
System Security Controls

Controls that Provide a Secure System

System Security- the protection of computer facilities, equipment, programs and data from destruction by
environmental hazards (fires, floods, tornadoes, earthquakes and other natural disasters- INFREQUENT, BUT WITH
A HIGH COST PER OCCURRENCE), by equipment, software or human error, or by computer abuse.

ERRORS (FREQUENT, BUT WITH A LOW COST PER OCCURRENCE)

a. damage to disk packs by faulty disk drives
b. mistakes in application programs that destroy or damage data
c. operator mounting of incorrect files

COMPUTER ABUSE- deliberate misuse of a computer system (FREQUENCY IS DIFFICULT TO DETERMINE, AND COST PER
INCIDENT CAN VARY WIDELY)

a. MALICIOUS DAMAGE- includes looting and sabotage
b. CRIME- includes embezzlement, industrial espionage and the sale of commercial secrets
c. INVASION OF PRIVACY- for example, discovery of confidential salary information, or review of sensitive
data by a competing company.

System Security Controls- general controls

a. Prevent failures in system security- by limiting access to the equipment, programs and data, and by other steps
that reduce the likelihood of security failures.
b. Detect failures in system security
c. Provide for recovery from failures in system security

Importance of System Security

a. Impact on other general controls
b. Vulnerability of computer systems to loss of assets
c. Impact of security failures on data reliability
d. Possibility of lack of compliance with legal requirements
e. Possibility of a loss contingency if data processing security risks are severe and uninsured
f. Vulnerability of computer systems to unauthorized use

Security Management- ensures that the controls will provide the maximum security benefit. It increases the likelihood
that controls will work in the event of a failure in system security.

1. Establish security objectives- to protect computer facilities, equipment, programs and data from
environmental hazards, errors and computer abuse.
2. Evaluate security risks- for likelihood and cost of occurrence
3. Develop a security plan- that will provide an acceptable level of security at a reasonable cost. The plan should
describe all controls and identify the purpose of their inclusions in the plan. It should be reviewed and approved
prior to implementation.
4. Assign responsibilities- for system security.
5. Test system security- to determine whether the controls prevent or detect security failures, or provide recovery
from them. Testing provides assurance that responsibilities are fully assigned, that procedures are understood and
followed, and that control devices function properly.
6. Evaluate system security- the results of testing should be used to evaluate the effectiveness of the controls in
meeting the system security objectives.

Facilities Security Controls- designed to protect computer buildings and equipment from physical damage, which can
disrupt processing and cause damage to or loss of vital data, programs and documentation.

Controls that PREVENT DAMAGE

a. Location Controls- The computer center should be remote from environmental, technological and social hazards.
b. Construction Controls- Proper construction of the computer facilities (which requires physical isolation: either a
separate building for the computer center, or location in a secure part of the building) can reduce the risk of
damage from security or environmental hazards.
Security risks can be reduced by adequate construction standards.
Walls and doors should be strong.
Windows should be avoided if possible; if provided, they should contain bulletproof glass.
Safes and vaults should be used for the storage of files and documentation.
Power and communication lines should be adequately protected.
Building design should avoid security weaknesses.

Environmental risks can be reduced by the use of fire and water standards.
Fire- includes fire-resistant walls, floors, ceilings and doors.
Common or exterior walls should have at least a one-hour fire rating.
Vaults and safes should have at least a four-hour fire rating.
Air-conditioning and heating ducts should have fire dampers.
Sprinkler or flooding systems can minimize fire damage. Disadvantage: they may cause water damage to
equipment.
Carbon dioxide flooding systems avoid the water damage from sprinklers, but the gas displaces oxygen and is
dangerous to personnel remaining in the room.
Halon gas fire extinguishment- avoids water damage and presents little danger to personnel at the concentrations
used. (Halon is an ozone-depleting agent whose production has been phased out under the Montreal Protocol; new
installations use other clean agents.)

c. Access Controls- necessary to prevent unauthorized access to the facilities and to enforce segregation of duties.

Library Controls- restrict access to data files, computer programs and documentation. These controls are provided by
a librarian function and by physical safeguards over file usage.

Library Function- provides physical control over file usage and file quality. It should be performed by a full-time
librarian.

a. Testing and control of files- to ensure that they are not defective.
b. Storage of files and documentation- files should be clearly labeled and indexed for easy retrieval.
c. Release of files and documentation- only according to general or specific authorization.
d. Log usage of files and documentation- who took what, and when it was returned.
e. Inventory of files and documentation- periodically reconciled against the log.

Physical File Controls- protect files from damage or misuse during handling.

a. Internal header and trailer labels- These labels are read by the system software to ensure that the correct
file (and the correct generation of it) is being used for processing, that files are read in their entirety, and
that no records have been lost or added. The header identifies the file; the trailer carries record counts and
control totals that the reader checks against what it actually read.
b. External labels- These labels provide visible confirmation to the operator that the correct files are being used.
c. Protective rings- A write-enable ring must be fitted to a tape reel before the drive will write to it; with the
ring removed the tape is physically read-only: "No ring, no write".
d. Read-only switch- permits the operator to turn off the writing capability of a disk drive.
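The internal header and trailer labels of item a, as an added example; this code is not from the original page. It defines a small batch-file layout, constructed for the illustration, whose reader checks the header against the file and generation the job expects and checks the trailer's record count, control total and digest before accepting any data. The field layout, the PAYROLL file name, the generation number and the sample records are all assumptions made for this example.

```python
"""Internal header and trailer labels for a batch data file (added example).

Layout (constructed for this illustration; not a real tape-label standard):
  HDR|<file name>|<generation number>
  REC|<account id>|<amount in cents>      (zero or more)
  EOF|<record count>|<control total>|<sha256 of the REC lines>
"""
import hashlib
from typing import List, Optional, Tuple

Record = Tuple[str, int]


class LabelError(Exception):
    """A header or trailer label does not match what the job expects."""


def write_labelled_file(name: str, generation: int, records: List[Record]) -> str:
    """Serialise records between a header label and a trailer label."""
    lines = [f"HDR|{name}|{generation}"]
    digest = hashlib.sha256()
    total = 0
    for account, cents in records:
        line = f"REC|{account}|{cents}"
        lines.append(line)
        digest.update((line + "\n").encode())
        total += cents
    # Three independent trailer checks: a lost or added record changes the
    # count, an altered amount changes the control total, and any other
    # alteration of a record line changes the digest.
    lines.append(f"EOF|{len(records)}|{total}|{digest.hexdigest()}")
    return "\n".join(lines) + "\n"


def read_labelled_file(text: str, expected_name: str, expected_generation: int) -> List[Record]:
    """Return the records only if both labels pass; raise LabelError otherwise."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("HDR|") or lines[0].count("|") != 2:
        raise LabelError("missing or malformed header label")
    _, name, generation = lines[0].split("|")
    if name != expected_name or int(generation) != expected_generation:
        raise LabelError(
            f"wrong file mounted: {name} generation {generation}, "
            f"expected {expected_name} generation {expected_generation}"
        )
    records: List[Record] = []
    digest = hashlib.sha256()
    total = 0
    trailer: Optional[str] = None
    for line in lines[1:]:
        kind = line.split("|", 1)[0]
        if kind == "EOF":
            trailer = line
            break
        if kind != "REC" or line.count("|") != 2:
            raise LabelError(f"unexpected record {line!r}")
        _, account, cents = line.split("|")
        records.append((account, int(cents)))
        digest.update((line + "\n").encode())
        total += int(cents)
    if trailer is None or trailer.count("|") != 3:
        raise LabelError("no trailer label: file was not read in its entirety")
    _, count, control_total, expected_digest = trailer.split("|")
    if int(count) != len(records):
        raise LabelError(f"record count mismatch: trailer says {count}, read {len(records)}")
    if int(control_total) != total:
        raise LabelError(f"control total mismatch: trailer says {control_total}, computed {total}")
    if expected_digest != digest.hexdigest():
        raise LabelError("record content altered: digest mismatch")
    return records


def validate(text: str, expected_name: str, expected_generation: int) -> Optional[str]:
    """None if the file passes both label checks, otherwise the reason it failed."""
    try:
        read_labelled_file(text, expected_name, expected_generation)
    except LabelError as exc:
        return str(exc)
    return None


# Constructed sample: a payroll transaction file, generation 42.
SAMPLE_RECORDS: List[Record] = [("ACCT-001", 12500), ("ACCT-002", -300), ("ACCT-003", 9900)]
GOOD_FILE = write_labelled_file("PAYROLL", 42, SAMPLE_RECORDS)

if __name__ == "__main__":
    print("correct file:    ", validate(GOOD_FILE, "PAYROLL", 42))
    print("wrong generation:", validate(GOOD_FILE, "PAYROLL", 41))
    print("truncated:       ", validate(GOOD_FILE.rsplit("\n", 2)[0] + "\n", "PAYROLL", 42))
    print("record dropped:  ", validate(GOOD_FILE.replace("REC|ACCT-002|-300\n", ""), "PAYROLL", 42))
```

The generation number is what separates "the right file" from "a copy of the right file from last week": an operator mounting the previous generation produces a well-formed file that still fails the header check.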

On-line Access Controls- Online access is through terminals, which are usually located outside the computer room and
therefore outside its physical access controls; the following controls cover them.

a. Physical security of terminals- Access to the terminals should be restricted by terminal room (or computer
room) access controls and by physical terminal locks (opened by key, card, badge or some other identification
method).
b. Authorization controls- Restrict access to the system to authorized terminals, and to users performing only
authorized activities.
- Authorized terminals- The authorization scheme should prevent illicit terminals from accessing the system and
should restrict each authorized terminal to the programs and data files normally used from that terminal.
- Authorized users- The authorization scheme should identify the programs and files that each user is permitted to
access, and the operations (for example, read or update) permitted on each.
- Implementation of the authorization scheme- by one of several procedures, such as authorization tables (a matrix
of terminals and users against the programs, files and operations they may use) and locks on individual data
records, which only users holding the matching key can read or change.
c. Identification Controls- Identify the terminal and the user, so that access can be granted according to the
authorization scheme.
- Terminal identification- Ensures that the computer is linked to an authorized terminal.
- User identification- by something the user is (physiological characteristics: voiceprints, handprints and
thumbprints), something the user knows (a password) or something the user has (a special "key" that unlocks the
terminal, a magnetic-stripe card, or an optically encoded badge). Combining two of these is stronger than any one
alone.
d. Data Communication Access Controls- Controls that reduce the danger from wiretapping include fragmentation,
message intermixing and encryption.
- Fragmentation- a message is transmitted as separate fragments, so that a tap on any one line or at any one time
yields only part of it.
- Message intermixing- several messages are transmitted simultaneously over the same channel, so that a tap must
first separate them before it can read any one of them.
- Encryption- provides an additional level of security over data transmission. The original data can only be
recovered by the person or device that holds the key. The encoding is performed by an algorithm (one or more
operations on the data that disguise their information content) under the control of a key; decoding reverses those
operations using the key. The algorithm itself should be assumed to be known to the wiretapper, so the key is the
only secret, and key generation, distribution and storage are the points that need protection. Encryption conceals
data but does not by itself detect alteration of the transmission; an integrity check (a message authentication
code) is needed for that.
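Items b and c above, as an added example that is not code from the original page: user identification by a salted password hash, then an authorization table consulted for both the terminal and the user, with every decision logged so the log can later be reviewed. The terminal and user names, file names, operations and passwords are constructed for this illustration.

```python
"""Terminal and user authorization table with logged decisions (added example)."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set, Tuple

# Authorization table (constructed for this example).
# A terminal row lists the files normally used from that terminal; a user row
# lists the operations each user may perform on each file. Access is granted
# only when BOTH rows permit it: an authorized user sitting at a terminal that
# is not authorized for the file is still refused.
TERMINAL_TABLE: Dict[str, Set[str]] = {
    "T01": {"PAYROLL", "GL"},   # payroll office terminal
    "T02": {"GL"},              # general accounting terminal
}
USER_TABLE: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"PAYROLL": {"read", "update"}, "GL": {"read"}},
    "bob": {"GL": {"read", "update"}},
}

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 of the password; the plain password is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Credential store, built at start-up for the example (passwords are constructed).
CREDENTIALS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": hash_password("correct horse"),
    "bob": hash_password("battery staple"),
}

# Usage log, the detection side of the control: every decision is recorded.
ACCESS_LOG: List[Tuple[str, str, str, str, bool, str]] = []


def identify_user(user: str, password: str) -> bool:
    """True only if the password matches the stored hash for this user."""
    entry = CREDENTIALS.get(user)
    if entry is None:
        # Hash anyway so that an unknown user name takes as long as a known one.
        hash_password(password, b"\0" * 16)
        return False
    salt, stored = entry
    return hmac.compare_digest(stored, hash_password(password, salt)[1])


def authorize(terminal: str, user: str, file: str, operation: str) -> Tuple[bool, str]:
    """Consult both rows of the authorization table; return (granted, reason)."""
    terminal_files = TERMINAL_TABLE.get(terminal)
    if terminal_files is None:
        return False, "unauthorized terminal"
    if file not in terminal_files:
        return False, "file not permitted from this terminal"
    allowed = USER_TABLE.get(user, {}).get(file, set())
    if operation not in allowed:
        return False, "operation not permitted for this user on this file"
    return True, "granted"


def request_access(terminal: str, user: str, password: str, file: str, operation: str) -> Tuple[bool, str]:
    """Identify the user, then apply the authorization scheme; log the outcome either way."""
    if not identify_user(user, password):
        decision = (False, "identification failed")
    else:
        decision = authorize(terminal, user, file, operation)
    ACCESS_LOG.append((terminal, user, file, operation, decision[0], decision[1]))
    return decision


if __name__ == "__main__":
    for args in [
        ("T01", "alice", "correct horse", "PAYROLL", "update"),
        ("T02", "alice", "correct horse", "PAYROLL", "read"),   # right user, wrong terminal
        ("T01", "bob", "battery staple", "PAYROLL", "read"),    # bob has no payroll rights
        ("T01", "alice", "guess", "PAYROLL", "read"),           # bad password
    ]:
        print(args[0], args[1], args[3], args[4], "->", request_access(*args))
```

The refusal reason is logged but, in a real system, should not be echoed in full to the terminal: "file not permitted from this terminal" tells an intruder that the user name and password were accepted.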
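The encryption bullet of item d, as an added example that is not part of the original page. It uses a one-time pad (a random key as long as the message, used for exactly one message), the simplest cipher for which "only the holder of the key can recover the data" holds, and adds an HMAC tag because concealment alone does not detect tampering. The pad-reuse function shows why the key, not the algorithm, is what must be protected. The message text and key sizes are constructed for the illustration; a production system would use an authenticated cipher such as AES-GCM from a cryptographic library, which Python's standard library does not provide.

```python
"""Encryption of a transmitted message with an integrity tag (added example)."""
import hashlib
import hmac
import secrets
from typing import Optional

TAG_LEN = 32  # bytes of HMAC-SHA256


def generate_key(nbytes: int) -> bytes:
    """Random key material from the OS CSPRNG; this is the secret that must be protected."""
    return secrets.token_bytes(nbytes)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(message: bytes, pad: bytes, mac_key: bytes) -> bytes:
    """Disguise the message with a one-time pad, then append a tag over the ciphertext.

    The pad must be at least as long as the message and must never be used again.
    """
    if len(pad) < len(message):
        raise ValueError("pad shorter than message")
    ciphertext = xor_bytes(message, pad)
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def decrypt(packet: bytes, pad: bytes, mac_key: bytes) -> Optional[bytes]:
    """Return the message, or None if the tag does not verify (altered, or wrong MAC key)."""
    if len(packet) < TAG_LEN:
        return None
    ciphertext, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return xor_bytes(ciphertext, pad)


def wiretap_view(packet: bytes) -> str:
    """What a tap on the line sees: bytes with no recoverable structure."""
    return packet.hex()


def pad_reuse_leak(packet1: bytes, packet2: bytes) -> bytes:
    """If the same pad encrypts two messages, XOR of the ciphertexts equals XOR of
    the plaintexts: the wiretapper learns the relationship between the messages
    without the key. This is why the pad is single-use."""
    c1, c2 = packet1[:-TAG_LEN], packet2[:-TAG_LEN]
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    pad, mac_key = generate_key(64), generate_key(32)
    message = b"TRANSFER 12500 TO ACCT-001"  # constructed sample message
    packet = encrypt(message, pad, mac_key)
    print("on the wire:", wiretap_view(packet))
    print("receiver:   ", decrypt(packet, pad, mac_key))
    # A wiretapper who alters one bit of the ciphertext is detected.
    altered = bytes([packet[0] ^ 0x01]) + packet[1:]
    print("altered:    ", decrypt(altered, pad, mac_key))
    # The same pad used twice leaks the XOR of the two messages.
    second_message = b"TRANSFER 99999 TO ACCT-009"
    second = encrypt(second_message, pad, mac_key)
    print("pad reuse:  ", pad_reuse_leak(packet, second) == xor_bytes(message, second_message))
```

Note what the tag does and does not cover: it authenticates the ciphertext, so an altered packet is rejected before anything is decrypted, but a receiver holding the right MAC key and the wrong pad still accepts the packet and recovers garbage. Both keys have to reach the receiver intact, which is the key-distribution problem the prose above mentions.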

Controls for Detecting Failures in System Security

Detection Devices- are electronic or mechanical devices that detect fire or unauthorized access. Their purpose is to
provide an opportunity for intervention that minimizes damage or loss.

Fire Detection Devices- alert personnel so that they can act to protect equipment and files and put out the fire.
They are heat-sensitive (usually fusible links built into the nozzles of a sprinkler system) or smoke-sensitive
(able to detect electrical fires much sooner than heat-sensitive devices, since smoke appears before the heat
needed to trigger a fusible link).

Unauthorized Access Detection Devices-

a. Microswitches- detect the presence of an intruder by breaking or completing an electric circuit (for example,
when a door or cabinet is opened).
b. Beams- can be directed across computer room entrances or other high-security areas.
c. Ultrasonic and radar detectors- designed to detect movement within the computer facilities.
d. Microphones- can detect sound in the computer facilities.

Controls for Recovery from System Security Failures
