Information Security Controls

January 19, 2017 | Views: 4454


Estimated reading time: 3.5 minutes

Information security is the practice of ensuring the confidentiality, integrity, and availability of information within an organization. Confidentiality means the information is protected from disclosure to unauthorized entities. Integrity means the information is protected from unauthorized modification. Availability means the information is accessible whenever authorized users require it. To achieve the CIA triad, there are many components the system administrator is required to implement.

Before investing in controls, you have to identify the threats, risks, and impacts to your system; sometimes the return on investment (ROI) of a control is not proportionate to the impact it addresses. Threats are internal or external actors that can use a vulnerability to exploit your critical system, or physically destroy it. Threats can come from an employee, a cybercriminal, a black-hat hacker, a system failure (event), a usage violation, or a natural disaster. Risk is the successful exploitation of an organization's system by a threat. Impacts are the consequences of system exploitation, such as financial loss, reputational damage, or penalties. Below are some controls, methodologies, and guidelines for system administrators and information owners to ensure the CIA of their data.

Defense in Depth
An approach that uses multiple levels of protection: if one control fails, the other controls are still in place. With defense in depth, all critical internet-facing servers are protected by a firewall, IDS, and IPS. Clients access the network through segmentation controls (VLANs), and a host-based firewall and up-to-date anti-virus definitions should be active on every client. The system or network administrator should provide real-time network monitoring so that any incident within the network can be detected.

Authentication
An approach to identifying authorized users with one or more of the following factors:

  •  Something you know: a password, passcode, or PIN.
  •  Something you have: a token device or access card.
  •  Something you are: a biometric (or realistic authentication), such as a thumbprint, iris, voice, or face recognition.

To make identification and authentication reliable, two-factor or three-factor authentication should be implemented. Two-factor authentication combines "something you know + something you have", while three-factor authentication combines "something you know + something you have + something you are".

Authorization
An approach that ensures data integrity by letting authorized users access system resources only with their assigned access privileges. A user access matrix provides the baseline for the system administrator to assign or verify user access rights during the account creation or modification phase. Three subcomponents help the administrator achieve data integrity:

  • Least privilege: provide the minimum access to organization resources that each user's daily job requires.
  • Separation of duties: avoid giving one person full control over a process. To protect against illegal data modification or fraud, the organization assigns several people to a process so that the possibility of fraud is reduced.
  • Data encryption: ensure the data is ciphered, stored in a safe place, and not directly accessible to users.

Accounting
A system that provides accountability has the ability to identify individual users and to track and monitor their activity. In every enterprise application or system, the audit trail or audit logs are very important: they record every user activity and can be used later by the system administrator to find the source of some illegal action. The audit logs should be regularly reviewed by management for both detection and prevention.
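The following is an added example, not code from the original article, tying the Authorization and Accounting sections together: a constructed user access matrix that denies by default (least privilege), a separation-of-duties rule so the same user cannot both submit and approve one payment, an append-only audit trail recording every decision, and a review function that flags users with repeated denials. Role names, actions and record IDs are hypothetical sample values.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample access matrix: role -> permitted actions. Anything not
# listed is denied by default, which is how least privilege is enforced.
ACCESS_MATRIX = {
    "clerk": {"payment:submit"},
    "approver": {"payment:approve"},
    "auditor": {"audit:read"},
}

# Separation of duties: the same user must not perform both actions on one record.
SOD_PAIRS = {("payment:submit", "payment:approve")}

AUDIT_LOG = []                 # append-only audit trail (in memory for this example)
_HISTORY = defaultdict(set)    # record_id -> {(user, action)} completed so far


def authorize(user, roles, action, record_id):
    """Return True if the action is permitted; log every decision either way."""
    allowed = any(action in ACCESS_MATRIX.get(r, set()) for r in roles)
    reason = "granted" if allowed else "not in access matrix"
    if allowed:
        for first, second in SOD_PAIRS:
            # The counterpart action that this user must not already have done.
            other = second if action == first else first if action == second else None
            if other and (user, other) in _HISTORY[record_id]:
                allowed, reason = False, "separation of duties"
    if allowed:
        _HISTORY[record_id].add((user, action))
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "action": action, "record": record_id,
        "result": "allow" if allowed else "deny", "reason": reason,
    })
    return allowed


def review_denials(log, threshold=2):
    """Periodic log review: users with at least `threshold` denied actions."""
    denied = Counter(e["user"] for e in log if e["result"] == "deny")
    return {u: n for u, n in denied.items() if n >= threshold}


if __name__ == "__main__":
    authorize("alice", ["clerk"], "payment:submit", "INV-1")
    authorize("alice", ["clerk", "approver"], "payment:approve", "INV-1")  # SoD deny
    authorize("bob", ["approver"], "payment:submit", "INV-2")             # matrix deny
    for entry in AUDIT_LOG:
        print(entry["user"], entry["action"], entry["result"], entry["reason"])
```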

Policy
Besides technical controls, policy is the legal notice or agreement between the information owner and users. The system owner must produce relevant policies or guidelines and make all employees aware of what to "DO" and what "DON'T" do. The fundamental policies to ensure the CIA of information security are as follows:

  • Information Security Policy
  • Acceptable Use Policy (AUP)
  • Data Recovery Plan (DRP)
  • Business Continuity Plan (BCP)
  • Access Controls Policy
  • Password Policy
  • Privacy Policy
4 Comments
  1. Good summary

  2. Thanks brahh 🙂 Nice sharing

  3. Great article! Thanks for sharing.

  4. Good article, thx.
    These subjects are explained more in depth in the CompTIA Security+ book.
