Security Controls

Controls are steps in processes — or components in information systems — that enforce compliance with business or security rules. Technology can enforce a control, or an individual may perform a manual step or procedure.

The major types of controls are

- Preventive controls: Used to prevent errors and unauthorized actions.

- Detective controls: Used to detect errors and unauthorized activities.

- Corrective controls: Used to reverse or minimize the impact of errors and unauthorized events. These are also known as recovery controls.

- Automatic controls: Those that automatically enforce a security policy.

- Manual controls: Those that must be proactively performed in order to enforce a security policy.

All the controls discussed in the following sections fall into these categories. A control is preventive, detective, or corrective; also, the control is either automatic or manual.

Operations controls are the processes and procedures that protect business operations and information. The major operations controls are

- Resource protection

- Privileged entity controls

- Change controls

- Media controls

- Administrative controls

- Trusted recovery

The following sections delve into each operations control in more detail.

Resource protection

Resource protection is the broad category of controls that protect information assets and information infrastructure. The resources that require protection include

- Communications hardware and software: Routers, switches, firewalls, load balancers, multiplexers, fax machines, Virtual Private Network (VPN) servers, and so on, as well as the software that these devices use

- Computers and their storage systems: All corporate servers and client workstations, storage area networks (SANs), network-attached storage (NAS), direct-attached storage (DAS), near-line and offline storage systems, and backup devices

- Business data: All stored information, such as financial data, sales and marketing information, personnel and payroll data, customer and supplier data, proprietary product or process data, and intellectual property

- System data: Operating systems, utilities, user IDs and password files, audit trails, and configuration files

- Backup media: Tapes, removable disks, and off-site replicated disk systems

- Software: Application source code, programs, tools, libraries, vendor software, and other proprietary software

Privileged entity controls

Privileged entity controls are the mechanisms, generally built into computer operating systems, which give privileged access to hardware, software, and data. In UNIX and Windows, the controls that permit privileged functions reside in the operating system.

Change controls

Change controls are the people-operated processes that govern architectural and configuration changes in a production environment. Instead of just making changes to systems and the way that they relate to each other, change control is a formal process of proposal, design, review, approval, implementation, and recordkeeping.

The two prevalent forms of change controls are Change Management and Configuration Management:

- Change Management is the approval-based process that ensures that only approved changes are implemented.

- Configuration Management is the control that records all of the soft configuration (settings and parameters in the operating system, database, and application) and software changes that are performed with approval from the Change Management process.

See Chapter 7 for more on Change and Configuration Management.

Configuration Management is the process (or processes) of actively managing the configuration of every system, device, and application and thoroughly documenting those configurations.
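
The following added example (not from the book) shows how Change Management and Configuration Management fit together as an automatic, detective control: it compares a recorded configuration with the settings observed on a system and flags every difference that no approved change covers. The host name, settings, and change IDs are constructed sample data, and the record and approval formats are assumptions.

```python
# Added example (not from the book): a detective, automatic control.
# System name, settings and change IDs below are constructed sample data.
ABSENT = "<absent>"  # marker for a setting missing on one side

def diff_settings(recorded, observed):
    """Return {key: (recorded_value, observed_value)} for every difference."""
    keys = sorted(set(recorded) | set(observed))
    return {k: (recorded.get(k, ABSENT), observed.get(k, ABSENT))
            for k in keys
            if recorded.get(k, ABSENT) != observed.get(k, ABSENT)}

def reconcile(system, recorded, observed, approvals):
    """Split drift into changes covered by an approval and changes that are not.

    An approval covers a change only when system, setting and new value all
    match, so an approved ticket cannot excuse a different value.
    """
    approved, unapproved = {}, {}
    for key, (old, new) in diff_settings(recorded, observed).items():
        ticket = next((a["id"] for a in approvals
                       if (a["system"], a["key"], a["new_value"]) == (system, key, new)),
                      None)
        if ticket is not None:
            approved[key] = ticket          # update the configuration record
        else:
            unapproved[key] = (old, new)    # raise for investigation
    return approved, unapproved

# Constructed configuration record for a hypothetical host "web01".
RECORDED = {"PermitRootLogin": "no", "PasswordAuthentication": "no", "MaxAuthTries": "3"}
# Constructed settings as observed on the host today.
OBSERVED = {"PermitRootLogin": "yes", "PasswordAuthentication": "no",
            "MaxAuthTries": "4", "X11Forwarding": "yes"}
# Constructed approvals from the Change Management process.
APPROVALS = [
    {"id": "CHG-0001", "system": "web01", "key": "MaxAuthTries", "new_value": "4"},
    {"id": "CHG-0002", "system": "db01", "key": "PermitRootLogin", "new_value": "yes"},
]

if __name__ == "__main__":
    ok, bad = reconcile("web01", RECORDED, OBSERVED, APPROVALS)
    for key, ticket in ok.items():
        print(f"approved   {key}: covered by {ticket}")
    for key, (old, new) in bad.items():
        print(f"UNAPPROVED {key}: {old} -> {new}")
```
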

Media controls

Media controls refer to a broad category of controls that are used to manage information classification and physical media. Information classification refers to the tasks of marking information according to its sensitivity, as well as the subsequent handling, storage, transmission, and disposal procedures that accompany each classification level. Physical media is similarly marked; likewise, controls specify handling, storage, and disposal procedures.

Administrative controls

Administrative controls are the family of controls that includes least privilege, separation of duties, and rotation of duties. These controls form the basis of many processes, as well as access control and function control methodologies.

Trusted recovery

Trusted recovery is concerned with the processes and procedures that support the hardware or software recovery of a system. Specifically, the confidentiality and integrity of the information stored on and the functions served by a system being recovered must be preserved at all times.

The primary problem with system recovery is that a system may be operated briefly in maintenance or single-user mode, in which all the software controls protecting the operating system and business data may not be functioning.

Organizations should have well-defined processes and procedures for system recovery to ensure that no inappropriate disclosure or leakage of sensitive information can occur.
