INFORMATION SECURITY
AND CONTROL
SECURITY:
Deter
 Detect
 Minimize
 Investigate
 Recover

Security Risks
Internal
External
Accidental
Destruction
Alteration
Access
Intentional
Threats
Disaster and breakdowns
 Access and disclosure
 Alteration or destruction
 Improper use

RISK ASSESSMENT
P1
 P2
L

Probability of attack
Probability of success
Cost of Loss
Expected Loss = P1 * P2 * L
Minimize Threat Categories
Administrative Controls
Standards, rules, procedures and
discipline to assure that personnel
abide by established policies. Includes
segregation of functions.
Security Policy
Security is always a cost to efficiency. It
must be promoted to be effective.
 From the top
 Before installing hardware
 Politically charged
Writing a Security Policy
Assess the types of risks
 Identify vulnerabilities
 Analyze user needs
 Write the policy
 Develop change procedures
 Plan implementation
 Implement

Vulnerabilities

Servers
Operating systems and applications

Networks
Snooping, attacks, spoofing

Clients and modems
PCAnywhere etc.

Viruses
Operating Systems
UNIX
 Novell Netware
 Windows and Windows NT

Administrative Controls
Security organization
 Audits
 Risk assessment
 Administrative standards and
procedures

Disaster Management
Redundancy and fault tolerant systems
 Backups and off site storage
 Hot and cold sites
 Planning and procedures

Architectural Controls
Software controls
Prevent unauthorized changes
 Hardware controls
Control access and use

Tools
Firewalls
 Network partitioning and routers
 Encryption
 Testing tools
 Consultants

Encryption
Keys and key length
 Public key/private key
 Processing problems
 Location

» Application
» Network
» Firewall
» Link
Authentication
Passwords
 Biometrics
 Isolation
 Remote location verification

SECURITY:





Deter
Detect
Minimize
Investigate
Recover