System vulnerabilities exist at multiple layers in computing environments and from both internal and external threats. Database security aims to protect data from accidental or intentional loss, destruction, or misuse. Key challenges include increased internet access, client/server technologies, and the growing amount of electronic data stored. Effective security policies around personnel, physical access, maintenance, and privacy can help mitigate threats. Frameworks like COBIT provide guidance on establishing appropriate IT controls and processes to ensure business objectives, resources, and operations are properly managed.
System vulnerabilities exist at multiple layers in computing environments and from both internal and external threats. Database security aims to protect data from accidental or intentional loss, destruction, or misuse. Key challenges include increased internet access, client/server technologies, and the growing amount of electronic data stored. Effective security policies around personnel, physical access, maintenance, and privacy can help mitigate threats. Frameworks like COBIT provide guidance on establishing appropriate IT controls and processes to ensure business objectives, resources, and operations are properly managed.
System vulnerabilities exist at multiple layers in computing environments and from both internal and external threats. Database security aims to protect data from accidental or intentional loss, destruction, or misuse. Key challenges include increased internet access, client/server technologies, and the growing amount of electronic data stored. Effective security policies around personnel, physical access, maintenance, and privacy can help mitigate threats. Frameworks like COBIT provide guidance on establishing appropriate IT controls and processes to ensure business objectives, resources, and operations are properly managed.
System vulnerabilities exist at multiple layers in computing environments and from both internal and external threats. Database security aims to protect data from accidental or intentional loss, destruction, or misuse. Key challenges include increased internet access, client/server technologies, and the growing amount of electronic data stored. Effective security policies around personnel, physical access, maintenance, and privacy can help mitigate threats. Frameworks like COBIT provide guidance on establishing appropriate IT controls and processes to ensure business objectives, resources, and operations are properly managed.
electronic form they are vulnerable to many more kinds of threats
Why systems are vulnerable
Why systems are vulnerable
In multi-tier client server computing environment
vulnerabilities exist at each layer and in communications between the layer
Intruders who launch denial of service attacks or
malicious software
Unauthorized access
Database Security Database Security: Protection of the data against accidental or intentional loss, destruction, or misuse Increased difficulty due to Internet access and client/server technologies
System malfunction because hardware breaks
down or damaged by improper use or criminal act
Possible locations of data
security threats
Threats to Data Security
Accidental losses attributable to:
Human error Software failure Hardware failure Theft and fraud Loss of privacy or confidentiality Loss of data integrity Loss of availability (through, e.g. sabotage)
Database Recovery
Security Policies and
Procedures Personnel controls!
Hiring practices, employee monitoring, security training
Journalizing Facilities Audit trail of transactions and database updates Transaction log record of essential data for each transaction processed against the database Database change log images of updated data
Before-image copy before modification
After-image copy after modification
of the entire database
backup
Hot backup selected portion is shut down and
backed up at a given time
Backups stored in secure, off-site location
Security and challenges of
vulnerabilities
Internal threats : Employee
Management Framework for
Security and Control COBIT FRAMEWORK
Largest financial threats to business institutions
come from insiders Users lack of knowledge is the single greatest cause of network security breaches
Also know as the Control Objectives for
Information and Related Technology framework.
Developed by the Information Systems Audit and
Control Foundation (ISACF).
A framework of generally applicable information
systems security and control practices for IT control.
COBIT FRAMEWORK
Types of Information Systems Control
The framework addresses the issue of control from three
vantage points or dimensions:
Business Objectives: To satisfy business objectives,
information must conform to certain criteria referred to
as business requirements for information.
IT resources: people, application systems,
technology, facilities, dan data
General Control govern the design, security, and
use of computer programs and the security of data files in general throughout the organizations information infrastructure.
IT processes: planning and organization, acquisition
and implementation, delivery and support, and monitoring
General control
General control includes software controls,
physical hardware controls, computer operations controls, control over implementation process and administrative controls.
Picture example of Physical
hardware control
Picture example of Physical
hardware control
Ensuring business continuity
Computer failures, interruptions and downtime
translate into disgruntled customers Downtime. Period of time in which a system is not operational.
Ensuring business continuity
Fault-tolerant computer systems: hardware,
software and power supply components that provides continuous, uninterrupted service. Part of these computers can be removed and repaired without disruption to computer system
Ensuring business continuity
High-availability computing: System that help firms recover quickly from crash Requires a tools and technologies to ensure maximum performance of computer system and networks. Including redundant server, load balancing, clustering, high capacity storage, and good recovery.
Ensuring business continuity
Data Center
Load balancing: distributes large numbers of
access request across multiple servers. TELKOM SIGMA Data Center in Serpong and Sentul
Mirroring. Backup server that duplicates all the
processes and transactions of primary server.
Facebook data center
Disaster recovery plan and
business continuity planning Disaster recovery plan: Plans for restoration and computing and communications services after disrupted by disaster Business continuity planning, focus on how company can restore business operations after a disaster strike.
Disaster recovery plan and business
continuity planning
Disaster recovery plan and business
continuity planning
Disaster recovery plan and business
continuity planning
Technology and tools for
security and control
Sarbanes Oxley and
databases
The Sarbanes Oxley were designed to ensure
the integrity of public companies financial statement
the key component is ensuring sufficient control
and security over the financial system and IT infrastructure in use.
Firewalls gatekeeper that examines each user
credential before access granted Intrusion Detection System, full time monitoring tools placed at most vulnerable points.
Key focus of SOX audit
IT Change Management
Logical Access to data
IT operations
IT Change Management
Refer to process by which changes to
operational systems and databases are authorised
Top deficiency found by SOX auditor:
Logical Access to data
Logical Access to data is essentially about
security procedures in place to prevent unauthorised access to data.
Two types of security policy and procedure:
Personnel Control
Physical Access Control.
Inadequate segregation of duties between
people who have access to database in three environments: Development, Test and Production
IT Operations
IT Operations refers to the policies and
procedures in place related to day to day management of the infrastructure, applications, and databases in organisation
