IS SECURITY AND CONTROL

Goup 7 members
Edith Mbasha R172752H
Nobody Mbulayi R202068H
 Information security
• Information security refers to the protection of information and information systems from unauthorized
access, use, disclosure, disruption, modification, or destruction. In today's digital age, where information
is a valuable asset, ensuring its security is of utmost importance for individuals, organizations, and
governments.
• The primary goal of information security is to safeguard the confidentiality, integrity, and availability of
information. Let's explore these three aspects in more detail:
1. Confidentiality: Confidentiality focuses on preventing unauthorized access to information. It ensures that
only authorized individuals or entities can access sensitive data or resources. Measures such as access
controls, encryption, and secure communication protocols are used to maintain confidentiality.
2. Integrity: Integrity ensures that information remains accurate, complete, and reliable throughout its
lifecycle. It involves protecting information from unauthorized modification, deletion, or tampering.
Techniques like data validation, checksums, and digital signatures help maintain data integrity.
3. Availability: Availability ensures that information and information systems are accessible and usable
when needed. It involves protecting against disruptions, system failures, or denial-of-service attacks that
could render information inaccessible. Redundancy, fault-tolerant systems, and disaster recovery plans
are employed to maintain availability.
 INFORMATION SECURITY

• Information security encompasses various principles, practices, and technologies to achieve these goals. Some key concepts include:
1. Risk Management: Risk management involves identifying, assessing, and mitigating risks to information assets. It includes conducting risk
assessments, implementing controls, and developing incident response plans to minimize the impact of security incidents.
2. Access Control: Access control mechanisms ensure that only authorized individuals can access specific information or resources. This
includes methods like authentication (e.g., passwords, biometrics), authorization (defining user privileges), and accountability (audit trails).
3. Encryption: Encryption is the process of converting information into a form that is unreadable without a decryption key. It protects the
confidentiality of sensitive data, both during storage and transmission.
4. Network Security: Network security focuses on protecting the communication infrastructure, including wired and wireless networks. It
involves measures such as firewalls, intrusion detection systems, virtual private networks (VPNs), and secure protocols.
5. Software Security: Software security aims to identify and mitigate vulnerabilities in software applications. This includes secure coding
practices, regular patching, and secure software development life cycles (SDLC) to minimize the risk of exploitation.
6. Physical Security: Physical security safeguards the physical assets that house information systems, such as data centers and server rooms. It
includes measures like access controls, surveillance systems, and environmental controls (e.g., fire suppression, temperature regulation).
 INFORMATION SECURITY

• Information security is a dynamic field that constantly evolves to address emerging threats and
technologies. It requires a multi-layered approach, combining technical controls, policies, and
user awareness to create a robust security posture.
• By implementing effective information security practices, individuals and organizations can
protect their sensitive data, maintain trust with stakeholders, and mitigate potential financial,
legal, or reputational damages resulting from security incidents.
 Information Security Vulnerability and
Abuse
• - refer to weaknesses or flaws in systems, processes, or controls that can be exploited by attackers to gain unauthorized access, disrupt operations, or compromise the
confidentiality, integrity, or availability of information. These vulnerabilities can arise from various sources, including software flaws, misconfigurations, human errors, or social
engineering tactics.
• Information security abuse involves intentional or unintentional actions that violate information security policies, procedures, or ethics. It can include unauthorized access,
misuse of privileges, data theft, sabotage, or any activity that compromises the security of information .Below are some common types of vulnerabilities and abuses:

1. Misconfigured Systems: Misconfigured systems or applications can create security vulnerabilities. For example, leaving default passwords, open ports, or unnecessary
services enabled can provide avenues for attackers to exploit. It is crucial to follow security best practices and regularly review system configurations to minimize these
vulnerabilities.
2. Social Engineering: Social engineering involves manipulating individuals to disclose sensitive information or perform actions that compromise security. This can include
phishing emails, phone scams, impersonation, or pretexting. Attackers exploit human psychology and trust to gain unauthorized access to systems or obtain confidential
information.
3. Insider Threats: Insider threats refer to abuses or vulnerabilities caused by individuals within an organization who have authorized access to systems or resources. This can
include employees, contractors, or trusted partners. Insider threats can involve intentional actions, such as data theft or sabotage, or unintentional actions due to negligence
or lack of awareness.
4. Weak Authentication and Access Controls: Weak authentication mechanisms, such as using weak passwords or not implementing multi-factor authentication, can lead to
unauthorized access. Additionally, inadequate access controls, such as granting excessive privileges or not revoking access promptly, can increase the risk of abuse or
unauthorized actions.
 Cont…

