Chapter 8
Controls for Information Security
Timothy L. Baker, CPA, CITP, CMA
Lecturer
Certain materials used with permission of
Pearson Education, Inc. publishing as Prentice Hall and ISACA
Chapters 8 through 10
Security (Chapter 8)
Access to the system and its data is controlled and restricted to legitimate users.
Confidentiality (Chapter 9)
Sensitive organizational information (e.g., marketing plans, trade secrets) is protected from unauthorized disclosure.
Privacy (Chapter 9)
Personal information about stakeholders is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements and is protected from unauthorized disclosure.
Processing Integrity (Chapter 10)
Data are processed accurately, completely, in a timely manner, and only with proper authorization.
Availability (Chapter 10)
The system and its information are available to meet operational and contractual obligations.
Learning Objectives
• Explain how information security affects information systems reliability.
• Discuss how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about the security of an organization’s information system.
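To make the second learning objective concrete, here is an added example (not from the slides or the textbook) of a login handler that layers the three control types the objective names: a preventive control (salted password hash compared in constant time, locked accounts refused), a detective control (an audit trail of every attempt plus an alert when a threshold is crossed), and a corrective control (locking the account after repeated failures). The lockout threshold, iteration count and account names are constructed values chosen for the illustration, not policy figures from the page.

```python
"""Layered login controls: preventive, detective and corrective in one handler.

Added illustration of combining control types; threshold and sample
accounts are constructed values, not settings from the slides.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_FAILURES = 3          # assumed lockout policy (constructed example value)
PBKDF2_ROUNDS = 100_000   # assumed hashing work factor (constructed example value)


def hash_password(password: str, salt: bytes) -> bytes:
    """Preventive: store only a salted, slow hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked: bool = False


@dataclass
class Controls:
    accounts: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)   # detective: every attempt recorded
    alerts: list = field(default_factory=list)      # detective: threshold breaches raised

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, hash_password(password, salt))

    def login(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None or acct.locked:
            # Preventive: unknown and locked accounts are refused with the same
            # outcome, so the response does not reveal which case applied.
            self.audit_log.append((username, "denied"))
            return False

        # Preventive: constant-time comparison of the recomputed hash.
        ok = hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt))
        if ok:
            acct.failures = 0
            self.audit_log.append((username, "success"))
            return True

        acct.failures += 1
        self.audit_log.append((username, "failure"))
        if acct.failures >= MAX_FAILURES:
            # Corrective: contain a suspected guessing attempt and tell someone.
            acct.locked = True
            self.alerts.append(f"{username} locked after {acct.failures} failures")
        return False


if __name__ == "__main__":
    ctl = Controls()
    ctl.register("alice", "correct horse battery staple")   # constructed sample account
    for attempt in ("wrong", "wrong", "wrong", "correct horse battery staple"):
        print(attempt, "->", ctl.login("alice", attempt))
    print(ctl.alerts)
```

Run stand-alone, the fourth attempt fails even with the right password because the corrective control has already locked the account; the audit log and alert list are what a detective review would inspect afterwards.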
Trust Services Framework
• Security
– Access to the system and data is controlled and restricted to legitimate users.
• Confidentiality
– Sensitive organizational data is protected.
• Privacy
– Personal information about trading partners, investors, and employees is protected.
• Processing integrity
– Data are processed accurately, completely, in a timely manner, and only with proper authorization.
• Availability
– System and information are available.
Trust Services Framework
Steps in an IS System Attack
(Figure: cycle of attack steps) Conduct Reconnaissance; Cover Tracks; Attempt Social Engineering; Execute Attack; Scan & Map Target; Research
Security Life Cycle
Security is a management issue
Security Approaches
• Defense-in-depth
– Multiple layers of