TAILIEUCHUNG - Lecture Accounting information systems (13/e) – Chapter 8: Controls for information security

After studying this chapter, you should be able to: Explain how information security affects information systems reliability; describe how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about information security. | Controls for Information Security Chapter 8 8-1 Learning Objectives Explain how information security affects information systems reliability. Discuss how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about the security of an organization’s information system. 8-2 Trust Services Framework Security Access to the system and data is controlled and restricted to legitimate users. Confidentiality Sensitive organizational data is protected. Privacy Personal information about trading partners, investors, and employees are protected. Processing integrity Data are processed accurately, completely, in a timely manner, and only with proper authorization. Availability System and information are available. 8-3 8-4 Security Life Cycle Security is a management issue 8-5 Security Approaches Defense-in-depth Multiple layers of control (preventive and detective) to avoid a single point of failure Time-based model, security is effective if: P > D + C where P is time it takes an attacker to break through preventive controls D is time it takes to detect an attack is in progress C is time it takes to respond to the attack and take corrective action 8-6 How to Mitigate Risk of Attack Preventive Controls Detective Controls People Process IT Solutions Physical security Change controls and change management Log analysis Intrusion detection systems Penetration testing Continuous monitoring 8-7 Preventive: People Culture of security Tone set at the top with management Training Follow safe computing practices Never open unsolicited e-mail attachments Use only approved software Do not share passwords Physically protect laptops/cellphones Protect against social engineering 8-8 Preventive: Process Authentication—verifies the person Something person knows Something person has Some biometric characteristic Combination of all three Authorization—determines what a person can access 8-9 Preventive: IT Solutions Antimalware controls Network access controls Device and software hardening controls Encryption 8-10 Preventive: Other Physical security access controls Limit entry to building Restrict access to network and data Change controls and change management Formal processes in place regarding changes made to hardware, software, or processes 8-11 Corrective Computer Incident Response Team (CIRT) Chief Information Security Officer (CISO) Patch management 8-12 Key Terms Defense-in-depth Time-based model of security Social engineering Authentication Biometric identifier Multifactor authentication Multimodal authentication Authorization Access control matrix Compatibility test Border router Firewall Demilitarized zone (DMZ) Routers Access control list (ACL) Packet filtering Deep packet inspection Intrusion prevention system Remote Authentication Dial-in User Service (RADIUS) War dialing Endpoints Vulnerabilities Vulnerability scanners Hardening Change control and change management Log analysis Intrusion detection system (IDS) 8-13 Key Terms (continued) Penetration test Computer incident response team (CIRT) Exploit Patch Patch management Virtualization Cloud computing 8-14

• Kế toán - Kiểm toán
• Controls for information security
• Accounting information systems
• Lecture Accounting information systems
• Hệ thống thông tin kế toán
• Information security
• Trust services framework
• Ebook Information security management
• Information security management
• Information security principles
• Information risk
• Information security framework
• People security controls
• Technical security controls
• Software development
• Environmental security
• Business continuity management
• Accounting information systems
• Lecture Accounting information systems
• Information systems controls
• System reliability
• NetFlow
• NetFlow analysis
• Security Monitoring
• security controls
• security infrastructure
• Risk Management
• Access Controls
• Cryptography
• Security Architecture
• Code of Ethics
• Information systems
• Computer crime
• Information technology security
• IT controls
• Introduction to information systems
• Transforming business
• Supporting business
• Information controls
• Introduction to MIS
• Management Information Systems
• Internet security issues
• Data protection