IT Security and Management - Semi Finals by Mark John Lado
1. 1. Incident Response
2. Operational Security
3. Physical and Environmental Security
4. Supplier Relationships
Semi Finals – Bachelor of Science in Information Systems
IT Security and Management
5. Drill
• Havoc - widespread destruction
• Wreak Havoc - to cause great damage
• Data Breach - a security incident in which
information is accessed without
authorization.
• Alienate - a withdrawing or separation of
a person
6. Learning Objectives:
At the end of this chapter, you will be able to:
• Recognize what incident response is.
• Understand why incident response is important.
• Engage with the three elements of incident response
management.
• Become familiar with the six steps of an incident response plan.
8. What is Incident Response?
A term used to describe the process by
which an organization handles a data
breach or cyber attack, including the way
the organization attempts to manage the
consequences of the attack or breach
(the “incident”).
9. What is Incident Response?
• Incident response is the methodology an
organization uses to respond to and
manage a cyber-attack. An attack or data
breach can wreak havoc potentially
affecting customers, intellectual property
company time and resources, and brand
value.
10. What is Incident Response?
• An incident response aims to reduce this
damage and recover as quickly as
possible. Investigation is also a key
component in order to learn from the
attack and better prepare for the future.
11. What is Incident Response?
• Because many companies today
experience a breach at some point in
time, a well-developed and repeatable
incident response plan is the best way to
protect your company.
13. Why is Incident Response
Important?
• As cyber-attacks increase in scale and
frequency, incident response plans become
more vital to a company’s cyber defenses.
Poor incident response can alienate
customers.
14. Who is the Incident Response
Team?
• The company should look to their
“Computer Incident Response Team
(CIRT)” to lead incident response efforts.
15. Who is the Incident Response
Team?
• This team is comprised of experts from
upper-level management, IT, information
security, IT auditors when available, as
well as any physical security staff that
can aid when an incident includes direct
contact to company systems. Incident
response should also be supported by
HR, legal, and PR or communications.
16. Those Responsible for Incident
Response
Incident Response Manager
Oversees and prioritizes action during the
detection, analysis and containment of an
incident.
17. Those Responsible for Incident
Response
Security Analyst
Supports the manager and works directly
with the affected network to research the time,
location and details of an incident.
18. Those Responsible for Incident
Response
Triage Analyst
Filters out false positives and keeps an eye out
for potential intrusions.
19. Elements of Incident Response
Management
1. Incident Response Plan
2. Incident Response Team
3. Incident Response Tools
20. Incident Response Plan
An incident response plan should prepare
your team to deal with threats, indicate how to
isolate incidents and identify their severity,
how to stop the attack and eradicate the
underlying cause, how to recover production
systems, and how to conduct a post-mortem
analysis to prevent future attacks.
21. Steps of Incident Response
Plan
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons learned
22. Steps of Incident Response Plan
1. Preparation
List all possible threat scenarios.
Develop policies to implement in the event
of a cyber attack.
Develop a communication plan.
Outline the roles, responsibilities, and
procedures of your team.
23. Steps of Incident Response Plan
1. Preparation
Establish a corporate security policy.
Recruit and train team members, and ensure
they have access to relevant systems.
Ensure team members have access to
relevant technologies and tools.
24. Steps of Incident Response Plan
2. Identification
Identify and assess the incident and
gather evidence.
Decide on the severity and type of the
incident and escalate if necessary.
25. Steps of Incident Response Plan
2. Identification
Document actions taken, addressing “who,
what, where, why, and how.” This information
may be used later as evidence if the incident
reaches a court of law.
26. Steps of Incident Response Plan
3. Containment
The act of preventing the expansion of
harm.
Typically involves disconnecting affected
computers from the network.
27. Steps of Incident Response Plan
4. Eradication
Finding the root cause of the incident and
removing affected systems from the
production environment.
28. Steps of Incident Response Plan
4. Eradication
These steps may change the configuration of the
organization. The aim is to make changes while
minimizing the effect on the operations of the
organization. You can achieve this by stopping the
bleeding and limiting the amount of data that is
exposed.
29. Steps of Incident Response Plan
5. Recovery
Ensure that affected systems are not in danger
and can be restored to working condition. The
purpose of this phase is to bring affected systems
back into the production environment carefully, to
ensure they will not lead to another incident.
30. Steps of Incident Response Plan
5. Recovery
Ensure another incident doesn’t occur by restoring
systems from clean backups, replacing
compromised files with clean versions, rebuilding
systems from scratch, installing patches, changing
passwords and reinforcing network perimeter
security.
31. Steps of Incident Response Plan
6. Lessons learned
Complete the incident documentation and perform
analysis to learn from the incident and potentially
improve future response efforts. Complete any
documentation that couldn’t be prepared during
the response process. The team should identify
how the incident was managed and eradicated.
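The six steps above are a procedure, and two of its requirements lend themselves to code: the phases must be worked in order, and every action must be documented with who, what, where, why and how so that the record can later serve as evidence. The following Python is an added illustration for this lecture, not code from the original slides. The escalation threshold, the severity scale of 1 to 5 and the walk-through scenario are assumptions.

```python
"""Incident record that enforces the six-phase order and keeps a
who/what/where/why/how action log. Added illustration for the lecture;
it is not code from the original slides."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# The six steps, in the order the plan prescribes.
PHASES = ["Preparation", "Identification", "Containment",
          "Eradication", "Recovery", "Lessons learned"]

# Severity (1 = low .. 5 = critical) at or above which the incident is
# escalated to the incident response manager. Assumed threshold.
ESCALATION_THRESHOLD = 3


@dataclass
class Action:
    """One documented action: who, what, where, why, how, plus when and phase."""
    who: str
    what: str
    where: str
    why: str
    how: str
    phase: str
    at: str  # ISO 8601 UTC timestamp recorded when the entry is written


@dataclass
class Incident:
    incident_id: str
    kind: str            # e.g. "data breach" or "malware"
    severity: int        # 1 (low) .. 5 (critical)
    phase: str = PHASES[0]
    escalated: bool = False
    actions: list = field(default_factory=list)

    def __post_init__(self):
        if not 1 <= self.severity <= 5:
            raise ValueError("severity must be between 1 and 5")
        self.escalated = self.severity >= ESCALATION_THRESHOLD

    def advance(self, to_phase):
        """Move to the next phase only; skipping a phase is refused."""
        current = PHASES.index(self.phase)
        if to_phase not in PHASES or PHASES.index(to_phase) != current + 1:
            raise ValueError(f"cannot move from {self.phase!r} to {to_phase!r}")
        self.phase = to_phase

    def record(self, who, what, where, why, how):
        """Document an action in the current phase; all five fields are required."""
        for name, value in (("who", who), ("what", what), ("where", where),
                            ("why", why), ("how", how)):
            if not value.strip():
                raise ValueError(f"{name} must be documented")
        entry = Action(who, what, where, why, how, self.phase,
                       datetime.now(timezone.utc).isoformat())
        self.actions.append(entry)
        return entry

    def timeline(self):
        """Chronological (phase, who, what) tuples for the post-mortem report."""
        return [(a.phase, a.who, a.what) for a in self.actions]


def walk_example():
    """Constructed scenario: a severity-4 data breach handled through all six phases."""
    inc = Incident("INC-0001", "data breach", severity=4)
    inc.record("triage analyst", "confirmed alert is not a false positive",
               "SIEM console", "alert matched exfiltration rule", "reviewed proxy logs")
    inc.advance("Identification")
    inc.record("security analyst", "classified as data breach, severity 4",
               "file server FS-02", "customer records accessed", "compared access logs")
    inc.advance("Containment")
    inc.record("security analyst", "disconnected FS-02 from the network",
               "server room", "stop further data exposure", "disabled switch port")
    inc.advance("Eradication")
    inc.record("security analyst", "removed FS-02 from production",
               "data center", "root cause is an unpatched service", "rebuilt host")
    inc.advance("Recovery")
    inc.record("IR manager", "restored FS-02 from clean backup and patched it",
               "data center", "return to production safely", "backup restore, patch")
    inc.advance("Lessons learned")
    inc.record("IR manager", "completed post-mortem documentation",
               "IR team meeting", "improve future response", "written report")
    return inc


if __name__ == "__main__":
    for row in walk_example().timeline():
        print(row)
```

The phase check is deliberately strict: a team that jumps from Identification straight to Recovery has skipped containment and eradication, which is exactly the mistake the lesson warns leads to a second incident. The timestamp is written by the record itself rather than supplied by the caller, so the timeline cannot be backdated.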
32. The Incident Response Team
• To prepare for and attend to incidents, you
should form a centralized incident response
team, responsible for identifying security
breaches and taking responsive actions.
33. The Incident Response Team
The team should include:
Incident response manager (team leader)
Security analysts
Lead investigator
Threat researchers
Communications lead
Documentation and timeline lead
Legal representation
34. Incident Response Tools
• Cyber incident response tools are most often
used by the security industry to test for
vulnerabilities and to provide an emergency
response to compromised networks and
applications; they help the team take the
appropriate incident response steps.
35. Summary
Incident response is an approach to handling
security breaches. The aim of incident response is
to identify an attack, contain the damage, and
eradicate the root cause of the incident. An incident
can be defined as any breach of law, policy or
unacceptable act that concerns information assets,
such as networks, computers, or smartphones.
40. Learning Objectives
At the end of this chapter, you will be able to:
• Become familiar with what operational security is.
• Engage with the five steps of operational security.
• Recognize the best practices for operational security.
• Apply confidentiality, integrity, availability, and
non-repudiation in the corporate world.
41. Learning Outline
1. OPERATIONAL SECURITY
2. THE FIVE STEPS OF OPERATIONAL
SECURITY
3. BEST PRACTICES FOR OPERATIONAL
SECURITY
42. OPERATIONAL SECURITY
• Operational security (OPSEC), also known as
procedural security, is a risk management process
that encourages managers to view operations
from the perspective of an adversary in order to
protect sensitive information from falling into the
wrong hands.
43. OPERATIONAL SECURITY
• Though originally used by the military, OPSEC is
becoming popular in the private sector as well.
Things that fall under the OPSEC umbrella
include monitoring behaviors and habits on social
media sites as well as discouraging employees
from sharing login credentials via email or text
message.
45. THE FIVE STEPS OF
OPERATIONAL SECURITY
The processes involved in operational security can be
neatly categorized into five steps:
1. Identify your sensitive data.
2. Identify possible threats.
3. Analyze security holes and other vulnerabilities.
4. Appraise the level of risk associated with each
vulnerability.
5. Get countermeasures in place.
46. THE FIVE STEPS OF
OPERATIONAL SECURITY
1. Identify your sensitive data
including your product research,
intellectual property, financial statements,
customer information, and employee
information. This will be the data you will need
to focus your resources on protecting.
47. THE FIVE STEPS OF
OPERATIONAL SECURITY
2. Identify possible threats.
For each category of information that you deem
sensitive, you should identify what kinds of threats
are present. While you should be wary of third
parties trying to steal your information, you should
also watch out for insider threats, such as negligent
employees and disgruntled workers.
48. THE FIVE STEPS OF
OPERATIONAL SECURITY
3. Analyze security holes and other
vulnerabilities.
Assess your current safeguards and
determine what, if any, loopholes or
weaknesses exist that may be exploited to
gain access to your sensitive data.
49. THE FIVE STEPS OF
OPERATIONAL SECURITY
4. Appraise the level of risk associated with each
vulnerability.
Rank your vulnerabilities using factors such as the
likelihood of an attack happening, the extent of damage
that you would suffer, and the amount of work and time
you would need to recover. The more likely and
damaging an attack is, the more you should prioritize
mitigating the associated risk.
50. THE FIVE STEPS OF
OPERATIONAL SECURITY
5. Get countermeasures in place.
The last step of operational security is to create and
implement a plan to eliminate threats and mitigate
risks. This could include updating your hardware,
creating new policies regarding sensitive data, or
training employees on sound security practices and
company policies.
51. THE FIVE STEPS OF
OPERATIONAL SECURITY
5. Get countermeasures in place.
Countermeasures should be straightforward and
simple. Employees should be able to implement the
measures required on their part with or without
additional training.
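Step 4 asks you to rank vulnerabilities by likelihood, extent of damage and recovery effort, and step 5 to act on that ranking. The Python below is an added worked example for this lecture, not code from the original slides: it scores a small, constructed vulnerability register with the classic likelihood-times-damage matrix plus a bounded penalty for recovery time, then assigns each item a countermeasure priority. The scales, weights and priority bands are assumptions; an organization would calibrate its own.

```python
"""Rank vulnerabilities by the OPSEC step-4 factors (likelihood, damage,
recovery effort) and map each to a countermeasure priority. Added
illustration, not code from the lecture; scales and weights are assumed."""
from dataclasses import dataclass

# Assumed scales: likelihood and damage are 1 (low) .. 5 (high).
# Recovery effort adds up to 5 points, one per week of recovery time.
MAX_RECOVERY_POINTS = 5


@dataclass(frozen=True)
class Vulnerability:
    name: str
    data_category: str   # sensitive data it exposes (step 1)
    threat: str          # who or what would exploit it (step 2)
    likelihood: int      # 1..5
    damage: int          # 1..5
    recovery_days: int   # time needed to recover after an attack


def risk_score(v):
    """likelihood x damage is the classic risk matrix; recovery time adds a bounded penalty."""
    for value in (v.likelihood, v.damage):
        if not 1 <= value <= 5:
            raise ValueError("likelihood and damage must be between 1 and 5")
    recovery_points = min(v.recovery_days // 7, MAX_RECOVERY_POINTS)
    return v.likelihood * v.damage + recovery_points


def priority(score):
    """Assumed bands: the most likely and damaging items get fixed first."""
    if score >= 15:
        return "immediate"
    if score >= 8:
        return "planned"
    return "accept and monitor"


def rank(vulns):
    """Highest risk first; ties broken by name so the order is stable."""
    return sorted(vulns, key=lambda v: (-risk_score(v), v.name))


def plan(vulns):
    """(name, score, priority) rows, highest risk first."""
    return [(v.name, risk_score(v), priority(risk_score(v))) for v in rank(vulns)]


# Constructed register for a small company; the numbers are illustrative.
REGISTER = [
    Vulnerability("Admin password shared over email", "customer information",
                  "insider / credential theft", likelihood=4, damage=5, recovery_days=14),
    Vulnerability("Unpatched file server", "intellectual property",
                  "external attacker", likelihood=3, damage=4, recovery_days=7),
    Vulnerability("Backup tapes in unlocked cabinet", "financial statements",
                  "theft", likelihood=2, damage=5, recovery_days=30),
    Vulnerability("Guest Wi-Fi reaches printer VLAN", "employee information",
                  "third party on premises", likelihood=2, damage=2, recovery_days=1),
]

if __name__ == "__main__":
    for row in plan(REGISTER):
        print(row)
```

Note how the recovery penalty changes the order: the unlocked backup cabinet is less likely to be exploited than the unpatched server, but a month of recovery lifts it above the server in the queue. That is the point of weighing all three factors rather than likelihood alone.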
52. BEST PRACTICES FOR
OPERATIONAL SECURITY
Follow these best practices to implement a robust,
comprehensive operational security program:
53. BEST PRACTICES FOR
OPERATIONAL SECURITY
1. Implement precise change management
processes that your employees should follow when
network changes are performed. All changes
should be logged and controlled so they can be
monitored and audited.
54. BEST PRACTICES FOR
OPERATIONAL SECURITY
2. Restrict access to network devices using AAA
authentication. In the military and other government
entities, a “need-to-know” basis is often used as a
rule of thumb regarding access and sharing of
information.
55. AAA Authentication
Authentication, authorization, and accounting (AAA) is a
framework for intelligently controlling access to
computer resources, enforcing policies, auditing usage,
and providing the information necessary to bill for
services. These combined processes are considered
important for effective network management and security.
56. BEST PRACTICES FOR
OPERATIONAL SECURITY
3. Give your employees the minimum
access necessary to perform their jobs. Practice
the principle of least privilege.
57. BEST PRACTICES FOR
OPERATIONAL SECURITY
4. Implement dual control.
Make sure that those who work on your network are
not the same people in charge of security.
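Practices 2, 3 and 4 fit together: authorization grants only the permissions a role needs (least privilege), dual control forbids one person from holding conflicting roles, and accounting records every decision so it can be audited. The Python below is an added illustration for these three slides, not code from the lecture; the roles, permissions and the conflicting-role pair are assumptions chosen to match the slide's example of network staff versus security staff.

```python
"""Access decisions with least privilege, dual control (separation of duties)
and an accounting trail. Added illustration for the AAA, least-privilege and
dual-control slides; not code from the lecture. Roles and permissions are assumed."""
from datetime import datetime, timezone

# Each role carries only the permissions its job needs (least privilege).
ROLE_PERMISSIONS = {
    "helpdesk": {"reset-user-password"},
    "network-ops": {"view-router-config", "change-router-config"},
    "security-admin": {"edit-firewall-policy", "view-audit-log"},
    "auditor": {"view-audit-log", "view-router-config"},
}

# Dual control: nobody may both operate the network and control its security.
CONFLICTING_ROLES = [frozenset({"network-ops", "security-admin"})]


class AccessControl:
    def __init__(self):
        self.roles = {}   # user -> set of roles
        self.log = []     # accounting trail: (timestamp, user, action, decision)

    def assign(self, user, roles):
        """Authorization setup; refuses role sets that break dual control."""
        roles = set(roles)
        unknown = roles - set(ROLE_PERMISSIONS)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        for pair in CONFLICTING_ROLES:
            if pair <= roles:
                raise ValueError(f"{user} may not hold both {sorted(pair)}")
        self.roles[user] = roles

    def permissions(self, user):
        """Union of the user's role permissions; an unknown user has none."""
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.roles.get(user, ())))

    def authorize(self, user, action):
        """Decide, then record the decision (accounting) whether allowed or not."""
        allowed = action in self.permissions(user)
        self.log.append((datetime.now(timezone.utc).isoformat(), user, action,
                         "allow" if allowed else "deny"))
        return allowed

    def denied_actions(self):
        """Denied requests are what the auditor reviews first."""
        return [(user, action) for _, user, action, d in self.log if d == "deny"]


def demo():
    """Constructed scenario: network operator, security admin and auditor."""
    ac = AccessControl()
    ac.assign("alice", {"network-ops"})
    ac.assign("bob", {"security-admin"})
    ac.assign("carol", {"auditor"})
    ac.authorize("alice", "change-router-config")   # within her role: allowed
    ac.authorize("alice", "edit-firewall-policy")    # security-admin task: denied
    ac.authorize("carol", "view-audit-log")          # auditor's own duty: allowed
    return ac


if __name__ == "__main__":
    for entry in demo().log:
        print(entry)
```

Denied requests are logged with the same care as allowed ones; a pattern of denials from one account is precisely the signal the "need-to-know" model expects an auditor to notice.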
58. BEST PRACTICES FOR
OPERATIONAL SECURITY
5. Automate tasks to reduce the need for human
intervention. Humans are the weakest link in any
organization’s operational security initiatives
because they make mistakes, overlook details,
forget things, and bypass processes.
59. BEST PRACTICES FOR
OPERATIONAL SECURITY
6. Incident response and disaster recovery
planning are always crucial components of a
sound security posture. Even when operational
security measures are robust, you must have a plan
to identify risks, respond to them, and mitigate
potential damages.
60. Operational Security (OPSEC)
• Risk management involves being able to identify
threats and vulnerabilities before they become
problems. Operational security forces managers
to dive deeply into their operations and figure out
where their information can be easily breached.
61. Operational Security (OPSEC)
• Looking at operations from a malicious third-
party’s perspective allows managers to spot
vulnerabilities they may have otherwise missed so
that they can implement the proper
countermeasures to protect sensitive data.
63. Learning Objectives:
At the end of this chapter, you will be able to:
• Elaborate on what physical and environmental
security is.
• Engage with the objectives of physical and
environmental security.
• Distinguish the physical security measures.
• Recognize the physical controls.
• Appreciate the essence of technical controls.
64. Learning Outline
• Physical and environmental security
• Objectives of Physical and Environmental
Security
• Physical Security Measures
• Physical Controls
• Technical Controls
66. What does physical and
environmental security mean?
The protection of personnel, hardware, software,
networks and data from physical actions and events
that could cause serious loss or damage to an
enterprise, agency or institution. This
includes protection from fire, flood, natural
disasters, burglary, theft, vandalism and terrorism.
67. Objectives of Physical and
Environmental Security
1. Prevent unauthorized physical access, damage, and
interference to premises and information.
2. Ensure sensitive information and critical information
technology are housed in secure areas.
3. Prevent loss, damage, theft, or compromise of assets.
4. Prevent interruption of activities.
68. Objectives of Physical and
Environmental Security
5. Protect assets from physical and environmental
threats.
6. Ensure appropriate equipment location,
removal, and disposal.
7. Ensure appropriate supporting facilities (e.g.,
electrical supply, data and voice cabling
infrastructure).
69. PHYSICAL AND
ENVIRONMENTAL SECURITY
The term physical and environmental security refers
to measures taken to protect systems, buildings,
and related supporting infrastructure against threats
associated with their physical environment.
70. PHYSICAL AND
ENVIRONMENTAL SECURITY
Physical and environmental safeguards are often
overlooked but are very important in protecting
information. Physical security over past decades
has become increasingly more difficult for
organizations. Technology and computer
environments now allow more compromises to
occur due to increased vulnerabilities.
71. PHYSICAL AND
ENVIRONMENTAL SECURITY
USB hard drives, laptops, tablets and smartphones
allow for information to be lost or stolen because of
portability and mobile access. In the early days of
computers, they were large mainframe computers
only used by a few people and were secured in
locked rooms.
72. PHYSICAL AND
ENVIRONMENTAL SECURITY
Today, desks are filled with desktop computers and
mobile laptops that have access to company data
from across the enterprise. Protecting data,
networks and systems has become difficult to
implement with mobile users able to take their
computers out of the facilities.
73. PHYSICAL AND
ENVIRONMENTAL SECURITY
Fraud, vandalism, sabotage, accidents, and theft
are increasing costs for organizations since the
environments are becoming more “complex and
dynamic”. Physical security becomes tougher to
manage as technology increases with complexity,
and more vulnerabilities are enabled.
74. PHYSICAL AND
ENVIRONMENTAL SECURITY
Buildings and rooms that house information and
information technology systems must be afforded
appropriate protection to avoid damage or
unauthorized access to information and systems. In
addition, the equipment housing this information
(e.g., filing cabinets, data wiring, laptop computers,
and portable disk drives) must be physically
protected.
75. PHYSICAL AND
ENVIRONMENTAL SECURITY
Equipment theft is of primary concern, but other
issues should be considered, such as damage or
loss caused by fire, flood, and sensitivity to
temperature extremes.
76. PHYSICAL AND
ENVIRONMENTAL SECURITY
Physical and environmental security programs
define the various measures or controls that protect
organizations from loss of connectivity and
availability of computer processing caused by theft,
fire, flood, intentional destruction, unintentional
damage, mechanical equipment failure and power
failures.
77. Physical security measures should be
sufficient to deal with foreseeable threats
and should be tested periodically for their
effectiveness and functionality.
78. Physical Security Measures
1. Determine which managers are responsible for
planning, funding, and operations of physical
security of the Data Center.
79. Physical Security Measures
2. Review best practices and standards that can
assist with evaluating physical security controls,
such as ISO/IEC 27002:2013.
80. Physical Security Measures
3. Establish a baseline by conducting a physical
security controls gap assessment that will include
the following as they relate to your campus Data
Center:
81. Physical Security Measures
3.1 Environmental Controls
An Environmental Control (EC) system can provide
a level of independent control of many devices in
the home for people with significant physical
disabilities. EC may be suitable if you struggle to
control equipment around you because of
difficulties with using your arms or hands.
86. Physical Security Measures
3.6 System Reliability
Which ensures the system is doing the required job, goes
hand in hand with reliability, which ensures the system is
doing its job correctly. Although they come from different
ways of looking at the same problem, they are both
dependent on each other.
88. Physical Security Measures
3.8 Contingency Plans
An alternative Information Systems Security
(INFOSEC) plan that is implemented when normal
business operations are interrupted by emergency,
failover or disaster. A contingency plan is also known as a
disaster recovery plan (DRP).
89. Physical Security Measures
4. Determine whether an appropriate investment in
physical security equipment (alarms, locks or other
physical access controls, identification badges for
high-security areas, etc.) has been made and if
these controls have been tested and function
correctly.
90. Physical Security Measures
5. Provide responsible managers guidance in handling
risks. For example, if the current investment in physical
security controls is inadequate, this may allow
unauthorized access to servers and network equipment.
Inadequate funding for key positions with responsibility for
IT physical security may result in poor monitoring, poor
compliance with policies and standards, and overall poor
physical security.
91. Physical Security Measures
6. Maintain a secure repository of physical and
environmental security controls and policies and
establish timelines for their evaluation, update and
modification.
92. Physical Security Measures
7. Create a team of physical and environmental
security auditors, outside of the management staff,
to periodically assess the effectiveness of the
measures taken and provide feedback on their
usefulness and functionality.
93. Physical Controls
Facilities need physical access controls in place that
control, monitor and manage access. Building sections
should be categorized as restricted, private or public.
Different access control levels are needed to restrict
the zones that each employee may enter depending on
their role.
94. Physical Controls
Many mechanisms exist that enable control and isolation
of access privileges at facilities. These mechanisms are
intended to discourage and detect access by
unauthorized individuals.
95. Physical Controls
1. Perimeter Security
Mantraps, gates, fences and turnstiles are used outside of
the facility to create an additional layer of security before
accessing the building.
96. Physical Controls
2. Badges
Proof of identity is necessary for verifying whether a person
is an employee or a visitor. These cards come in the form
of name tags, badges and identification (ID) cards. Badges
can also be smart cards that integrate with access control
systems. Pictures, RFID tags, magnetic strips, computer
chips and employee information are frequently included to
help security staff validate identity.
97. Physical Controls
3. Motion Detectors
Motion detectors offer different technology options
depending on necessity. They are used as intrusion
detection devices and work in combination with alarm
systems. Infrared motion detectors observe changes in
infrared light patterns. Heat-based motion detectors sense
changes in heat levels. Wave pattern motion detectors
use ultrasonic or microwave frequencies that monitor
changes in reflected patterns.
98. Physical Controls
4. Intrusion Alarms
Alarms monitor various sensors and detectors. These
devices are door and window contacts, glass break
detectors, motion detectors, water sensors, and so on.
Status changes in the devices trigger the alarm.
99. Technical Controls
The main focus of technical controls is access control
because it is one of the most compromised areas of
security. Smart cards are a technical control that can allow
physical access into a building or secured room and
securely log in to company networks and computers.
100. Technical Controls
Multiple layers of defense are needed for overlap to
protect from attackers gaining direct access to company
resources. Intrusion detection systems are technical
controls that are essential because they detect an
intrusion.
101. Technical Controls
Detection is a must because it provides notification of the security event.
Awareness of the event allows the organization to respond
and contain the incident. Audit trails and access logs must
be continually monitored. They enable the organization to
locate where breaches are occurring and how often.
102. Technical Controls
This information helps the security team reduce
vulnerabilities.
1. Smart Cards
2. Proximity Readers and RFID
3. Intrusion Detection, Guards and CCTV
4. Auditing Physical Access
103. Technical Controls
1. Smart Cards
Token cards have microchips and integrated circuits built
into the cards that process data. Microchips and
integrated circuits enable the smart card to do two-factor
authentication. This authentication control helps keep
unauthorized attackers or employees from accessing
rooms they are not permitted to enter.
105. Technical Controls
2. Proximity Readers and RFID
Access control systems use proximity readers to scan
cards and determine whether the card holder is authorized
to enter the facility or area.
107. Technical Controls
3. Intrusion Detection, Guards and CCTV
Intrusion detection systems (IDSs) can monitor for and
give notice of unauthorized entries, for example when
equipment is relocated without approval. IDSs are
essential to security because the systems can send a
warning if a specific event occurs or if access was
attempted at an unusual time.
109. Technical Controls
4. Auditing Physical Access
Auditing physical access control systems requires
the use of logs and audit trails to determine where
and when a person gained unauthorized entry into the
facility or attempted to break in.
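Slides 107 and 109 together describe what an audit of access logs looks for: entries at unusual times and repeated attempts to get through a door. The Python below is an added example for both slides, not code from the lecture. It parses a constructed badge-reader log and reports after-hours entries into restricted rooms, bursts of denied attempts by one badge at one door, and lines the reader could not parse (which an auditor should also see rather than silently lose). The log format, the list of restricted doors, the business hours and the burst threshold are all assumptions.

```python
"""Audit badge-reader logs for after-hours entries to restricted areas and
for repeated denied attempts that look like a break-in attempt. Added
illustration for the intrusion-detection and auditing slides; not code from
the lecture. The log format and thresholds are assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) door=(?P<door>\S+) "
    r"badge=(?P<badge>\S+) result=(?P<result>granted|denied)$")

RESTRICTED_DOORS = {"server-room", "network-closet"}   # assumed zoning
BUSINESS_HOURS = range(7, 20)        # 07:00-19:59; entries outside are "unusual"
DENIED_BURST = 3                     # denied attempts by one badge at one door ...
BURST_WINDOW = timedelta(minutes=5)  # ... within this window count as an attempt


def parse(line):
    """Return (timestamp, door, badge, result) or None for an unparseable line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["door"], m["badge"], m["result"]


def audit(lines):
    """Return (finding, badge, door, detail) tuples in log order."""
    findings = []
    denied = defaultdict(list)   # (badge, door) -> recent denied timestamps
    for line in lines:
        ev = parse(line)
        if ev is None:
            findings.append(("unparseable", "-", "-", line.strip()))
            continue
        ts, door, badge, result = ev
        if (result == "granted" and door in RESTRICTED_DOORS
                and ts.hour not in BUSINESS_HOURS):
            findings.append(("after-hours-entry", badge, door, ts.isoformat()))
        if result == "denied":
            # keep only denials inside the window, then add this one
            recent = [t for t in denied[(badge, door)] if ts - t <= BURST_WINDOW]
            recent.append(ts)
            denied[(badge, door)] = recent
            if len(recent) == DENIED_BURST:
                findings.append(("repeated-denied", badge, door, ts.isoformat()))
    return findings


# Constructed sample log (not from any real facility).
SAMPLE_LOG = """\
2024-03-04T08:02:11Z door=lobby badge=B1001 result=granted
2024-03-04T08:05:40Z door=server-room badge=B1001 result=granted
2024-03-04T23:14:02Z door=server-room badge=B1042 result=granted
2024-03-05T01:10:00Z door=network-closet badge=B1777 result=denied
2024-03-05T01:10:31Z door=network-closet badge=B1777 result=denied
2024-03-05T01:11:05Z door=network-closet badge=B1777 result=denied
2024-03-05T09:30:00Z door=lobby badge=B1001 result=denied
reader offline: checksum error
""".splitlines()

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

A single denial is normal (a mis-swiped card); three within five minutes at the same restricted door is what the slide calls an attempted break-in, so the burst is reported exactly once, when the threshold is reached. The after-hours check only fires for successful entries into restricted rooms, so a late-night denial shows up through the burst rule rather than twice.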
110. Summary
Physical protection can be achieved by creating
one or more physical barriers around the
organization’s premises and information processing
facilities. The use of multiple barriers gives
additional protection, where the failure of a single
barrier does not mean that security is immediately
compromised.
112. Learning Objectives:
At the end of this chapter, you will be able to:
• Identify the policy statement.
• Engage with the scope and application of the policy.
• Elaborate on the definitions of supplier relationships.
• Understand the supplier relationship security policy.
• Engage with IT division practices.
• Recognize remote access monitoring.
• Distinguish the contract requirements.
113. Learning Outline
• POLICY STATEMENT
• SCOPE AND APPLICATION OF THE POLICY
• DEFINITIONS
• SUPPLIER RELATIONSHIP SECURITY POLICY
• IT DIVISION PRACTICES
• REMOTE ACCESS MONITORING
• CONTRACT REQUIREMENTS
116. What do you understand
by supplier relations?
117. POLICY STATEMENT
• The security of information processed, transmitted or
stored by organizations contracted by the Organization to
provide those services needs to be ensured. This means
that the Organization must put in place and manage
contracts that protect the confidentiality, integrity and
availability of information handled by suppliers of these
services.
118. SCOPE AND APPLICATION OF
THE POLICY
• This policy affects all Organization information
technology systems that are supported by suppliers,
whether the system or service provided is on-premise or
not.
119. DEFINITIONS
A. Suppliers
Shall mean vendors, contractors or other third-parties that
provide software or IT services to the Organization
through a contract or other agreement.
123. IT Division Practices
Access Control
1. Supplier Accounts
Access must be granted to suppliers only when required
for performing work and with the full knowledge and prior
approval of the data steward or their designee for the
pertinent data.
124. IT Division Practices
Access Control
2. Multi-factor authentication
a. Suppliers needing access to systems that require multi-
factor authentication must do so from an account tied to an
individual.
b. When an exception to the single individual per supplier
account is approved, multi-factor authentication to the
account must be accomplished by utilizing a soft token
mechanism.
125. Remote Access Monitoring
• When required for regulatory compliance, supplier
access to on-premise systems must be monitored
or logged. This may be done using active
monitoring by staff or by session logging done
with software.
126. Contract Requirements
IT contract requirements
• Contracts that relate to services where data is stored off-
campus must utilize the standard IT contract addendum,
or contract language that sufficiently ensures the security
of the data.
127. Contract Requirements
IT contract requirements
• When purchasing software solutions, either hosted or
on-premise, where the Organization has not issued an
RFP, the supplier must complete the IT Solution
Initial Assessment Tool. Responses to this tool must be
analyzed and approved by IT prior to signing a contract.