5. Physical Security Breaches: Physical security vulnerabilities can result in unauthorized access to physical assets, such as
data centers or server rooms. This can include unauthorized entry, theft of equipment, or tampering with physical
infrastructure. Physical security measures, such as access controls, surveillance systems, and environmental controls, are
essential to prevent such abuses.
6. Data Leakage: Data leakage occurs when sensitive information is unintentionally or maliciously disclosed to
unauthorized individuals or entities. This can happen through insecure communication channels, inadequate data protection
measures, or insider threats. Data loss prevention techniques, encryption, and access controls are employed to mitigate data
leakage risks.
 Addressing vulnerabilities and prevent
abuses
• To address vulnerabilities and prevent abuses, organizations should adopt a comprehensive approach to information security,
including:
1. Regular vulnerability assessments and penetration testing to identify and remediate vulnerabilities in systems and applications.
2. Implementing strong access controls, authentication mechanisms, and privilege management to ensure that only authorized
individuals can access sensitive information.
3. Employee training and awareness programs to educate users about security best practices, the risks of social engineering, and
the importance of adhering to security policies.
4. Incident detection and response capabilities to identify and respond to security incidents promptly, minimizing the impact of
potential abuses.
5. Regular monitoring and auditing of systems and networks to detect and investigate any suspicious activities or policy violations.
6. Keeping software and systems up to date with the latest security patches and updates to address known vulnerabilities.
• By proactively addressing vulnerabilities and promoting a strong security culture, organizations can reduce the risk of information
security breaches and abuses, safeguarding their valuable information assets.
 Creating computer operations controls
• This involves implementing measures and procedures to ensure the effective and secure operation of computer systems.
• These controls help protect the confidentiality, integrity, and availability of information, prevent unauthorized access, and minimize the risk of disruptions or errors. Here are some key considerations when creating computer
operations controls:
1. Access Controls:

 Implement strong authentication mechanisms, such as passwords, biometrics, or multi-factor authentication, to ensure that only authorized individuals can access computer systems.
 Use role-based access control (RBAC) to assign appropriate privileges and permissions to users based on their roles and responsibilities.
 Regularly review and update access controls to reflect changes in personnel or organizational structure.
2. Change Management:

 Establish a formal change management process to control and track changes made to computer systems, software, and configurations.
 Require documentation and approvals for proposed changes, including an assessment of potential security risks.
 Test changes in a controlled environment before implementing them in production systems.
 Maintain an inventory of hardware and software assets and track changes to ensure system integrity.
3. Incident Management:

 Develop an incident response plan that outlines the steps to be taken in the event of a security incident or system disruption.
 Establish procedures for detecting, reporting, and responding to security incidents promptly.
 Regularly conduct drills and exercises to test the effectiveness of the incident response plan.
 Maintain incident logs and conduct post-incident analysis to identify lessons learned and improve future response.
4. Backup and Recovery:

 Implement regular and automated backup procedures to ensure the availability and recoverability of critical data and systems.
 Store backups securely, both on-site and off-site, to protect against data loss due to hardware failures, disasters, or malicious activities.
 Test the restoration process periodically to verify the integrity and reliability of backups.
 Continued….

5. Monitoring and Logging:

 Deploy monitoring tools to detect and alert on suspicious activities, unauthorized access attempts, or system anomalies.
 Implement centralized logging mechanisms to capture and retain logs of system events, user activities, and security-related incidents.
 Regularly review and analyze logs to identify potential security issues or policy violations.
6. Physical Security:

 Secure physical access to computer systems, data centers, and server rooms through measures such as access controls, locks, and surveillance systems.
 Implement environmental controls to protect against temperature fluctuations, power outages, and other physical threats.
 Conduct periodic physical security assessments and audits to identify vulnerabilities and address them proactively.
7. User Awareness and Training:

 Provide regular security awareness training to employees and system users to promote secure computing practices and educate them about potential risks and threats.
 Emphasize the importance of following policies, reporting incidents, and maintaining the confidentiality of information.
8.Compliance and Auditing:

 Regularly assess and validate compliance with relevant regulations, industry standards, and internal policies.
 Conduct periodic audits and reviews of computer operations controls to ensure their effectiveness and identify areas for improvement.
 Engage internal or external auditors, if necessary, to perform independent assessments.
computer operations controls should be tailored to the specific needs, risks, and regulatory requirements of the organization. It is also essential to regularly review and update controls to
adapt to evolving threats and technologies.
 Data security controls
Data security
controls are crucial aspects of information security that focus on protecting the confidentiality, integrity, and availability of data. Effective data security measures are essential to safeguard
sensitive information from unauthorized access, disclosure, alteration, or destruction. Here are some key considerations for data security and controls:
1. Data Classification:
 Classify data based on its sensitivity, criticality, and regulatory requirements. This helps in determining appropriate security controls and allocating resources effectively.
2. Data Access Controls:

