
IT Security and Control

By: Joanna

IT SECURITY and CONTROL

SECURITY
Merriam: Measures taken to guard against crime, attack, sabotage.

CONTROL
Merriam: to direct the actions or function of (something); to cause (something) to act or function in a certain way.

IT SECURITY and CONTROL

Information security (INFOSEC)
A practice: defend information from unauthorized access, recording, disruption, modification or destruction, regardless of the form the data may take (e.g. electronic, physical).

CIA TRIAD
[Figure: CIA triad diagram; labels: PRIVACY, CONSISTENCY, ACCURACY, TRUSTWORTHINESS]

INDUSTRY STANDARDS

1. International Organization for Standardization / International Electrotechnical Commission (ISO/IEC 27001:2013)
Preservation of confidentiality, integrity and availability of information. Other properties, such as authenticity, accountability and reliability, can also be involved.

2. Payment Card Industry Data Security Standard (PCI DSS)
An information security standard for organizations that handle branded credit cards from the major card schemes, including Visa, MasterCard, American Express, Discover, and JCB.

REGULATORY REQUIREMENTS

1. Data Privacy Act 2012
Protects the human right to privacy.
Ensures that personal information and communication systems are secure and protected.

2. Telephone Consumer Protection Act
Calls are not permitted before 8:00 am or after 9:00 pm.
The caller must disclose information to the recipient:
- COMPANY NAME
- TELEPHONE NUMBER
Do-not-call registry

3. Gramm Leach Bliley Act (GLBA)
Financial Services Modernization Act, 1999
Financial institutions must tell customers about their information-sharing practices with third parties.

SCENARIO
[Figure: scenario diagram; labels: INPUTS, RECEIVE]

What POLICIES should be in place to secure the record of sales?

1. Physical Security
Physically protected from unauthorized access, damage and interference by a defined security perimeter with appropriate entry controls and security barriers.
- Security guard
- Badges
- ID

2. PERSONNEL MANAGEMENT

Reveals the basic philosophy of top management towards the labour force engaged on the work and its deep underlying conviction as to the importance of the people in the organisation.

- Selection of the right type and number of persons required by the organization
- Proper orientation and introduction of new employees to the organization and their jobs
- Suitable training facilities for better job performance and to prepare employees to accept the challenge of a higher job
- Give a good impression to the person who is leaving the organisation
- Maintain a good relationship with the employees

3. Access Management

All access to systems and data must be controlled through a formal user registration process which includes approvals for access to specific roles. All user accounts and access must be reviewed on a regular basis to ensure the legitimacy of user accounts and access levels. A formal process must exist for changing or terminating user access levels when users change roles or are no longer affiliated with the company.
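An added example (not from the original slides) of what the periodic access review in this policy checks in practice: it runs over a constructed user registration register and flags role access without a documented approval, overdue reviews, access levels that no longer match the user's current role, and accounts still active after the user left. The field names and the 90-day review period are assumptions for illustration.

```python
from datetime import date

# Constructed sample register of approved accounts (illustrative fields,
# not taken from any real product or from the original slides).
ACCOUNTS = [
    {"user": "alice", "role": "sales_clerk", "approved_by": "sales_mgr",
     "last_review": date(2024, 3, 1), "employment": "active", "current_role": "sales_clerk"},
    {"user": "bob", "role": "sales_admin", "approved_by": None,
     "last_review": date(2024, 3, 1), "employment": "active", "current_role": "sales_admin"},
    {"user": "carol", "role": "sales_admin", "approved_by": "it_mgr",
     "last_review": date(2023, 6, 1), "employment": "active", "current_role": "sales_clerk"},
    {"user": "dave", "role": "sales_clerk", "approved_by": "sales_mgr",
     "last_review": date(2024, 3, 1), "employment": "left", "current_role": None},
]

# Date on which the review is run (constructed).
REVIEW_DATE = date(2024, 4, 1)


def review_access(accounts, today, review_period_days=90):
    """Return (user, finding) pairs for every account that violates the policy."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        # Registration must carry an approval for the specific role granted.
        if not acct["approved_by"]:
            findings.append((user, "no documented approval for role %s" % acct["role"]))
        # Users no longer affiliated with the company must have access terminated.
        if acct["employment"] != "active":
            findings.append((user, "account active after user left the company"))
            continue
        # A role change must trigger a change of access level.
        if acct["current_role"] != acct["role"]:
            findings.append((user, "access level %s does not match current role %s"
                             % (acct["role"], acct["current_role"])))
        # Accounts must be re-reviewed on a regular basis.
        age = (today - acct["last_review"]).days
        if age > review_period_days:
            findings.append((user, "review overdue by %d days" % (age - review_period_days)))
    return findings


if __name__ == "__main__":
    for user, finding in review_access(ACCOUNTS, REVIEW_DATE):
        print("%-6s %s" % (user, finding))
```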

4. Logging and Monitoring
Systems, devices and applications must generate
usable and informative security audit and event
logs in order to effectively respond to potential
security incidents or faults which may affect
confidentiality, integrity or availability. Personnel
must be available to respond to security alerts on
a 24/7 basis and review critical logs on a daily
basis. Log information must be backed up and
retained.

5. System Backup
Adequate and appropriate backup of critical
systems and data must be in place to ensure
essential business information and software can
be recovered in the event of a critical failure or
natural disaster.

6. Vulnerability Management
Anti-malware protection and critical systems will
be tested using scanning tools and penetration
testing in order to actively discover new
vulnerabilities. In order to minimize exposure to
security flaws, all systems and hardware must
follow a patch management process to ensure
software and operating systems are protected.

7. Systems and Network
Formal system acceptance, configuration, and hardening procedures must be in place for all servers, workstations and network hardware.
Security controls must be put in place to manage
external network connections and wireless
networks. Appropriate security controls must be
put in place for any mobile device use and
telecommuters.

8. Software Development
Documented software development standards must be maintained which include processes for designing, developing, testing and implementation. Development standards must include details on developing software using security best practices in addition to testing for common security vulnerabilities.

9. Incident Management
A comprehensive incident handling process must be in place to respond to security breaches, fraud, faults and other disruptions to business processes, contractual agreements, or privacy.

10. Acceptable Use of Resources

Acceptable use requirements must be in place for employee and contractor use of Internet, email, software, internal systems, portable and remote devices, instant messaging, and telephone equipment.

WHO CAN ACCESS THE DATA?

THANK YOU!
