Information Security Controls
Keywords: Information Security, CIA, Access Controls, Data Integrity, Data Encryption, Defense in Depth, Security Policy
Information Security is the practice of ensuring the confidentiality, integrity, and availability (CIA) of information within an organization. Confidentiality means the information is protected from disclosure to unauthorized entities. Integrity means the information is protected from unauthorized modification. Availability means the information is accessible when authorized users require it. Achieving the CIA triad requires the system administrator to implement a number of components, which are described below.
Before investing in controls, identify the threats to your system, the risk they pose, and the impact if they succeed; the cost of a control is not always justified by the impact it mitigates. Threats are the internal or external actors or events that can exploit a vulnerability or physically destroy a critical system: a terminated employee, a cybercriminal, a black-hat hacker, a system failure, a usage violation, or a natural disaster. Risk is the likelihood that a threat successfully exploits the organization's systems. Impacts are the consequences of a successful exploitation, such as financial loss, reputational damage, or regulatory penalties. Below are some controls, methodologies, and guidelines that help system administrators and information owners ensure the CIA of their data.
Defence in Depth
An approach that layers multiple protections so that if one control fails, the others remain in place. With defence in depth, all critical Internet-facing servers are protected by a firewall, IDS, and IPS; clients access the network through segmentation controls (VLANs); and a host-based firewall and up-to-date anti-virus definitions are enabled on every client. The layers should be of different kinds, so that a weakness in one is not shared by the next. The system or network administrator should also perform real-time network monitoring so that incidents within the network are detected as they occur.
Authentication
An approach to identifying authorized users using one or more of the factors below:
- Something you know: a password, passcode, or PIN.
- Something you have: a token device or access card.
- Something you are: a biometric such as a fingerprint, iris, voice, or face.
To make identification and authentication reliable, two-factor or three-factor authentication should be implemented. Two-factor authentication combines "something you know + something you have"; three-factor authentication combines "something you know + something you have + something you are". Two credentials of the same kind (for example a password plus a security question, both "something you know") do not count as two factors.
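The two-factor combination described above, as an added example that is not part of the original article: the "something you know" factor is a password checked against a salted PBKDF2 hash (the password itself is never stored), and the "something you have" factor is a TOTP authenticator code (RFC 6238) derived from a secret shared at enrolment. The iteration count, the 30-second step, and the one-step drift window are assumptions chosen here; the enrolment data in the demo is constructed.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple

# Factor 1, "something you know": only a salted PBKDF2-HMAC-SHA256 hash of the
# password is stored. The iteration count is an assumption chosen to make offline
# guessing expensive; tune it to your hardware.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key) for storage. A fresh random salt is drawn per user."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    _, key = hash_password(password, salt)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(key, stored_key)


# Factor 2, "something you have": a TOTP authenticator (RFC 6238, HMAC-SHA1,
# 30-second time step) holding a secret shared with the server at enrolment.
def generate_totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                        # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and up to `window` steps of clock drift either side."""
    if not (code.isascii() and code.isdigit()):
        return False
    for drift in range(-window, window + 1):
        expected = generate_totp(secret, unix_time + drift * step, step)
        if hmac.compare_digest(expected, code):
            return True
    return False


def two_factor_login(password: str, salt: bytes, stored_key: bytes,
                     totp_secret: bytes, code: str, now: Optional[int] = None) -> bool:
    """Both factors must pass. Both are always evaluated, so a failure does not
    reveal to the caller which factor was wrong."""
    now = int(time.time()) if now is None else now
    knows = verify_password(password, salt, stored_key)
    has = verify_totp(totp_secret, code, now)
    return knows and has


if __name__ == "__main__":
    # Constructed enrolment data, not real credentials.
    salt, key = hash_password("correct horse battery staple")
    secret = os.urandom(20)
    code = generate_totp(secret, int(time.time()))
    print("login ok:", two_factor_login("correct horse battery staple", salt, key, secret, code))
    print("wrong code:", two_factor_login("correct horse battery staple", salt, key, secret, "000000"))
```

The drift window is the usual trade-off: too small and users with slow clocks are locked out, too large and a captured code stays valid longer. In production a used code should also be remembered for its validity window so it cannot be replayed.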
Authorization
An approach that ensures only authorised users can access system resources, and only within their assigned privileges, which in turn protects data integrity. A user access matrix (which roles may perform which operations on which resources) gives the system administrator a baseline for assigning and verifying access rights when accounts are created or modified. Three subcomponents help the administrator achieve data integrity:
- Least privilege: grant the minimum access to organization resources that a person's daily job requires, and deny everything not explicitly granted.
- Separation of duties: avoid giving one person full control of a process. To prevent illegal data modification or fraud, the organization assigns different steps of a process to different people, so that no single individual can complete it alone and the opportunity for fraud is reduced.
- Data encryption: ensure that stored data is enciphered and kept in a safe place, so that users cannot access the raw data directly but only through the controlled application path.
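The access matrix, least privilege and separation of duties described above, as an added example that is not part of the original article. The roles, resources and operations are constructed for illustration. It shows the two places where separation of duties has to be enforced: statically, when roles are assigned to an account (the account creation or modification phase), and dynamically, at request time, because roles tend to accumulate over an employee's career.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Access matrix: role -> resource -> operations that role may perform.
# Constructed for illustration; not the matrix of any real system.
ACCESS_MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "clerk":    {"invoice": {"read", "create"}},
    "approver": {"invoice": {"read", "approve"}},
    "auditor":  {"invoice": {"read"}, "audit_log": {"read"}},
}

# Separation of duties: pairs of operations one person must never perform on the same object.
SOD_CONFLICTS: Set[Tuple[str, str]] = {("create", "approve")}


class AccessDenied(Exception):
    pass


@dataclass
class User:
    name: str
    roles: Set[str]


@dataclass
class Invoice:
    id: str
    history: List[Tuple[str, str]] = field(default_factory=list)  # (user, operation) performed so far


def is_permitted(user: User, resource: str, operation: str) -> bool:
    """Least privilege: default deny; allowed only if one of the user's roles grants it explicitly."""
    return any(operation in ACCESS_MATRIX.get(role, {}).get(resource, set())
               for role in user.roles)


def _conflicts(a: str, b: str) -> bool:
    return (a, b) in SOD_CONFLICTS or (b, a) in SOD_CONFLICTS


def role_assignment_conflicts(roles: Set[str], resource: str) -> List[Tuple[str, str]]:
    """Static SoD check for the account creation/modification phase: which conflicting
    operation pairs would this combination of roles give one person on `resource`?"""
    granted: Set[str] = set()
    for role in roles:
        granted |= ACCESS_MATRIX.get(role, {}).get(resource, set())
    return sorted((a, b) for (a, b) in SOD_CONFLICTS if a in granted and b in granted)


def perform(user: User, invoice: Invoice, operation: str) -> None:
    """Dynamic SoD check at request time: even if roles have accumulated, one person
    may not perform both halves of a conflicting pair on the same invoice."""
    if not is_permitted(user, "invoice", operation):
        raise AccessDenied(f"{user.name} lacks '{operation}' on invoice")
    for who, prior in invoice.history:
        if who == user.name and _conflicts(prior, operation):
            raise AccessDenied(f"{user.name} already performed '{prior}' on {invoice.id}")
    invoice.history.append((user.name, operation))


if __name__ == "__main__":
    carol = User("carol", {"clerk", "approver"})   # an over-privileged account
    print("conflicts for carol:", role_assignment_conflicts(carol.roles, "invoice"))
    inv = Invoice("INV-2")
    perform(carol, inv, "create")
    try:
        perform(carol, inv, "approve")
    except AccessDenied as exc:
        print("denied:", exc)
```

The static check belongs in the provisioning workflow so that a conflicting role combination is flagged before the account exists; the dynamic check is the safety net for combinations that slipped through.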
Accounting
A system provides accountability when it can identify the individual user and track and monitor that user's activity. In every enterprise application or system the audit trail (audit logs) is essential: it records every user action so that the system administrator can later trace the source of any illegal or suspicious activity. Audit logs should be reviewed regularly by management, both to detect incidents and to deter them, and they must themselves be protected from modification, since an attacker's first step is often to erase their tracks.
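An audit trail of the kind described above, as an added example that is not part of the original article: each record names who did what, when, and with what outcome, and is chained to the previous record with an HMAC so that edits, reordering or deletions in the middle of the log are detectable during review. The event format, the review rules and the sample events are constructed for illustration; the key is a placeholder.

```python
import hashlib
import hmac
import json
from collections import Counter
from typing import Dict, List

# Key that authenticates each record. Assumption: it is held by the log collector,
# not by the application host, so an intruder who controls the application cannot
# re-sign an edited history. This literal is a constructed placeholder.
LOG_KEY = b"example-audit-log-key-change-me"
GENESIS = "0" * 64


def _mac(body: Dict) -> str:
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(LOG_KEY, canonical, hashlib.sha256).hexdigest()


def append_event(log: List[Dict], ts: int, user: str, action: str, outcome: str, detail: str = "") -> Dict:
    """Record who did what, when, and with what result; chain it to the previous record."""
    body = {"ts": ts, "user": user, "action": action, "outcome": outcome,
            "detail": detail, "prev": log[-1]["mac"] if log else GENESIS}
    record = dict(body, mac=_mac(body))
    log.append(record)
    return record


def verify_chain(log: List[Dict]) -> bool:
    """True if no record was altered, reordered or removed from the middle of the log.
    Removal of the newest records is NOT detected without an external anchor (see note)."""
    prev = GENESIS
    for record in log:
        body = {k: v for k, v in record.items() if k != "mac"}
        if body.get("prev") != prev or not hmac.compare_digest(_mac(body), record["mac"]):
            return False
        prev = record["mac"]
    return True


def review(log: List[Dict], failed_login_threshold: int = 3) -> Dict[str, List[str]]:
    """Routine review: users with repeated failed logins, and who changed privileges."""
    failures = Counter(r["user"] for r in log if r["action"] == "login" and r["outcome"] == "failure")
    return {
        "repeated_failed_logins": sorted(u for u, n in failures.items() if n >= failed_login_threshold),
        "privilege_changes": sorted({r["user"] for r in log if r["action"] == "grant_role"}),
    }


def sample_log() -> List[Dict]:
    """Constructed events for illustration; not from a real system."""
    log: List[Dict] = []
    for ts, user, action, outcome, detail in [
        (1700000000, "alice", "login", "success", ""),
        (1700000060, "mallory", "login", "failure", "bad password"),
        (1700000065, "mallory", "login", "failure", "bad password"),
        (1700000070, "mallory", "login", "failure", "bad password"),
        (1700000300, "alice", "grant_role", "success", "bob -> approver"),
        (1700000400, "bob", "approve", "success", "INV-1"),
    ]:
        append_event(log, ts, user, action, outcome, detail)
    return log


if __name__ == "__main__":
    log = sample_log()
    print("chain intact:", verify_chain(log))
    print("review findings:", review(log))
    log[1]["outcome"] = "success"          # an attacker edits history
    print("chain intact after tampering:", verify_chain(log))
```

Two caveats a reviewer should keep in mind. Truncating the newest records leaves a valid chain, so the latest MAC must be anchored somewhere the attacker cannot reach (a separate log server, a periodic printout, a write-once store). And the chain only proves the log was not changed after it was written; an attacker who gains control before the event is logged can still prevent it being recorded, which is why the log should be shipped off the host in real time.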
Policy
Besides technical controls, policy forms the legal notice or agreement between the information owner and the users. The system owner must produce the relevant policies or guidelines and make every employee aware of what they may and may not do. The fundamental policies for ensuring the CIA of information are:
- Information Security Policy
- Acceptable Use Policy (AUP)
- Disaster Recovery Plan (DRP)
- Business Continuity Plan (BCP)
- Access Controls Policy
- Password Policy
- Privacy Policy