Version: 1.0.2Information security controls overview
- Maintaining following of information during its use, storage, processing and transfer:
- Integrity: No tampering of data from point A to point B, e.g. restraining physical access.
- Availability: At all times data needs to be available to those who need it, e.g. stock market
- Confidentiality: No leaks, e.g. ensuring policies are in-place
- Authenticity: Only those who are authorized can access something
- Non-repudiation: If you do something, you cannot say I did not do it, e.g. signatures, log files, camera videos.
- Processes to achieve information assurance are:
- Security policies
- Network and user authentication strategy
- Identification of vulnerabilities and threats e.g. pen-testing
- Identification of problems in the system and resource requirements
- Plan design for the identified requirements
- Certification and accreditation to find vulnerabilities and remove them
- Training for employees
Types of control
- By type
- Physical controls
- E.g. fences, doors, locks and fire extinguishers
- Technical controls
- Also known as logical controls
- E.g. security tokens
- Administrative controls
- E.g. security policies and continuity of operations plans are administrative control
- By function
- Preventative controls
- Prevents the threat from coming in contact with the weakness
- E.g. authentication, encryption (such as IPSec)
- Detective controls
- Used after a discretionary event.
- E.g. audits, alarm bells, alerts
- Corrective controls
- Put in place after the detective internal controls discover a problem
- E.g. backups and restore
- All activities the organization takes to protect sensitive information
- E.g. security policies, rules, standards, business resilience, training and awareness, security metrics and reporting.
- Regulates organizations structure and behavior in terms of security, processes and employees.
- Includes requirements, process, principles and models
- Goals:
- Real time monitoring of organization's network
- Security breach detection and recovery
- Ensuring cost efficiency of security provisions
- Helping the IT department to function properly
- e.g. with policies and education
- Risk assessment of IT assets
Security management framework
- To reduce risks of any system
- Risks are never zero but you should reduce as much as u can
- Combination of policies, procedures, guidelines and standards
Defense in Depth
- Also known as defence in depth
- 📝 Using multiple layers for protection
- Like a tower defence game
- Provides redundancy in the event a security control fails or a vulnerability is exploited
- Layers:
- Policies, Procedures, Awareness: Data Classification, Risk Management, Code Reviews, Educations...
- Physical security: ID cards, CCTV, fences...
- Maintenance board should be protected in server room.
- Not good in schools, universities etc.
- Perimeter: Encryption, identities...
- In front of the internal network where traffic in and out is filtered.
- Internal network: Network zoning, firewalls...
- Host: Antivirus patches, security updates...
- Individual devices with networking capability e.g. servers / PCs.
- Services: Audit logs, authentication, authorization, coding practices.
- Applications running on hosts
- Data: Backups, encryption...