Security Management Controls - PowerPoint PPT Presentation

About This Presentation
Title:

Security Management Controls

Description:

Security Management Controls: Assets; expected loss (AL) over time is at acceptable level; total elimination of loss is either impossible or too costly

Slides: 11
Provided by: Saee7

Transcript and Presenter's Notes

Title: Security Management Controls


1
Security Management Controls
  • Assets
  • expected loss (AL) over time is at acceptable
    level
  • Total elimination of loss is either impossible or
    too costly
  • Determine AL and time period
  • Controls of last resort: backup, recovery
    procedures, and insurance

2
Information Systems Assets
  • Physical
  • Personnel
  • Hardware
  • computers
  • peripherals
  • storage media
  • Facilities
  • Documentation (systems and programs
    documentation)
  • Supplies (forms, printed checks, )

3
Factors Impacting IS Assets
  • Asset market values
  • Who values? (different users have different
    values)
  • How lost? (e.g., customer list was lost to a competitor)
  • Asset age? (Is it a recent list of A/R?)
  • Loss period?

4
Information Systems Assets
  • Logical
  • Data/information (master files, archival files)
  • Software
  • System (compilers, utilities, communication
    software)
  • Application (payroll, bill of materials)

5
Chapter 6 DB Controls
  • External Schema: e.g., salesperson interested in
    the sales process. What can a salesperson see?
  • Conceptual Schema: describes the entire contents
    of the database. Locating the salesperson's
    content request.
  • Internal Schema: mapping of content to physical
    storage media. Where the salesperson's content is
    physically located and protected.

6
Role of Security Administrator
  • Prevent and detect
  • Malicious and non-malicious threats
  • Conduct a security program
  • Auditors must evaluate whether security
    administrators are conducting on-going,
    high-quality security reviews. Focus on asset
    safeguarding and data integrity

7
Types of threats to IS Assets
  • See Figure 7-5 and 7-8
  • Exposure analysis
  • EL: Expected loss associated with assets
  • Pt: Probability of threat occurrence
  • Pf: Probability of control failure
  • L: Resulting loss if threat is successful
  • EL = Pt × Pf × L

8
Security Program
  • Prepare a project plan
  • Identify assets
  • Value assets
  • Identify threats
  • Assess likelihood of threats
  • Analyze the exposure
  • Adjust controls
  • Prepare security report
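
Added example (not part of the original slides): the exposure analysis from slide 7 carried through the "analyze the exposure" and "adjust controls" steps, stopping once total expected loss reaches an acceptable level. The class and function names, the sample figures, the acceptable-loss threshold and the best-net-saving-first selection rule are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Exposure:              # one asset/threat pair (names are assumptions)
    asset: str
    threat: str
    pt: float                # Pt: probability of threat occurrence in the period
    pf: float                # Pf: probability of control failure
    loss: float              # L: resulting loss if the threat is successful

    def el(self) -> float:   # EL = Pt x Pf x L
        return self.pt * self.pf * self.loss

@dataclass
class ControlChange:         # hypothetical proposal to strengthen one control
    asset: str
    new_pf: float            # Pf after the change
    cost: float              # cost of the change over the same period

def sample_register():       # constructed figures, not from the slides
    return [Exposure("customer list", "lost to a competitor", 0.10, 0.50, 200_000),
            Exposure("payroll master file", "virus or worm", 0.30, 0.20, 50_000),
            Exposure("computer room", "fire damage", 0.01, 0.40, 1_000_000)]

def sample_changes():        # constructed figures, not from the slides
    return [ControlChange("computer room", 0.10, 5_000),
            ControlChange("customer list", 0.10, 2_000),
            ControlChange("payroll master file", 0.05, 1_000)]

def total_el(register):
    return sum(e.el() for e in register)

def adjust_controls(register, changes, acceptable):
    """Apply changes with the best net saving first; stop once total EL is
    acceptable, and never apply a change that costs more than it saves."""
    by_asset = {e.asset: e for e in register}
    def net(c):              # reduction in EL minus the cost of the change
        e = by_asset[c.asset]
        return e.pt * (e.pf - c.new_pf) * e.loss - c.cost
    applied = []
    for c in sorted(changes, key=net, reverse=True):
        if total_el(register) <= acceptable or net(c) <= 0:
            break
        by_asset[c.asset].pf = c.new_pf
        applied.append(c.asset)
    return applied, total_el(register)

if __name__ == "__main__":
    reg = sample_register()
    print(f"EL before: {total_el(reg):,.0f}")
    applied, residual = adjust_controls(reg, sample_changes(), acceptable=8_000)
    print(f"applied: {applied}; residual EL: {residual:,.0f}")
```

With these constructed figures the fire-suppression change is left out because it costs more than the expected loss it removes, which is the slide 1 point that total elimination of loss can be too costly.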

9
Major Security Threats and Remedial Measures
  • Fire Damage
  • Water
  • Energy
  • Structural Damage
  • Pollution
  • Unauthorized Intrusion
  • Viruses and Worms (see Fig 7-9)
  • Misuse of Software, Data, and Service
  • Develop Code of Conduct (Table 7-2)

10
Controls of Last Resort
  • Disaster Recovery Plan
  • Emergency plan, backup plan, recovery plan, test
    plan
  • Backup plan
  • hot site (most hardware and software ready)
  • cold site (not running at the moment, but will)
  • warm site (some things can work immediately)
  • Reciprocal agreement (2 or more organizations
    agree to help each other)
  • Insurance