Lesson#31
Control Adjustment
This phase involves determining whether any controls can be designed, implemented and operated. The cost of devising controls should not exceed the expected potential benefit to be realised and the potential loss being avoided. This decision takes into consideration various factors like personal judgment of the situation, any information gained on desired/non-existing controls during the previous phases, and the demands of users for an ideal control environment.
Existing controls should not be totally discarded while adjusting controls. They can either be terminated totally, because the threats are no longer present and better controls exist, or modified for betterment. This phase should consider security to be cost effective and integrated.
31.1 Security to be cost effective
The IT Guideline on security issued by IFAC states:
“Different levels and types of security may be required to address the risks to information. Security levels and associated costs must be compatible with the value of the information.”
An organization should consider various factors to make security cost effective. These factors include the criticality of information assets, the devising of safeguards, the cost of implementing safeguards, and an optimum balance between the harm arising from a security breach and the costs associated with the safeguards.
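The control adjustment decision described above (keep, modify or terminate a control by comparing its cost with the loss it avoids, using the frequency of past occurrences that the lesson later recommends establishing) can be worked through in code. This is an added example, not part of the lesson; the incident history, control names, costs and reduction factors are all constructed assumptions.

```python
"""Cost-benefit check for control adjustment (added example, not from the lesson).
Rule: keep or devise a control only if its cost does not exceed the expected loss
it avoids; terminate a control whose threat is no longer observed. Data is constructed."""
from collections import defaultdict

# Constructed incident history: (threat, year, loss in currency units)
INCIDENTS = [
    ("power surge", 2019, 12_000), ("power surge", 2021, 9_000),
    ("power surge", 2023, 15_000),
    ("flood", 2020, 80_000),
    ("dust contamination", 2018, 4_000),
]
YEARS_OBSERVED = 6  # 2018..2023 inclusive

# Constructed candidate controls: threat addressed, annual cost, fraction of loss avoided
CONTROLS = [
    {"name": "UPS + voltage regulators", "threat": "power surge", "cost": 5_000, "reduction": 0.9},
    {"name": "raised flooring", "threat": "flood", "cost": 20_000, "reduction": 0.5},
    {"name": "dust filters", "threat": "dust contamination", "cost": 3_000, "reduction": 0.8},
    {"name": "legacy tape backup", "threat": "tape failure", "cost": 2_000, "reduction": 1.0},
]

def expected_annual_loss(incidents, years):
    """Per-threat frequency (occurrences/year) times average loss, from past occurrences."""
    totals = defaultdict(lambda: [0, 0])  # threat -> [count, loss_sum]
    for threat, _year, loss in incidents:
        totals[threat][0] += 1
        totals[threat][1] += loss
    return {t: (n / years) * (s / n) for t, (n, s) in totals.items()}

def adjust_controls(controls, incidents, years):
    """Map each control name to a keep/modify/terminate decision."""
    eal = expected_annual_loss(incidents, years)
    decisions = {}
    for c in controls:
        if c["threat"] not in eal:
            decisions[c["name"]] = "terminate: threat no longer observed"
            continue
        benefit = eal[c["threat"]] * c["reduction"]  # expected loss avoided per year
        if c["cost"] <= benefit:
            decisions[c["name"]] = f"keep: cost {c['cost']} <= benefit {benefit:.0f}"
        else:
            decisions[c["name"]] = f"modify or drop: cost {c['cost']} > benefit {benefit:.0f}"
    return decisions

if __name__ == "__main__":
    for name, d in adjust_controls(CONTROLS, INCIDENTS, YEARS_OBSERVED).items():
        print(f"{name}: {d}")
```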
Level of integration of security
There should be harmonization of security systems with information systems. This helps achieve consistency in the security framework. Where information systems have some level of integration, the security system should have a corresponding level of integration, accepting the level of communication and interaction that is allowable in the IS itself.
31.2 Roles & Responsibility
For security to be effective, it is imperative that individual roles and responsibilities are clearly communicated and understood by all. Organizations must assign security related functions in the appropriate manner to nominated employees. Responsibilities to consider include:
1. Executive Management — assigned overall responsibility for the security of information;
2. Information Systems Security Professionals — responsible for the design, implementation, management, and review of the organization’s security policy, standards, measures, practices, and procedures;
3. Data Owners — responsible for determining sensitivity or classification levels of the data as well as maintaining accuracy and integrity of the data resident on the information system;
4. Process Owners — responsible for ensuring that appropriate security, consistent with the organization’s security policy, is embedded in their information systems;
5. Technology Providers — responsible for assisting with the implementation of information security;
6. Users — responsible for following the procedures set out in the organization’s security policy; and
7. Information Systems Auditors — responsible for providing independent assurance to management on the appropriateness of the security objectives.
31.3 Report Preparation
This is the final phase. The report documents the findings of the review and makes recommendations. The critical part is to get management to accept the importance of the exposures identified. It is the responsibility of the security administrator to demonstrate the feasibility and benefits of the safeguards being recommended.
Meaning of threat
In literal terms, a threat is an expression of an intention to inflict pain, injury, evil, or punishment, and an indication of impending danger or harm. In day to day usage, a threat is defined as an unwanted (deliberate or accidental) event that may result in harm to an asset. Often, a threat exploits one or more known vulnerabilities.
Identification of threats
Threats can be identified on the basis of the nature of the threat, which can be either accidental (natural occurrences/force majeure) or deliberate (an intentional act of harm), or on the basis of the source of the threat, which can be either internal (a threat caused within the organization) or external (a threat from someone outside the organization).
31.4 Types of Threat
Threats can be divided into two broad categories:
1. Physical threat
This refers to the damage caused to the physical infrastructure of the information systems. Examples are natural disasters (fire, earthquake, flood), pollution, energy variations and physical intrusion.
2. Logical threat
This refers to damage caused to the software and data without physical presence. Examples are viruses and worms, and logical intrusion, commonly referred to as hacking.
Physical threats
The risk of physical damage is that the computer hardware becomes useless due to the damage caused to it by natural disasters (fire, earthquake, flood), pollution (dust) or energy variations. Reasonable measures should be taken to avoid undesirable consequences. The frequency/probability of such past occurrences should be established so that suitable remedial measures can be taken.
Energy Variations
They can disrupt not only the hardware but also the operational systems and application systems. The total power needs of an organization need to be carefully assessed and provided for. Power supply must be monitored to ascertain the range of voltage fluctuations, and suitable steps taken to upgrade voltage control equipment.
Energy variations can be of various types:
Surges or spikes – sudden increase in power supply
Sags or brownouts – sudden decrease in power supply
Blackouts – total loss of power or power failure, whether scheduled or unscheduled
There can be various remedies to avoid the damage caused by power variations. Uninterruptible power supplies (UPS) can be used to help avoid the turning on and off of electrical equipment. Voltage regulators and circuit breakers can also be used to avoid undesirable results.
The design of the security system must also provide for total loss of power. Certain systems should not fail and should keep working in case of total loss. Powered doors should be capable of manual deactivation, should the staff want to exit manually. Alarms and fire extinguisher systems should not fail in the event of total power loss.