assurance, and sustainment of
an effective response to every plausible threat.
• This control deployment function is not a one-shot “front-end”
to setting up a static security solution.
• It is a constant and organized probing of the environment to
sense the presence of, and respond appropriately to, any
potential sources of harm to the organization’s information
assets.
AUDIT PROCESS
• One of the best practices for an audit function is to
have an audit universe. The audit universe is an
inventory of all the potential audit areas within an
organization.
• Basic functional audit areas within an organization
include sales, marketing, customer service,
operations, research and development, finance,
human resources, information technology, and legal.
• An audit universe includes the basic functional
audit areas, organization objectives, key business
processes that support those organization
objectives, specific audit objectives, risks of not
achieving those objectives, and controls that
mitigate the risks.
QUESTIONS ??
THANK YOU !!
SECURE DATA WITH CONTROLS