IT Security Objectives and Controls - PDF

Summary

The document outlines IT security objectives, controls, and various threats such as malware and data breaches. It details mitigation strategies including access controls, data protection methods, and testing management controls. It provides information useful for professionals in cybersecurity.

Full Transcript


MODULE 2: IT OBJECTIVES AND CONTROLS

I. SECURITY

IT security protects sensitive data and preserves the confidentiality, integrity and availability of information. Assessing it means systematically reviewing an organization's information systems to identify vulnerabilities, evaluate security controls, and confirm compliance with established policies and regulations. Through comprehensive audits, organizations can uncover risks, strengthen their security posture, and foster a culture of accountability in safeguarding information assets. This proactive approach helps mitigate threats, supports business continuity, and gives stakeholders confidence in the organization's data management practices.

A. IT SECURITY OBJECTIVES
1. Confidentiality: Ensure sensitive data is accessible only to authorized users.
2. Integrity: Protect data from unauthorized changes or corruption.
3. Availability: Ensure systems and data are available when needed by authorized users.
4. Auditability: Maintain records of access and changes to systems so that actions can be attributed and reviewed.

B. THREATS AND ATTACKS
1. Malware: Viruses, ransomware and spyware that compromise system security.
2. Phishing: Attempts to trick users into divulging sensitive information.
3. Denial of Service (DoS): Attacks aimed at making services unavailable.
4. Insider Threats: Employees or contractors who intentionally or unintentionally compromise security.
5. Zero-Day Exploits: Attacks on vulnerabilities not yet known to the vendor, so no patch exists when they are first used.

C. MITIGATION
1. Network Security Controls:
   - Firewalls to filter incoming and outgoing traffic.
   - Intrusion Detection and Prevention Systems (IDPS) for real-time threat analysis.
2. Endpoint Protection:
   - Antivirus and anti-malware software to detect and remove threats.
   - Regular updates and patches for all software and operating systems.
3. Access Management:
   - Role-based access control (RBAC) to limit data access based on user roles.
   - Multi-factor authentication (MFA) to enhance login security.
4. Data Protection:
   - Encryption of sensitive data at rest and in transit.
   - Regular backups and a disaster recovery plan.
5. Training and Awareness:
   - Continuous training programs for employees on security best practices and recognizing threats.

D. TESTING MANAGEMENT CONTROLS
1. Vulnerability Assessments: Regular scans to identify weaknesses in systems.
2. Penetration Testing: Simulating attacks to assess the effectiveness of security controls.
3. Audit Trails: Review logs to ensure compliance with security policies and detect anomalies.
4. Incident Response Testing: Tabletop exercises that test the organization's response to security incidents.
5. Continuous Monitoring: Security information and event management (SIEM) systems for real-time analysis of security alerts.

II. CONFIDENTIALITY AND PRIVACY

A. THREATS
1. Unauthorized Access: Access by individuals without permission can expose sensitive information.
2. Data Breaches: Incidents in which confidential data is accessed or disclosed without authorization.
3. Insider Threats: Employees or contractors who intentionally or unintentionally compromise data confidentiality.
4. Malware and Ransomware: Software designed to exploit vulnerabilities and gain access to sensitive data.
5. Phishing Attacks: Techniques used to trick users into revealing confidential information.

B. MITIGATION
1. Access Controls: Implement role-based access control (RBAC) to limit access to confidential information.
2. Regular Audits: Periodic audits to identify vulnerabilities and ensure compliance with policies.
3. Employee Training: Training on recognizing threats and on each person's responsibilities regarding confidentiality.
4. Incident Response Plan: Develop and maintain a plan for responding to data breaches and security incidents.
5. Monitoring and Alerting: Use security systems to monitor access and detect unauthorized attempts to access data.

C. ENCRYPTION FUNDAMENTALS, TECHNIQUES AND APPLICATIONS
1. Fundamentals:
   - Encryption transforms data into a form that is unreadable without the decryption key.
   - It protects data at rest (stored data) and in transit (data being transmitted).
   - Encryption by itself protects confidentiality, not integrity: a plain cipher will happily decrypt altered ciphertext into corrupted data. Authenticated modes such as AES-GCM add an integrity tag so that tampered ciphertext is rejected instead.
2. Techniques:
   - Symmetric Encryption: The same key is used for encryption and decryption (e.g., AES, the Advanced Encryption Standard). Fast and suited to bulk data, but the key must be distributed securely to every party.
   - Asymmetric Encryption: A pair of keys, one public and one private (e.g., RSA, Rivest-Shamir-Adleman). Solves key distribution but is slow, so in practice it protects a symmetric key that in turn encrypts the data (hybrid encryption).
3. Applications:
   - Email encryption to secure sensitive communications.
   - Full disk encryption to protect data on devices.
   - TLS (Transport Layer Security) to secure data transmitted over networks. Its predecessor SSL (Secure Sockets Layer), and TLS 1.0 and 1.1, are deprecated; current deployments should require TLS 1.2 or later.

D. DIFFERENCES BETWEEN CONFIDENTIALITY AND PRIVACY
Confidentiality: The obligation to protect sensitive information from unauthorized access or disclosure.
Privacy: The right of individuals to control their personal information and how it is collected, used and shared.

E. METHODS FOR PROTECTION OF CONFIDENTIAL DATA
1. Access Control Mechanisms: Limit who can view or modify data based on their role or status.
2. Data Masking: Obscure sensitive information in non-production environments.
3. Secure Coding Practices: Follow coding standards to prevent vulnerabilities in applications.
4. Physical Security Measures: Controls on physical access, such as locked server rooms and surveillance.

F. DATA LOSS PREVENTION (DLP)
1. DLP Tools: Software that monitors sensitive information and blocks or alerts when it is shared or accessed in ways policy does not allow.
2. Policy Enforcement: Define policies for how data is handled and enforce them through monitoring and alerts.
3. Endpoint Protection: Safeguard data on endpoints, preventing unauthorized access and data exfiltration.

G. FINANCIAL AND OPERATIONAL IMPLICATIONS OF A DATA BREACH
1. Financial Costs: Regulatory fines, legal fees, notification costs and potential loss of business.
2. Reputation Damage: Loss of customer trust, leading to reduced sales and long-term brand damage.
3. Operational Disruption: System downtime and diversion of resources to manage the breach.

H. CONTROLS AND DATA MANAGEMENT PRACTICES
1. Data Classification: Classify data by sensitivity and apply security measures appropriate to each class.
2. Retention Policies: Define how long data is stored and when it must be securely disposed of.
3. Regular Compliance Checks: Confirm that data management practices align with legal and regulatory requirements.

I. DEFICIENCIES IN THE SUITABILITY OF DESIGN
1. Inadequate Controls: Controls that cannot adequately protect sensitive information even when they operate as designed, such as weak password rules or unsupported, unpatched software.
2. Poor Risk Assessment: No proper risk assessment process to identify vulnerabilities in data handling.

J. DEVIATIONS IN THE OPERATION OF CONTROLS
1. Control Failures: Controls that are suitably designed but do not function as intended, leaving room for a breach.
2. Policy Violations: Employees failing to follow established data handling and confidentiality policies.

K. WALKTHROUGH
1. Process Review: Walk through data handling processes to confirm they match documented policies.
2. Interviews: Engage with personnel to understand their roles in data protection and identify areas for improvement.

L. TESTING MANAGEMENT CONTROLS
1. Control Testing: Test that the designed security controls function as intended and effectively protect confidential data.
2. Audit Trails: Analyze records of access to and modification of sensitive data to verify adherence to controls.
3. Stress Testing: Simulate security incidents to evaluate response effectiveness and identify weaknesses in controls.

III. PROCESSING INTEGRITY AND AVAILABILITY

A. THREATS
1. Data Corruption: Errors in data processing that lead to inaccurate stored data.
2. System Failures: Hardware or software malfunctions that cause outages or data unavailability.
3. Cyberattacks: Attacks such as Denial of Service (DoS) that disrupt service availability.
4. Human Error: Mistakes by users or administrators that compromise data integrity or system operations.
5. Natural Disasters: Events (e.g., earthquakes, floods) that affect the physical availability of resources.

B. MITIGATION
1. Data Validation: Input validation controls to ensure data accuracy and completeness at entry.
2. Regular Backups: Frequent backups of critical data to minimize loss and enable recovery.
3. Redundant Systems: Redundant systems and components to maintain operations during hardware failures.
4. Access Controls: Strict access controls so that only authorized personnel can change critical data and systems.
5. Monitoring and Alerts: Monitoring tools that alert on anomalies and potential problems in system performance.

C. IT GENERAL CONTROLS (ITGC)
1. Access Control Management: Only authorized users have access to systems and data.
2. Change Management Controls: Procedures to manage changes to systems and applications so that changes do not harm integrity or availability.
3. Backup and Recovery Controls: Regular, documented backup processes that ensure data can be restored after a loss.
4. Operational Procedures: Defined, documented procedures to ensure consistent system performance.

D. OTHER ITGC
1. Incident Management: Processes for identifying, managing and mitigating incidents that affect system integrity or availability.
2. Configuration Management: System configurations are documented and monitored to maintain stable operation.
3. Physical Security Controls: Measures to protect the physical infrastructure from unauthorized access and environmental threats.

E. IT APPLICATION CONTROLS (ITAC)
1. Input Controls: Verify the accuracy and completeness of data entered into applications.
2. Processing Controls: Checks during processing that data is handled accurately (e.g., reconciliations and control totals).
3. Output Controls: Verify that outputs are accurate and complete and reflect correctly processed data.

F. CHANGE MANAGEMENT
1. Change Control Procedures: Formal procedures for managing changes to IT systems, including testing, approval and documentation.
2. Impact Analysis: Assess the potential impact of a change on integrity and availability before implementing it.
3. Review and Approval: Obtain the required approvals before executing changes, and conduct post-implementation reviews to confirm integrity.

G. BUSINESS CONTINUITY AND DISASTER RECOVERY MANAGEMENT
1. BCP Development: Create and maintain a Business Continuity Plan (BCP) describing how business functions will continue during disruptions.
2. DRP Testing: Regularly test the Disaster Recovery Plan (DRP) so that recovery strategies are proven to work and personnel know the procedures.
3. Critical Function Identification: Identify and prioritize essential business functions and give each a recovery strategy.

H. TESTING MANAGEMENT CONTROLS
1. Control Assessment: Regularly test ITGCs and ITACs to confirm their effectiveness in maintaining integrity and availability.
2. Vulnerability Testing: Vulnerability assessments and penetration testing to identify weaknesses and confirm safeguards are in place.
3. Audit Trails Review: Evaluate logs and audit trails for irregularities that could indicate problems with data integrity or availability.
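The hybrid construction that Section II.C describes (a symmetric key for the bulk data, an asymmetric key to protect that key), as an added Go example. This code is not part of the module; it uses the Go standard library's AES-256-GCM for the data and RSA-OAEP to wrap the data key, and it also shows the integrity property an authenticated mode gives, by flipping one ciphertext byte and checking that decryption refuses it. The Envelope layout, the record identifier used as associated data and the sample plaintext are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what would be written to storage (layout assumed for this example):
// the per-record data key wrapped with the recipient's RSA public key, plus the
// AES-GCM nonce and ciphertext. The unwrapped data key exists only in memory.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(data key)
	Nonce      []byte // 96-bit GCM nonce, fresh for every encryption
	Ciphertext []byte // AES-256-GCM output with the authentication tag appended
}

// Encrypt protects plaintext with a fresh random AES-256 key (symmetric: fast,
// suited to bulk data) and wraps that key with RSA-OAEP (asymmetric: solves key
// distribution). aad is authenticated but not encrypted; binding a record
// identifier this way stops a valid ciphertext from being swapped into another record.
func Encrypt(pub *rsa.PublicKey, plaintext, aad []byte) (Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return Envelope{}, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// Decrypt unwraps the data key with the RSA private key and opens the ciphertext.
// GCM verifies the authentication tag before releasing any plaintext, so a modified
// ciphertext, nonce or aad is rejected instead of decrypting into corrupted data.
func Decrypt(priv *rsa.PrivateKey, env Envelope, aad []byte) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("key unwrap failed: wrong private key or damaged wrapped key")
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
	if err != nil {
		return nil, errors.New("integrity check failed: ciphertext, nonce or aad was altered")
	}
	return pt, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// RoundTrip generates a key pair, encrypts plaintext, then flips one ciphertext
// byte on a copy. It returns whether the genuine envelope decrypted to the
// original text and whether the tampered copy was rejected.
func RoundTrip(bits int, plaintext string) (bool, bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return false, false, err
	}
	aad := []byte("record-id:1001") // constructed record identifier
	env, err := Encrypt(&priv.PublicKey, []byte(plaintext), aad)
	if err != nil {
		return false, false, err
	}
	pt, err := Decrypt(priv, env, aad)
	if err != nil {
		return false, false, err
	}
	tampered := env
	tampered.Ciphertext = append([]byte(nil), env.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	_, tamperErr := Decrypt(priv, tampered, aad)
	return string(pt) == plaintext, tamperErr != nil, nil
}

func main() {
	ok, rejected, err := RoundTrip(2048, "salary=120000;ssn=redacted")
	fmt.Printf("decrypted correctly: %v, tampering rejected: %v, error: %v\n", ok, rejected, err)
}
```

A fresh data key per record means a leaked ciphertext compromises only that record, and rotating the RSA key pair requires re-wrapping the small data keys rather than re-encrypting all stored data.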
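The three layers of application control in Section III.E (input, processing, output) applied to a constructed payment batch, as an added Go example that is not part of the module. The sending system declares a record count, an amount total and a hash total (the arithmetic sum of the account numbers, meaningless as a value but useful as a check); the receiver validates each record, recomputes the totals independently and reconciles. The record layout, the 8-digit account format and the per-item limit are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// PaymentRecord is one item of a constructed payment batch. Amounts are integer cents so
// that totals reconcile exactly, with no floating-point drift.
type PaymentRecord struct {
	Account string // assumed format: exactly 8 digits
	Cents   int64
}

// Batch carries the records together with the control totals declared by the sending
// system. The receiving system recomputes all three and compares.
type Batch struct {
	Records       []PaymentRecord
	DeclaredCount int
	DeclaredCents int64
	DeclaredHash  int64 // hash total: plain sum of the account numbers, used only as a check
}

var accountPattern = regexp.MustCompile(`^[0-9]{8}$`)

const maxItemCents = 100_000_000 // assumed per-item limit: 1,000,000.00

// ValidateRecord is the input control: reject malformed or out-of-range data before it is processed.
func ValidateRecord(r PaymentRecord) error {
	if !accountPattern.MatchString(r.Account) {
		return fmt.Errorf("account %q must be exactly 8 digits", r.Account)
	}
	if r.Cents <= 0 || r.Cents > maxItemCents {
		return fmt.Errorf("account %s: amount %d cents out of range", r.Account, r.Cents)
	}
	return nil
}

// ComputeTotals is the processing control: recompute record count, amount total and hash
// total from the records actually received, independently of what the sender declared.
func ComputeTotals(records []PaymentRecord) (count int, cents, hash int64) {
	for _, r := range records {
		n, _ := strconv.ParseInt(r.Account, 10, 64) // non-numeric accounts add 0 here and are reported by ValidateRecord
		count++
		cents += r.Cents
		hash += n
	}
	return count, cents, hash
}

// Reconcile is the output control: list every discrepancy between recomputed and declared
// totals plus every invalid record. An empty result means the batch may be released.
func Reconcile(b Batch) []string {
	var issues []string
	for i, r := range b.Records {
		if err := ValidateRecord(r); err != nil {
			issues = append(issues, fmt.Sprintf("record %d: %v", i, err))
		}
	}
	count, cents, hash := ComputeTotals(b.Records)
	if count != b.DeclaredCount {
		issues = append(issues, fmt.Sprintf("record count %d != declared %d: record dropped or duplicated", count, b.DeclaredCount))
	}
	if cents != b.DeclaredCents {
		issues = append(issues, fmt.Sprintf("amount total %d != declared %d: an amount was altered or a record is missing", cents, b.DeclaredCents))
	}
	if hash != b.DeclaredHash {
		issues = append(issues, fmt.Sprintf("hash total %d != declared %d: an account number was altered or transposed", hash, b.DeclaredHash))
	}
	return issues
}

// cleanBatch builds the constructed sample batch with correct declared totals.
func cleanBatch() Batch {
	recs := []PaymentRecord{{"10000012", 12500}, {"10000034", 9900}, {"10000056", 30000}}
	return Batch{Records: recs, DeclaredCount: 3, DeclaredCents: 52400, DeclaredHash: 10000012 + 10000034 + 10000056}
}

// Scenarios reconciles the clean batch and two corrupted copies: one with the last record
// dropped in transit, one with two digits of an account number transposed.
func Scenarios() map[string][]string {
	dropped := cleanBatch()
	dropped.Records = dropped.Records[:2]

	transposed := cleanBatch()
	transposed.Records[1].Account = "10000043" // 3 and 4 swapped; amounts untouched

	return map[string][]string{
		"clean":      Reconcile(cleanBatch()),
		"dropped":    Reconcile(dropped),
		"transposed": Reconcile(transposed),
	}
}

func main() {
	for name, issues := range Scenarios() {
		fmt.Printf("%s: %d issue(s)\n", name, len(issues))
		for _, issue := range issues {
			fmt.Println("  -", issue)
		}
	}
}
```

The transposed scenario is why the hash total exists: the record count and the amount total both still match, and only the hash total exposes that a payment would land in the wrong account.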
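The audit trail review called for in Sections I.D.3, II.B.5, II.L.2 and III.H.3, as an added Go example that is not part of the module. It parses a constructed key=value audit log (the format, field names and every line are invented for the example) and runs three review rules over it: repeated failed logins from one source address, use of a restricted resource by a role the policy does not permit (a deviation in the operation of access controls), and off-hours use of a sensitive resource by an otherwise authorized user (an insider-risk anomaly to follow up, not a violation in itself). The role matrix, the sensitive-resource list and the thresholds are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one parsed audit record. The field names are assumptions for this example.
type Event struct {
	Time     time.Time
	User     string
	Role     string
	Action   string
	Src      string
	Resource string
}

// Constructed sample log (not from any real system): an RFC 3339 timestamp followed by
// key=value fields. One deliberately malformed line is included.
const sampleLog = `
2024-03-04T09:01:10Z user=asmith role=hr action=READ src=10.0.0.21 resource=payroll
2024-03-04T09:02:00Z user=jdoe role=clerk action=READ src=10.0.0.8 resource=payroll
2024-03-04T10:15:00Z user=jdoe role=clerk action=READ src=10.0.0.8 resource=invoices
2024-03-04T10:16:00Z user=jdoe role=clerk action=LOGIN_FAIL src=10.0.0.8 resource=-
2024-03-04T23:40:12Z user=asmith role=hr action=EXPORT src=10.0.0.21 resource=payroll
2024-03-04T23:41:00Z user=admin role=- action=LOGIN_FAIL src=198.51.100.7 resource=-
2024-03-04T23:41:07Z user=admin role=- action=LOGIN_FAIL src=198.51.100.7 resource=-
2024-03-04T23:41:15Z user=root role=- action=LOGIN_FAIL src=198.51.100.7 resource=-
2024-03-04T23:41:22Z user=admin role=- action=LOGIN_FAIL src=198.51.100.7 resource=-
2024-03-04T23:41:30Z user=backup role=- action=LOGIN_FAIL src=198.51.100.7 resource=-
2024-03-04T23:42:00Z this line is not well formed
`

// Policy the rules check against (assumed for the example): which roles may use a
// restricted resource, which resources warrant review of off-hours use, and the
// failed-login threshold that counts as a brute-force attempt.
var allowedRoles = map[string]map[string]bool{"payroll": {"hr": true, "finance": true}}
var sensitive = map[string]bool{"payroll": true}

const (
	failThreshold = 5
	failWindow    = 10 * time.Minute
)

// ParseLog parses key=value lines. Malformed lines are counted rather than silently
// dropped, because gaps in an audit trail are themselves a finding.
func ParseLog(raw string) (events []Event, malformed int) {
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		kv := map[string]string{}
		for _, pair := range f[1:] {
			if p := strings.SplitN(pair, "=", 2); len(p) == 2 {
				kv[p[0]] = p[1]
			}
		}
		if err != nil || len(kv) != 5 {
			malformed++
			continue
		}
		events = append(events, Event{ts, kv["user"], kv["role"], kv["action"], kv["src"], kv["resource"]})
	}
	return events, malformed
}

// Review runs the three rules over the trail in time order and returns one line per finding.
func Review(events []Event) []string {
	sort.Slice(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })
	var findings []string
	fails := map[string][]time.Time{} // failed-login timestamps per source address
	flagged := map[string]bool{}      // report each brute-forcing source once
	for _, e := range events {
		switch e.Action {
		case "LOGIN_FAIL":
			fails[e.Src] = append(fails[e.Src], e.Time)
			n := len(fails[e.Src])
			if n >= failThreshold && !flagged[e.Src] && e.Time.Sub(fails[e.Src][n-failThreshold]) <= failWindow {
				flagged[e.Src] = true
				findings = append(findings, fmt.Sprintf("BRUTE_FORCE src=%s: %d failed logins within %v", e.Src, failThreshold, failWindow))
			}
		case "READ", "EXPORT":
			if roles, restricted := allowedRoles[e.Resource]; restricted && !roles[e.Role] {
				findings = append(findings, fmt.Sprintf("RBAC_VIOLATION user=%s role=%s %s %s at %s", e.User, e.Role, e.Action, e.Resource, e.Time.Format(time.RFC3339)))
			}
			if h := e.Time.UTC().Hour(); sensitive[e.Resource] && (h >= 22 || h < 6) {
				findings = append(findings, fmt.Sprintf("AFTER_HOURS user=%s %s %s at %s", e.User, e.Action, e.Resource, e.Time.Format(time.RFC3339)))
			}
		}
	}
	return findings
}

// Summarize counts findings by rule tag (the first token of each finding).
func Summarize(findings []string) map[string]int {
	counts := map[string]int{}
	for _, f := range findings {
		counts[strings.Fields(f)[0]]++
	}
	return counts
}

func main() {
	events, malformed := ParseLog(sampleLog)
	fmt.Printf("%d events parsed, %d malformed line(s)\n", len(events), malformed)
	for _, f := range Review(events) {
		fmt.Println(f)
	}
}
```

Sorting by timestamp before applying the window matters because audit records from several systems rarely arrive in order, and a sliding window computed over an unsorted trail silently misses bursts.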
