IT APPLICATIONS
Professional Stage Application Level, ICAB
Teacher: Mohammad Abdul Matin
Chapter 5
Controls and Standards
Chapter Outline
• Information System Security Controls
• Physical Security Controls
• Logical Security Controls
• Controls and Standards for Information Integrity
• Controls and Standards for Information Access Control
• Controls and Standards for Computer Audit
• Controls and Standards for the System Implementation Phase
• Controls and Standards for System Maintenance and Evaluation
• Risks of IT Systems
• Controls for Personal Systems
Syllabus
• In the examination, candidates may be required to:
a. describe in detail the controls and standards applied to information systems for the purposes of audit and security (regulatory and management controls, computer risk management, backup procedures, controls over data integrity, computer audit, passwords and logical access systems, personal security planning)
b. explain the risks to IT systems from hackers and viruses
Types of Security Control
Physical Security Controls: Locks | Access Control | Fire Protection
Logical Security Controls: Authentication | Anti-Virus | Encryption
Administrative (Management) Controls: Security Policy | SOPs | Licences | AMC (annual maintenance contracts) | Warranties
Information System Operating Controls: Performance | Completeness | Accuracy | Backup & Restore
Information System Security Policy
• Information System (IS)
The hardware, networks, software, applications and databases involved in recording, processing, analysing, storing and reporting information.
• IS Security Policy
High-level statements of management's goals for the control and security of information systems. The policy also:
– specifies who is responsible for implementation
– is established by management and approved by the Board
– does not lay down detailed control procedures or SOPs (that level of detail belongs in the standards and procedures beneath it)
Sections of a Security Policy
• Purpose & Responsibility: provides guidelines on information processing, reporting, MIS, etc. for management and the Board
• System Procurement & Development: guides system life-cycle management, from evaluation and procurement through to monitoring
• Access Terminals: defines access authorization and the processes by which management grants access to the information systems
• Equipment & Information Security: covers equipment and environment, information and communication security, and contingency and recovery
• Service Bureau Programs: outlines the engagement framework and service levels for the development and management of outsourced (service bureau) systems
IS Security Standards
• Minimum criteria, rules and procedures established in an organization that must be implemented to ensure the objectives of the IS Security Policy are achieved.
IS Security Standards:
– are implemented under the direction of management
– specify the detailed requirement for each IS control, e.g. minimum password length, password construction rules, backup retention period
– are generally applicable across the organization rather than tied to any particular computer platform; platform-specific settings belong in the procedures and configuration baselines derived from them
Physical Security Controls
• Physical Locks
• Security Guards
• Video Surveillance Cameras
• Emergency and Detection Controls (e.g. fire and smoke detection)
• Heating, Ventilation and Cooling Systems
• Insurance Coverage
• Periodic Backups
• Emergency Power and UPS
• Business Resumption Programs
• A designated backup (deputy) for the System Security Administrator
Logical Security Control
• User IDs and Passwords
• Remote Access Controls
– Dedicated Leased Lines
– Automatic Dial-back (for modem connections)
– Transport Layer Security (TLS, the successor to the deprecated Secure Sockets Layer, SSL)
– Multifactor Authentication
– Virtual Private Network (VPN)
• Computer Operations Audit
• Backup and Recovery Procedures
• Integrity / Completeness Checks
Control & Standards for Information Integrity
• Policy & Procedures
– Formal documented policy addressing purpose, scope, roles, committees, coordination among entities, etc.
– Formal guideline on the process for establishing the information integrity policy
• Flaw Remediation
– An established process for proactively identifying, reporting and addressing flaws and vulnerabilities (which would otherwise surface as errors or faults)
– Patch management, system updates, service packs, etc.
Control & Standards for Information Integrity (cont.)
• Malicious Code Protection
– Gateway filtering/protection for email, web and removable media
– Host-based (endpoint) protection software as a second layer, for defence in depth
• Security Alerts and Advisories
– Following vendor and industry security alerts and advisories and keeping systems up to date accordingly
• Security Functionality Verification
– Monitoring and notification for automated security test failures or exposed vulnerabilities
• Software and Information Integrity
– Software integrity through version control, release management, etc.
– Master Data Management (MDM)
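The two bullets above (security functionality verification and software/information integrity) both come down to the same mechanism: record what "known good" looks like, then check the live system against it automatically and raise a finding on any difference. The following is an added example written for this page, not code from the slides; it is a minimal file-integrity monitor. The directory layout, file names and the HMAC key are constructed for illustration. The baseline itself is sealed with an HMAC so that an attacker who alters a file cannot also quietly edit the baseline to match.

```python
"""File-integrity baseline and verification (added example).

Records a SHA-256 digest per file under a root directory, protects the
baseline with an HMAC-SHA256 tag (tampering with the baseline is then as
detectable as tampering with the files), and reports added, removed and
modified files on a later verification run.
"""
import hashlib
import hmac
import json
from pathlib import Path


def _digest(path: Path) -> str:
    """SHA-256 of a file, streamed in 64 KiB chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256 hex digest."""
    rootp = Path(root)
    return {p.relative_to(rootp).as_posix(): _digest(p)
            for p in sorted(rootp.rglob("*")) if p.is_file()}


def seal_baseline(baseline: dict, key: bytes) -> bytes:
    """Serialise the baseline canonically (sorted keys) and attach an HMAC-SHA256 tag."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"baseline": baseline, "hmac": tag}, sort_keys=True).encode()


def open_baseline(sealed: bytes, key: bytes) -> dict:
    """Verify the HMAC before trusting the baseline; raise if it has been altered."""
    doc = json.loads(sealed)
    body = json.dumps(doc["baseline"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline HMAC mismatch: baseline has been altered")
    return doc["baseline"]


def verify_tree(root: str, baseline: dict) -> dict:
    """Compare the current tree with the baseline; any non-empty list is a finding."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(current) & set(baseline)
                           if current[p] != baseline[p]),
    }
```

The HMAC key must live somewhere the monitored system cannot write to (for example on the monitoring host or in a secrets store); if the key sits beside the baseline, sealing adds nothing.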
Control & Standards for Information Integrity (cont.)
• Spam Protection
– Spam protection at gateways and on messaging systems, servers and devices
– Keeping the spam signature database up to date
– Combining more than one product (layered filtering) to strengthen protection
• Information Input Restrictions
– Role-based authorization, location- and schedule-based access, etc.
• Information Input Accuracy, Completeness, Validity and Authenticity
– Input validation based on format, context, length, source, etc.
– Completeness checks based on the transaction definition (e.g. record counts and control totals), etc.
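Input validation and completeness checking are the two controls above that can be expressed directly as code, and the following added example (written for this page, not taken from the slides) does so for a batch of payment instructions. The transaction definition, the permitted input channels and the sample records are constructed for illustration. Validity is judged per record against the definition (format, length, permitted values, known source channel); completeness is judged per batch against a control record carrying the expected record count and amount total, so a dropped or duplicated record is caught even when every surviving record is individually valid.

```python
"""Input validation and batch completeness checks (added example)."""
import re
from decimal import Decimal

# Constructed transaction definition for a payment instruction (illustrative).
PAYMENT_DEFINITION = {
    "txn_id":   {"pattern": r"^TXN\d{8}$",       "max_len": 11, "required": True},
    "account":  {"pattern": r"^\d{10,16}$",      "max_len": 16, "required": True},
    "amount":   {"pattern": r"^\d{1,12}\.\d{2}$", "max_len": 15, "required": True},
    "currency": {"pattern": r"^[A-Z]{3}$",        "max_len": 3,  "required": True,
                 "allowed": {"BDT", "USD", "EUR"}},
    # Authenticity: input is accepted only from known, authorised channels.
    "source":   {"pattern": r"^[a-z_]+$",         "max_len": 32, "required": True,
                 "allowed": {"branch_teller", "internet_banking"}},
    "memo":     {"pattern": r"^[\w .,-]*$",       "max_len": 40, "required": False},
}


def validate_record(record: dict, definition=PAYMENT_DEFINITION) -> list:
    """Return a list of validity errors for one record (empty list = valid)."""
    errors = []
    for name, spec in definition.items():
        value = record.get(name)
        if value is None or value == "":
            if spec["required"]:
                errors.append(f"{name}: missing")
            continue
        if not isinstance(value, str):
            errors.append(f"{name}: not a string")
            continue
        if len(value) > spec["max_len"]:
            errors.append(f"{name}: length {len(value)} > {spec['max_len']}")
        if not re.fullmatch(spec["pattern"], value):
            errors.append(f"{name}: bad format")
        if "allowed" in spec and value not in spec["allowed"]:
            errors.append(f"{name}: value not permitted")
    for extra in sorted(set(record) - set(definition)):
        errors.append(f"{extra}: unexpected field")
    return errors


def check_batch(control: dict, records: list) -> dict:
    """Completeness: count and control total must match the batch control record.

    Invalid records are excluded from the total, so a batch with any invalid
    record also fails the total check and must be rejected as a whole.
    """
    result = {"invalid": {}, "duplicates": [], "count_ok": False, "total_ok": False}
    seen = set()
    total = Decimal("0")
    for rec in records:
        errs = validate_record(rec)
        if errs:
            result["invalid"][rec.get("txn_id", "?")] = errs
            continue
        if rec["txn_id"] in seen:
            result["duplicates"].append(rec["txn_id"])
        seen.add(rec["txn_id"])
        total += Decimal(rec["amount"])
    result["count_ok"] = len(records) == control["record_count"]
    result["total_ok"] = total == Decimal(control["amount_total"])
    return result
```

Note that a duplicated record can pass both the count and the total check if another record was dropped in the same batch; the duplicate list catches that case, which is why the two checks are reported separately rather than collapsed into one boolean.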
Control & Standards for Information Access Control
• Access Control Policy and Procedures
– A formal document setting out the information access policy
• Identification and Authentication Policy & Procedures
– Formally documented guidelines on how users and devices are identified and authenticated
• Account Management
– User / group / system ID definitions with an authorization matrix
– Processes and procedures for account creation, change (add/move) and deletion
• Account Review
– Automated audit of accounts and their access rights
– Reviewing, analysing and reporting on the audit records
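An automated account review, as the bullets above describe it, compares what exists (the account export from a system) with what is authorised (the HR roster and the authorization matrix) and reports the differences for a reviewer to act on. The following is an added example written for this page, not code from the slides; the authorization matrix, the roles, the entitlement names and the sample accounts are all constructed. It flags the four findings a reviewer most often asks for: orphaned accounts with no owner, leavers still enabled, stale accounts, and entitlements beyond what the holder's role permits.

```python
"""Automated account and access review (added example)."""
from datetime import date, timedelta

# Constructed authorization matrix: role -> entitlements that role may hold.
AUTH_MATRIX = {
    "teller":  {"txn_post", "txn_view"},
    "auditor": {"txn_view", "log_read"},
    "admin":   {"txn_view", "user_admin", "log_read"},
}


def review_accounts(accounts: list, hr_roster: list, auth_matrix: dict,
                    today: date, stale_after_days: int = 90) -> list:
    """Return (user_id, finding) pairs; an empty list means nothing to report.

    accounts : [{"user_id", "enabled", "last_login" (date or None), "entitlements"}]
    hr_roster: [{"user_id", "role", "status" ("active" | "left")}]
    """
    findings = []
    roster = {p["user_id"]: p for p in hr_roster}
    for acct in accounts:
        uid = acct["user_id"]
        person = roster.get(uid)
        if person is None:
            # No owner on record: cannot be reviewed, must be disabled or assigned an owner.
            findings.append((uid, "orphaned: no matching person in HR roster"))
            continue
        if person["status"] == "left" and acct["enabled"]:
            findings.append((uid, "leaver still enabled"))
        last = acct["last_login"]
        if last is None or today - last > timedelta(days=stale_after_days):
            findings.append((uid, f"stale: no login in {stale_after_days} days"))
        allowed = auth_matrix.get(person["role"], set())
        excess = sorted(set(acct["entitlements"]) - allowed)
        if excess:
            findings.append((uid, f"entitlements beyond role {person['role']}: {excess}"))
    return findings


def accounts_without_findings(accounts: list, findings: list) -> list:
    """User IDs that passed every check, for the reviewer's sign-off list."""
    flagged = {uid for uid, _ in findings}
    return sorted(a["user_id"] for a in accounts if a["user_id"] not in flagged)
```

In practice the account export, the HR roster and the matrix come from three different systems; the review is only as good as the join key between them, so the user ID naming standard matters as much as the checks.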
Control & Standards for Information Access Control (cont.)
• User Identification and Authentication
– User authentication with single-factor and multifactor verification
• Device Identification and Authentication
– Bidirectional (mutual) negotiation and authentication of devices
• Passwords
– Changing default passwords before a system goes into use
– Complexity (construction) rules for passwords
– Expiry of passwords and restrictions on reuse (password history)
– Keeping passwords separate from their login IDs (never recorded or transmitted together)
– Control over, and logging of every use of, master (privileged) passwords
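The password rules above, and the earlier point that a security standard states measurable requirements such as password length and construction, can be shown together in one piece of code. The following is an added example written for this page, not code from the slides; the numeric values (12 characters, 3 character classes, 5-deep history, 90-day maximum age) and the short list of vendor default passwords are illustrative parameters, not a recommendation from the source. The standard is encoded as data, the check returns every violation rather than just the first, and previous passwords are kept only as salted PBKDF2 hashes so the reuse check never requires storing a password in clear.

```python
"""Password standard encoded as data, with a checker (added example)."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class PasswordStandard:
    min_length: int = 12
    min_char_classes: int = 3      # of: lower, upper, digit, symbol
    history_depth: int = 5         # previous passwords that may not be reused
    max_age_days: int = 90
    # Constructed, deliberately short list of well-known vendor defaults (illustrative).
    default_passwords: frozenset = frozenset(
        {"admin", "password", "changeme", "123456", "welcome1"})


@dataclass
class PasswordRecord:
    """Salted hashes of a user's current and previous passwords, newest first."""
    history: list = field(default_factory=list)        # [(salt, digest), ...]
    last_changed: date = field(default_factory=date.today)


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; used here for the reuse check, with a fresh salt per entry.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _char_classes(pw: str) -> int:
    return sum(1 for c in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]") if re.search(c, pw))


def check_new_password(candidate: str, user_id: str, record: PasswordRecord,
                       std: PasswordStandard = PasswordStandard()) -> list:
    """Return every violation of the standard for a proposed password (empty = accepted)."""
    violations = []
    if len(candidate) < std.min_length:
        violations.append(f"length {len(candidate)} < {std.min_length}")
    if _char_classes(candidate) < std.min_char_classes:
        violations.append(f"fewer than {std.min_char_classes} character classes")
    if candidate.lower() in std.default_passwords:
        violations.append("is a known default password")
    if user_id and user_id.lower() in candidate.lower():
        violations.append("contains the login ID")
    for salt, digest in record.history[: std.history_depth]:
        if hmac.compare_digest(hash_password(candidate, salt), digest):
            violations.append("reused within history depth")
            break
    return violations


def password_expired(record: PasswordRecord, today: date,
                     std: PasswordStandard = PasswordStandard()) -> bool:
    return today - record.last_changed > timedelta(days=std.max_age_days)


def rotate_password(record: PasswordRecord, user_id: str, new_password: str,
                    today: date, std: PasswordStandard = PasswordStandard()) -> None:
    """Apply a new password after checking it; keep only history_depth old hashes."""
    violations = check_new_password(new_password, user_id, record, std)
    if violations:
        raise ValueError("; ".join(violations))
    salt = os.urandom(16)
    record.history.insert(0, (salt, hash_password(new_password, salt)))
    del record.history[std.history_depth:]
    record.last_changed = today
```

Because the rules live in `PasswordStandard` rather than in the checking code, the organisation's standard can be tightened (longer minimum, deeper history) without touching the logic, which is exactly the separation between standard and implementation the slides describe.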
Questions
• Explain physical security controls and logical security controls.
• What is meant by Information System Security Standards?
Thank You

ICAB - ITA Chapter 5 class 7-8 - Controls and Standards