 Implement access controls to ensure that only authorized individuals or entities can access specific data.
 Use authentication mechanisms, such as strong passwords, biometrics, or multi-factor authentication, to verify the identity of users.
 Employ role-based access control (RBAC) to assign access privileges based on job roles and responsibilities.
 Regularly review and update access privileges as personnel or job roles change.
3. Encryption:

 Encrypt sensitive data at rest and in transit to protect it from unauthorized access or interception.
 Use strong encryption algorithms and properly manage encryption keys.
 Implement secure protocols, such as HTTPS or VPNs, for secure data transmission.
4. Data Loss Prevention (DLP):

 Deploy data loss prevention solutions to monitor, detect, and prevent the unauthorized transmission or disclosure of sensitive data.
 Use techniques like content filtering, data classification, and policy enforcement to prevent data leakage.
 Cont….

5. Backup and Disaster Recovery:

 Regularly back up critical data and ensure backups are stored securely.
 Establish a comprehensive disaster recovery plan to ensure the timely restoration of data in the event of system failures, natural disasters, or other disruptions.
6. Data Retention and Destruction:

 Define data retention policies that specify how long data should be retained based on legal, regulatory, or business requirements.
 Establish secure processes for data destruction, including the secure erasure or destruction of data when it is no longer needed.
7. Data Masking and Anonymization:

 Implement data masking or anonymization techniques to protect sensitive information while maintaining data utility for development, testing, or analysis purposes.
 Replace sensitive data with realistic but fictitious data to prevent unauthorized access or exposure.
8. Monitoring and Logging:

 Implement monitoring and logging mechanisms to track access to sensitive data, detect suspicious activities, and facilitate incident response.
 Regularly review and analyze logs to identify security incidents or policy violations.
9. Employee Training and Awareness:

 Conduct regular security awareness training programs to educate employees about data security best practices, policies, and potential risks.
 Promote a culture of security awareness and accountability among employees to prevent human errors or intentional data breaches.
 Continued…

10. Regulatory Compliance:

 Ensure compliance with relevant data protection regulations (e.g., GDPR, CCPA) and industry-specific security standards.
 Regularly assess and validate compliance through audits and assessments.
• Data security and controls should be implemented in a layered approach, considering both technical and organizational measures. Regular
assessments, audits, and continuous monitoring are essential to ensure the effectiveness of data security controls and to identify and address
vulnerabilities or emerging threats.
 Administrative controls

• Administrative controls, also known as organizational controls, are a vital component of a comprehensive information security program. These controls focus on policies, procedures, guidelines, and management
practices that help establish a secure environment, define responsibilities, and guide the behavior of individuals within an organization. Here are some key examples of administrative controls:
1. Security Policies and Procedures:

 Develop and implement comprehensive security policies and procedures that outline the organization's expectations, guidelines, and requirements for information security.
 Include policies related to data classification, access control, incident response, acceptable use, remote access, password management, and other relevant areas.
 Regularly review and update policies to align with changing business needs and evolving threats.
2. Risk Management:

 Establish a formal risk management process to identify, assess, and prioritize information security risks.
 Conduct risk assessments to understand potential threats, vulnerabilities, and business impacts.
 Develop risk treatment plans to mitigate or address identified risks and monitor their effectiveness.
3. Security Awareness and Training:

 Provide regular security awareness and training programs to educate employees about their roles and responsibilities in protecting sensitive information.
 Cover topics such as phishing awareness, social engineering, password security, data handling, and incident reporting.
 Foster a culture of security awareness to encourage employees to be proactive in identifying and reporting security issues.
4. Personnel Security:

 Implement personnel security practices such as background checks, security awareness training during onboarding, and termination procedures to ensure that only trustworthy individuals have access to
critical systems and data.
 Clearly define and communicate security roles and responsibilities to employees.
 Enforce disciplinary actions for policy violations or security breaches.
 Administrative controls

5. Access Control:

 Establish procedures for granting, modifying, and revoking access privileges based on the principle of least privilege.
 Regularly review and audit user accounts and access permissions to ensure they align with business requirements.
 Implement strong user authentication mechanisms and enforce password management policies.
6. Incident Management:

 Develop an incident response plan that outlines the steps to be taken in the event of a security incident.
 Establish procedures for reporting, investigating, and responding to security incidents promptly.
 Conduct post-incident analysis to identify root causes, implement corrective actions, and prevent future incidents.
7. Change Management:

