By: Vandy Ly
January 19, 2017
Information Security Controls
Information Security is the practice of ensuring the confidentiality, integrity, and availability (CIA) of information within an organization. Confidentiality means the information is protected from disclosure to unauthorized entities. Integrity means the information is protected from unauthorized modification. Availability means the information is accessible when authorized users require it. Achieving CIA requires the system administrator to implement many components.

Before investing in controls, you have to identify the threats, risks, and impacts to your system. Sometimes the return on investment (ROI) of a control does not correspond to the impact it addresses. Threats are the internal or external actors that can use a vulnerability to exploit or physically destroy your critical systems. Threats can originate from an employee, a cybercriminal, a black-hat hacker, a system failure (event), a usage violation, or a natural disaster. Risk is the potential for a threat to successfully exploit an organization's system. Impacts are the consequences of a successful exploitation, such as financial loss, reputational damage, or penalties. Below are some controls, methodologies, and guidelines for system administrators and information owners to ensure the CIA of their data.

Defense in Depth
An approach that uses multiple layers of protection. If one control fails, the other controls are still in place. With defense in depth, all critical internet-facing servers are protected by a firewall, IDS, and IPS. Clients access the network through network segmentation (VLANs), and a host-based firewall and up-to-date anti-virus definitions should be active on every client. The system or network administrator should provide real-time network monitoring so that any incident within the network is detected.

Authentication
An approach to identify authorized users with multiple levels of the information below:
- Something you know: a password, passcode, or PIN.
- Something you have: a token device or access card.
- Something you are: biometrics (or realistic authentication) such as a thumbprint, iris, voice, or face recognition.

Other Controls
- Least privilege: provide the minimum access to organization resources that a person's daily job requires.
- Separation of duties: avoid giving one person full control over a process. To protect against illegal data modification or fraud, the organization assigns several people to a process so that the possibility of fraud is reduced.
- Data encryption: ensure the data is ciphered and stored in a safe place, and that users cannot access the data directly.

Policies
- Information Security Policy
- Acceptable Use Policy (AUP)
- Data Recovery Plan (DRP)
- Business Continuity Plan (BCP)
- Access Controls Policy
- Password Policy
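The least-privilege and separation-of-duties controls described above, as an added Python example that is not part of the original article: a payment workflow in which each role holds only the permissions its job needs, and the person who creates a payment can never approve it. All role names, users, and permission strings are constructed for illustration.

```python
"""Added example (not from the original article): least privilege via
role-based permissions plus separation of duties on a payment workflow.
All roles, users and permission strings below are constructed samples."""

from dataclasses import dataclass, field

# Least privilege: each role gets only the permissions its daily job requires.
ROLE_PERMISSIONS = {
    "clerk": {"payment:create"},
    "manager": {"payment:approve"},
    "auditor": {"payment:read"},
}

# Constructed sample users; a person may hold more than one role.
USER_ROLES = {
    "alice": {"clerk"},
    "bob": {"manager"},
    "carol": {"clerk", "manager"},  # both roles, so SoD must still apply
    "dave": {"auditor"},
}


def permissions_for(user):
    """Union of the permissions granted by every role the user holds."""
    roles = USER_ROLES.get(user, set())
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))


def has_permission(user, permission):
    return permission in permissions_for(user)


@dataclass
class Payment:
    amount: int
    created_by: str
    approvals: list = field(default_factory=list)


def create_payment(user, amount):
    if not has_permission(user, "payment:create"):
        raise PermissionError(f"{user} lacks payment:create")
    return Payment(amount=amount, created_by=user)


def approve_payment(user, payment):
    # Least privilege: the role must carry the approve permission at all.
    if not has_permission(user, "payment:approve"):
        raise PermissionError(f"{user} lacks payment:approve")
    # Separation of duties: the initiator may not approve their own payment,
    # and each approval must come from a distinct person.
    if user == payment.created_by or user in payment.approvals:
        raise PermissionError(f"separation of duties: {user} already acted")
    payment.approvals.append(user)
    return payment


def is_released(payment, required_approvals=2):
    """A payment is released only after enough distinct approvals."""
    return len(payment.approvals) >= required_approvals
```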