![Page 1: Information Systems Security Operational Control for Information Security](https://reader031.vdocuments.site/reader031/viewer/2022012922/56649eab5503460f94bb115f/html5/thumbnails/1.jpg)
Information Systems Security
Operational Control for Information Security
Operational Control
- The controls that deal with the everyday operation of an organization, to ensure that all objectives are achieved
- This covers a wide spectrum of procedures associated with the users and with how the work gets done
- A continual effort and discipline to maintain the system at a high level of security
Aspects of operational control
- Staffing
- Management
- Application control
- User management
- Change control
- Backup and restore
- Incident handling
- Awareness, training and education
- Physical and environmental security
Staffing
- Defining the job
- Determining the sensitivity of the position
- Filling the post, which involves background check, screening and selecting an individual
- Employee handbook
- Training
- Mandatory vacation
- Job rotation
Management
- Make sure the policies, standards, guidelines and procedures are in place and being followed
- Administrative management practices to prevent and eliminate the chance of fraud
- Act with due care and due diligence
Management
- Proper organization structure
- Clear duties and responsibilities
- Proper authorization procedure
- Check and balance
- Schedule of work
- Checking of results
Application of security principles
- Separation of duties: ensures that a single individual cannot subvert a critical process (check and balance)
- Least privilege: granting only those rights needed to perform official duties
Application controls
- Controls over the transactions and data of each computer application system; they are therefore specific to each application
- The objective is to ensure the completeness and accuracy of the records and the validity of the entries
Application controls
They are controls over input, processing and output functions. They include methods to ensure that:
- Only complete, accurate and valid data are entered and updated
- Processing performs the correct task
- Data are maintained
Input controls
- Sequence check
- Limit check
- Range check
- Validity check
- Check digit
- Duplicate check
- Logical relationship check
Process controls
- Manual re-calculation
- Run-to-run totals
- Programmed controls
- Exception reports
Output controls
- Logging
- Storage of sensitive forms and reports in a secure place
- Report distribution
Data files control
- Source document retention
- Before and after imaging
- Version control
- Transaction log
- Labeling
- Authorization for access
Media control
A media library might be set up, with procedures adopted to ensure the physical safety of the media and that information security is maintained. Each item is labelled with:
- Date of creation
- Who created it
- Period of retention
- Classification
- Volume name and version
- Disposal
Error handling
- Transaction log
- Error correction procedure
  - Logging
  - Timely correction
  - Upstream resubmission
  - Suspense file
  - Error file
  - Cancellation of source document
User administration
- User account management
- Detecting unauthorized/illegal activities
- Temporary assignments and transfers
- Termination: friendly and unfriendly
- Contractor access considerations
- Public access considerations
User account management
- Process of requesting, establishing, issuing and closing user accounts
- Assigning user access authorizations and rights
- Tracking users and their respective access authorizations
- Password policy and guidelines
Detecting unauthorized/illegal activities
- Monitoring and keeping logs
- Auditing and reviewing logs
- Setting a clipping level (the threshold of tolerated events, e.g. failed logins, above which activity is reported for review)
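Log review with a clipping level, as an added example that is not from the slides. The log line format, the clipping level of three failures per user within a ten-minute window, and the log lines themselves are constructed; a real deployment would take the level from the organization's own policy.

```python
"""Clipping-level review over constructed authentication log lines (example only)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

CLIPPING_LEVEL = 3                # failures per user per window tolerated before reporting (assumed)
WINDOW = timedelta(minutes=10)    # sliding window over which failures are counted (assumed)

# Assumed line format: "<date> <time> <host> login <FAIL|OK> user=<name> src=<address>"
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) login (FAIL|OK) user=(\S+) src=(\S+)$")

SAMPLE_LOG = """\
2024-03-01 09:00:01 app1 login FAIL user=alice src=10.0.0.5
2024-03-01 09:00:30 app1 login OK user=alice src=10.0.0.5
2024-03-01 09:01:00 app1 login FAIL user=bob src=10.0.0.9
2024-03-01 09:02:00 app1 login FAIL user=bob src=10.0.0.9
2024-03-01 09:03:00 app1 login FAIL user=bob src=10.0.0.9
2024-03-01 09:04:00 app1 login FAIL user=bob src=10.0.0.9
2024-03-01 09:30:00 app1 login FAIL user=carol src=10.0.0.7
2024-03-01 09:31:00 app1 login FAIL user=carol src=10.0.0.7
2024-03-01 10:00:00 app1 login FAIL user=carol src=10.0.0.7
2024-03-01 10:01:00 app1 login FAIL user=carol src=10.0.0.7
"""


def parse(line):
    """Return (timestamp, result, user, src) or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, _host, result, user, src = m.groups()
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), result, user, src


def over_clipping_level(log_text, level=CLIPPING_LEVEL, window=WINDOW):
    """Return {user: peak failures in any window} for users whose peak exceeds the clipping level."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[1] == "FAIL":
            failures[rec[2]].append(rec[0])
    flagged = {}
    for user, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):        # sliding window: drop failures older than `window`
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > level:
            flagged[user] = peak
    return flagged
```

Ordinary users below the level (alice, carol) generate no report, so reviewers see only the activity that warrants attention; the level itself should be tuned from the organization's normal failure rate.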
Change management
- Request for change
- Approval of change
- Documentation of the change
- Test and presentation
  - Test system
  - Production system
- Implementation
- Report to management
Backup and Restore
Loss of data due to:
- Hardware failure
- Software failure
- File system corruption
- Accidental deletion
- Virus infection
- Theft
- Sabotage
- Natural disaster
6 steps to backup and recovery
1. Preparation
2. Identify assets and requirements
3. Select backup strategy
4. Develop data protection strategy
5. Backup process and monitoring
6. Recovery drill test

Refer to the IS Guide to SME
Comparison of backup media
Computer security incident handling
- How to respond to malicious technical threats
- Closely related to support and operations and to contingency planning
Computer security incident handling
- Reporting of the security incident
- How to contain the damage
- What technical expertise is required
- Liaising with other organizations, e.g. CERT, police
- How to respond to the public
- Awareness of staff is important
Incident Response
Objectives:
- Minimise business loss and subsequent liability of the company
- Minimise the impact of the incident in terms of information leakage, corruption of systems, etc.
- Ensure the response is systematic and efficient
Incident Response
- Ensure the required resources are available to deal with incidents
- Ensure all concerned parties have a clear understanding of the tasks they should perform
- Ensure the response activities are coordinated
- Prevent future attacks and damage
- Deal with related legal issues
Incident Response
1. Preparation
2. Detection
3. Containment
4. Eradication
5. Recovery
6. Follow-up

Refer to the IS Guide to SME
Disaster recovery and Business Continuity Planning
- Identify the mission-critical functions
- Identify the resources that support the critical functions
- Anticipate potential contingencies or disasters
- Select and devise contingency plans
- Implement contingency plans
- Test and revise the plans
Awareness, training and education
- People are a very important part of an information system
- How to improve their behaviour
- Increase the ability to hold employees accountable
Awareness
Stimulates and motivates employees to take security seriously and reminds them of the security practices to be followed
Physical and environmental security
Measures to protect systems, buildings and related supporting infrastructure against threats associated with the physical environment:
- Natural threats
- Man-made threats
Physical and environmental security
Threats:
- Physical damage
- Physical theft
- Interruption of computing services
- Unauthorized disclosure of information
- Loss of control over system integrity
Physical and environmental security
Controls:
- Physical access control: biometrics
- Fire safety
- Supporting facilities
- Structural collapse
- Plumbing leaks
- Interception of data
- Mobile and portable systems