This document discusses controls and standards for information systems security. It covers various types of security controls including physical security controls like locks and access control, and logical security controls like authentication and encryption. It also discusses standards for information integrity, access control, and system implementation and maintenance. The key topics covered are information system security policy, physical and logical security controls, and standards for information integrity, access control, computer audits and system lifecycle management.

1. IT APPLICATIONS
Professional Stage Application Level, ICAB
Teacher: Mohammad Abdul Matin
Chapter 5
Controls and Standards

2. Chapter Outline
 Information System Security Controls
 Physical Security Controls
 Logical Security Controls
 Control and Standard for Information Integrity
 Control and Standard for Information Access Control
 Control and Standard for Computer Audit
 Control and Standard for System Implementation Phase
 Control and Standard for System Maint. and Evaluation
 Risks of IT Systems
 Controls for Personal Systems

3. Syllabus
 In the examination, candidates may be required to
a. describe in detail the controls and standards which are
applied to information systems for the purpose of audit and
security (regulatory and management controls, computer
risk management, back up procedures, controls over data
integrity, computer audit, passwords and logical access
system, personal security planning)
b. explain the risks to IT systems from hackers and viruses

4. Types of Security Control
Physical Security Controls
Lock | Access Control | Fire Protection
Logical Security Controls
Authentication | Anti Virus | Encryption
Environmental Controls
Security Policy | SOP | License | AMC | Warranty
Information System Operating Controls
Performance | Completion | Accuracy | Backup & Restore

5. Information System Security Policy
 Information System (IS)
Hardware, Network, Software, Applications, Databases involved
in recording, processing, analyzing, storing and reporting
information.
 IS Security Policy
High level statements stating goals regarding control and security
of Information Systems, which also…
– specifies who is responsible of implementation
– is established by management and approved by Board
– does not lay down detailed control procedures or SOPs

6. Sections of a Security Policy
• to provide guidelines on information processing,
reporting, MIS, etc. for management and Board
Purpose &
Responsibility
• guides on system life-cycle management, starting
with evaluation, procurement to monitoring
System Procurement
& Development
• defines access authorization and processes for
management to the information systemsAccess Terminals
• explains equipment & environment, information &
communication security, contingency & recovery
Equipment &
Information Security
• outline the engagement framework and service
levels in regard to development, management
Service Bureau
Programs

7. IS Security Standards
 Minimum criteria, rules and procedures established in
an organization that must be implemented for ensuring
achievement of IS Security Policy objectives.
The IS Security Standards….
– are implemented under the direction of Management
– specify detailed requirements of each IS control; e.g. length of
passwords, construction of passwords, backup retention
period, etc.
– are not specific to any particular computer platform. It’s more
generally applicable.

8. Physical Security Controls
 Physical Locks
 Security Guards
 Video Surveillance Cameras
 General Emergency and Detection Controls
 Heating, Ventilation and Cooling Systems
 Insurance Coverage
 Periodic Backups
 Emergency Power and UPS
 Business Resumption Programs
 Backup System Security Administrator

9. Logical Security Control
 User ID and Passwords
 Remote Access Controls
• Dedicated Leased Lines
• Automatic Dial-back
• Secure Socket Layer (SSL)
• Multifactor Authentication
• Virtual Private Network (VPN)
 Computer Operations Audit
 Backup and Recovery Procedures
 Integrity / Completeness Checks

10. Control & Standards for Information
Integrity
 Policy & Procedures
– Formal documented policy addressing purpose, scope, roles,
committees, coordination among entities, etc.
– Formal guideline on the process of establishing information
integrity policy
 Flaw Remediation
– Establishing a process for proactive identification, reporting
and addressing flaws/vulnerability (that can take effect into
errors/faults)
– Patch management, system updates, service packs, etc.

11. Control & Standards for Information
Integrity (cont.)
 Malicious Code Protection
– Gateway filtering/protection for email, web, removable media
– Software for in-depth protection
 Security Alerts and Advisories
– Following and keeping up-to-date with different popular alerts
 Security Functionality Verification
– Monitoring and notification system for automated security test
failures or exposed vulnerabilities
 Software and Information Integrity
– Software integrity with version control, release management, etc.
– Master Data Management (MDM)

12. Control & Standards for Information
Integrity (cont.)
 Spam Protection
– Spam protection in gateways, messaging, servers and devices
– Keeping spam signature database updated
– Combine multiple software to strengthen protection
 Information Input Restrictions
– Role based authorization, location/schedule based access, etc.
 Information Input Accuracy, Completeness, Validity and
Authenticity
– Input validation based on format, context, length, source, etc.
– Completeness check based on transaction definition, etc.

13. Control & Standards for Information
Access Control
 Access Control Policy and Procedures
– Formal document outlining information access policy
 Identification and Authentication Policy & Procedures
– Access identification guidelines formally documented
 Account Management
– User / group / system ID definitions with authorization matrix
– Account add/move/delete processes and procedures
 Account Review
– Automated account and access audit
– Reviewing, analyzing and reporting on audit records

14. Control & Standards for Information
Access Control (cont.)
 User Identification and Authentication
– User authentication with single and multifactor verification
 Device Identification and Authentication
– Bidirectional negotiation and authentication of devices
 Passwords
– Changing default passwords
– Complexity of passwords
– Expiration and repeatability of passwords
– Keeping passwords away from login IDs
– Control and log for master passwords

15. Questions
 Explain the physical security control and logical security
controls
 What do you mean by Information System Security
Standards?

16. Thank You