Logical access controls: direct access through open database connectivity



Logical access controls: direct access through open database connectivity should be prohibited, and all access to data files should be forced through authentication in a user rights management program (application processing control).

iv. Transaction processing controls: should be controlled with authentication and validation checks.

Process control:
i. Batch totals: compare output
ii. Total number of items: ensure each item was processed
iii. Transaction logs: record activity
iv. Run-to-run total: verify data values during the different stages of processing
v. Limit checks
vi. Exception reporting
vii. Job cost accounting

Mobile software
Low Risk | Moderate Risk | High Risk
PDF | Applets | ActiveX
Adobe Flash | PostScript |
JavaScript | Visual Basic |

i. ActiveX places no restrictions on what the programmer can do.
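The process controls listed above (batch totals, item counts, transaction logs, run-to-run totals, limit checks, exception reporting) can be seen working together in the following added example, which is not part of the original notes. The names `totals`, `run_batch`, `LIMIT` and the sample batch are assumptions constructed for illustration.

```python
from decimal import Decimal

LIMIT = Decimal("10000.00")  # assumed per-transaction ceiling for the limit check

# Constructed sample: the header carries control totals prepared at the source.
HEADER = {"count": 4, "amount_total": Decimal("17650.50")}
BATCH = [
    {"id": "T1", "amount": Decimal("120.50")},
    {"id": "T2", "amount": Decimal("2500.00")},
    {"id": "T3", "amount": Decimal("15000.00")},  # exceeds LIMIT
    {"id": "T4", "amount": Decimal("30.00")},
]

def totals(records):
    """Control totals for a set of records: (item count, amount total)."""
    return len(records), sum((r["amount"] for r in records), Decimal("0"))

def run_batch(header, batch, limit=LIMIT):
    log, exceptions, accepted = [], [], []

    # Batch total and item count: compare what arrived with the header
    # before any record is processed; a mismatch rejects the whole batch.
    received = totals(batch)
    if received != (header["count"], header["amount_total"]):
        log.append(("batch_rejected", received))
        return {"posted": [], "exceptions": [r["id"] for r in batch],
                "log": log, "balanced": False}
    log.append(("batch_accepted", received))

    # Stage 1: limit check. Out-of-range items go to the exception report.
    for rec in batch:
        ok = Decimal("0") < rec["amount"] <= limit
        (accepted if ok else exceptions).append(rec)
        log.append(("validated" if ok else "exception", rec["id"]))

    # Stage 2: posting (here, an in-memory ledger).
    ledger = [dict(rec, posted=True) for rec in accepted]

    # Run-to-run totals: what entered stage 1 must equal posted + exceptions.
    (in_n, in_amt), (out_n, out_amt) = received, totals(ledger)
    exc_n, exc_amt = totals(exceptions)
    balanced = in_n == out_n + exc_n and in_amt == out_amt + exc_amt
    log.append(("run_to_run", balanced))
    return {"posted": [r["id"] for r in ledger],
            "exceptions": [r["id"] for r in exceptions],
            "log": log, "balanced": balanced}

if __name__ == "__main__":
    print(run_batch(HEADER, BATCH))
```
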
3. Business Continuity Plan

The strategy for which the sum of downtime cost and recovery cost is the lowest is the optimal strategy.

Components
i. DRP plan: It is critical to initially identify information assets that can be made more resilient to disasters.
ii. Plan to restore operations to normal following disaster
iii. Improvement of security operations

BCP Lifecycle
i. Create BCP policy
ii. Business Impact Analysis (BIA): should be conducted with input from a wide array of stakeholders. Protecting human resources during a disaster-related event should be addressed first. The BIA identifies:
    • Different business processes & criticality
    • Critical IS resources supporting critical business processes
    • Critical recovery period before significant losses occur
    • A determination of acceptable downtime is made
iii. Classification of operations and criticality
iv. Identify IS processes that support business criticality
v. Develop BCP and IS DRP
vi. Develop resumption procedures
vii. Training and awareness programs
viii. Test and implement plan
ix. Monitoring: Periodic testing of the recovery plan is critical to ensure that whatever has been planned and documented is feasible.

Terms
i. Recovery point objective (RPO) – based on acceptable data loss; earliest time in which it is acceptable to recover; date/time or synchronization point to which systems/data will be restored.
ii. Recovery time objective (RTO) – based on acceptable downtime; earliest time when business operations must resume.
iii. Interruption window – how long a business can wait before operations resume (after this point, losses are unaffordable).
iv. Maximum tolerable outage (MTO) – maximum time business can operate in alternate processing mode before other problems occur.
v. Service delivery objective (SDO) – acceptable level of services required during alternate processing.

Recovery Alternatives
i. Hot site – fully configured and ready to operate within hours. Not for extended use.
ii. Warm site – partially configured. Site ready in hours, operations ready in days or weeks.