IS 4680 Final
Guideline
A recommendation that describes how a policy, standard, or procedure is suggested to be followed; it is optional, unlike a standard, which is mandatory.
Procedure
A written statement describing the steps required to implement a process. Procedures are very technical in nature and are used mostly by IT personnel.
CIA
Confidentiality, Integrity, Availability
Detective controls
Mechanisms that recognize when an undesired action has occurred, such as motion detectors or usage log analysis tools. A detective control does not stop the action; it makes the action visible so that a corrective control can follow.
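The following is an added example, not part of the course material, of a detective control of the "usage log analysis" kind: it reads authentication log lines and flags a source that fails repeatedly within a short window, and notes whether a successful logon followed the failures. The log lines are constructed to resemble sshd entries, and the threshold and window are assumptions.

```python
"""Detective control: recognise repeated failed logons in an auth log.
Added example, not from the course text. Log lines are constructed
to look like sshd entries; the threshold and window are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): one source hammers three
# accounts and then gets in; another source has two spaced-out failures.
SAMPLE_LOG = """\
2024-03-01T08:00:01 sshd[2101]: Failed password for root from 203.0.113.7 port 51000 ssh2
2024-03-01T08:00:04 sshd[2102]: Failed password for root from 203.0.113.7 port 51001 ssh2
2024-03-01T08:00:06 sshd[2103]: Failed password for admin from 203.0.113.7 port 51002 ssh2
2024-03-01T08:00:09 sshd[2104]: Failed password for admin from 203.0.113.7 port 51003 ssh2
2024-03-01T08:00:12 sshd[2105]: Failed password for oracle from 203.0.113.7 port 51004 ssh2
2024-03-01T08:00:15 sshd[2106]: Accepted password for oracle from 203.0.113.7 port 51005 ssh2
2024-03-01T08:01:00 sshd[2110]: Failed password for jsmith from 198.51.100.20 port 40000 ssh2
2024-03-01T08:10:00 sshd[2111]: Failed password for jsmith from 198.51.100.20 port 40001 ssh2
2024-03-01T08:10:30 sshd[2112]: Accepted password for jsmith from 198.51.100.20 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse(log_text):
    """Turn matching log lines into (timestamp, result, user, source) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events

def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {src: {...}} for sources with >= threshold failures inside a sliding
    window. 'success_after' records whether the same source later logged on
    successfully, which separates a likely compromise from mere noise."""
    events = parse(log_text)
    failures = defaultdict(list)   # src -> [(ts, user)] within the window
    hits = {}
    for ts, result, user, src in events:
        if result == "Failed":
            q = failures[src]
            q.append((ts, user))
            while q and ts - q[0][0] > window:   # expire failures outside the window
                q.pop(0)
            if len(q) >= threshold and src not in hits:
                hits[src] = {"users": sorted({u for _, u in q}), "success_after": False}
        elif result == "Accepted" and src in hits:
            hits[src]["success_after"] = True
    return hits

if __name__ == "__main__":
    for src, info in find_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {len(info['users'])} accounts tried, success after: {info['success_after']}")
```

The sliding window matters: 198.51.100.20 fails twice, but nine minutes apart, so with a one-minute window it never reaches the threshold, while 203.0.113.7 is flagged on its fifth failure and then marked because an accepted logon followed.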
LAN-to-WAN Domain AND WAN Domain
The transition from the LAN to the WAN typically involves equipment such as a router or a firewall. A router forwards data between different networks. A firewall is placed between networks and is designed to permit authorized access while blocking everything else (default deny).
Single Sign On
Without it, users have to log on separately to each application they use. A single sign-on (SSO) system authenticates the user once and passes that authentication to the other applications.
Router
Within the LAN-to-WAN Domain this connects two or more separate networks
Security Assessment
a key activity that involves the management of risk. Information systems provide numerous benefits and efficiencies within organizations. However, the benefits come with risks as a result of operating these systems.
TACACS
A network protocol that provides authentication services in the Remote Access Domain. TACACS stands for Terminal Access Controller Access Control System; it originated on the ARPANET/MILNET, and Cisco later extended it as XTACACS and, most commonly today, TACACS+.
RADIUS
A network protocol that supports remote connections by centralizing authentication, authorization, and accounting. RADIUS stands for Remote Authentication Dial In User Service.
a VPN solution
Allows for choices such as IPsec, L2F, and GRE, each of which is an encapsulating (tunneling) protocol. When using remote access and VPN tunnels, be sure to monitor remote computer logins.
IT Security Audit
An independent assessment of an organization's internal policies, controls, and activities. You use an audit to assess the presence and effectiveness of IT controls and to ensure that those controls are compliant with stated policies.
Operational impact
The effect that applying a control has on how the business operates. Which controls to apply is decided from the risk assessment combined with an analysis of the trade-off between the risk reduced and the operational cost of the control.
difference between an Assessment and an Audit
An assessment identifies risks and weaknesses and recommends improvements; an audit is an independent, formal examination of whether stated controls exist and are effective, reported against defined criteria.
Technical
controls (also called logical controls) use software and data to monitor and control access to information and computing systems. For example: passwords, network and host based firewalls, network intrusion detection systems, access control lists, and data encryption are logical controls. An important logical control that is frequently overlooked is the principle of least privilege. The principle of least privilege requires that an individual, program or system process is not granted any more access privileges than are necessary to perform the task.
Administrative
controls (also called procedural controls) consist of approved written policies, procedures, standards and guidelines. Administrative controls form the framework for running the business and managing people. They inform people on how the business is to be run and how day to day operations are to be conducted
Physical
controls monitor and control the environment of the work place and computing facilities. They also monitor and control access to and from such facilities.
Software configuration management
A formal method of identifying, tracking, and controlling changes to software artifacts (source code, builds, configurations) throughout the software development life cycle.
two main types of attacks that may originate from within your organization
internal attacks on your organization and internal to external attacks on another organization
Certification and Accreditation Professional (CAP)
Is a certification for professionals involved in certifying and accrediting the security of information systems. (ISC)² later renamed it the Certified Authorization Professional.
Certified Secure Software Lifecycle Professional (CSSLP)
is a certification for those involved with ensuring security throughout the software life cycle.
ISACA
is a professional association that provides many resources for information systems auditors and IT security and governance professionals.
Systems Security Certified Practitioner (SSCP)
is an ideal certification for security engineers, analysts, and administrators. It is also popular for those without primary duties as an IS professional but who would benefit from understanding security. This includes information system auditors, programmers, and database administrators.
Remote Access Domain
Is made up of the authorized users who access organization resources remotely. Access often occurs over unsecured transports such as the Internet; other unsecured transports include dial-up via a modem. Mobile workers often need access to the private LAN while traveling or working from home, for example, and are granted this access using remote access solutions. Remote access solutions such as a virtual private network (VPN) create an encrypted communications tunnel over a public network such as the Internet.
System/Application Domain
made up of the many systems and software applications that users access. Knowledge within this domain can be very specialized as operators may focus on one specific aspect, such as mail servers, and be quite familiar with associated security ramifications. On the other hand, that same person might know very little about databases. Like the desktop operating system, server operating systems should be hardened to authorized baselines and configured according to policies and standards with the appropriate controls.
Preventive controls
mechanisms that keep an undesired action from happening, such as locked doors or computer access controls.
Corrective controls
Mechanisms that repair damage caused by an undesired action and limit further damage, such as the procedure to remove viruses or using a firewall to block an attacking system.
IDS/IPS
Most firewall rules match static attributes (addresses, ports, protocols), so a firewall alone is not effective at protecting a network from all types of attacks. An intrusion detection system (IDS) alerts on suspicious traffic and an intrusion prevention system (IPS) can also block it; both complement the firewall.
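The following is an added example, not code from the course, that makes the point above concrete. A first-match, default-deny rule set (least privilege: only listed traffic is permitted) is evaluated on static attributes alone, and a simple IDS-style check then counts distinct destination ports per source. The rules, addresses, and the "compromised server sweeping an outside host" traffic are constructed for illustration.

```python
"""Static packet-filter rules (default deny) beside a simple IDS check.
Added example, not the course's code. Rules, packets and thresholds are
constructed for illustration."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# First-match rules; anything unmatched is denied (least privilege).
# (source network, destination network, destination port or None for any, action)
RULES = [
    ("10.0.0.0/8",      "192.168.10.5/32", 443,  "allow"),  # internal users -> web app
    ("10.0.0.0/8",      "192.168.10.6/32", 25,   "allow"),  # internal users -> mail relay
    ("192.168.10.0/24", "0.0.0.0/0",       None, "allow"),  # servers may initiate outbound
]

def filter_packet(src, dst, dport, rules=RULES):
    """Return 'allow' or 'deny' using static attributes only."""
    for s_net, d_net, port, action in rules:
        if (ip_address(src) in ip_network(s_net)
                and ip_address(dst) in ip_network(d_net)
                and (port is None or port == dport)):
            return action
    return "deny"   # default deny: nothing is permitted unless a rule says so

def allowed_packets(packets, rules=RULES):
    return [p for p in packets if filter_packet(*p, rules=rules) == "allow"]

def scan_detector(packets, max_ports=10):
    """IDS-style check over traffic the firewall already allowed: flag a source
    touching many distinct ports on one destination. Static rules cannot
    express 'too many ports', because each packet on its own is permitted."""
    ports = defaultdict(set)
    for src, dst, dport in packets:
        ports[(src, dst)].add(dport)
    return sorted(k for k, v in ports.items() if len(v) >= max_ports)

# Constructed traffic: normal web use, one denied attempt, and an internal
# server (assumed compromised) sweeping ports 1-20 on an outside host.
SAMPLE_PACKETS = (
    [("10.1.2.3", "192.168.10.5", 443)] * 3
    + [("10.1.2.3", "192.168.10.5", 22)]
    + [("192.168.10.7", "203.0.113.9", p) for p in range(1, 21)]
)

if __name__ == "__main__":
    passed = allowed_packets(SAMPLE_PACKETS)
    print(f"{len(passed)} of {len(SAMPLE_PACKETS)} packets allowed by static rules")
    print("port sweeps seen in allowed traffic:", scan_detector(passed))
```

Every packet of the sweep passes the filter individually because the outbound rule for the server subnet is correct on its own terms; only a control that looks across packets notices the pattern.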
Security control management
pertains specifically to the configuration items that are directly related to controls or settings representing significant risk, if not managed properly.
Baseline configuration management
A plan for establishing the basic standard of system configurations (the baseline) and for managing the configuration items so that systems are checked for drift away from that baseline.
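The following is an added example, not code from the course, of the check a baseline configuration plan calls for: a host's captured settings are compared with the approved baseline, deviations are reported in order of the risk each setting represents, and settings present on the host but absent from the baseline are listed as unmanaged. The baseline, the sshd_config-style capture, and the risk ratings are constructed.

```python
"""Baseline configuration management: compare a host's captured settings
against the approved baseline and report drift, weighted by the risk the
setting represents. Added example; baseline and captured values are constructed."""

# Approved baseline: setting -> (expected value, risk if the setting drifts)
BASELINE = {
    "PasswordAuthentication": ("no",      "high"),
    "PermitRootLogin":        ("no",      "high"),
    "MaxAuthTries":           ("3",       "medium"),
    "LogLevel":               ("VERBOSE", "medium"),
    "X11Forwarding":          ("no",      "low"),
}

# Constructed sshd_config-style capture from one host (comments and blanks included).
CAPTURED = """\
# sshd_config captured 2024-03-01 from host web01 (constructed sample)
PasswordAuthentication yes
PermitRootLogin no

MaxAuthTries 6
X11Forwarding no
Banner /etc/issue.net
"""

RISK_ORDER = {"high": 0, "medium": 1, "low": 2}

def parse_config(text):
    """Parse 'Key value' lines, ignoring comments and blank lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings

def drift_report(baseline, captured_text):
    """Return (findings, unmanaged). findings: (risk, key, expected, actual),
    highest risk first; a baseline setting missing from the host is a finding
    too, since the system default then applies instead of the approved value."""
    current = parse_config(captured_text)
    findings = []
    for key, (expected, risk) in baseline.items():
        actual = current.get(key)
        if actual is None:
            findings.append((risk, key, expected, "<missing>"))
        elif actual != expected:
            findings.append((risk, key, expected, actual))
    findings.sort(key=lambda f: (RISK_ORDER[f[0]], f[1]))
    unmanaged = sorted(set(current) - set(baseline))
    return findings, unmanaged

if __name__ == "__main__":
    findings, unmanaged = drift_report(BASELINE, CAPTURED)
    for risk, key, expected, actual in findings:
        print(f"[{risk:6}] {key}: expected {expected!r}, found {actual!r}")
    print("settings not covered by the baseline:", unmanaged)
```

Treating a missing setting as drift is deliberate: a baseline that only checks values that are present silently accepts whatever the vendor default happens to be.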
System characterization
Provides details about the infrastructure systems, including the hardware, software, data, interfaces, and associated users. A discussion of existing technical, management, and operational controls can be included.
network operating system (NOS)
An operating system designed to manage shared network resources; it provides the interface between the hardware and the application-layer software.
Threat identification
The step in a risk assessment that enumerates the threat sources (natural, human, and environmental) that could exploit a vulnerability; all possible threats are listed first, before their likelihood and impact are analyzed.
LAN Domain Audit can examine various elements
• Logon mechanisms and controls for access to the LAN
• Hardening and configuration of LAN systems
• Backup procedures for servers
• Review of power supply for the network
National Institute of Standards and Technology (NIST) control classes include
• Management
• Technical
• Operational
types of assessments
• Network security architecture review
• Review of security policies, procedures, and practices
• Vulnerability scan and testing
• Physical security assessment
• Security risk assessment
• Social engineering assessment
• Application assessment
The IIA Code of Ethics has four principles:
• Integrity
• Objectivity
• Confidentiality
• Competency
Authentication in the Remote Access Domain
Is best handled by a centralized authentication service such as RADIUS or TACACS (TACACS+).
Gap Analysis
By having sound policies in place and a framework for the application of controls, you can map existing controls to each regulation, including future regulations. An organization then performs a gap analysis to identify any required control that is missing or not effective.
Regulatory compliance benefits:
1. Organizations
2. Consumers
3. Shareholders
Policy
A document that states how the organization is to perform and conduct business functions and transactions with a desired outcome. A policy is very high level and not very granular.
GLBA
The Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act of 1999. It includes provisions (the Privacy Rule and the Safeguards Rule) to protect consumers' personal financial information held by financial institutions.
User Domain
An audit of the User Domain should be considered for anyone accessing the organization's information systems. This includes not just employees but non-employees as well, such as contractors or consultants. This domain considers the roles and responsibilities of the users. It should examine all policies that relate to them, specifically access policies.
Standard
An established and proven norm or method, which can be a procedural standard or a technical standard implemented organization-wide. A standard is mandatory and somewhat more granular than the policy it is derived from.
COBIT
Control Objectives for Information and Related Technology
RACI Matrix
Each task in the audit process has one or more people who are responsible or accountable for that task. Many organizations use a RACI matrix to document tasks and personnel responsible for the assignments. RACI stands for responsible, accountable, consulted, and informed
FISMA
Enacted in 2002, requires federal agencies to implement a program to provide security for their information and information systems, including those provided or managed by another agency or contractor. It is Title III of the E-Government Act of 2002. The Federal Information Security Management Act (FISMA) ensures that organizations have sound information security practices and a framework for effective information security resources that support federal operations. It was amended by the Federal Information Security Modernization Act of 2014.
FCAPS
Fault, Configuration, Accounting, Performance, Security
COSO
Stands for Committee of Sponsoring Organizations (of the Treadway Commission): a joint initiative of five private-sector organizations, established in the United States, dedicated to providing thought leadership to executive management and governance entities on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting.
Application data encryption
A strategy in which the application itself encrypts data before sending it to remote users, so the data stays protected regardless of the transport it crosses.
FCAPS
the ISO Telecommunications Management Network model and framework for network management.
Workstation Domain
the end users' operating environment
Risk assessment
The way in which firms quantify how significant each risk is to the achievement of their overall goals.
Certified Information Systems Security Professional (CISSP)
This is arguably the most recognized information security certification. It is ideal for information security management professionals or those who develop policies and procedures for information security. The CISSP offers three concentrations: architecture (ISSAP), engineering (ISSEP), and management (ISSMP).
Proxy Server
A type of firewall that makes requests for remote services on behalf of the local clients, so the remote service never talks to the client directly.
PCI DSS
Payment Card Industry Data Security Standard, used by the payment card industry; it applies to any organization that stores, processes, or transmits cardholder data.
Main controls for maintaining the System/Application Domain include:
• Application patch management
• Domain management
Institute of Internal Auditors (IIA) fellowship program for experienced auditors to develop their careers. Participants must meet the following requirements:
• At least five years of professional experience in internal auditing
• An active IIA membership or a professional certification
• A bachelor's or higher degree
• Two professional recommendations
• A personal letter of interest
• A minimum of two writing samples
• A completed application
Under the two components, People and Documentation, you find people fall into three types:
• Employees
• Guests/third parties
• Contractors
The three authentication factors include:
• Knowledge - what you know (a password or PIN)
• Tokens - what you have (a smart card or one-time-code token)
• Biometrics - what you are (a fingerprint or iris pattern)
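The following is an added example, not code from the course, showing two of the three factors checked together: something you know (a password verified against a salted PBKDF2 hash) and something you have (a time-based one-time code generated per RFC 6238). The user record is constructed, and the token secret is the RFC 6238 test key so the codes can be checked against the published vectors.

```python
"""Two-factor check: something you know (password) plus something you have
(a TOTP token, RFC 6238). Added example, not from the course text; the user
record is constructed and the token secret is the RFC 6238 test key."""
import hashlib
import hmac
import os
import struct
import time

def hash_password(password, salt=None, rounds=200_000):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) so the salt can be stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, digest

def totp(secret, for_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1: HOTP of the 30-second time counter."""
    counter = int(for_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

# Constructed user record (assumed for the example); the secret is the RFC test key.
SALT, DIGEST = hash_password("correct horse battery staple")
USER = {"name": "jsmith", "salt": SALT, "pw_hash": DIGEST,
        "totp_secret": b"12345678901234567890"}

def authenticate(user, password, code, now=None, skew=1):
    """Both factors must pass. Both are always evaluated, and the result does not
    say which one failed, so an attacker cannot confirm the password alone."""
    now = time.time() if now is None else now
    _, candidate = hash_password(password, user["salt"])
    knows = hmac.compare_digest(candidate, user["pw_hash"])
    # accept neighbouring time steps to tolerate small clock drift on the token
    has = any(hmac.compare_digest(totp(user["totp_secret"], now + d * 30), code)
              for d in range(-skew, skew + 1))
    return knows and has

if __name__ == "__main__":
    print("code for the token right now:", totp(USER["totp_secret"], time.time()))
    print("login ok:", authenticate(USER, "correct horse battery staple",
                                    totp(USER["totp_secret"], time.time())))
```

A password alone proves only the first factor; a stolen password still fails here without the current code from the token, which is the point of combining factors from two different columns of the list above.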