 Implement a formal change management process to control and track changes to information systems, software, and configurations.
 Require documentation, approvals, and testing for proposed changes to prevent unauthorized or unintended modifications.
 Conduct regular change reviews to assess the impact of changes on security and compliance.
8. Vendor Management:

 Implement a vendor management program to assess and manage the security controls of third-party vendors or service providers.
 Establish contractual agreements that define data security requirements, data handling practices, and incident response procedures.
 Regularly assess the security posture of vendors and conduct audits or assessments, if necessary.
9. Business Continuity and Disaster Recovery:

 Develop business continuity and disaster recovery plans to ensure the organization can continue operations and recover critical systems and data in the event of disruptions or disasters.
 Regularly test and update these plans to reflect changes in technology, infrastructure, or business requirements.
10. Compliance and Auditing:

 Regularly assess and validate compliance with relevant regulations, industry standards, and internal policies.
 Conduct internal audits and assessments to evaluate the effectiveness of administrative controls and identify areas for improvement.
 Engage external auditors, if necessary, to perform independent assessments.
 continued

• Administrative controls provide the framework for effective

governance, risk management, and compliance. They help
establish a security-conscious culture, ensure accountability,
and facilitate the implementation of technical controls. Regular
review, monitoring, and continuous improvement are essential
to maintain the effectiveness of administrative controls in
mitigating information security risks.
 APPLICATION CONTROLS

• These are are specific measures implemented within software applications to ensure the integrity, accuracy, completeness, and security of data processing. These controls are
designed to prevent or detect errors, fraud, and unauthorized activities within the application environment. Here are some examples of application controls:
1. Input Controls:

 Data Validation: Validate input data to ensure it meets predefined criteria (e.g., range checks, format checks, data type validation) and reject or correct invalid data.
 Field-level Checks: Perform checks on individual fields to verify the accuracy and integrity of data (e.g., checksums, character limits, mandatory fields).
 Data Integrity Checks: Implement checks to identify duplicate or inconsistent data entries, ensuring the accuracy and consistency of stored information.
2. Processing Controls:

 Workflow and Approval Mechanisms: Establish workflows and approval processes to ensure that critical transactions or data changes are authorized before processing.
 Segregation of Duties (SoD): Enforce separation of responsibilities to prevent any one individual from having complete control over a transaction from initiation to
completion.
 Batch Controls: Implement controls to monitor and verify the accuracy and completeness of batch processing, including reconciliation and error-handling procedures.
3. Output Controls:

 Report and Output Validation: Validate the accuracy, completeness, and formatting of generated reports and outputs to ensure that they reflect the intended results.
 Secure Output Handling: Implement controls to secure and protect sensitive or confidential output, such as encryption, access controls, or secure delivery mechanisms.
 Cont…

4. User Interface Controls:

 Access Controls: Enforce user authentication and authorization mechanisms to ensure that only authorized individuals can access the application.
 User Interface Design: Design user interfaces with usability and security in mind, including appropriate input validation, clear error messages, and intuitive
navigation.
 Session Management: Implement controls to manage user sessions and prevent unauthorized access or session hijacking.
5. Audit Trails and Logging:

 Record and log application activities, including user actions, system events, and critical transactions.
 Enable detailed logging to facilitate troubleshooting, forensic analysis, and compliance audits.
 Implement mechanisms to protect log files from tampering or unauthorized access.
6. Error Handling and Exception Reporting:

 Implement robust error handling mechanisms to gracefully handle application errors, prevent data corruption, and maintain system stability.
 Generate exception reports or notifications to alert appropriate personnel of critical errors or abnormal conditions.
7. Change Management Controls:

 Implement controls to manage changes to the application software, configuration, or data structures.
 Establish change management processes to document, review, and test changes before deployment to minimize the risk of introducing vulnerabilities or errors.
 continued

8.Security Controls:

 Implement security measures within the application to protect against unauthorized access, data breaches, or malicious activities.
 Include mechanisms such as authentication, authorization, encryption, secure coding practices, and vulnerability assessments.
9.Compliance Controls:

 Implement controls to ensure compliance with relevant regulations, industry standards, and internal policies within the application.
 Include features such as data privacy controls, audit trails, or data retention policies as required by applicable regulations.
• Application controls are essential for ensuring the reliability and security of software applications. They should be designed, implemented, and
tested during the development and deployment processes. Regular monitoring, assessment, and updates of application controls are necessary
to address emerging risks and maintain the effectiveness of controls over time.
END

Titende, Siyabonga, Thank you, Twalumba