Chapter 7 Security Management Controls

Introduction
Information systems security administrators
are responsible for ensuring that
information systems assets are secure.
Assets are secure when the expected losses that
will occur from threats eventuating over some
time period are at an acceptable level.
The information systems assets we must protect
via security measures can be classified in two
ways (figure 7-1 p. 244):
- The physical assets comprise personnel, hardware (including storage media and peripherals), facilities, supplies and documentation
- The logical assets comprise data/information and software
In this chapter, however, we focus on the work
usually performed by information systems
security administrators. Although their specific
functions vary across organizations, they tend to
be responsible for controls over:
- Both malicious and nonmalicious threats to physical assets
- Malicious threats to logical assets
Conducting A Security Program
A security program is a series of ongoing,
regular, periodic reviews conducted to
ensure that assets associated with the
information systems function are
safeguarded adequately.
Eight major steps to be undertaken when
conducting a security review (figure 7-3 p. 246):
1. Preparation of a project plan
2. Identification of assets
3. Valuation of assets
4. Threats identification
5. Threats likelihood assessment
6. Exposures analysis
7. Controls adjustment
8. Report preparation
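The valuation, likelihood, exposure-analysis and controls-adjustment steps above, together with the introduction's definition of a secure asset (expected losses over the period at an acceptable level), can be worked as a small calculation. The following is an added example, not code or figures from the textbook: the asset values, annual probabilities, exposure fractions, control costs and the simple formula expected loss = annual probability times asset value times fraction lost are all assumptions constructed for illustration.

```python
"""Exposure analysis and controls adjustment for a security review.

Added example (not from the textbook). All figures are constructed sample
data, and the loss formula below is an assumed simplification:
    expected loss = annual probability x asset value x fraction of value lost
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # step 3 (valuation): loss value in currency units


@dataclass(frozen=True)
class Threat:
    name: str
    annual_probability: float  # step 5 (likelihood) over a one-year period


@dataclass(frozen=True)
class Exposure:
    asset: str
    threat: str
    fraction_lost: float  # share of the asset's value lost if the threat eventuates


@dataclass
class Control:
    name: str
    annual_cost: float
    reduction: dict  # {(asset, threat): fraction of that expected loss removed}


def expected_loss(assets, threats, exposures, controls=()):
    """Step 6 (exposures analysis): {(asset, threat): annual expected loss}."""
    value = {a.name: a.value for a in assets}
    prob = {t.name: t.annual_probability for t in threats}
    losses = {}
    for e in exposures:
        loss = prob[e.threat] * value[e.asset] * e.fraction_lost
        for c in controls:  # each control removes part of the exposure it covers
            loss *= 1.0 - c.reduction.get((e.asset, e.threat), 0.0)
        losses[(e.asset, e.threat)] = loss
    return losses


def total_expected_loss(losses):
    return sum(losses.values())


def controls_adjustment(assets, threats, exposures, candidates):
    """Step 7: adopt a control only if the loss it removes exceeds its cost."""
    baseline = total_expected_loss(expected_loss(assets, threats, exposures))
    adopted = []
    for c in candidates:
        with_c = total_expected_loss(expected_loss(assets, threats, exposures, [c]))
        if baseline - with_c > c.annual_cost:
            adopted.append(c.name)
    return adopted


def secure(assets, threats, exposures, controls, acceptable_loss):
    """Chapter definition: secure when expected losses are at an acceptable level."""
    return total_expected_loss(expected_loss(assets, threats, exposures, controls)) <= acceptable_loss


# Constructed sample register (assumed figures, not from the textbook).
ASSETS = [Asset("file server", 200_000), Asset("customer database", 500_000)]
THREATS = [Threat("fire", 0.01), Threat("water", 0.02), Threat("unauthorized intrusion", 0.20)]
EXPOSURES = [
    Exposure("file server", "fire", 1.0),
    Exposure("file server", "water", 0.5),
    Exposure("customer database", "fire", 1.0),
    Exposure("customer database", "unauthorized intrusion", 0.3),
]
CANDIDATE_CONTROLS = [
    Control("fire suppression", 4_000, {("file server", "fire"): 0.8, ("customer database", "fire"): 0.8}),
    Control("off-site backup", 3_000, {("file server", "water"): 0.9}),
    Control("access controls", 10_000, {("customer database", "unauthorized intrusion"): 0.75}),
]


def run_review(acceptable_loss=15_000):
    """Steps 6 to 8: analyse exposures, adjust controls, summarise for the report."""
    adopted_names = controls_adjustment(ASSETS, THREATS, EXPOSURES, CANDIDATE_CONTROLS)
    adopted = [c for c in CANDIDATE_CONTROLS if c.name in adopted_names]
    return {
        "baseline_loss": total_expected_loss(expected_loss(ASSETS, THREATS, EXPOSURES)),
        "adopted": adopted_names,
        "residual_loss": total_expected_loss(expected_loss(ASSETS, THREATS, EXPOSURES, adopted)),
        "secure": secure(ASSETS, THREATS, EXPOSURES, adopted, acceptable_loss),
    }


if __name__ == "__main__":
    for key, val in run_review().items():
        print(f"{key}: {val}")
```

With these sample figures the baseline expected loss is 39,000 per year; fire suppression (removes 5,600 for 4,000) and access controls (remove 22,500 for 10,000) are cost-justified, while off-site backup (removes 1,800 for 3,000) is not, and the residual loss of 10,900 falls under the assumed acceptable level of 15,000. The report step would present exactly these numbers alongside the qualitative findings.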
Major Security Threats & Remedial Measures
Nine major threats to the security of
information systems assets are:
- Fire
- Water
- Energy variations
- Structural damage
- Pollution
- Unauthorized intrusion
- Viruses and worms
- Misuse of software, data and services
- Hackers
Controls of Last Resort
In spite of safeguards that might be
implemented, the information systems
function still could suffer a disaster.
Two controls of last resort must take effect:
- A disaster recovery plan
- Insurance
Some Organizational Issues
Depending on the size of an organization and
its reliance on its information systems
function, the security-administration role
can occupy four possible positions within
the organizational hierarchy (figure 7-11 p.
272).
Security policies and procedures must be adapted to
take into account the dispersal of sometimes
critical information systems resources and the
different circumstances in which microcomputers
might be used.
Whatever the particular organizational
circumstances in which security administrators
must function, however, top management must
define its authority and allocate its
responsibilities carefully.